This topic is lockedI've noticed the only way I can get things to run on this computer is right clicking and choosing Run As. Now I run it as the same person logged on but that seems to be the only way i can get things to run.
Any suggestions?
Trojan-Spy.Win32@mx
Started by
derek01f
, May 28 2008 07:08 AM
#16
Posted 28 May 2008 - 11:45 AM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
I've noticed the only way I can get things to run on this computer is right clicking and choosing Run As. Now I run it as the same person logged on but that seems to be the only way i can get things to run.
Any suggestions?
#17
Posted 28 May 2008 - 12:03 PM
kahdah
-
- Retired Staff
-
- 15,822 posts
GeekU Teacher
Right click on it and rename it to Combo-Fix.
Then let me know how it goes.
Then let me know how it goes.
#18
Posted 28 May 2008 - 12:03 PM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
its working...what the [bleep] causes that.... the virus must know the name of that program right?Right click on it and rename it to Combo-Fix.
Then let me know how it goes.
Edited by derek01f, 28 May 2008 - 12:06 PM.
#19
Posted 28 May 2008 - 03:18 PM
kahdah
-
- Retired Staff
-
- 15,822 posts
GeekU Teacher
Correct it blocks against any (most) processes used to kill it.
#20
Posted 28 May 2008 - 03:37 PM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
i'm not at work right now so i can't look at that computer... but before i left i tried running that combofix. it worked for putting window restore on, but after that it keeps freezing. the one time it got the whole way to where it said its rebooting windows and froze.
I looked but no logs were produced yet. So I ran it a few times but it keeps freezing.
Any suggestions?
I looked but no logs were produced yet. So I ran it a few times but it keeps freezing.
Any suggestions?
#21
Posted 28 May 2008 - 03:49 PM
kahdah
-
- Retired Staff
-
- 15,822 posts
GeekU Teacher
Try disabling your Noton protection.
If that doesn't work try to delete combofix and download it again renaming it of course.
Then try again.
Let me know if that works or not.
If that doesn't work try to delete combofix and download it again renaming it of course.
Then try again.
Let me know if that works or not.
Edited by kahdah, 28 May 2008 - 03:49 PM.
#22
Posted 29 May 2008 - 08:41 AM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
think that worked. its rebooting now. hopefully there'll be a log there nowTry disabling your Noton protection.
If that doesn't work try to delete combofix and download it again renaming it of course.
Then try again.
Let me know if that works or not.
#23
Posted 29 May 2008 - 08:44 AM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
combofix log:
ComboFix 08-05-28.4 - sbalsinger 2008-05-29 10:40:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.698 [GMT -4:00]
Running from: C:\Documents and Settings\sbalsinger\Desktop\Combo-Fix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\clbdriver.sys
.
---- Previous Run -------
.
C:\Documents and Settings\administrator.CAMBRIA\cftmon.exe
C:\Documents and Settings\Administrator\cftmon.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\sbalsinger\Application Data\install.dat
C:\Documents and Settings\sbalsinger\cftmon.exe
C:\Program Files\WinAntivirusPro3.8
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\WINDOWS\system32\__c00166B2.exe
C:\WINDOWS\system32\__c0030350.exe
C:\WINDOWS\system32\__c00362A.exe
C:\WINDOWS\system32\__c0074305.exe
C:\WINDOWS\system32\__c008DD0C.exe
C:\WINDOWS\system32\__c00A8054.dat
C:\WINDOWS\system32\__c00AC88E.dat
C:\WINDOWS\system32\__c00D9790.exe
C:\WINDOWS\system32\__c00DA46F.exe
C:\WINDOWS\system32\__c00EF9A0.exe
C:\WINDOWS\system32\__c00F3E24.exe
C:\WINDOWS\system32\__c00F71C6.exe
C:\WINDOWS\system32\baseatc32.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\spools.exe
C:\windows\xpupdate.exe
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-28 14:44 . 2008-05-28 14:44 61,440 --a------ C:\WINDOWS\system32\rexesvr.exe
2008-05-28 11:18 . 2004-03-04 23:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-28 11:18 . 2004-03-04 23:46 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-28 10:27 . 2008-05-28 10:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 09:55 . 2008-05-28 10:34 <DIR> d-------- C:\SDFix
2008-05-28 09:51 . 2008-05-28 09:51 1,681,135 --a------ C:\SDFix.exe
2008-05-28 09:41 . 2008-05-28 09:41 <DIR> d-------- C:\_OTMoveIt
2008-05-27 15:14 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 15:14 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 15:14 . 2008-04-13 23:31 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 15:14 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 15:14 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 15:14 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 15:14 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 15:07 . 2008-05-28 13:33 5,120 --a------ C:\Documents and Settings\Administrator\ftp34.dll
2008-05-27 15:03 . 2008-05-28 13:25 5,120 --a------ C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll
2008-05-27 11:01 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-27 08:40 . 2008-05-28 14:34 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-22 09:40 . 2008-05-28 15:21 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-22 09:40 . 2008-05-28 15:21 5,120 --a------ C:\Documents and Settings\sbalsinger\ftp34.dll
2008-04-30 09:50 . 2008-04-30 09:50 101,153 --a------ C:\WINDOWS\system32\usb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 14:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-28 15:18 --------- d-----w C:\Program Files\Symantec
2008-05-28 15:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 13:03 --------- d-----w C:\Documents and Settings\sbalsinger\Application Data\AdobeUM
2008-04-29 14:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-28 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-15 14:27 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-15 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 13:04 --------- d-----w C:\Program Files\Yahoo!
