Trojan-Downloader.Win32.Agent [CLOSED]


  • This topic is locked

#16
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Can you just run ComboFix ?

#17
Potatomoto
    Member
  • Topic Starter
  • 10 posts
Hello again Rorschach!!
Sorry again for the delay, but I just ran ComboFix and have my new HijackThis log.

To be quite honest, running ComboFix got me a little scared. I suppose it showing the blue screen and having things done for me gets me a little worried.

Anyway, here is my new HijackThis log and my ComboFix log.

ComboFix log:
ComboFix 08-08-18.04 - jlaxaman 2008-08-18 22:35:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.565 [GMT -7:00]
Running from: C:\Documents and Settings\jlaxaman\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\archie\UserData
C:\Documents and Settings\archie\UserData\0N8N0BK3\oWindowsUpdate[1].xml
C:\Documents and Settings\archie\UserData\4LKLUTMJ\oWindowsUpdate[1].xml
C:\Documents and Settings\archie\UserData\index.dat
C:\Documents and Settings\Default User\UserData
C:\Documents and Settings\Default User\UserData\0N8N0BK3\oWindowsUpdate[1].xml
C:\Documents and Settings\Default User\UserData\4LKLUTMJ\oWindowsUpdate[1].xml
C:\Documents and Settings\Default User\UserData\index.dat
C:\Documents and Settings\jlaxaman\Application Data\macromedia\Flash Player\#SharedObjects\SLWA7LM5\interclick.com
C:\Documents and Settings\jlaxaman\Application Data\macromedia\Flash Player\#SharedObjects\SLWA7LM5\interclick.com\ud.sol
C:\Documents and Settings\jlaxaman\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\jlaxaman\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\jlaxaman\Cookies\[email protected][1].txt
C:\Documents and Settings\jlaxaman\Cookies\[email protected][2].txt
C:\Documents and Settings\jlaxaman\Cookies\[email protected][1].txt
C:\Documents and Settings\jlaxaman\Cookies\[email protected][2].txt
C:\Documents and Settings\jlaxaman\Cookies\[email protected][3].txt
C:\Documents and Settings\jlaxaman\Cookies\[email protected][2].txt
C:\Documents and Settings\jlaxaman\Cookies\[email protected][1].txt
C:\Documents and Settings\jlaxaman\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\jlaxaman\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\jlaxaman\UserData
C:\Documents and Settings\jlaxaman\UserData\0N8N0BK3\oWindowsUpdate[1].xml
C:\Documents and Settings\jlaxaman\UserData\23W90V0F\YL[1].xml
C:\Documents and Settings\jlaxaman\UserData\4LKLUTMJ\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\jlaxaman\UserData\4LKLUTMJ\oWindowsUpdate[1].xml
C:\Documents and Settings\jlaxaman\UserData\index.dat
C:\Documents and Settings\jlaxaman\UserData\YFE50PU7\sn[1].xml
C:\Documents and Settings\neptune\UserData
C:\Documents and Settings\neptune\UserData\0N8N0BK3\oWindowsUpdate[1].xml
C:\Documents and Settings\neptune\UserData\index.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AIhOnnnn.ini
C:\WINDOWS\system32\arstteka.ini
C:\WINDOWS\system32\bahqibrb.ini
C:\WINDOWS\system32\bbxmfwro.ini
C:\WINDOWS\system32\bdbysnhi.ini
C:\WINDOWS\system32\cclvtvtj.ini
C:\WINDOWS\system32\efuygrad.ini
C:\WINDOWS\system32\hgQsttwa.ini
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\iniogtpi.ini
C:\WINDOWS\system32\kiusndco.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\movbluef.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nmealyep.ini
C:\WINDOWS\system32\nWELlUtv.ini
C:\WINDOWS\system32\ofoidxyj.ini
C:\WINDOWS\system32\PVxwFfhk.ini
C:\WINDOWS\system32\PVxwFfhk.ini2
C:\WINDOWS\system32\skqpqpkc.ini
C:\WINDOWS\system32\sokljucw.ini
C:\WINDOWS\system32\ssfhinkx.ini
C:\WINDOWS\system32\svhihiqf.ini
C:\WINDOWS\system32\tlinwuvo.ini
C:\WINDOWS\system32\tnnsliyc.ini
C:\WINDOWS\system32\tqaivddm.ini
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\uxucjtwi.ini
C:\WINDOWS\system32\vbefgyct.ini
C:\WINDOWS\system32\vhoeudpy.ini
C:\WINDOWS\system32\vqllxcxj.ini
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wxtybegv.ini
C:\WINDOWS\system32\xcnoufup.ini
C:\WINDOWS\system32\xgrwicqb.ini
C:\WINDOWS\system32\ynvfwjef.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-17 13:50 . 2008-08-17 13:50 <DIR> d-------- C:\_OTMoveIt
2008-08-17 12:49 . 2008-08-17 12:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 12:37 . 2008-08-17 12:37 <DIR> d-------- C:\Deckard
2008-08-17 11:55 . 2008-08-17 11:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 11:55 . 2008-08-17 11:55 <DIR> d-------- C:\Documents and Settings\jlaxaman\Application Data\Malwarebytes
2008-08-17 11:55 . 2008-08-17 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 11:55 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 04:35 . 2008-08-18 22:40 109,150 --a------ C:\WINDOWS\system32\drivers\527d489f.sys
2008-08-10 21:53 . 2008-08-10 21:53 172 --a------ C:\WINDOWS\el.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 05:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-18 07:21 --------- d-----w C:\Program Files\LogMeIn
2008-08-12 22:40 90,112 ----a-w C:\WINDOWS\DUMP6ef6.tmp
2008-08-11 14:23 90,112 ----a-w C:\WINDOWS\DUMP6cf2.tmp
2008-08-11 14:05 90,112 ----a-w C:\WINDOWS\DUMP69b6.tmp
2008-08-11 14:01 90,112 ----a-w C:\WINDOWS\DUMP70cb.tmp
2008-07-31 05:51 --------- d-----w C:\Program Files\Warcraft III
2008-07-17 03:27 --------- d-----w C:\Program Files\World of Warcraft
2008-07-07 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-21 07:37 11,861 ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-06-21 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 07:37 --------- d-----w C:\Program Files\D-Link AirPlus Xtreme G
2008-06-21 07:26 --------- d-----w C:\Program Files\WebEx
2008-06-21 07:10 --------- d-----w C:\Program Files\AT&T Global Network Client
2008-06-10 17:43 155,995 -c--a-w C:\WINDOWS\java\Packages\B5FZZXJN.ZIP
2008-04-25 00:15 400,957 -c--a-w C:\Documents and Settings\jlaxaman\g79.exe
2007-01-05 15:57 28,672 -c--a-w C:\Documents and Settings\jlaxaman\atwbxdet.dll
2005-08-02 23:46 187,904 --sha-r C:\WINDOWS\YWRtaW4\asappsrv.dll
2005-07-29 23:24 472 -csha-r C:\WINDOWS\YWRtaW4\sqlQuqb.vbs
.

------- Sigcheck -------

2004-08-04 03:00 17408 c24297f187ab2a79fffdea02355fb5f0 C:\WINDOWS\system32\svchost.exe

2004-08-04 03:00 506368 85cd692165958637f93aa6982521146f C:\WINDOWS\system32\winlogon.exe

2007-06-13 03:23 1035776 51d7d5a606154d6d116850ceff4d87d9 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 03:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

2004-08-04 03:00 110592 18cabceb8ffc0ffe5c4141c95041df4a C:\WINDOWS\system32\services.exe

2004-08-04 03:00 14848 c9e726ac4e548c3d51af564906944916 C:\WINDOWS\system32\lsass.exe

2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 16:53 58880 ff9b18835a62c8309fd0eeb4691e71e6 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wij"="C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe" [?]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 10:13 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 14:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 14:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 14:45 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 12:58 1032192]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 18:00 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 09:50 120640]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 15:31 63048]
"{01-19-91-1E-ZN}"="C:\windows\system32\nndsregk.exe" [2007-05-17 21:52 49179]
"{ZN}"="C:\windows\system32\nndsregk.exe" [2007-05-17 21:52 49179]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 14:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-08-17 07:37:10 1528880]
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe [2008-06-21 00:37:03 512082]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-09 20:13:38 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=flyidfuj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{20FBC8B1-6DDC-464A-A7F5-3CBC32E259EE} - C:\WINDOWS\system32\comui.dll
BHO-{3170C42F-5C0A-4AFA-8D42-C1AB0A0AFD58} - C:\WINDOWS\system32\khfFwxVP.dll
BHO-{7665D216-D7AB-420C-A09E-4220EA0D0570} - C:\WINDOWS\system32\nnnnOhIA.dll
BHO-{76781874-9D53-4542-A5FC-BDA49E7418DC} - C:\WINDOWS\system32\awttsQgh.dll
BHO-{9DF9874E-C0ED-478F-B278-854E4BCC19A9} - C:\WINDOWS\system32\vtUlLEWn.dll
BHO-{B464F6A1-DC41-4F7F-9298-22E256D4FBF6} - C:\WINDOWS\system32\pmkhh.dll
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-98b019b1 - C:\WINDOWS\system32\bqciwrgx.dll
HKLM-Run-BM9b832a2d - C:\WINDOWS\system32\aejnwgao.dll
HKLM-Run-{9e879e42-bc8e-890b-0b3c-960fa76c8c2b} - C:\WINDOWS\system32\zrvtjoypnqbw.dll
HKLM-Run-C:\WINDOWS\system32\kdddz.exe - C:\WINDOWS\system32\kdddz.exe
SSODL-ovFGmn-{98B0191F-321A-B3B5-2FD0-D96E95EE0F61} - C:\WINDOWS\system32\kfdh.dll
Notify-pmkhh - C:\WINDOWS\system32\pmkhh.dll
Notify-efcBqolj - efcBqolj.dll
Notify-khfETmnn - khfETmnn.dll
Notify-urqNETmn - urqNETmn.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\jlaxaman\Application Data\Mozilla\Firefox\Profiles\vlflv9qu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.rudolphtech.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 22:39:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdddz.exe"="C:\\WINDOWS\\system32\\kdddz.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\527d489f]
"ImagePath"="\SystemRoot\System32\drivers\527d489f.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Apoint\ApntEx.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-08-18 22:42:09 - machine was rebooted [jlaxaman]
ComboFix-quarantined-files.txt 2008-08-19 05:42:06

Pre-Run: 32,207,687,680 bytes free
Post-Run: 32,212,299,776 bytes free

241 --- E O F --- 2008-06-13 08:55:24

New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:45, on 2008-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rudolphtech.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [{01-19-91-1E-ZN}] C:\windows\system32\nndsregk.exe CHD003
O4 - HKCU\..\Run: [Wij] "C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTEC.NET
O17 - HKLM\Software\..\Telephony: DomainName = RTEC.NET
O20 - AppInit_DLLs: flyidfuj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - http://www.browning....s/2004jul_s.jpg
O24 - Desktop Component 1: (no name) - http://www.browning....s/2004jul_l.jpg
O24 - Desktop Component 2: (no name) - http://www.browning....s/2004jul_m.jpg

--
End of file - 7757 bytes

#18
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\527d489f.sys
C:\WINDOWS\el.ini
C:\WINDOWS\java\Packages\B5FZZXJN.ZIP
C:\Documents and Settings\jlaxaman\g79.exe
C:\Documents and Settings\jlaxaman\atwbxdet.dll
C:\WINDOWS\system32\kdddz.exe

Folder::
C:\WINDOWS\YWRtaW4

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdddz.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\527d489f]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#19
Potatomoto
    Member
  • Topic Starter
  • 10 posts
Hello again Rorschach, I have my new log right here for you.

ComboFix 08-08-18.05 - jlaxaman 2008-08-19 19:27:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT -7:00]
Running from: C:\Documents and Settings\jlaxaman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jlaxaman\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\jlaxaman\atwbxdet.dll
C:\Documents and Settings\jlaxaman\g79.exe
C:\WINDOWS\el.ini
C:\WINDOWS\java\Packages\B5FZZXJN.ZIP
C:\WINDOWS\system32\drivers\527d489f.sys
C:\WINDOWS\system32\kdddz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jlaxaman\atwbxdet.dll
C:\Documents and Settings\jlaxaman\g79.exe
C:\Documents and Settings\jlaxaman\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\el.ini
C:\WINDOWS\java\Packages\B5FZZXJN.ZIP
C:\WINDOWS\system32\drivers\527d489f.sys
C:\WINDOWS\YWRtaW4
C:\WINDOWS\YWRtaW4\asappsrv.dll
C:\WINDOWS\YWRtaW4\sqlQuqb.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_527d489f


((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-17 13:50 . 2008-08-17 13:50 <DIR> d-------- C:\_OTMoveIt
2008-08-17 12:49 . 2008-08-17 12:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 12:37 . 2008-08-17 12:37 <DIR> d-------- C:\Deckard
2008-08-17 11:55 . 2008-08-17 11:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 11:55 . 2008-08-17 11:55 <DIR> d-------- C:\Documents and Settings\jlaxaman\Application Data\Malwarebytes
2008-08-17 11:55 . 2008-08-17 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 11:55 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 07:07 --------- d-----w C:\Program Files\LogMeIn
2008-08-19 05:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-12 22:40 90,112 ----a-w C:\WINDOWS\DUMP6ef6.tmp
2008-08-11 14:23 90,112 ----a-w C:\WINDOWS\DUMP6cf2.tmp
2008-08-11 14:05 90,112 ----a-w C:\WINDOWS\DUMP69b6.tmp
2008-08-11 14:01 90,112 ----a-w C:\WINDOWS\DUMP70cb.tmp
2008-07-31 05:51 --------- d-----w C:\Program Files\Warcraft III
2008-07-17 03:27 --------- d-----w C:\Program Files\World of Warcraft
2008-07-07 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-21 07:37 11,861 ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-06-21 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 07:37 --------- d-----w C:\Program Files\D-Link AirPlus Xtreme G
2008-06-21 07:26 --------- d-----w C:\Program Files\WebEx
2008-06-21 07:10 --------- d-----w C:\Program Files\AT&T Global Network Client
.

------- Sigcheck -------

2004-08-04 03:00 17408 c24297f187ab2a79fffdea02355fb5f0 C:\WINDOWS\system32\svchost.exe

2004-08-04 03:00 506368 85cd692165958637f93aa6982521146f C:\WINDOWS\system32\winlogon.exe

2007-06-13 03:23 1035776 51d7d5a606154d6d116850ceff4d87d9 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 03:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

2004-08-04 03:00 110592 18cabceb8ffc0ffe5c4141c95041df4a C:\WINDOWS\system32\services.exe

2004-08-04 03:00 14848 c9e726ac4e548c3d51af564906944916 C:\WINDOWS\system32\lsass.exe

2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 16:53 58880 ff9b18835a62c8309fd0eeb4691e71e6 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( [email protected]_22.41.49.79 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wij"="C:\Documents and Settings\jlaxaman\My Documents\??sembly\w?crtupd.exe" [?]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 10:13 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 14:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 14:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 14:45 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 12:58 1032192]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 18:00 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 09:50 120640]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 15:31 63048]
"{01-19-91-1E-ZN}"="C:\windows\system32\nndsregk.exe" [2007-05-17 21:52 49179]
"{ZN}"="C:\windows\system32\nndsregk.exe" [2007-05-17 21:52 49179]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 14:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-08-17 07:37:10 1528880]
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe [2008-06-21 00:37:03 512082]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-09 20:13:38 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 19:30:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-08-19 19:32:30 - machine was rebooted [jlaxaman]
ComboFix-quarantined-files.txt 2008-08-20 02:32:27
ComboFix2.txt 2008-08-19 05:42:10

Pre-Run: 32,123,908,096 bytes free
Post-Run: 32,106,196,992 bytes free

155 --- E O F --- 2008-06-13 08:55:24
  • 0
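
The registry section of the ComboFix log above records a few settings worth a second look: a Security Center notification switched off (AntiVirusDisableNotify), Security Center monitoring of the Symantec product disabled, a Winlogon notification DLL, and an application on the firewall's authorized list. The script below is an added example, not part of this thread and not ComboFix's own code; it parses those log lines (reproduced inline as constructed sample input) and prints a review note for each. The review rules are this example's assumptions about what an analyst should verify, not malware signatures: in particular, AV vendors often set DisableMonitoring under their own Monitoring subkey themselves, so that entry calls for confirming the product is installed and current rather than for alarm.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the registry section of the ComboFix log quoted in
# the thread, reproduced here so the parser can be run offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')  # "name"= data
PATH_RE = re.compile(r'[A-Za-z]:\\.*$')                   # file path in a listing line


@dataclass
class RegKey:
    path: str
    values: dict = field(default_factory=dict)   # value name -> parsed data
    entries: list = field(default_factory=list)  # non-value lines (file listings)


def parse_data(raw: str):
    """Turn ComboFix's value notations into Python values."""
    raw = raw.strip()
    if raw == "":
        return None                               # value present but empty
    m = re.match(r'^dword:([0-9a-fA-F]{8})$', raw)  # dword:00000001
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)  # 1 (0x1)
    if m:
        return int(m.group(1))
    return raw


def parse_combofix_registry(text: str) -> list:
    """Parse the [key] / "value"= blocks of a ComboFix log into RegKey objects."""
    keys, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current = RegKey(km.group(1))
            keys.append(current)
            continue
        if current is None:
            continue                              # text before the first key
        vm = VALUE_RE.match(line)
        if vm:
            current.values[vm.group("name")] = parse_data(vm.group("data"))
        else:
            current.entries.append(line)          # e.g. a DLL listed under a Notify key
    return keys


def review(keys: list) -> list:
    """Return (key path, item, note) tuples for settings an analyst should verify.

    The rules are assumptions of this example, not malware signatures."""
    findings = []
    for k in keys:
        low = k.path.lower()
        if low.endswith("\\security center"):
            for name, data in k.values.items():
                if name.lower().endswith("disablenotify") and data == 1:
                    findings.append((k.path, name,
                                     "Security Center alert suppressed; confirm it was set deliberately"))
        elif "\\security center\\monitoring\\" in low:
            if k.values.get("DisableMonitoring") == 1:
                product = k.path.rsplit("\\", 1)[-1]
                findings.append((k.path, "DisableMonitoring",
                                 f"Security Center does not monitor {product}; vendors often set this "
                                 "themselves, so confirm the product is installed and up to date"))
        elif "\\winlogon\\notify\\" in low:
            for e in k.entries:
                m = PATH_RE.search(e)
                findings.append((k.path, m.group(0) if m else e,
                                 "Winlogon notification DLL runs at every logon; verify its publisher"))
        elif low.endswith("\\authorizedapplications\\list"):
            for name in k.values:
                findings.append((k.path, name,
                                 "Allowed through the Windows Firewall; confirm it is expected"))
    return findings


if __name__ == "__main__":
    for path, item, note in review(parse_combofix_registry(SAMPLE_LOG)):
        print(f"{path}\n    {item}: {note}")
```

Run against a real log, the parser only needs the registry section; everything else in the log (file listings, process lists) is skipped because it sits before the first `[key]` line or fails to match a value line.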

#20
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#21
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
