Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virtumonde Infection [RESOLVED]

Started by preller , Apr 11 2008 01:56 AM

  • This topic is locked This topic is locked

#1
preller
Posted 11 April 2008 - 01:56 AM

preller

    Member

  • Member
  • PipPip
  • 15 posts
Hi there,

The virtumonde infection was originally detected (and supposedly removed) by SpybotSD. Subsequent scans showed no sign of infection but I kept getting Spybot warnings of Rundll32.exe trying to change a registry entry - which I have denied. This warning is persistent and pops up every few seconds.
I then did a web search and subsequently downloaded and ran VundoFix as per the instructions. The app detected and repaired? the problem.
Same Spybot warnings so I re-ran Vundofix. No problems detected!
To cut along story short, I have subsequently run HijackThis and VirtumondoBeGone to no avail. I have also done a registry edit to try and detect the entries that have been described ( WindowsUpd or SysUpd) and cannot find these entries anywhere.
I'm enclosing the logs from all 3 of the supposed solutions and hope that someone is able to make some sense out of what seems to be a self-perpetuating problem. :)

Attached Files


  • 0

Advertisements

#2
Rorschach112
Posted 11 April 2008 - 08:16 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please don't attach the reports


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
preller
Posted 11 April 2008 - 08:25 AM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks Rorschach112,

I appreciate you getting back to me. This com is not from the infected machine which I have disconnected from the net, so it may take a while for me to download, copy reload onto other machine etc. Please bear with me.

Thanks in anticipation!!!!
  • 0

#4
Rorschach112
Posted 11 April 2008 - 08:29 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No problem, take your time
  • 0

#5
preller
Posted 11 April 2008 - 09:06 AM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi again,

Herewith the logs requested.

________________________________________________________________________________
_____________________________________

ComboFix 08-04-10.9 - Computer 2008-04-11 16:44:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.655 [GMT 2:00]
Running from: C:\Documents and Settings\Computer\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bIjkQqru.ini
C:\WINDOWS\system32\bIjkQqru.ini2
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Hhhiknnn.ini
C:\WINDOWS\system32\Hhhiknnn.ini2
C:\WINDOWS\system32\hjmVEfhk.ini
C:\WINDOWS\system32\hjmVEfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OppXEfhk.ini
C:\WINDOWS\system32\OppXEfhk.ini2
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\PYxxIRqr.ini
C:\WINDOWS\system32\PYxxIRqr.ini2
C:\WINDOWS\system32\vwFPsBeg.ini
C:\WINDOWS\system32\vwFPsBeg.ini2
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550O
-------\Legacy_{FBE1D620-5418-4AAE-A0F0-316D590663A1}
-------\Service_{FBE1D620-5418-4aae-A0F0-316D590663A1}
-------\Service_asc3550o
-------\Legacy_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 16:49 . 2006-02-15 02:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-04-11 12:10 . 2008-04-11 12:10 86,080 --a------ C:\WINDOWS\system32\htwtxxnw.dll_old
2008-04-11 12:10 . 2008-04-11 14:24 294 --ahs---- C:\WINDOWS\system32\wnxxtwth.ini
2008-04-11 12:07 . 2008-04-11 12:07 3,648 --a------ C:\WINDOWS\system32\ooktllug.dll
2008-04-10 16:34 . 2008-04-10 16:34 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 16:34 . 2008-04-10 16:34 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 16:34 . 2008-04-10 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 12:04 . 2008-04-10 12:04 294 --ahs---- C:\WINDOWS\system32\qjfjponr.ini
2008-04-10 12:01 . 2008-04-10 12:01 270,848 --a------ C:\WINDOWS\system32\urqQkjIb.dll_old
2008-04-10 11:55 . 2006-11-27 16:54 539,136 -----c--- C:\WINDOWS\system32\dllcache\msftedit.dll
2008-04-10 11:40 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-10 11:33 . 2006-06-14 11:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-10 11:33 . 2006-06-14 10:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-10 11:04 . 2008-04-10 11:04 <DIR> d---s---- C:\Documents and Settings\Computer\UserData
2008-04-10 09:02 . 2008-04-10 09:02 294 --ahs---- C:\WINDOWS\system32\gborbmuj.ini
2008-04-10 08:56 . 2008-04-10 08:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-10 08:42 . 2008-04-10 08:42 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-09 18:52 . 2008-04-09 18:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 16:57 . 2008-04-10 09:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 16:57 . 2008-04-10 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 14:27 . 2005-07-20 18:08 327,808 --a------ C:\WINDOWS\system32\drivers\akshasp.sys
2008-04-09 13:36 . 2008-04-09 13:44 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-04-09 11:46 . 2008-04-09 14:09 706 --ahs---- C:\WINDOWS\system32\caiisdfo.ini
2008-04-09 11:37 . 2008-04-09 16:16 <DIR> d-------- C:\VundoFix Backups
2008-04-08 17:58 . 2008-04-09 11:19 474 --ahs---- C:\WINDOWS\system32\iywvgatj.ini
2008-04-07 17:07 . 2008-04-08 17:52 354 --ahs---- C:\WINDOWS\system32\nmxgfnhy.ini
2008-04-06 17:04 . 2008-04-06 17:05 474 --ahs---- C:\WINDOWS\system32\ghnlrxog.ini
2008-04-05 13:19 . 2008-04-06 17:01 414 --ahs---- C:\WINDOWS\system32\tsjcsjnv.ini
2008-04-04 15:15 . 2008-04-04 15:15 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Microsoft Web Folders
2008-04-04 13:57 . 2008-04-04 13:57 <DIR> d-------- C:\Documents and Settings\Trish\Application Data\ATI
2008-04-04 13:56 . 2008-04-04 13:56 <DIR> d-------- C:\Documents and Settings\Trish\Application Data\Bitdefender
2008-04-03 14:41 . 2008-04-03 14:42 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2008-04-03 14:25 . 2006-04-28 01:51 29,968 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-03 14:10 . 2008-04-03 14:10 <DIR> d-------- C:\Program Files\MSBuild
2008-04-03 14:07 . 2008-04-03 14:07 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-03 13:59 . 2008-04-09 16:06 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-03 13:58 . 2008-04-03 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-03 13:56 . 2008-04-03 13:56 <DIR> dr-h----- C:\MSOCache
2008-04-03 13:53 . 2008-04-03 20:18 414 --ahs---- C:\WINDOWS\system32\irvjpuyx.ini
2008-04-03 13:36 . 2008-04-11 14:28 1,021 --a------ C:\WINDOWS\wininit.ini
2008-04-03 11:28 . 2008-04-03 11:28 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-04-03 11:14 . 2008-04-03 11:14 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\CyberScrub
2008-04-03 11:10 . 2008-04-03 11:10 <DIR> d-------- C:\Program Files\Genie-Soft
2008-04-03 11:10 . 2008-04-03 11:10 <DIR> d-------- C:\Program Files\Common Files\Genie-Soft Shared
2008-04-02 17:55 . 2008-04-02 17:55 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\ATI
2008-04-02 17:54 . 2008-04-02 17:54 <DIR> d-------- C:\Documents and Settings\Computer\Application Data\Bitdefender
2008-04-02 16:57 . 2008-04-09 17:01 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-02 16:57 . 2008-04-09 17:07 4,638 --a------ C:\WINDOWS\unins000.dat
2008-04-02 16:20 . 2004-08-04 00:56 380,416 --a------ C:\WINDOWS\system32\irprops.cpl
2008-04-02 16:20 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-02 16:20 . 2007-07-30 19:19 216,408 --a--c--- C:\WINDOWS\system32\dllcache\wuaucpl.cpl
2008-04-02 16:19 . 2005-07-26 01:46 7,680 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe
2008-04-02 16:18 . 2008-04-02 16:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 16:12 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002509_.tmp
2008-04-02 15:53 . 2008-04-02 16:37 414 --ahs---- C:\WINDOWS\system32\tcdfbupe.ini
2008-04-02 15:52 . 2004-08-04 00:56 192,000 --a------ C:\WINDOWS\system32\iuengine.dll
2008-04-02 15:34 . 2001-12-26 22:52 27,136 -ra------ C:\WINDOWS\system32\drivers\SISAGP.SYS
2008-04-02 15:34 . 2001-12-26 22:52 27,136 --a--c--- C:\WINDOWS\system32\dllcache\sisagp.sys
2008-04-02 15:18 . 2004-08-03 22:32 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-04-02 15:17 . 2001-08-17 22:36 205,824 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_seo.dll
2008-04-02 15:16 . 2004-08-03 22:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-04-02 15:15 . 2001-08-18 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-02 15:15 . 2001-08-18 14:00 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll
2008-04-02 15:13 . 2001-08-18 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-02 15:12 . 2004-08-03 23:04 78,848 --a--c--- C:\WINDOWS\system32\dllcache\dayi.ime
2008-04-02 15:12 . 2001-08-18 14:00 57,856 --a--c--- C:\WINDOWS\system32\dllcache\esuimgd.dll
2008-04-02 15:12 . 2004-08-03 22:31 57,399 --a--c--- C:\WINDOWS\system32\dllcache\cplexe.exe
2008-04-02 15:12 . 2001-08-18 14:00 45,056 --a--c--- C:\WINDOWS\system32\dllcache\esunid.dll
2008-04-02 15:12 . 2001-08-18 14:00 31,744 --a--c--- C:\WINDOWS\system32\dllcache\esucmd.dll
2008-04-02 15:12 . 2001-08-18 14:00 25,856 --a--c--- C:\WINDOWS\system32\dllcache\et4000.sys
2008-04-02 15:12 . 2001-08-18 14:00 18,944 --a--c--- C:\WINDOWS\system32\dllcache\cprofile.exe
2008-04-02 15:10 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-04-02 15:10 . 2001-08-17 22:36 175,104 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpadm.dll
2008-04-02 15:05 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-02 14:55 . 2008-04-02 14:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-02 14:55 . 2008-04-02 14:55 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-02 14:48 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-04-02 14:43 . 2004-08-03 22:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-02 14:39 . 2001-08-18 14:00 1,085,913 -ra------ C:\WINDOWS\SET94.tmp
2008-04-02 14:39 . 2001-08-18 14:00 13,608 -ra------ C:\WINDOWS\SETA0.tmp
2008-04-02 13:01 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-04-02 12:58 . 2001-08-18 14:00 1,085,913 -ra------ C:\WINDOWS\SET92.tmp
2008-04-02 12:58 . 2001-08-18 14:00 13,608 -ra------ C:\WINDOWS\SET9E.tmp
2008-04-02 12:00 . 2004-08-04 00:56 741,376 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2008-04-02 12:00 . 2004-08-04 00:56 155,648 --a--c--- C:\WINDOWS\system32\dllcache\sapi.cpl
2008-04-02 11:59 . 2004-08-04 00:56 146,432 --a------ C:\WINDOWS\system\winspool.drv
2008-04-02 11:59 . 2004-08-04 00:56 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2008-04-02 11:59 . 2001-08-18 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-02 11:59 . 2001-08-18 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-02 11:59 . 2001-08-18 14:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-02 11:59 . 2001-08-18 14:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-02 11:59 . 2004-08-03 23:00 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2008-04-02 11:58 . 2001-08-18 14:00 1,085,913 -ra------ C:\WINDOWS\SET93.tmp
2008-04-02 11:58 . 2001-08-18 14:00 797,189 --a--c--- C:\WINDOWS\system32\dllcache\NT5IIS.CAT
2008-04-02 11:58 . 2001-08-18 14:00 399,645 --a--c--- C:\WINDOWS\system32\dllcache\MAPIMIG.CAT
2008-04-02 11:58 . 2001-08-18 14:00 37,484 --a--c--- C:\WINDOWS\system32\dllcache\MW770.CAT
2008-04-02 11:58 . 2001-08-18 14:00 13,608 -ra------ C:\WINDOWS\SET9F.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 13:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-03 09:53 --------- d-----w C:\Program Files\CyberScrub Professional
2008-04-02 09:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 08:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 09:14 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-03-08 09:14 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-03-08 09:08 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-08 09:08 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-03-08 08:34 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-01 12:50 --------- d-----w C:\Program Files\SiSLan
2008-02-18 14:52 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006
2008-02-16 10:42 --------- d-----w C:\Program Files\QuickTime
2008-02-16 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-13 16:35 --------- d-----w C:\Program Files\ScanSoft
2008-02-13 16:35 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-02-13 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-02-13 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F50C8E0-D3A0-40C0-9F5A-679782F0C22E}]
C:\WINDOWS\system32\urqQkjIb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7B07B4-C2C2-4976-B8C5-74C18BEAF098}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0BBF3BE-B722-4AD4-AD6A-96CB9A353B83}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf72f809-99d6-4dc3-8e22-7c13bf4d1bd1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5B5AE7A-C924-480C-B654-2CDBDC3766D7}]
C:\WINDOWS\system32\rqRIxxYP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC1D56DF-EB97-4A64-8D95-8DEEFB153E9F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC62E4A6-8475-4EBF-B40B-626CE4034800}]
C:\WINDOWS\system32\khfEVmjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAF3A6BE-5552-47D0-973E-754D9EC88C79}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-12 20:21 171448]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-07-14 01:14 2643312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-05 12:35 335872]
"Cmaudio"="cmicnfg.cpl" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM7f3a99d1"="C:\WINDOWS\system32\dqsthepx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-04-25 21:26 423184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-07-14 00:03 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim72.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"=
"%windir%\\system32\\sessmgr.exe"=