2008-04-15 13:04 --------- d-----w C:\Program Files\CCleaner
2008-04-14 13:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-14 13:41 --------- d-----w C:\Program Files\TightVNC
2006-05-17 17:04 1,568 ----a-w C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A8054]
C:\WINDOWS\system32\__c00A8054.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 20:22]
S3 rexesvr;BeyondLogic RmtExec Server;C:\WINDOWS\System32\rexesvr.exe [2008-05-28 14:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 10:43:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-05-29 10:44:48 - machine was rebooted [sbalsinger]
ComboFix-quarantined-files.txt 2008-05-29 14:44:45
Pre-Run: 71,462,572,032 bytes free
Post-Run: 71,449,161,728 bytes free
130
ComboFix 08-05-28.4 - sbalsinger 2008-05-29 10:40:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.698 [GMT -4:00]
Running from: C:\Documents and Settings\sbalsinger\Desktop\Combo-Fix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\clbdriver.sys
.
---- Previous Run -------
.
C:\Documents and Settings\administrator.CAMBRIA\cftmon.exe
C:\Documents and Settings\Administrator\cftmon.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\sbalsinger\Application Data\install.dat
C:\Documents and Settings\sbalsinger\cftmon.exe
C:\Program Files\WinAntivirusPro3.8
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\WINDOWS\system32\__c00166B2.exe
C:\WINDOWS\system32\__c0030350.exe
C:\WINDOWS\system32\__c00362A.exe
C:\WINDOWS\system32\__c0074305.exe
C:\WINDOWS\system32\__c008DD0C.exe
C:\WINDOWS\system32\__c00A8054.dat
C:\WINDOWS\system32\__c00AC88E.dat
C:\WINDOWS\system32\__c00D9790.exe
C:\WINDOWS\system32\__c00DA46F.exe
C:\WINDOWS\system32\__c00EF9A0.exe
C:\WINDOWS\system32\__c00F3E24.exe
C:\WINDOWS\system32\__c00F71C6.exe
C:\WINDOWS\system32\baseatc32.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\spools.exe
C:\windows\xpupdate.exe
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-28 14:44 . 2008-05-28 14:44 61,440 --a------ C:\WINDOWS\system32\rexesvr.exe
2008-05-28 11:18 . 2004-03-04 23:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-28 11:18 . 2004-03-04 23:46 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-28 10:27 . 2008-05-28 10:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 09:55 . 2008-05-28 10:34 <DIR> d-------- C:\SDFix
2008-05-28 09:51 . 2008-05-28 09:51 1,681,135 --a------ C:\SDFix.exe
2008-05-28 09:41 . 2008-05-28 09:41 <DIR> d-------- C:\_OTMoveIt
2008-05-27 15:14 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 15:14 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 15:14 . 2008-04-13 23:31 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 15:14 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 15:14 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 15:14 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 15:14 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 15:07 . 2008-05-28 13:33 5,120 --a------ C:\Documents and Settings\Administrator\ftp34.dll
2008-05-27 15:03 . 2008-05-28 13:25 5,120 --a------ C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll
2008-05-27 11:01 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-27 08:40 . 2008-05-28 14:34 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-22 09:40 . 2008-05-28 15:21 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-22 09:40 . 2008-05-28 15:21 5,120 --a------ C:\Documents and Settings\sbalsinger\ftp34.dll
2008-04-30 09:50 . 2008-04-30 09:50 101,153 --a------ C:\WINDOWS\system32\usb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 14:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-28 15:18 --------- d-----w C:\Program Files\Symantec
2008-05-28 15:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 13:03 --------- d-----w C:\Documents and Settings\sbalsinger\Application Data\AdobeUM
2008-04-29 14:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-28 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-15 14:27 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-15 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 13:04 --------- d-----w C:\Program Files\Yahoo!
