Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojandownloader.xs :( [RESOLVED]

Started by memmsy , Mar 31 2008 06:14 AM

  • This topic is locked This topic is locked

#31
memmsy
Posted 07 April 2008 - 07:27 AM

memmsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Rorschach

Combofix seems to be stalling again, as before, left it for 45 minutes at the stage "deleting files" and nothing happened. Rebooted the machine. Before this is brought up the script

"Access denide
SED: can't read runs.dat: no such file or directory"

It has shown this each time I have run combofix during our conversations.

No log was produced on reboot.

Shall I try something else? The computer is running just fine right now and there is no visible evidence of the infection....?

Thanks

Emma
  • 0

Advertisements

#32
Rorschach112
Posted 07 April 2008 - 07:42 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Some remains left

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll
C:\WINDOWS\system32\slwslbpz.dll
C:\Documents and Settings\All Users\Application Data\zopajkti.dll
C:\WINDOWS\system32\mvgnbhyx.dll
C:\Documents and Settings\All Users\Application Data\opongjel.dll
C:\WINDOWS\system32\fomefhfr.dll
C:\WINDOWS\system32\xmecaqxv.dll
C:\Documents and Settings\All Users\Application Data\adgjofcr.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply
  • 0

#33
memmsy
Posted 07 April 2008 - 08:34 AM

memmsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hello,

ok, below is the avenger text and a new DSS log. By the way your description of how the avenger program would work didn't quite match up, possible they have updated it. However I just followed my nose. :)


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 07 15:23:57 2008

15:23:57: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 07 15:24:37 2008

15:24:37: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 07 15:25:48 2008

15:25:48: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll" deleted successfully.
File "C:\WINDOWS\system32\slwslbpz.dll" deleted successfully.
File "C:\Documents and Settings\All Users\Application Data\zopajkti.dll" deleted successfully.
File "C:\WINDOWS\system32\mvgnbhyx.dll" deleted successfully.
File "C:\Documents and Settings\All Users\Application Data\opongjel.dll" deleted successfully.
File "C:\WINDOWS\system32\fomefhfr.dll" deleted successfully.
File "C:\WINDOWS\system32\xmecaqxv.dll" deleted successfully.
File "C:\Documents and Settings\All Users\Application Data\adgjofcr.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Deckard's System Scanner v20071014.68
Run by cfgeca on 2008-04-07 15:30:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as cfgeca.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30, on 2008-04-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\KBE86D.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\cfgeca\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cfgeca.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://cfgmsbserver...emote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GMCF.local
O17 - HKLM\Software\..\Telephony: DomainName = GMCF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GMCF.local
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9476 bytes

-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 09:41:38 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Malwarebytes
2008-04-07 09:41:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 09:41:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-04 16:46:57 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-04 09:46:56 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-04 09:46:56 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-04 09:46:56 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-04 09:46:56 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-03 11:50:08 0 d-------- C:\WINDOWS\ERUNT
2008-04-02 14:33:24 3860 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 14:32:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-02 14:32:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-02 14:32:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-02 14:32:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-02 14:32:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-02 14:32:23 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Templates
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Start Menu
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\SendTo
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Recent
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\PrintHood
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\NetHood
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\My Documents
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Local Settings
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Favorites
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Desktop
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Cookies
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Application Data
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sun
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sonic
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Application Data\Microsoft
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Intel
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Identities
2008-04-02 14:21:54 786432 --ah----- C:\Documents and Settings\administrator.GMCF\NTUSER.DAT
2008-03-27 13:26:46 0 d-------- C:\Program Files\AvantGo Connect
2008-03-27 13:25:58 65613 --a------ C:\WINDOWS\system32\ppvexp.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:57 24652 --a------ C:\WINDOWS\system32\uicom.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 65615 --a------ C:\WINDOWS\system32\pmailext.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 57423 --a------ C:\WINDOWS\system32\MsgStRPC.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 114688 --a------ C:\WINDOWS\system32\malslib.dll <Not Verified; AvantGo, Inc.; AvantGo Connect>
2008-03-27 13:25:56 77899 --a------ C:\WINDOWS\system32\rapi.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 36942 --a------ C:\WINDOWS\system32\ppcload.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 24653 --a------ C:\WINDOWS\system32\ceutil.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 12:32:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:30:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 15:21:26 0 d-------- C:\Documents and Settings\cfgeca\.housecall6.6
2008-03-19 11:01:32 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Datalayer
2008-03-17 12:57:48 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-17 12:57:17 0 d-------- C:\Program Files\Real
2008-03-17 12:57:12 0 d-------- C:\Program Files\Common Files\Real
2008-03-17 12:57:11 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Real


-- Find3M Report ---------------------------------------------------------------

2008-04-07 15:27:04 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-03-31 12:43:29 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:21:05 0 d-------- C:\Program Files\Common Files
2008-03-27 14:21:01 0 d-------- C:\Program Files\Lavasoft
2008-03-27 13:26:48 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-25 12:30:37 0 d-------- C:\Documents and Settings\cfgeca\Application Data\AdobeUM
2008-03-06 11:56:55 0 d-------- C:\Documents and Settings\cfgeca\Application Data\PC Suite
2008-03-06 11:38:13 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Nokia
2008-03-02 13:00:15 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-02 13:00:13 0 d-------- C:\Program Files\Nokia
2008-03-02 13:00:13 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-02 12:59:48 0 d-------- C:\Program Files\DIFX
2008-03-02 12:59:30 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-02 12:58:16 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-08-23 11:09]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-23 10:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-23 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2007-08-23 11:09]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-08-23 11:09]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 05:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2005-08-06 19:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 08:10]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 15:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [2004-08-16 19:52:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-08 10:55:22]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-02-03 01:11:00]
ZyWALL VPN Client.lnk - C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe [2006-12-14 15:49:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-04-07 15:31:07 ------------
  • 0

#34
Rorschach112
Posted 07 April 2008 - 09:00 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#35
memmsy
Posted 07 April 2008 - 09:36 AM

memmsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
A Thousand Thank yous! You really are a legend.

You have helped me so much. Thank you for your patience and thank you for being there. I will recommend the site to everyone.

You have succeeded where our IT team didn't even think to go.

Best wishes

Emma
  • 0

#36
Rorschach112
Posted 07 April 2008 - 09:47 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP