Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan (Backdoor, ZXW, ZYE, ZUY, ZXK, etc. [RESOLVED]

Started by CindyKay , Aug 18 2008 05:02 PM

This topic is locked

#16
CindyKay

Posted 24 August 2008 - 08:06 PM

Member

Topic Starter
Member
12 posts

ComboFix 08-08-21.02 - Owner 2008-08-24 21:10:45.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\_000002_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000046_.tmp.dll
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\system32\_000001_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000045_.tmp.dll
C:\WINDOWS\system32\comsa32.sys
.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-17 20:18 . 2008-08-17 20:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HorizonWimba
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 17:47 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 17:45 . 2008-08-17 17:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-17 17:23 . 2008-08-17 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 14:28 . 2008-08-17 14:38 <DIR> d-------- C:\Program Files\Security Task Manager
2008-08-17 14:28 . 2008-08-17 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-16 18:22 . 2008-08-14 13:46 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-08-16 17:21 . 2008-08-19 16:47 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-08-16 17:09 . 2008-08-16 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-08-12 20:02 . 2008-08-12 20:02 <DIR> d-------- C:\Program Files\Ofoto
2008-08-12 20:02 . 2002-10-14 09:56 3,007,488 --------- C:\WINDOWS\system32\OfotoNow.scr
2008-08-12 20:02 . 2002-08-28 10:20 18,102 --------- C:\WINDOWS\system32\OfotoNow.res
2008-07-29 22:07 . 2008-07-29 22:07 <DIR> d-------- C:\Program Files\PassAlong
2008-07-29 22:07 . 2007-10-11 17:41 111,944 --a------ C:\WINDOWS\system32\TPActiveX.dll
2008-07-29 14:28 . 2008-07-29 14:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-28 19:18 . 2008-07-28 19:18 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-07-27 14:50 . 2008-08-24 14:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:50 . 2008-07-27 14:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 14:50 . 2008-07-27 14:50 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 14:50 . 2008-07-27 14:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 14:49 . 2008-07-27 14:49 <DIR> d-------- C:\Program Files\AVG
2008-07-26 23:36 . 2008-07-26 23:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-13 00:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 03:03 --------- d-----w C:\Program Files\Java
2008-07-27 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 02:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-16 03:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-16 02:58 --------- d-----w C:\Program Files\Windows Live Favorites
2008-07-16 02:49 --------- d-----w C:\Program Files\Windows Live
2008-07-16 02:47 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-16 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-16 02:05 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-07-16 02:04 --------- d-----w C:\Program Files\Philips
2008-07-16 02:04 --------- d-----w C:\Program Files\DIFX
2008-07-16 02:03 --------- d-----w C:\Program Files\Common Files\SPC520NC
2008-07-12 04:17 --------- d-----w C:\Program Files\iTunes
2008-07-12 04:17 --------- d-----w C:\Program Files\iPod
2008-07-12 04:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 04:14 --------- d-----w C:\Program Files\QuickTime
2008-07-12 04:12 --------- d-----w C:\Program Files\Apple Software Update
2008-07-12 04:11 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-11 01:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2006-01-13 20:52 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-25 20:50 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 20:30 73728]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 23:10 114688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 20:13 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 20:16 1121792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 14:49 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPro520.lnk - C:\WINDOWS\VPro520.exe [2008-07-15 22:03:04 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-08-14 13:46]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 14:50]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 14:49]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 14:49]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 14:50]
S3 SPC520;Philips SPC520NC PC Camera;C:\WINDOWS\system32\drivers\SPC520.sys [2007-03-27 21:27]
S3 SPC520m;Philips SPC520NC PC Cameram;C:\WINDOWS\system32\drivers\SPC520m.sys [2007-03-27 21:27]
.
Contents of the 'Scheduled Tasks' folder

2008-08-25 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2008-08-25 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 21:29:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP\TMP0000002740A043DF73F6C748

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-24 21:36:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 01:36:37
ComboFix2.txt 2008-08-24 20:52:39
ComboFix3.txt 2008-08-23 22:08:46
ComboFix4.txt 2008-08-23 00:10:29

Pre-Run: 1,729,499,136 bytes free
Post-Run: 1,710,047,232 bytes free

162 --- E O F --- 2008-08-24 12:41:38

So far my computer seems to be fine. There are no more strange noises coming from it and I've closed it and reopened it and get no pop-ups.
Is is now safe to remove the files that I've downloaded for this ...like ComboFix, Malware Bytes, Hijack This, TaskManager just to free up memory since sometimes when I download a site, I'm told that I don't have enough disk space memory?
Also, should I keep the logs saved or does it matter?