2008-04-15 13:04 --------- d-----w C:\Program Files\CCleaner
2008-04-14 13:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-14 13:41 --------- d-----w C:\Program Files\TightVNC
2006-05-17 17:04 1,568 ----a-w C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A8054]
C:\WINDOWS\system32\__c00A8054.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 20:22]
S3 rexesvr;BeyondLogic RmtExec Server;C:\WINDOWS\System32\rexesvr.exe [2008-05-28 14:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 10:43:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-05-29 10:44:48 - machine was rebooted [sbalsinger]
ComboFix-quarantined-files.txt 2008-05-29 14:44:45
Pre-Run: 71,462,572,032 bytes free
Post-Run: 71,449,161,728 bytes free
130
#24
Posted 29 May 2008 - 08:44 AM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.6.135:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.jnet.state.pa.us; https://www.jnet.sta...e.pa.us;<local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://172.17.6.3/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\Software\..\Telephony: DomainName = cambria.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O20 - Winlogon Notify: __c00A8054 - C:\WINDOWS\system32\__c00A8054.dat (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINDOWS\System32\rexesvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 4590 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.6.135:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.jnet.state.pa.us; https://www.jnet.sta...e.pa.us;<local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://172.17.6.3/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\Software\..\Telephony: DomainName = cambria.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O20 - Winlogon Notify: __c00A8054 - C:\WINDOWS\system32\__c00A8054.dat (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINDOWS\System32\rexesvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 4590 bytes
#25
Posted 29 May 2008 - 11:45 AM
kahdah
-
- Retired Staff
-
- 15,822 posts
GeekU Teacher
1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Click Start , then Run
- type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File:: C:\Documents and Settings\Administrator\ftp34.dll C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll C:\Documents and Settings\LocalService\ftp34.dll C:\Documents and Settings\sbalsinger\ftp34.dll C:\WINDOWS\system32\1112.dat Dirlook:: C:\WINDOWS\system32\usb Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00A8054]
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
#26
Posted 29 May 2008 - 01:18 PM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
combfix log:
ComboFix 08-05-28.4 - sbalsinger 2008-05-29 15:16:45.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.704 [GMT -4:00]
Running from: C:\Documents and Settings\sbalsinger\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\sbalsinger\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll
C:\Documents and Settings\Administrator\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\sbalsinger\ftp34.dll
C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll
C:\Documents and Settings\Administrator\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\sbalsinger\ftp34.dll
C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-28 14:44 . 2008-05-28 14:44 61,440 --a------ C:\WINDOWS\system32\rexesvr.exe
2008-05-28 11:18 . 2004-03-04 23:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-28 11:18 . 2004-03-04 23:46 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-28 10:27 . 2008-05-28 10:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 09:55 . 2008-05-28 10:34 <DIR> d-------- C:\SDFix
2008-05-28 09:51 . 2008-05-28 09:51 1,681,135 --a------ C:\SDFix.exe
2008-05-28 09:41 . 2008-05-28 09:41 <DIR> d-------- C:\_OTMoveIt
2008-05-27 15:14 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 15:14 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 15:14 . 2008-04-13 23:31 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 15:14 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 15:14 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 15:14 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 15:14 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 11:01 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-22 09:40 . 2008-05-28 15:21 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-04-30 09:50 . 2008-04-30 09:50 101,153 --a------ C:\WINDOWS\system32\usb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 14:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-28 15:18 --------- d-----w C:\Program Files\Symantec
2008-05-28 15:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 13:03 --------- d-----w C:\Documents and Settings\sbalsinger\Application Data\AdobeUM
2008-04-29 14:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-28 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-15 14:27 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-15 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 13:04 --------- d-----w C:\Program Files\Yahoo!