S0 Eim72;Eim72;C:\WINDOWS\system32\Drivers\Eim72.sys []
S1 mqzprwe;mqzprwe;C:\WINDOWS\mqzprwe.log []
S2 Windows IPSEC Monitor;Windows IPSEC Monitor;"C:\WINDOWS\system32\test12.exe" [2008-03-31 16:11]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 15:19]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 09:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-11 14:52:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-10 14:34:49 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-10 14:34:43 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-10 14:36:21 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 16:50:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mqzprwe]
"ImagePath"="\??\C:\WINDOWS\mqzprwe.log"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-11 16:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 14:55:29
Pre-Run: 16,850,350,080 bytes free
Post-Run: 16,771,788,800 bytes free
.
2008-04-10 16:16:17 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:09 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F50C8E0-D3A0-40C0-9F5A-679782F0C22E} - C:\WINDOWS\system32\urqQkjIb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E5B5AE7A-C924-480C-B654-2CDBDC3766D7} - C:\WINDOWS\system32\rqRIxxYP.dll (file missing)
O2 - BHO: (no name) - {EC62E4A6-8475-4EBF-B40B-626CE4034800} - C:\WINDOWS\system32\khfEVmjh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM7f3a99d1] Rundll32.exe "C:\WINDOWS\system32\dqsthepx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196583868056
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Windows IPSEC Monitor - Unknown owner - C:\WINDOWS\system32\test12.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6718 bytes


