
Sneaky Malware [RESOLVED]



#1 Lost in cyber space (Member, 15 posts)
I have been trying to eradicate malware from my system. I use AVG for my spyware and anti-virus, and it is fully updated. However, there seems to be something hiding in my Internet Explorer; I say that because I do not see any suspicious processes running. It seems to hijack my links sometimes, and also sometimes when I open a new IE window. I use Process Explorer and can't find anything to my knowledge. I had some IE add-ons which were suspicious, so I disabled them; however, I still get pop-ups, only while having IE running. Any help would be appreciated. Thanks. Here is the HijackThis file with one of the pop-ups active.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:46:10 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Thomas Family\My Documents\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080130
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27A82D47-9A2A-4B39-B4EC-792BBDFD03FA} - C:\WINDOWS\system32\ljjgfdb.dll
O2 - BHO: (no name) - {4B1A921B-ED55-4CBF-96A9-82C6DEC1E275} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {F19E9E26-0751-4211-8DFE-390E78FDF702} - C:\Program Files\MSN\xucif89104.dll (file missing)
O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - C:\WINDOWS\system32\xxywuss.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM8324219d] Rundll32.exe "C:\WINDOWS\system32\bahwjpci.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Intel PROSet Wireless.lnk = C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
O4 - Global Startup: Logitech LCD Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202541555750
O20 - Winlogon Notify: ljjgfdb - C:\WINDOWS\SYSTEM32\ljjgfdb.dll
O20 - Winlogon Notify: xxywuss - xxywuss.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8620 bytes

Edited by Lost in cyber space, 10 March 2008 - 12:53 AM.



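The HijackThis log in the post above is read by eye in this thread, but the entries that VundoFix and ComboFix go on to remove (the unnamed BHOs ljjgfdb.dll, sstqq.dll and xxywuss.dll, the rundll32 Run value loading bahwjpci.dll, the ljjgfdb Winlogon Notify package and the ownerless "Network Monitor" service) can also be picked out mechanically. The Python below is an added example, not part of the thread and not HijackThis's own logic: it parses the O2/O4/O20/O23 line formats, scores each entry on a few indicators (missing file, "(no name)" BHO, unknown service owner, a generated-looking Run value name, a random-looking file name, and the same module registered in more than one section), and reports everything at or above a threshold. The sample lines are a constructed subset copied from the log above, with the Adobe, NVIDIA and AVG entries kept as controls; the indicator weights are this example's own heuristics.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 line format: a subset of the log posted
# above (CLSIDs, paths and Run value names copied from it), with the genuine
# Adobe, NVIDIA and AVG entries kept as controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27A82D47-9A2A-4B39-B4EC-792BBDFD03FA} - C:\WINDOWS\system32\ljjgfdb.dll
O2 - BHO: (no name) - {4B1A921B-ED55-4CBF-96A9-82C6DEC1E275} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - C:\WINDOWS\system32\xxywuss.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM8324219d] Rundll32.exe "C:\WINDOWS\system32\bahwjpci.dll",s
O20 - Winlogon Notify: ljjgfdb - C:\WINDOWS\SYSTEM32\ljjgfdb.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Indicator weights are this example's own heuristics, not HijackThis's.
WEIGHTS = {
    "BHO registered without a name": 2,
    "non-default Winlogon Notify package": 2,
    "same module registered in several sections": 2,
    "file missing on disk": 1,
    "service with unknown owner": 1,
    "generated-looking Run value name": 1,
    "random-looking file name": 1,
}

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^",]+?\.dll)', re.IGNORECASE)
VALUE_NAME_RE = re.compile(r"\[([^\]]+)\]")
GENERATED_NAME_RE = re.compile(r"[A-Za-z]{1,3}[0-9A-Fa-f]{6,}")  # e.g. BM8324219d
MISSING = "(file missing)"


def looks_random(stem):
    """Crude name check: letters only, five or more of them, and either no vowel
    at all or a run of five or more consonants. Noisy on its own (NvCpl trips
    it), which is why it carries weight 1 and never flags an entry by itself."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    if not any(c in "aeiou" for c in s):
        return True
    return re.search(r"[^aeiou]{5,}", s) is not None


def parse_entries(log_text):
    """Return (section, module stem, per-line reasons) for O2/O4/O20/O23 lines."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith(MISSING):
            reasons.append("file missing on disk")
            body = body[: -len(MISSING)].strip()
        fields = body.split(" - ")  # "name - {CLSID} - path" style records
        path = None
        if section == "O2":
            path = fields[-1]
            if "(no name)" in fields[0]:
                reasons.append("BHO registered without a name")
        elif section == "O20":
            path = fields[-1]
            # XP's own notify packages (crypt32chain, cscdll, Schedule, ...) are
            # few and well known; anything else listed here deserves a look.
            reasons.append("non-default Winlogon Notify package")
        elif section == "O23":
            path = fields[-1]
            if len(fields) > 1 and "Unknown owner" in fields[1]:
                reasons.append("service with unknown owner")
        elif section == "O4":
            rm = RUNDLL_RE.search(body)
            if rm is None:
                continue  # only rundll32-loaded DLLs are scored in this example
            path = rm.group(1)
            nm = VALUE_NAME_RE.search(body)
            if nm and GENERATED_NAME_RE.fullmatch(nm.group(1)):
                reasons.append("generated-looking Run value name")
        if path is None:
            continue
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        entries.append((section, stem, reasons))
    return entries


def triage(log_text, threshold=2):
    """Score every parsed entry; return those at or above the threshold as
    (score, section, stem, reasons), highest score first."""
    entries = parse_entries(log_text)
    sections_by_stem = defaultdict(set)
    for section, stem, _ in entries:
        sections_by_stem[stem].add(section)
    flagged = []
    for section, stem, reasons in entries:
        reasons = list(reasons)
        if len(sections_by_stem[stem]) > 1:  # e.g. BHO plus Winlogon Notify
            reasons.append("same module registered in several sections")
        if looks_random(stem):
            reasons.append("random-looking file name")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= threshold:
            flagged.append((score, section, stem, reasons))
    flagged.sort(key=lambda f: (-f[0], f[1], f[2]))
    return flagged


if __name__ == "__main__":
    for score, section, stem, reasons in triage(SAMPLE_LOG):
        print(f"{score} {section:<4} {stem:<10} {'; '.join(reasons)}")
```

On the sample, ljjgfdb scores highest because it is both an unnamed BHO and a Winlogon Notify package, the same dual registration the later VundoFix and ComboFix output confirms; the NvCpl and nvsvc32 controls stay below the threshold. The name heuristic is deliberately weak: in real triage the decisive checks are the signer and hash of the file, not its spelling.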

#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post me an Uninstall List from HijackThis:
  • Re-Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download VundoFix from Here to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [two screenshots of the rename step, not reproduced]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following:
  • The HijackThis uninstall list
  • The contents of vundofix.txt
  • The contents of Combofix.txt
  • The MBAM log
  • The contents of Kaspersky.txt
(Note that you may need to make two or three posts to ensure all the logs are posted in full.)

And let me know how your computer is behaving now.

Regards,
RatHat

#3 Lost in cyber space (Topic Starter, Member, 15 posts)
RatHat, here are the results of the Uninstall List. Thank you for your help. :)

Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
Advanced Audio FX Engine
Advanced Video FX Engine
Age of Empires III
AGEIA PhysX v7.06.26
AVG 7.5
AVG Anti-Spyware 7.5
BugOff 1.10
Dell DataSafe Online
Dell Support Center
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Diskeeper Professional Edition
Documentation & Support Launcher
Games, Music, & Photos Launcher
Ground Control II
High Definition Audio Driver Package - KB835221
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Document Viewer 6.1
HP Extended Capabilities 6.1
HP Imaging Device Functions 6.1
HP Photosmart Premier Software 6.1
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
Intel® PROSet/Wireless Software
IntelliSonic Speech Enhancement
Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 6
Laptop Integrated Webcam Driver (1.03.02.0719)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Logitech Gaming LCD Software 1.04
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Reader
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
mWlsSafe
mWMI
mZConfig
Network Monitor
NVIDIA Drivers
Project64 1.6
QuickSet
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sins of a Solar Empire
Sins of a Solar Empire
Sonic Activation Module
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
WinAce Archiver
WindowBlinds
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
World in Conflict
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Widgets

#4 Lost in cyber space (Topic Starter, Member, 15 posts)
Here are the results for the Vundo Fix:


C:\windows\system32\ljjgfdb.dll

Here are the part-one results for the Combo-Fix:

ComboFix 08-03-10.1 - Thomas Family 2008-03-10 16:37:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526 [GMT -7:00]
Running from: C:\Documents and Settings\Thomas Family\My Documents\Downloads\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\network monitor
C:\Program Files\outlook
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\b.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bahwjpci.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tdii.sys
C:\WINDOWS\system32\exxocvkk.dll
C:\WINDOWS\system32\ljjgfdb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_TDII
-------\Network Monitor
-------\tdii


((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 16:18 . 2008-03-10 16:26 <DIR> d-------- C:\VundoFix Backups
2008-03-08 17:54 . 2006-10-04 07:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-08 17:54 . 2006-10-04 07:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-08 17:54 . 2006-10-04 07:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-08 17:53 . 2008-03-08 17:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-08 17:51 . 2008-03-08 17:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-08 17:51 . 2008-03-08 17:52 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-08 13:03 . 2008-03-08 13:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 13:00 . 2008-03-10 08:00 <DIR> d-------- C:\Documents and Settings\Thomas Family\Application Data\AVG7
2008-03-08 13:00 . 2008-03-08 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-08 13:00 . 2008-03-08 13:00 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2008-03-08 12:55 . 2008-03-08 12:55 <DIR> d-------- C:\Documents and Settings\Thomas Family\Application Data\Grisoft
2008-03-08 12:54 . 2008-03-08 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 12:54 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-08 11:35 . 2008-03-08 11:35 <DIR> d-------- C:\Program Files\Live_TV
2008-03-08 11:19 . 2008-03-08 11:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-03-08 11:09 . 2008-03-08 11:09 134 --a------ C:\n.bat
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\WINDOWS\system32\typ2
2008-03-08 11:08 . 2008-03-08 11:21 <DIR> d-------- C:\WINDOWS\system32\sbc2
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\WINDOWS\system32\lows8
2008-03-08 11:08 . 2008-03-09 11:33 <DIR> d-------- C:\WINDOWS\system32\iDlo18
2008-03-08 11:08 . 2008-03-09 11:33 <DIR> d-------- C:\WINDOWS\system32\ech5
2008-03-08 11:08 . 2008-03-09 11:33 <DIR> d-------- C:\WINDOWS\system32\dr6
2008-03-08 11:08 . 2008-03-10 16:37 <DIR> d-------- C:\Temp
2008-03-08 10:31 . 2008-03-08 16:15 <DIR> d-------- C:\Documents and Settings\Thomas Family\Shared
2008-03-05 09:01 . 2008-03-05 09:01 <DIR> d-------- C:\Program Files\Microsoft Reader
2008-03-05 09:01 . 2007-01-30 16:06 60,944 --a------ C:\WINDOWS\DASShp.dll
2008-03-01 17:41 . 2008-03-01 17:41 <DIR> d-------- C:\Program Files\Project64 1.6
2008-02-28 16:33 . 2008-02-28 16:33 <DIR> d-------- C:\WINDOWS\Sun
2008-02-23 01:08 . 2008-02-23 01:08 <DIR> d-------- C:\Documents and Settings\Thomas Family\Application Data\Yahoo!
2008-02-23 01:08 . 2008-02-23 01:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-23 01:06 . 2008-02-23 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-23 00:32 . 2008-02-23 00:32 <DIR> d-------- C:\Documents and Settings\Thomas Family\Application Data\HP
2008-02-23 00:23 . 2008-02-23 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-23 00:21 . 2008-02-23 00:21 <DIR> d-------- C:\Program Files\Common Files\HP
2008-02-23 00:19 . 2008-02-23 00:19 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-23 00:18 . 2008-02-23 00:18 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-23 00:15 . 2005-03-22 05:48 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-02-23 00:15 . 2005-10-27 17:24 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-02-23 00:15 . 2005-10-14 23:42 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2008-02-23 00:15 . 2005-10-27 17:24 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-02-23 00:15 . 2004-08-03 23:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-23 00:15 . 2004-08-03 23:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-23 00:14 . 2005-03-14 13:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-02-23 00:14 . 2005-03-14 13:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-02-23 00:14 . 2005-03-08 12:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-02-23 00:14 . 2005-03-14 13:05 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-02-23 00:14 . 2005-03-14 14:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-02-23 00:14 . 2005-03-08 12:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-02-23 00:13 . 2008-02-23 00:19 <DIR> d-------- C:\Program Files\HP
2008-02-23 00:13 . 2004-08-04 00:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-23 00:11 . 2008-02-23 00:31 109,191 --a------ C:\WINDOWS\hpoins08.dat
2008-02-23 00:11 . 2006-01-24 00:11 7,577 --------- C:\WINDOWS\hpomdl08.dat
2008-02-23 00:01 . 2004-08-04 00:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-23 00:01 . 2004-08-04 00:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 17:15 . 2008-03-04 17:16 20,480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL
2008-02-13 17:13 . 2008-02-13 17:13 <DIR> d-------- C:\Program Files\WinAce
2008-02-10 17:49 . 2008-02-10 17:49 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-02-10 17:37 . 2008-02-10 17:37 <DIR> d-------- C:\Program Files\Stardock Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 16:57 --------- d-----w C:\Program Files\Dell
2008-03-09 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-05 16:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-24 01:57 --------- d-----w C:\Documents and Settings\Thomas Family\Application Data\Roxio
2008-02-23 08:06 --------- d-----w C:\Program Files\Yahoo!
2008-02-23 07:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-07 07:24 --------- d-----w C:\Documents and Settings\Thomas Family\Application Data\CyberLink
2008-02-07 07:16 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-07 03:32 --------- d--h--r C:\Documents and Settings\Thomas Family\Application Data\SecuROM
2008-02-07 03:21 --------- d-----w C:\Program Files\Sierra Entertainment
2008-02-07 02:58 --------- d-----w C:\Program Files\Microsoft Games
2008-02-07 02:46 --------- d-----w C:\Program Files\Ground Control II
2008-02-06 06:44 --------- d-----w C:\Documents and Settings\Thomas Family\Application Data\EVEMon
2008-02-05 20:39 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-05 14:00 --------- d-----w C:\Program Files\Google
2008-02-05 02:21 --------- d-----w C:\Program Files\Executive Software
2008-02-05 02:21 --------- d-----w C:\Documents and Settings\Thomas Family\Application Data\Leadertech
2008-02-05 01:58 --------- d-----w C:\Program Files\Stardock
2008-02-05 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-30 00:29 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Roxio
2008-01-30 00:29 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-01-30 00:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio
2008-01-30 00:26 --------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-01-30 00:26 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2008-01-30 00:25 --------- d-----w C:\Program Files\MUSICMATCH
2008-01-30 00:24 --------- d-----w C:\Program Files\Dell Support Center
2008-01-30 00:24 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-01-30 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-30 00:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 00:21 --------- d-----w C:\Program Files\Dell DataSafe Online
2008-01-30 00:20 --------- d-----w C:\Program Files\Roxio
2008-01-30 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-01-30 00:15 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-01-30 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-30 00:14 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-30 00:14 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-30 00:13 --------- d-----w C:\Program Files\Sigmatel
2008-01-30 00:09 --------- d-----w C:\Program Files\Logitech
2008-01-30 00:09 --------- d-----w C:\Program Files\Common Files\Logitech
2008-01-30 00:09 --------- d-----w C:\Program Files\AGEIA Technologies
2008-01-30 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-30 00:07 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2008-01-30 00:07 --------- d-----w C:\Program Files\Creative Live! Cam
2008-01-30 00:07 --------- d-----w C:\Program Files\Creative
2008-01-30 00:07 --------- d-----w C:\Program Files\Common Files\Reallusion
2008-01-30 00:07 --------- d-----w C:\Program Files\Common Files\Creative
2008-01-30 00:07 --------- d-----w C:\Documents and Settings\Thomas Family\Application Data\InstallShield
2008-01-30 00:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-30 00:06 21,393 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-30 00:06 21,393 ----a-w C:\WINDOWS\AegisP.sys
2008-01-30 00:06 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-01-30 00:06 --------- d-----w C:\Program Files\Intel, Inc
2008-01-30 00:06 --------- d-----w C:\Documents and Settings\Thomas Family\Application Data\Intel
2008-01-30 00:06 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-01-30 00:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-01-30 00:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2008-01-30 00:05 --------- d-----w C:\Program Files\Intel
2008-01-30 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-01-30 00:02 --------- d-----w C:\Program Files\Java
2008-01-30 00:01 --------- d-----w C:\Program Files\Common Files\Java
2008-01-29 23:59 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-29 23:27 --------- d-----w C:\Program Files\Synaptics
2008-01-29 23:19 7,339 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_XPS_M1730.mrk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F19E9E26-0751-4211-8DFE-390E78FDF702}]
C:\Program Files\MSN\xucif89104.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-05 17:43 8491008]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 13:00 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 13:00 219136]

C:\Documents and Settings\Thomas Family\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 15:34:48 3746856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Intel PROSet Wireless.lnk - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe [2007-07-25 15:30:36 974848]
Logitech LCD Manager.lnk - C:\WINDOWS\Installer\{F7511FE7-BA89-4939-B2EF-A3F287B0F298}\NewShortcut1.E8BD1F6A_63E9_4BC3_8DF5_1E24A65D44C8.exe [2008-01-29 17:09:26 22486]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywuss]
xxywuss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 09:35]
R3 DXEC02;DXEC02;C:\WINDOWS\system32\drivers\dxec02.sys [2006-11-02 11:31]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 13:54]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 13:55]
R3 physX32;physX32;C:\WINDOWS\system32\DRIVERS\physX32.sys [2007-06-26 10:15]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\gAGP440p.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 16:43:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Edited by Lost in cyber space, 10 March 2008 - 06:04 PM.

#5 Lost in cyber space (Member, Topic Starter, 15 posts)
Here is part 2 of Combo-Fix:

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-10 16:46:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 23:46:14
.
2008-03-09 08:15:16 --- E O F ---

#6 Lost in cyber space (Member, Topic Starter, 15 posts)
Here are the MBAM results: (I thought anti-virus and spyware programs should find this stuff!)

Malwarebytes' Anti-Malware 1.08
Database version: 475

Scan type: Quick Scan
Objects scanned: 27285
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\dr6 (Adware.Rabio) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ech5 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iDlo18 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lows8 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sbc2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\typ2 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lows8\spgdn65.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\typ2\key89104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.

#7 RatHat (Ex Malware Expert, 7,829 posts)
Could you post me the Kaspersky log and let me know how your computer is behaving.

Thanks,
RatHat

#8 Lost in cyber space (Member, Topic Starter, 15 posts)
My computer seems to be operating normally without pop-ups. :) During the Kaspersky scan my AVG anti-virus found some of the files (14) listed (not sure why it didn't find them before); I "healed" them as it suggested. Here are the results of the Kaspersky scan:

Monday, March 10, 2008 6:05:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/03/2008
Kaspersky Anti-Virus database records: 622574


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 72947
Number of viruses found 6
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 00:41:38

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Dell\QuickSet\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Thomas Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-32a7b290.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped

C:\Documents and Settings\Thomas Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-32a7b290.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Thomas Family\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\Application Data\Yahoo\Widget Engine\Widgets DB\widgets.db Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\Temp\~DF66E2.tmp Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Thomas Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Thomas Family\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Thomas Family\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ljjgfdb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jwy skipped

C:\QooBox\Quarantine\C\winlogon.exe.vir Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped

C:\QooBox\Quarantine\catchme2008-03-10_164242.51.zip/tdii.sys Infected: Rootkit.Win32.Agent.to skipped

C:\QooBox\Quarantine\catchme2008-03-10_164242.51.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0004319.dll Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0004329.dll Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0004330.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0004348.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004384.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004398.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004400.exe/0/TBEDRS.DLL Infected: not-a-virus:AdWare.Win32.Shopper.u skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004400.exe/0 Infected: not-a-virus:AdWare.Win32.Shopper.u skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004400.exe QuickBatch: infected - 2 skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004401.exe/0/TBEDRS.DLL Infected: not-a-virus:AdWare.Win32.Shopper.u skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004401.exe/0 Infected: not-a-virus:AdWare.Win32.Shopper.u skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0004401.exe QuickBatch: infected - 2 skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0004429.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0004437.dll Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0004460.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0004463.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP41\A0004860.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP41\A0004861.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP42\A0004918.exe Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP44\A0005051.exe Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP44\A0005056.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jwy skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP44\change.log Object is locked skipped

C:\VundoFix Backups\ljjgfdb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jwy skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan was interrupted by user! (It was scanning a game disk in my D: drive, C: was completed)

#9 RatHat (Ex Malware Expert, 7,829 posts)
You are looking good! Couple of things left to do though.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Thomas Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-32a7b290.zip


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Your version of Java is out of date. Please update to the latest version here (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type "%userprofile%\desktop\ComboFix.exe" /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Finally, please run one more online scan for me.
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post the results from above, and a fresh HijackThis log in your next reply. Let me know if you are having any more problems too.

Regards,
RatHat

#10 Lost in cyber space (Member, Topic Starter, 15 posts)
I did the MoveIt; however, when I went to open Notepad my computer locked, so I was unable to copy the results. I couldn't see all that was listed, sorry. I think it did what it was supposed to, though. What should I do?

#11 RatHat (Ex Malware Expert, 7,829 posts)
Can you reboot your computer, then continue on with the remainder of the fixes.

Regards,
RatHat

#12 Lost in cyber space (Member, Topic Starter, 15 posts)
Yes I did, and moved on to ATF Cleaner; it said it freed up 38.33 MB when it completed. Moving on to the Java update.

#13 RatHat (Ex Malware Expert, 7,829 posts)
:)

#14 Lost in cyber space (Member, Topic Starter, 15 posts)
Okay, Java done. I messed up on installing Combo-Fix; I tried to uninstall it but can't seem to do it. The path I ran it from is C:\Documents and Settings\Thomas Family\My Documents\Downloads\Combo-Fix.exe

However, I tried that with the " / u and it doesn't work. Like you said, I should have followed the directions more closely.

Sorry :)

#15 Lost in cyber space (Member, Topic Starter, 15 posts)
Never mind, I am an idiot, I forgot the beginning " :) Is it not a good idea to keep Combo-Fix installed, just in case I get hijacked again?

Edited by Lost in cyber space, 10 March 2008 - 08:27 PM.