2008-04-15 13:04 --------- d-----w C:\Program Files\CCleaner
2008-04-14 13:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-14 13:41 --------- d-----w C:\Program Files\TightVNC
2006-05-17 17:04 1,568 ----a-w C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\system32\usb ----
C:\WINDOWS\system32\usb\
((((((((((((((((((((((((((((( snapshot@2008-05-29_10.44.30.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-29 14:33:14 2,692 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{780C4D78-A18B-4F1D-953A-2E1CD77BA93B}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 20:22]
S3 rexesvr;BeyondLogic RmtExec Server;C:\WINDOWS\System32\rexesvr.exe [2008-05-28 14:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 15:17:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-29 15:18:20
ComboFix-quarantined-files.txt 2008-05-29 19:18:18
ComboFix2.txt 2008-05-29 14:44:49
Pre-Run: 71,450,865,664 bytes free
Post-Run: 71,439,155,200 bytes free
101
ComboFix 08-05-28.4 - sbalsinger 2008-05-29 15:16:45.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.704 [GMT -4:00]
Running from: C:\Documents and Settings\sbalsinger\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\sbalsinger\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll
C:\Documents and Settings\Administrator\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\sbalsinger\ftp34.dll
C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\administrator.CAMBRIA\ftp34.dll
C:\Documents and Settings\Administrator\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\sbalsinger\ftp34.dll
C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-28 14:44 . 2008-05-28 14:44 61,440 --a------ C:\WINDOWS\system32\rexesvr.exe
2008-05-28 11:18 . 2004-03-04 23:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-28 11:18 . 2004-03-04 23:46 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-28 10:27 . 2008-05-28 10:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 09:55 . 2008-05-28 10:34 <DIR> d-------- C:\SDFix
2008-05-28 09:51 . 2008-05-28 09:51 1,681,135 --a------ C:\SDFix.exe
2008-05-28 09:41 . 2008-05-28 09:41 <DIR> d-------- C:\_OTMoveIt
2008-05-27 15:14 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 15:14 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 15:14 . 2008-04-13 23:31 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 15:14 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 15:14 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 15:14 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 15:14 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 11:01 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-22 09:40 . 2008-05-28 15:21 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-04-30 09:50 . 2008-04-30 09:50 101,153 --a------ C:\WINDOWS\system32\usb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 14:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-28 15:18 --------- d-----w C:\Program Files\Symantec
2008-05-28 15:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 13:03 --------- d-----w C:\Documents and Settings\sbalsinger\Application Data\AdobeUM
2008-04-29 14:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-28 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-15 14:27 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-15 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 13:04 --------- d-----w C:\Program Files\Yahoo!
2008-04-15 13:04 --------- d-----w C:\Program Files\CCleaner
2008-04-14 13:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-14 13:41 --------- d-----w C:\Program Files\TightVNC
2006-05-17 17:04 1,568 ----a-w C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\system32\usb ----
C:\WINDOWS\system32\usb\
((((((((((((((((((((((((((((( snapshot@2008-05-29_10.44.30.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-29 14:33:14 2,692 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{780C4D78-A18B-4F1D-953A-2E1CD77BA93B}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys [2005-05-09 20:22]
S3 rexesvr;BeyondLogic RmtExec Server;C:\WINDOWS\System32\rexesvr.exe [2008-05-28 14:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 15:17:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-29 15:18:20
ComboFix-quarantined-files.txt 2008-05-29 19:18:18
ComboFix2.txt 2008-05-29 14:44:49
Pre-Run: 71,450,865,664 bytes free
Post-Run: 71,439,155,200 bytes free
101
#27
Posted 29 May 2008 - 01:19 PM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:20, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.6.135:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.jnet.state.pa.us; https://www.jnet.sta...e.pa.us;<local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://172.17.6.3/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\Software\..\Telephony: DomainName = cambria.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINDOWS\System32\rexesvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 4470 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:20, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.6.135:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.jnet.state.pa.us; https://www.jnet.sta...e.pa.us;<local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://172.17.6.3/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\Software\..\Telephony: DomainName = cambria.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINDOWS\System32\rexesvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 4470 bytes
#28
Posted 29 May 2008 - 01:27 PM
kahdah
-
- Retired Staff
-
- 15,822 posts
GeekU Teacher
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
#29
Posted 30 May 2008 - 07:04 AM
derek01f
- Topic Starter
-
- Member
-
- 51 posts
Member
malwarebytes log:
Malwarebytes' Anti-Malware 1.14
Database version: 800
09:05:22 2008-05-30
mbam-log-5-30-2008 (09-05-22).txt
Scan type: Quick Scan
Objects scanned: 45790
Time elapsed: 4 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{28f85800-2969-4966-8894-eda174875e71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SpamBlockerUtility 4.8.4 (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\sbalsinger\Start Menu\Programs\WinAntivirusPro.lnk (Rogue.SpyRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\sbalsinger\Desktop\WinAntivirusPro.lnk (Rogue.Link) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.14
Database version: 800
09:05:22 2008-05-30
mbam-log-5-30-2008 (09-05-22).txt
Scan type: Quick Scan
Objects scanned: 45790
Time elapsed: 4 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{28f85800-2969-4966-8894-eda174875e71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SpamBlockerUtility 4.8.4 (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\sbalsinger\Start Menu\Programs\WinAntivirusPro.lnk (Rogue.SpyRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\sbalsinger\Desktop\WinAntivirusPro.lnk (Rogue.Link) -> Quarantined and deleted successfully.
#30
Posted 30 May 2008 - 07:14 AM
kahdah
-
- Retired Staff
-
- 15,822 posts
GeekU Teacher
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
========================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
========================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases - Click OK
- Now under select a target to scan:Select My Computer
- This will program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as button:
- Save the file in txt format to your desktop.
- Post that information in your next post.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