Thanks, Cindy

#17
CindyKay

Posted 25 August 2008 - 05:33 PM

Member

Topic Starter
Member
12 posts

#18
CindyKay

Posted 25 August 2008 - 05:35 PM

Member

Topic Starter
Member
12 posts

Problems...when I got home today, after having the computer on for about 2 hours, a screen popped up warning of a Trojan Horse Clicker.PMD virus located on C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A:620-64F2CA1BFB5F}\RP872\A0236601.sys
Most of the virus notices I received before we started this "healing" process were in the "System Volume Information" wherever that is.

#19
emeraldnzl

Posted 25 August 2008 - 05:43 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Hello CindyKay,

My apologies for the delay in getting back to you.

Those warnings are in System Restore which we will fix now. Nevertheless let me know how you get on after the clean up below.

It's been a long haul, your machine was quite infected, you did very well to stay the course, well done!

Congratulations; yes I think your machine is clean now.

I'm told that I don't have enough disk space memory?

Yep your C drive appears to be very close, if not past, the limits. My understanding is that the optimum is at least 15% free and according to the OTScanIt report you have 2.63% space Free.

A couple of thoughts that might be useful. Java does not remove it's old programs when you upgrade. You have the latest version of Java Runtime Environment (jre1.6.0_07) and that is good because older versions are vunerable to attack. However you may still have the older versions taking up space on you computer.

Go to Start > Settings > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java. Go here for a video on how to do it Video Add/Remove Programs
Check (highlight) any item except JRE 1.6.0_07 with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all older Java components are removed.

As it happens I am short on hard disk memory in my C drive. As a substitute for Adobe Acrobat Reader I use a program called Foxit. This uses a tiny amount of memory compared to Acrobat Reader.

For a good reader that uses very little memory download Foxit Reader from here.

Those are my thoughts but I am sure the guys in the Tech section have others. If you have time you might like to check them out.

Now we have a last step to perform (this will clear the System Restore as well) and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program which works well with XP:

ATF Cleaner

--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellant; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this as an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

SUPERAntiSpyware Free for Home Users to detect and remove spyware.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If your Microsoft Update is not working automatically. Keep your operating system up to date by visiting
Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

#20
CindyKay

Posted 25 August 2008 - 08:21 PM

Member

Topic Starter
Member
12 posts

Hi,
I thought I had everything done, old Javas killed, Adobe reader switched, combofix deleted, etc.
Then I switched users and go over to my daughters side to check on her "temp" folders and when I open a "cookies" folder it has around 189 files so I attempt to delete all of them. When I'm doing that, several of the files I try to delete I get a popup from AVG resident shield that is warning me of things like "overture" and mediaplex" and a couple of others. I told the AVG to "heal". I quit with the deletion till I could figure out what to do.
Should I not have assumed that what we did under the user w/ my name to heal would heal the computer under all of the user names? Or maybe this is no big deal and AVG can really truly "heal" it when I tell it to.
Any advice?
Thanks...again!
Cindy

#21
emeraldnzl

Posted 25 August 2008 - 09:54 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Hello again CindyKay,

Generally cookies are not a problem, in fact you will not be able to access many websites if you disallow them. Having said that I don't feel comfortable leaving them on my computer forever and a day. I have my Web Browser (FireFox in my case) set to delete them on closure.

The link below will take you to a site that explains what cookies are:

http://en.wikipedia....iki/HTTP_cookie

The site below tells you how to manage cookies in Internet Explorer:

http://support.microsoft.com/kb/283185

Another thing you could do from time to time is run AFT Cleaner. You will see it in my last post. It's free to download and if you run it now and again it will clear up some space for you and delete old cookies on your system. Just remember to check the select all box at the bottom when you run it.

Cheers
emeraldnzl

#22
CindyKay

Posted 26 August 2008 - 05:19 AM

Member

Topic Starter
Member
12 posts

Thank you so much for your help. I've taken all of your advice and applied it. You have a great day.

#23
Rorschach112

Posted 26 August 2008 - 02:54 PM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.