Thanks again for your patience.
  • 0

#6
Rorschach112
Posted 11 April 2008 - 10:00 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\htwtxxnw.dll_old
C:\WINDOWS\system32\wnxxtwth.ini
C:\WINDOWS\system32\ooktllug.dll
C:\WINDOWS\system32\qjfjponr.ini
C:\WINDOWS\system32\urqQkjIb.dll_old
C:\WINDOWS\system32\gborbmuj.ini
C:\WINDOWS\system32\caiisdfo.ini
C:\WINDOWS\system32\iywvgatj.ini
C:\WINDOWS\system32\nmxgfnhy.ini
C:\WINDOWS\system32\ghnlrxog.ini
C:\WINDOWS\system32\tsjcsjnv.ini
C:\WINDOWS\system32\irvjpuyx.ini
C:\WINDOWS\SET94.tmp
C:\WINDOWS\SETA0.tmp
C:\WINDOWS\SET92.tmp
C:\WINDOWS\SET9E.tmp
C:\WINDOWS\SET93.tmp
C:\WINDOWS\SET9F.tmp
C:\WINDOWS\system32\test12.exe

Driver::
Eim72
Windows IPSEC Monitor
mqzprwe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Reboot and post a new HijackThis log
  • 0

#7
preller
Posted 11 April 2008 - 10:21 AM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Do I paste the contents of the Report.txt back on the forum and then proceed with the next step? Or do I wait for a reply?
  • 0

#8
preller
Posted 11 April 2008 - 10:38 AM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here's the content of Report.txt.

[b]Report.txt[/b]
SDFix: Version 1.169
Run by Computer on Fri 04/11/2008 at 06:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
mqzprwe

Path:
\??\C:\WINDOWS\mqzprwe.log

mqzprwe - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use Gmer or Dr.Web CureIt

Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 18:26:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe"="C:\\Program Files\\Kyodai Mahjongg 2006\\kmj.exe:*:Enabled:Kyodai Mahjongg"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 6 Dec 2007 2,391,944 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0088dfc4cdea48f5256f646abf338968\BIT10.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1950380ad27a186ad7b25c1e483494eb\BIT15.tmp"
Thu 15 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\BITF.tmp"
Thu 15 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3becf78026ee8bb0c18f61c3d3645cb6\BIT4.tmp"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BITA1.tmp"
Sun 2 Dec 2007 2,391,944 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BIT9.tmp"
Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp"
Thu 15 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\67c8fc01100a7555e3d40c5e21ad4a52\BIT13.tmp"
Sun 2 Dec 2007 2,585,864 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a2c8f709dd0237a7e496be18e0ba404e\BIT4.tmp"
Thu 15 Nov 2007 151,105 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b54528191e99a817679c5ba3ee641572\BIT4.tmp"
Sun 2 Dec 2007 5,652,328 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\be9cf81654629f0178f1fbd377160e05\BIT7.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c68473efbad5749d3d8bf01a4318e5bd\BIT5.tmp"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BITA0.tmp"
Thu 15 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT11.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe118da81936b46e3d5dc2e2674ee3a5\BIT37.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\download\BIT7.tmp"
Tue 11 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\286d3f4fe26a9c6ab877183f2e37aa91\download\BIT5.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33cb1e7dae8a29b002e7473fd58a1557\download\BIT8.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\458b0ddf827cd2ca02539e5a3b1a3d3c\download\BIT19.tmp"
Wed 21 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\download\BIT6.tmp"
Wed 2 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a6f6242cdf0ec852d894cf5c1d66e870\download\BIT19.tmp"
Tue 11 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e2306f0216dfc9822a8553f09db95f71\download\BIT7.tmp"
Tue 18 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ec3e2e6b3f1b25baadb3a70dfe94cd10\download\BIT10.tmp"

Finished!
  • 0

#9
Rorschach112
Posted 11 April 2008 - 10:58 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok go on with the ComboFix step

Also do this after it


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

  • 0

#10
preller
Posted 11 April 2008 - 11:08 AM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I don't know if this is related but whenever I log into my admin account, I get a rundll error as follows:

Error loading C:\WINDOWS\system32\ dqsthepx.dll
The specified module could not be found.
  • 0

Advertisements

#11
Rorschach112
Posted 11 April 2008 - 12:12 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Nothing to worry about

Continue on with the steps
  • 0

#12
preller
Posted 11 April 2008 - 12:59 PM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Herewith Latest HijackThis log




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49, on 2008-04-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F50C8E0-D3A0-40C0-9F5A-679782F0C22E} - C:\WINDOWS\system32\urqQkjIb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E5B5AE7A-C924-480C-B654-2CDBDC3766D7} - C:\WINDOWS\system32\rqRIxxYP.dll (file missing)
O2 - BHO: (no name) - {EC62E4A6-8475-4EBF-B40B-626CE4034800} - C:\WINDOWS\system32\khfEVmjh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM7f3a99d1] Rundll32.exe "C:\WINDOWS\system32\dqsthepx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196583868056
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6411 bytes
  • 0

#13
Rorschach112
Posted 11 April 2008 - 03:58 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the ComboFix log and the Dr. Web Cureit report
  • 0

#14
preller
Posted 12 April 2008 - 01:27 AM

preller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry for the long delay, work to get finished and sleep needed.

Herewith docs as requested..........

DrWeb


Process in memory: C:\WINDOWS\system32\services.exe:676;;BackDoor.MaosBoot;Eradicated.;
Master Boot Record HDD1;;BackDoor.MaosBoot;Cured.;
psexesvc.exe;c:\windows;Program.PsExec.170;Incurable.Deleted.;
;;BackDoor.MaosBoot;Eradicated.;
fccbARKE.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod.based;Incurable.Moved.;
Av-test.txt;C:\DOCUME~1\Computer\LOCALS~1\Temp;EICAR Test File (NOT a Virus!);Incurable.Moved.;
psexesvc.exe;c:\windows;Program.PsExec.170;;


ComboFix


KillAll::

File::
C:\WINDOWS\system32\htwtxxnw.dll_old
C:\WINDOWS\system32\wnxxtwth.ini
C:\WINDOWS\system32\ooktllug.dll
C:\WINDOWS\system32\qjfjponr.ini
C:\WINDOWS\system32\urqQkjIb.dll_old
C:\WINDOWS\system32\gborbmuj.ini
C:\WINDOWS\system32\caiisdfo.ini
C:\WINDOWS\system32\iywvgatj.ini
C:\WINDOWS\system32\nmxgfnhy.ini
C:\WINDOWS\system32\ghnlrxog.ini
C:\WINDOWS\system32\tsjcsjnv.ini
C:\WINDOWS\system32\irvjpuyx.ini
C:\WINDOWS\SET94.tmp
C:\WINDOWS\SETA0.tmp
C:\WINDOWS\SET92.tmp
C:\WINDOWS\SET9E.tmp
C:\WINDOWS\SET93.tmp
C:\WINDOWS\SET9F.tmp
C:\WINDOWS\system32\test12.exe

Driver::
Eim72
Windows IPSEC Monitor
mqzprwe
  • 0

#15
Rorschach112
Posted 12 April 2008 - 06:28 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
That is CFScript

I need you to post the ComboFix log, it is far bigger

Should be in C:\ComboFix
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP