
trojandownloader.xs [CLOSED]


  • This topic is locked

#1 ratboy32 (New Member, 3 posts)
I seem to have the "Trojandownloader.xs" program on my system and I cannot get rid of it. I have run Combofix.exe and am attaching the log.txt file from it. My system is running Lavasoft's Ad-Aware 2007 with the current updates. I have even run Windows Defender and it still is there. I know how I got it, by doing something stupid that I normally do not do. Please help me.

ComboFix 08-03-24.1 - kp 2008-03-24 17:34:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.997 [GMT -4:00]
Running from: C:\Documents and Settings\kp\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\WINDOWS\dwnrpofk.dll
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-24 16:13 . 2008-03-24 16:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-24 14:51 . 2008-03-24 14:51 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-24 14:10 . 2008-03-24 14:10 <DIR> d-------- C:\Documents and Settings\kp\Desktopvirii
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopTrojan.Win32.BlackBird.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopFWebdEditor.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfwebd.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfkwp2.0.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfkwp1.5.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfilemanagerclient.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopEditorFKWP2.0.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopEditorFKWP1.5.exe
2008-03-24 14:09 . 2008-03-24 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tmxudghg
2008-03-24 14:09 . 2008-03-24 12:41 270,336 --a------ C:\WINDOWS\vbgtorfd.dll
2008-03-24 14:09 . 2008-03-24 12:41 249,856 --a------ C:\WINDOWS\kdftlboeopx.dll
2008-03-24 14:09 . 2008-03-24 14:09 114,688 --a------ C:\WINDOWS\system32\dyfqvibg.exe
2008-03-24 14:06 . 2008-03-24 14:07 45 --a------ C:\xmp.bat
2008-03-11 11:45 . 2008-03-16 18:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 11:45 . 2008-03-11 11:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 15:15 . 2008-03-04 15:15 <DIR> d-------- C:\Program Files\MSECache
2008-03-03 21:14 . 2008-03-03 21:15 <DIR> d-------- C:\Program Files\MFInstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 20:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-23 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-18 01:38 --------- d-----w C:\Program Files\mIRC
2008-03-11 14:42 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-03 03:51 --------- d-----w C:\Program Files\Trillian
2008-02-22 19:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Philips Intelligent Agent
2008-01-12 17:50 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F97A8CB-0E8F-4AF0-B737-12C03F355794}]
2008-03-24 12:41 249856 --a------ C:\WINDOWS\kdftlboeopx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Philips Intelligent Agent"="C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 11:58 579760]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"gagehbjp"="C:\WINDOWS\system32\dyfqvibg.exe" [2008-03-24 14:09 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 13:08 143360]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2005-03-07 00:52 276480]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48 479232]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43 86016]
"DLink Control Panel Silent"="dlnetcp.cpl" [2003-09-29 04:14 471040 C:\WINDOWS\system32\dlNetCp.cpl]
"DLink System Tray"="C:\Program Files\D-Link\DGE-530T\dlnetst.exe" [2003-09-29 04:14 24576]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 09:14 1695744]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-05-30 15:22 542208]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-02-17 22:23 2476408]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 15:07 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2006-01-06 15:07 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 14:25 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\kp\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-03-23 12:01:40 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"k0qetSkS9C"= C:\Documents and Settings\All Users\Application Data\tmxudghg\hstgvazg.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PrxWin"= {3947aea9-6ef5-44be-a61f-5601a663649e} - C:\WINDOWS\Installer\{3947aea9-6ef5-44be-a61f-5601a663649e}\PrxWin.dll [2008-03-24 14:08 14378]
"vbgtorfd"= {0CFDAE17-0694-4B7F-8DAD-05452DC297FE} - C:\WINDOWS\vbgtorfd.dll [2008-03-24 12:41 270336]
"dwnrpofk"= {44633588-96DA-4372-B682-A1BA04330009} - C:\WINDOWS\dwnrpofk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"587:TCP"= 587:TCP:outlook

R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2005-03-07 00:52]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 00:39]
S3 m4cxwxp;NDIS5.1 Miniport Driver for D-Link DGE-530T Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\m4cxwxp.sys [2003-08-27 06:23]
S3 SkLaggProtocol;Link Aggregation Protocol (LAGG) Support;C:\WINDOWS\system32\DRIVERS\sklagg.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 21:33:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-24 21:09:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-24 20:57:47 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-03-24 20:57:48 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-03-24 20:28:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 17:36:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
Completion time: 2008-03-24 17:37:27
ComboFix-quarantined-files.txt 2008-03-24 21:37:24
.
2008-03-23 03:09:35 --- E O F ---
#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why the Recovery Console is recommended is that malware does a lot of damage and causes an unstable system, and because of that it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, after you have installed the Recovery Console...

I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see two options: Active and Automatic.
Active: This will turn Ad-Watch on/off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options. You can enable these again after resolving your problem.

Then,
Please uninstall PC-Cleaner, because this looks

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\dyfqvibg.exe
C:\Documents and Settings\kp\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\kp\DesktopFWebdEditor.exe
C:\Documents and Settings\kp\Desktopfwebd.exe
C:\Documents and Settings\kp\Desktopfkwp2.0.exe
C:\Documents and Settings\kp\Desktopfkwp1.5.exe
C:\Documents and Settings\kp\Desktopfilemanagerclient.exe
C:\Documents and Settings\kp\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\kp\DesktopEditorFKWP1.5.exe
C:\WINDOWS\vbgtorfd.dll
C:\WINDOWS\kdftlboeopx.dll
Folder::
C:\WINDOWS\Installer\{3947aea9-6ef5-44be-a61f-5601a663649e}
C:\Documents and Settings\All Users\Application Data\tmxudghg
Dirlook::
C:\Documents and Settings\kp\Desktopvirii
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F97A8CB-0E8F-4AF0-B737-12C03F355794}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=-
"gagehbjp"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"k0qetSkS9C"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PrxWin"=-
"vbgtorfd"=-
"dwnrpofk"=-
Collect::[8]
C:\xmp.bat


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again.
* it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm, which will open after you have run ComboFix.
* Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, did you download and install C:\Program Files\PC-Cleaner ??

#3 ratboy32 (Topic Starter, New Member, 3 posts)
Here is the log.txt from the combofix that was run. To my knowledge I did not install PC cleaner.



ComboFix 08-03-25.4 - kp 2008-03-26 18:59:23.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.996 [GMT -4:00]
Running from: C:\Documents and Settings\kp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kp\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\tmxudghg
C:\Documents and Settings\All Users\Application Data\tmxudghg\hstgvazg.exe
C:\xmp.bat

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-25 18:10 . 2008-03-25 18:10 102,400 --a------ C:\WINDOWS\system32\wtopejel.exe
2008-03-24 22:31 . 2008-03-24 22:31 94,208 --a------ C:\WINDOWS\system32\hurgvsho.exe
2008-03-24 22:21 . 2008-03-25 18:02 5,158 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 22:15 . 2008-03-24 22:15 94,208 --a------ C:\WINDOWS\system32\zwlcheba.exe
2008-03-24 16:13 . 2008-03-24 16:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-24 14:51 . 2008-03-24 14:51 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-24 14:10 . 2008-03-24 14:10 <DIR> d-------- C:\Documents and Settings\kp\Desktopvirii
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopTrojan.Win32.BlackBird.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopFWebdEditor.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfwebd.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfkwp2.0.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfkwp1.5.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\Desktopfilemanagerclient.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopEditorFKWP2.0.exe
2008-03-24 14:10 . 2008-03-24 14:10 4,096 --a------ C:\Documents and Settings\kp\DesktopEditorFKWP1.5.exe
2008-03-24 14:09 . 2008-03-24 14:09 114,688 --a------ C:\WINDOWS\system32\dyfqvibg.exe
2008-03-11 11:45 . 2008-03-16 18:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 11:45 . 2008-03-11 11:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 15:15 . 2008-03-04 15:15 <DIR> d-------- C:\Program Files\MSECache
2008-03-03 21:14 . 2008-03-03 21:15 <DIR> d-------- C:\Program Files\MFInstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 23:03 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-23 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-18 01:38 --------- d-----w C:\Program Files\mIRC
2008-03-11 14:42 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-03 03:51 --------- d-----w C:\Program Files\Trillian
2008-02-22 19:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Philips Intelligent Agent
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\kp\Desktopvirii ----

2008-03-24 14:10 4096 --a------ C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
2008-03-24 14:10 4096 --a------ C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
2008-03-24 14:10 4096 --a------ C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
2008-03-24 14:10 4096 --a------ C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
2008-03-24 14:10 4096 --a------ C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe


((((((((((((((((((((((((((((( snapshot@2008-03-24_17.37.15.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-03-24 20:58:58 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-26 23:07:24 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-24 20:58:58 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-26 23:07:24 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Philips Intelligent Agent"="C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 11:58 579760]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"lusnaqkr"="C:\WINDOWS\system32\zwlcheba.exe" [2008-03-24 22:15 94208]
"kuyxvskg"="C:\WINDOWS\system32\hurgvsho.exe" [2008-03-24 22:31 94208]
"tsrfflql"="C:\WINDOWS\system32\wtopejel.exe" [2008-03-25 18:10 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 13:08 143360]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2005-03-07 00:52 276480]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48 479232]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43 86016]
"DLink Control Panel Silent"="dlnetcp.cpl" [2003-09-29 04:14 471040 C:\WINDOWS\system32\dlNetCp.cpl]
"DLink System Tray"="C:\Program Files\D-Link\DGE-530T\dlnetst.exe" [2003-09-29 04:14 24576]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 09:14 1695744]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-05-30 15:22 542208]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-02-17 22:23 2476408]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 15:07 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2006-01-06 15:07 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 14:25 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\kp\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-03-23 12:01:40 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"587:TCP"= 587:TCP:outlook

R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2005-03-07 00:52]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 00:39]
S3 m4cxwxp;NDIS5.1 Miniport Driver for D-Link DGE-530T Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\m4cxwxp.sys [2003-08-27 06:23]
S3 SkLaggProtocol;Link Aggregation Protocol (LAGG) Support;C:\WINDOWS\system32\DRIVERS\sklagg.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 21:33:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-27 01:09:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-27 02:06:22 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-03-27 02:06:23 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-03-26 23:05:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 22:06:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ad-Watch Real-Time Scanner]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\AWRTPD.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-26 22:08:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 02:08:24
ComboFix2.txt 2008-03-26 22:58:35
ComboFix3.txt 2008-03-25 22:06:34
ComboFix4.txt 2008-03-25 02:28:11
ComboFix5.txt 2008-03-24 21:37:29
.
2008-03-23 03:09:35 --- E O F ---

<<< attachment removed - you were not supposed to attach the submission here, since we don't want anyone to download the infected files from here >>>

Edited by miekiemoes, 27 March 2008 - 12:07 AM.


#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

It appears that you didn't copy and paste the contents of the CFScript properly and forgot to include the File:: on top.
So we have to do this again...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\wtopejel.exe
C:\WINDOWS\system32\hurgvsho.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\zwlcheba.exe
C:\Documents and Settings\kp\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\kp\DesktopFWebdEditor.exe
C:\Documents and Settings\kp\Desktopfwebd.exe
C:\Documents and Settings\kp\Desktopfkwp2.0.exe
C:\Documents and Settings\kp\Desktopfkwp1.5.exe
C:\Documents and Settings\kp\Desktopfilemanagerclient.exe
C:\Documents and Settings\kp\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\kp\DesktopEditorFKWP1.5.exe
C:\WINDOWS\system32\dyfqvibg.exe
Folder::
C:\Documents and Settings\kp\Desktopvirii
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lusnaqkr"=-
"kuyxvskg"=-
"tsrfflql"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 27 March 2008 - 12:08 AM.


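A triage script for the ComboFix log format and the CFScript format used in posts #2 and #4 above, added here as an example (not code from the thread, from ComboFix or from the helper): it parses the "Files Created" and "Reg Loading Points" sections, flags autostart values whose name or binary is eight random lowercase letters and whose target (or its folder) was created inside the log window, which is the pattern every dropper in this thread shows, and drafts the File::/Registry:: sections of a CFScript for them. The log excerpt is constructed from the thread's logs, and the regexes and the heuristic are my assumptions, not ComboFix's own logic.

```python
"""Triage a ComboFix log: flag autostart entries that look like the thread's
random-named droppers and draft the CFScript that would remove them.
Added example; parsing rules and heuristic are assumptions about the format."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-24 14:09 . 2008-03-24 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tmxudghg
2008-03-24 14:09 . 2008-03-24 14:09 114,688 --a------ C:\WINDOWS\system32\dyfqvibg.exe
2008-03-24 16:13 . 2008-03-24 16:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-11 11:45 . 2008-03-11 11:45 1,409 --a------ C:\WINDOWS\QTFont.for

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"gagehbjp"="C:\WINDOWS\system32\dyfqvibg.exe" [2008-03-24 14:09 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"k0qetSkS9C"= C:\Documents and Settings\All Users\Application Data\tmxudghg\hstgvazg.exe
"""

# "Files Created" line: created . modified size-or-<DIR> attributes path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:<DIR>|[\d,]+) \S+ (?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")
# "name"="target" [date time size]  or  "name"= target  (policies\explorer\run style)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<target>[^"\[]+?)"?\s*(?:\[.*\])?\s*$')
# Every dropper name/binary in the thread is exactly eight lowercase letters (assumed heuristic).
RANDOM_RE = re.compile(r"^[a-z]{8}$")


def parse_log(text):
    """Return (created, autostarts): lowercase paths created in the log window and
    [(registry key, value name, target)] for every value under a [HK...] header."""
    created, autostarts, key = set(), [], None
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created.add(m["path"].lower())
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            autostarts.append((key, m["name"], m["target"].strip()))
    return created, autostarts


def stem(path):
    """Base file name without extension: C:\\x\\dyfqvibg.exe -> dyfqvibg."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def is_suspicious(created, target, name):
    """Both signals are required: a random-looking name or binary AND a target
    (or parent folder) created in the window. Windows Defender's folder is new
    too, but its names are not random, so it is not flagged."""
    t = target.lower()
    parent = t.rsplit("\\", 1)[0] if "\\" in t else ""
    fresh = t in created or parent in created
    random_looking = bool(RANDOM_RE.match(name) or RANDOM_RE.match(stem(target)))
    return fresh and random_looking


def triage(text):
    """Autostart entries worth removing, in log order."""
    created, autostarts = parse_log(text)
    return [(k, n, t) for k, n, t in autostarts if is_suspicious(created, t, n)]


def draft_cfscript(flagged):
    """Render the CFScript sections the helper used in this thread:
    File:: lists binaries to remove, Registry:: deletes the values with =-."""
    lines = ["File::"] + sorted({t for _, _, t in flagged})
    by_key = defaultdict(list)
    for key, name, _ in flagged:
        by_key[key].append(name)
    lines.append("Registry::")
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Anything the script flags still needs a human look before it goes into a CFScript, exactly as the helper did here; the heuristic only narrows the list.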
#5 ratboy32 (Topic Starter, New Member, 3 posts)
Here is the latest.

ComboFix 08-03-25.4 - kp 2008-03-27 21:21:16.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014 [GMT -4:00]
Running from: C:\Documents and Settings\kp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kp\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\kp\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\kp\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\kp\Desktopfilemanagerclient.exe
C:\Documents and Settings\kp\Desktopfkwp1.5.exe
C:\Documents and Settings\kp\Desktopfkwp2.0.exe
C:\Documents and Settings\kp\Desktopfwebd.exe
C:\Documents and Settings\kp\DesktopFWebdEditor.exe
C:\Documents and Settings\kp\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\system32\dyfqvibg.exe
C:\WINDOWS\system32\hurgvsho.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\wtopejel.exe
C:\WINDOWS\system32\zwlcheba.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\kp\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\kp\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\kp\Desktopfilemanagerclient.exe
C:\Documents and Settings\kp\Desktopfkwp1.5.exe
C:\Documents and Settings\kp\Desktopfkwp2.0.exe
C:\Documents and Settings\kp\Desktopfwebd.exe
C:\Documents and Settings\kp\DesktopFWebdEditor.exe
C:\Documents and Settings\kp\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\kp\Desktopvirii
C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
C:\Documents and Settings\kp\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
C:\WINDOWS\system32\dyfqvibg.exe
C:\WINDOWS\system32\hurgvsho.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\wtopejel.exe
C:\WINDOWS\system32\zwlcheba.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-24 16:13 . 2008-03-24 16:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-24 14:51 . 2008-03-24 14:51 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-11 11:45 . 2008-03-16 18:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 11:45 . 2008-03-11 11:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 15:15 . 2008-03-04 15:15 <DIR> d-------- C:\Program Files\MSECache
2008-03-03 21:14 . 2008-03-03 21:15 <DIR> d-------- C:\Program Files\MFInstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 01:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-23 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-18 01:38 --------- d-----w C:\Program Files\mIRC
2008-03-11 14:42 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-03 03:51 --------- d-----w C:\Program Files\Trillian
2008-02-22 19:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Philips Intelligent Agent
2008-01-12 17:50 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-24_17.37.15.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-03-24 20:58:58 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-28 01:17:07 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-24 20:58:58 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-28 01:17:07 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Philips Intelligent Agent"="C:\Program Files\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 11:58 579760]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 13:08 143360]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2005-03-07 00:52 276480]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48 479232]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43 86016]
"DLink Control Panel Silent"="dlnetcp.cpl" [2003-09-29 04:14 471040 C:\WINDOWS\system32\dlNetCp.cpl]
"DLink System Tray"="C:\Program Files\D-Link\DGE-530T\dlnetst.exe" [2003-09-29 04:14 24576]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 09:14 1695744]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-05-30 15:22 542208]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 15:07 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2006-01-06 15:07 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-12 14:25 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\kp\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-03-23 12:01:40 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"587:TCP"= 587:TCP:outlook

R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2005-03-07 00:52]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 00:39]
S3 m4cxwxp;NDIS5.1 Miniport Driver for D-Link DGE-530T Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\m4cxwxp.sys [2003-08-27 06:23]
S3 SkLaggProtocol;Link Aggregation Protocol (LAGG) Support;C:\WINDOWS\system32\DRIVERS\sklagg.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 21:33:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-27 02:09:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-28 01:26:49 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-03-28 01:26:51 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-03-28 01:28:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 21:25:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-27 21:28:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 01:28:17
ComboFix2.txt 2008-03-27 02:08:28
ComboFix3.txt 2008-03-26 22:58:35
ComboFix4.txt 2008-03-25 22:06:34
ComboFix5.txt 2008-03-25 02:28:11
.
2008-03-23 03:09:35 --- E O F ---

#6
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Can you also post a new HijackThis log as requested?

#7
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.