[Resolved] Need to get rid of Virtumonde and Win32.TDSS.rtk.


139 replies to this topic

#61 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 15 March 2009 - 06:57 PM

newbe17,

Are the choices of how to start Windows just choices between Windows and the Recovery Console?

We didn't get it all last time. We need to run another script.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\jfxfwse.dll
    
    NetSvc::
    dbthee
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
    
    Driver::
    dbthee
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 



#62 Neo (Silver Member, Guests, 374 posts)

Posted 16 March 2009 - 12:02 AM

Tomk,

The options given to me by DOS to start my Windows after reboot are as follows:

1) safe mode
2) safe mode with networking
3) safe mode with command prompt
4) last known good configuration
5) start windows normally (which is what I choose)

Here's the ComboFix log :)


ComboFix 09-03-14.02 - Compaq_Owner 2009-03-16 0:33:47.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.66 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090314-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\jfxfwse.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jfxfwse.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DBTHEE
-------\Service_dbthee
-------\Service_tyyvugn


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-15 16:10 . 2009-03-15 16:10 <DIR> d-------- C:\KAV
2009-03-15 09:41 . 2009-03-15 09:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-03-14 23:54 . 2009-03-14 23:54 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 22:32 . 2009-03-14 22:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 16:12 . 2009-03-14 16:12 <DIR> d--h----- c:\windows\PIF
2009-03-13 23:50 . 2009-03-14 11:56 <DIR> d-------- C:\Lop SD
2009-03-13 18:21 . 2009-03-15 21:01 <DIR> d-------- c:\program files\Full Tilt Poker.Net
2009-03-13 00:59 . 2009-03-13 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 00:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 00:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 22:34 . 2009-03-12 22:34 <DIR> d-------- c:\windows\Sun
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 03:32 --------- d-----w c:\program files\Java
2009-03-14 16:56 8,704 --sha-w c:\program files\Thumbs.db
2009-03-13 23:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_13.07.20.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-03-25 06:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 06:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 07:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 03:32:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-16 05:38:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_468.dat
+ 2009-03-16 05:38:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S2 tyyvugn;Support Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - TYYVUGN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tyyvugn
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 00:38:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tyyvugn]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(376)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-16 0:44:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 05:44:16
ComboFix2.txt 2009-03-15 22:15:51
ComboFix3.txt 2009-03-15 20:34:25
ComboFix4.txt 2009-03-15 18:25:19
ComboFix5.txt 2009-03-16 05:32:00

Pre-Run: 66,424,545,280 bytes free
Post-Run: 66,407,710,720 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=,1,2,4,5
142 --- E O F --- 2008-06-13 23:12:36



Newbe17

Best Wishes,
Neo


#63 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 16 March 2009 - 08:12 AM

newbe17,

That's a different startup problem than what I was thinking of. I'll have to think on it a little.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\DRIVERS\szkg.sys
    
    Rootkit::
    c:\windows\system32\jfxfwse.dll
    
    NetSvc::
    tyyvugn
    
    Driver::
    szkg5
    tyyvugn
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#64 Neo (Silver Member, Guests, 374 posts)

Posted 16 March 2009 - 11:11 AM

Tomk, just before I do the next scan: something strange happened just after the last one. My computer slowed down to a crawl shortly after I rebooted from the last scan and got back onto the internet. My avast antivirus sent me a box explaining that it had found a live virus working in my PC and that it was dangerous to have Windows running. Then I got another box from avast asking if I wanted to do a boot time scan, so I scheduled one and it found 2 infected files, which are listed below:

1) _jfxfwse.dll.zip
2) jfxfwse.dll

What should I do with these files? They are currently in my avast virus chest.

Newbe17


#65 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 16 March 2009 - 11:56 AM

newbe17, If you look at the CFscript I have you running, you will recognize that file. I'm trying to kill it but so far it has regenerated. If it doesn't stay dead after this run, we will have to run a different tool to see if the "trigger" is still hidden. Please run the CFscript.

#66 Neo (Silver Member, Guests, 374 posts)

Posted 16 March 2009 - 01:08 PM

Tomk,
I have a concern to express. When ComboFix reboots me after a scan, my avast on-access scanner starts up, even though I disabled it before using CF. CF tells me not to run ANY programs while it's running, setting up a log. Should I totally disable my avast? Or is this not something to worry about?

Here's the last scan log:


ComboFix 09-03-15.01 - Compaq_Owner 2009-03-16 13:41:03.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.53 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090314-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\DRIVERS\szkg.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jfxfwse.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TYYVUGN
-------\Service_szkg5
-------\Service_tyyvugn


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-15 16:10 . 2009-03-15 16:10 <DIR> d-------- C:\KAV
2009-03-15 09:41 . 2009-03-15 09:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-03-14 23:54 . 2009-03-16 01:32 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 22:32 . 2009-03-14 22:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 16:12 . 2009-03-14 16:12 <DIR> d--h----- c:\windows\PIF
2009-03-13 23:50 . 2009-03-14 11:56 <DIR> d-------- C:\Lop SD
2009-03-13 18:21 . 2009-03-16 13:10 <DIR> d-------- c:\program files\Full Tilt Poker.Net
2009-03-13 00:59 . 2009-03-13 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 00:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 00:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 22:34 . 2009-03-12 22:34 <DIR> d-------- c:\windows\Sun
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 11:04 8,704 --sha-w c:\program files\Thumbs.db
2009-03-15 03:32 --------- d-----w c:\program files\Java
2009-03-13 23:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_13.07.20.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-03-25 06:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 06:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 07:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 03:32:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-16 18:45:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_108.dat
+ 2009-03-16 18:45:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_464.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S2 ddcxz;Security Driver;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DDCXZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ddcxz
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 13:45:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddcxz]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(368)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-16 13:51:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 18:51:24
ComboFix2.txt 2009-03-16 05:44:33
ComboFix3.txt 2009-03-15 22:15:51
ComboFix4.txt 2009-03-15 20:34:25
ComboFix5.txt 2009-03-16 18:39:59

Pre-Run: 66,385,330,176 bytes free
Post-Run: 66,367,582,208 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=,1,2,4,5
142 --- E O F --- 2008-06-13 23:12:36




Newbe17 p.s. ty :)
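Both ComboFix logs posted so far show the same pattern: the payload DLL is deleted, then comes back under a fresh service name (tyyvugn in the first run, ddcxz in this one, both with ServiceDll pointing at jfxfwse.dll, and each flagged *NewlyCreated* in the run that deleted its predecessor). Here is an added example, not from this thread, from ComboFix or from its authors, that parses the service-related lines of the two logs (excerpted above as constructed sample input) and makes that pattern explicit: which svchost-hosted services ComboFix marked as newly created, which names it deleted and then saw re-created within the same run, and which files returned under a different service name between runs. The regexes describe the log layout as it appears in this thread and are an assumption about ComboFix's format, not a specification of it.

```python
import re

# Sample input: the service-related lines excerpted from the two ComboFix logs posted
# in this thread (run 1 at 00:33, run 2 at 13:41). Constructed excerpts, not full logs.
RUN1 = r"""
-------\Legacy_DBTHEE
-------\Service_dbthee
-------\Service_tyyvugn
S2 tyyvugn;Support Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]
*NewlyCreated* - TYYVUGN
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tyyvugn]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
"""

RUN2 = r"""
-------\Legacy_TYYVUGN
-------\Service_szkg5
-------\Service_tyyvugn
S2 ddcxz;Security Driver;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
*NewlyCreated* - DDCXZ
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddcxz]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
"""

# Line shapes as they appear in the logs above (an assumption about ComboFix's layout).
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")
NEW_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)")
DEL_RE = re.compile(r"^-------\\Service_(\S+)")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"(?:ServiceDll|ImagePath)"="(.*)"$', re.I)


def parse_combofix(text):
    """Pull services, the file each loads, and ComboFix's deleted / newly-created markers."""
    run = {"services": {}, "loads": {}, "newly_created": set(), "deleted": set()}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if m := SVC_RE.match(line):
            start, name, display, image = m.groups()
            run["services"][name.lower()] = {"start": start, "display": display, "image": image}
        elif m := NEW_RE.match(line):
            run["newly_created"].add(m.group(1).lower())
        elif m := DEL_RE.match(line):
            run["deleted"].add(m.group(1).lower())
        elif m := KEY_RE.match(line):
            current_key = m.group(1).lower()  # the next "ServiceDll"/"ImagePath" belongs to this key
        elif (m := VAL_RE.match(line)) and current_key:
            run["loads"][current_key] = m.group(1).lower()
    return run


def suspicious_netsvcs(run):
    """Services marked *NewlyCreated* that run inside svchost.exe -k netsvcs."""
    return sorted(
        name for name, svc in run["services"].items()
        if "svchost.exe -k netsvcs" in svc["image"].lower() and name in run["newly_created"]
    )


def respawned_during_run(run):
    """Service names ComboFix deleted and then found re-created before it finished."""
    return sorted(run["deleted"] & run["newly_created"])


def regenerated_payloads(runs):
    """Files that return under a different service name from one run to the next."""
    by_file = {}
    for i, run in enumerate(runs):
        for name, path in run["loads"].items():
            by_file.setdefault(path, []).append((i, name))
    return {path: hosts for path, hosts in by_file.items() if len({n for _, n in hosts}) > 1}


if __name__ == "__main__":
    runs = [parse_combofix(RUN1), parse_combofix(RUN2)]
    for i, run in enumerate(runs, 1):
        print(f"run {i}: new netsvcs services {suspicious_netsvcs(run)}, "
              f"respawned during run {respawned_during_run(run)}")
    for path, hosts in regenerated_payloads(runs).items():
        print(f"{path} came back as: {hosts}")
```

Run against the two excerpts, the first run reports tyyvugn as both deleted and newly created (the dropper re-registered it while ComboFix was still working), and the cross-run view shows jfxfwse.dll hosted by tyyvugn in run 1 and by ddcxz in run 2, which is the signal that the file being deleted is not the component re-creating it.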


#67 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 16 March 2009 - 01:19 PM

newbe17,

Your concern is valid. However, your Avast is starting after ComboFix is finished scanning. It's a little annoying but at this point it's better than being without any anti-virus running.

Well, that stinking file regenerated again. I need a different look at what's going on.

Please download gmer.zip from Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
  • Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  • In Command Prompt, type in net stop gmer. Press Enter.
  • Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

#68 Neo (Silver Member, Guests, 374 posts)

Posted 16 March 2009 - 02:37 PM

Tomk,
:pullhair: (we r getting aggravated)
Firstly, I don't know what clipboard is, I never use it. Secondly, I searched my PC to find it and could not. Thirdly, while I was in the middle of the gmer scan a box came up saying the file was unreadable and offered me 2 things; I chose to terminate the application rather than to debug it. I cannot recall the name of the file, although it looked familiar to me; it was somewhere in C:. I don't even think I have notepad at this point.



GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-16 15:14:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF71D0618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF71D04D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF71D09B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF71D00AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF71D05AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF71CFFEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF71D0050]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF71D06CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF71D068E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF71D080E]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[412] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[412] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ddcxz <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@DisplayName Security Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@Description Monitors system security settings and configurations.
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee@Description Monitors system security settings and configurations.
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee\Parameters
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@DisplayName Security Driver
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@Type 32
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@Start 2
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz\Parameters
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll

---- EOF - GMER 1.0.15 ----


I hope this helps you and that the clip board thing is not too much of an issue, thanks



Newbe17
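The GMER registry section above is what explains the regeneration: jfxfwse.dll is registered under dbthee in ControlSet002 and ControlSet004 and under ddcxz in CurrentControlSet and ControlSet005, next to a gaopdxserv.sys driver entry, while the earlier scripts only removed keys from ControlSet001 (the live set, according to the "Current=1" line at the end of the ComboFix logs). The following is an added example, mine rather than the thread's or GMER's, that parses the "Reg HKLM\SYSTEM\...\Services\..." lines and the hidden-service line into per-control-set records, groups services by the file they actually load, and lists which control sets still carry each service. The sample input is a constructed excerpt of the log above; the regex is an assumption about GMER's line layout taken from that log, and the assumption that ControlSet001 is the live set is a parameter.

```python
import re
from collections import defaultdict

# Sample input: an excerpt (not the whole log) of the Services and Registry sections
# of the GMER log posted above.
GMER_EXCERPT = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ddcxz <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@DisplayName Security Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ddcxz\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@DisplayName Center Time
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\dbthee\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxpavymrmt.sys
Reg HKLM\SYSTEM\ControlSet005\Services\ddcxz\Parameters@ServiceDll C:\WINDOWS\system32\jfxfwse.dll
"""

# "Reg HKLM\SYSTEM\<set>\Services\<name>[\subkey][@<value> <data>]" as GMER prints it
# (an assumption about GMER's layout, taken from the log above).
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"([^\\@\s]+)(?:\\[^@\s]+)?(?:@(\S+)(?:\s+(.*))?)?$"
)
# "Service <image> (*** hidden *** ) [<start>] <name> ..." from the Services section.
HIDDEN_RE = re.compile(r"^Service\s+.+?\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")


def parse_gmer(text):
    """Return ({(control_set, service): {value: data}}, {names GMER reported as hidden})."""
    records = defaultdict(dict)
    hidden = set()
    for line in text.splitlines():
        if m := HIDDEN_RE.match(line):
            hidden.add(m.group(1).lower())
            continue
        if not (m := REG_RE.match(line)):
            continue
        control_set, name, value, data = m.groups()
        rec = records[(control_set, name.lower())]  # a bare key line still registers the service
        if value:
            rec[value.lower()] = (data or "").strip()
    return dict(records), hidden


def persistence_report(records, hidden):
    """Per service name: the control sets that carry it and the file it really loads."""
    report = {}
    for (control_set, name), vals in records.items():
        entry = report.setdefault(
            name, {"control_sets": [], "loads": set(), "hidden": name in hidden})
        entry["control_sets"].append(control_set)
        # svchost-hosted services load their payload through ServiceDll; drivers through ImagePath.
        for key in ("servicedll", "imagepath"):
            path = vals.get(key, "")
            if path and "svchost.exe" not in path.lower():
                entry["loads"].add(path.lower())
    for entry in report.values():
        entry["control_sets"].sort()
        entry["loads"] = sorted(entry["loads"])
    return report


def payload_index(report):
    """Group service names by the file they load: one DLL under several names is the tell."""
    idx = defaultdict(set)
    for name, entry in report.items():
        for path in entry["loads"]:
            idx[path].add(name)
    return {path: sorted(names) for path, names in idx.items()}


def stale_control_sets(report, current="ControlSet001"):
    """Services still registered in control sets other than the live one (assumed ControlSet001)."""
    live = {current.lower(), "currentcontrolset"}
    return {
        name: [cs for cs in entry["control_sets"] if cs.lower() not in live]
        for name, entry in report.items()
        if any(cs.lower() not in live for cs in entry["control_sets"])
    }


if __name__ == "__main__":
    recs, hid = parse_gmer(GMER_EXCERPT)
    rep = persistence_report(recs, hid)
    for path, names in payload_index(rep).items():
        print(f"{path} is loaded by: {', '.join(names)}")
    for name, sets in stale_control_sets(rep).items():
        print(f"{name}: still present in {', '.join(sets)} (hidden: {rep[name]['hidden']})")
```

The point of `stale_control_sets` is the one the thread arrives at in the next script: a cleanup scoped to the live control set leaves the same service definitions intact in the backup sets, so a boot from "Last Known Good" (set 5 here) or a copy made from set 2 or 4 brings the service straight back.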


#69 Neo (Silver Member, Guests, 374 posts)

Posted 16 March 2009 - 02:40 PM

Tomk, oh, and when I went into command and typed in "stop gmer", it answered and said it didn't recognize the program as being downloaded onto my machine.

Newbe17


#70 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 16 March 2009 - 03:18 PM

newbe17,

Whenever you highlight something, right-click it, then select Copy: it is copied to the clipboard. When you select Paste, you copy from the clipboard.

The report you provided looks correct so I think you still have notepad. :)

I know it's frustrating but I believe we are gaining. That scan showed what I believe to be the trigger and this script should get rid of it.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Rootkit::
    c:\windows\system32\jfxfwse.dll
    c:\windows\system32\drivers\gaopdxpavymrmt.sys
    
    NetSvc::
    ddcxz
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddcxz]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dbthee]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\dbthee]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ddcxz]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddcxz]
    
    Driver::
    ddcxz
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
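The CFScript above is a plain text file with `Name::` section headers followed by one item per line. Before running a script like that it is worth checking that every Registry line really is a `[-HKEY_...]` delete directive and that every section contains what it should. The parser below is an added example, not ComboFix's code and not something posted in this thread; its validation rules (which sections exist, what each should hold) are this example's own assumptions drawn from the scripts in the thread, not ComboFix's published grammar. The sample input is the script from the post above.

```python
"""Parse and sanity-check a ComboFix CFScript before it is run.

Added example, not part of the forum thread or of ComboFix itself.
Section names come from the scripts posted in the thread; the rules
about what each section should contain are this example's assumptions.
"""
import re
from collections import OrderedDict

# Sections the thread's scripts use, and the kind of item each one holds
# (assumption: modelled on the scripts above, not a complete ComboFix list).
KNOWN_SECTIONS = {
    "File": "path",
    "Rootkit": "path",
    "NetSvc": "name",
    "Driver": "name",
    "Registry": "regkey",
    "Collect": "path",
}

# A delete-key directive looks like [-HKEY_...\...]; the leading '-' is what
# turns a key reference into a deletion, so we insist it is present.
REG_DELETE = re.compile(r"^\[-(HKEY_[A-Z_]+\\[^\]]+)\]$")
WIN_PATH = re.compile(r'^[a-zA-Z]:\\[^<>:"|?*]+$')
SVC_NAME = re.compile(r"^[A-Za-z0-9_.$-]+$")


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of item lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("item before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def check_cfscript(text):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    for name, items in parse_cfscript(text).items():
        kind = KNOWN_SECTIONS.get(name)
        if kind is None:
            problems.append("unknown section %r" % name)
            continue
        if not items:
            problems.append("section %s is empty" % name)
        for item in items:
            if kind == "regkey" and not REG_DELETE.match(item):
                problems.append("Registry item is not a [-HKEY_...] delete: %r" % item)
            elif kind == "path" and not WIN_PATH.match(item):
                problems.append("%s item is not a Windows path: %r" % (name, item))
            elif kind == "name" and not SVC_NAME.match(item):
                problems.append("%s item is not a service name: %r" % (name, item))
    return problems


# Sample input: the script from the post above.
SAMPLE = """\
Rootkit::
c:\\windows\\system32\\jfxfwse.dll
c:\\windows\\system32\\drivers\\gaopdxpavymrmt.sys

NetSvc::
ddcxz

Registry::
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ddcxz]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\dbthee]

Driver::
ddcxz
"""

if __name__ == "__main__":
    for section, items in parse_cfscript(SAMPLE).items():
        print(section, items)
    print("problems:", check_cfscript(SAMPLE))
```

A Registry line that lacks the leading `-` is reported rather than silently treated as a deletion, which is the mistake most worth catching by eye in a script of this kind.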
 



#71 Neo

Neo

    Silver Member

  • Guests
  • PipPipPip
  • 374 posts

Posted 16 March 2009 - 05:43 PM

Tomk,
WoW, what a storm :wacko: .... I think we backed this snake into a corner because it went crazy and caused me to unplug my pc, lol. Just got a box from svchost.exe - Application Error : The instruction at 0x00ecf496 refrenced memory at 0x00ecf496. The memory could not be "written" . has a red balloon with a white x symbol on it says click on ok to terminate the program or cancel to debug..... I'm clicking OK. Now where was I b4 I was so rudely interrupted by that silly little box? Oh yes, Avast found a hidden root kit just after I connected to this site and offered to do nothing or delete it . I deleted the root kit. Here's your log:


ComboFix 09-03-15.01 - Compaq_Owner 2009-03-16 17:25:46.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.50 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090314-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jfxfwse.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DDCXZ
-------\Service_ddcxz


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-16 15:32 . 2009-03-16 15:33 157,221 --a------ c:\windows\system32\x
2009-03-15 16:10 . 2009-03-15 16:10 <DIR> d-------- C:\KAV
2009-03-15 09:41 . 2009-03-15 09:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-03-14 23:54 . 2009-03-16 01:32 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 22:32 . 2009-03-14 22:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 16:12 . 2009-03-14 16:12 <DIR> d--h----- c:\windows\PIF
2009-03-13 23:50 . 2009-03-14 11:56 <DIR> d-------- C:\Lop SD
2009-03-13 18:21 . 2009-03-16 13:10 <DIR> d-------- c:\program files\Full Tilt Poker.Net
2009-03-13 00:59 . 2009-03-13 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 00:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 00:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 22:34 . 2009-03-12 22:34 <DIR> d-------- c:\windows\Sun
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 11:04 8,704 --sha-w c:\program files\Thumbs.db
2009-03-15 03:32 --------- d-----w c:\program files\Java
2009-03-13 23:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_13.07.20.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-03-25 06:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 06:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 07:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 03:32:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-16 22:30:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_550.dat
+ 2009-03-16 22:29:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 17:30:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(368)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-16 17:35:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 22:34:58
ComboFix2.txt 2009-03-16 18:51:31
ComboFix3.txt 2009-03-16 05:44:33
ComboFix4.txt 2009-03-15 22:15:51
ComboFix5.txt 2009-03-16 22:24:56

Pre-Run: 66,330,464,256 bytes free
Post-Run: 66,318,696,448 bytes free

Current=5 Default=5 Failed=1 LastKnownGood=3 Sets=,1,2,3,4,5
133 --- E O F --- 2008-06-13 23:12:36

Now, whenever I try to click on add reply, I get a connection trouble box that says my connection to the server was interrupted, imonna redownload the page....

Newbe17

Best Wishes,

Neo
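A ComboFix log like the one above carries more than the deletion list: the Reg Loading Points block also shows the Windows Firewall standard profile with `EnableFirewall` set to 0 and a globally opened port whose rule name is not an obvious program name. The script below is an added example (not ComboFix's code and not from this thread) that pulls those review-worthy lines out of the log format seen above. The "random-looking rule name" heuristic is this example's own assumption, a prompt for a human to look rather than a verdict. The sample log is a constructed excerpt of the log posted above plus one harmless constructed port rule (`80:TCP:webserver`) for contrast.

```python
"""Triage a ComboFix log: list deletions, removed services, the firewall
state and globally opened ports worth a second look.

Added example; it is neither ComboFix's code nor anything posted in the
thread. It parses the log format seen above: section banners wrapped in
parentheses, '.' separator lines, and REGEDIT4-style key/value lines.
"""
import re

SECTION_BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
OPEN_PORT = re.compile(r"^(\d+):(TCP|UDP):(.*)$")


def split_sections(log):
    """Map each banner title (e.g. 'Other Deletions') to its non-empty body lines."""
    sections, current = {}, None
    for line in log.splitlines():
        line = line.rstrip()
        m = SECTION_BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def looks_random(name):
    """Heuristic (assumption): a lowercase, vowel-free word of 5+ letters is
    unlikely to be a product or service name and deserves a look."""
    return (len(name) >= 5 and name.isalpha() and name.islower()
            and not any(c in "aeiou" for c in name))


def triage(log):
    """Return a dict summarising the parts of the log a reviewer cares about."""
    sections = split_sections(log)
    report = {
        "deleted": list(sections.get("Other Deletions", [])),
        # lines look like '-------\Service_ddcxz'; strip the leading dashes and slash
        "services_removed": [l.lstrip("-\\") for l in sections.get("Drivers/Services", [])],
        "firewall_disabled": False,
        "suspicious_open_ports": [],
    }
    current_key = None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_LINE.match(line)
        if km:
            current_key = km.group(1).lower()
            continue
        vm = VALUE_LINE.match(line)
        if not vm or current_key is None:
            continue
        name, value = vm.groups()
        if current_key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            # ComboFix prints the DWORD as '0 (0x0)'; a leading 0 means disabled
            report["firewall_disabled"] = value.strip().startswith("0")
        if current_key.endswith("globallyopenports\\list"):
            pm = OPEN_PORT.match(value.strip())
            if pm and looks_random(pm.group(3)):
                report["suspicious_open_ports"].append((int(pm.group(1)), pm.group(2), pm.group(3)))
    return report


# Constructed sample: an excerpt of the log posted above, plus one harmless
# constructed port rule (80:TCP:webserver) so the heuristic has a negative case.
SAMPLE_LOG = r"""ComboFix 09-03-15.01 - Compaq_Owner 2009-03-16 17:25:46.7 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jfxfwse.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DDCXZ
-------\Service_ddcxz

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs
"80:TCP"= 80:TCP:webserver
"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, val)
```

The firewall flag and the port list are the two findings in this log that a removal alone does not fix: a disabled standard profile and a leftover globally open port both survive the deletion of the files that created them, so they belong on the post-cleanup checklist.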


#72 Neo

Neo

    Silver Member

  • Guests
  • PipPipPip
  • 374 posts

Posted 16 March 2009 - 05:46 PM

Tomk, Avast just found another hidden root kit and I deleted it. newbe17

Best Wishes,

Neo


#73 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 16 March 2009 - 08:20 PM

newbe17,

I'm not sure about all your symptoms but you are correct, that snake didn't want to die quietly. However, he appears headless now. :woot:

Hopefully the file avast found was in a quarantine. But you've developed another weird file.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

c:\windows\system32\x   <=== this file

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it doesn't work, then:

Please visit this site and follow the instructions for uploading the c:\windows\system32\x file.

Once you get it submitted or uploaded (either one) you can continue:

Please try to update your copy of Malwarebytes'. After updating, please run a scan and post me results.

Once you have posted the results, you can start the Kaspersky scan.


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#74 Neo

Neo

    Silver Member

  • Guests
  • PipPipPip
  • 374 posts

Posted 17 March 2009 - 12:48 AM

Tomk, dude.....this is baaad.....On the upbeat I made it to jotti's :) Right then and there, my pc froze and I had to unplug it again... Made it back just now, don't know how much longer this will last, things r running VERY slowly, so here ya go..... 1 more thing .... ran a boot time scan, I have about 5 viruses in my virus chest, one of them was cwin\32\x, had to let it back into the puter to upload it onto jotti, gonna go scan 4 viruses, b back a.s.a.p.

Scan taken on 17 Mar 2009 06:40:29 (GMT)

A-Squared: Found Net-Worm.Win32.Kido!IK
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found Worm.Kido.Ca
Avast: Found Win32:Confi
AVG Antivirus: Found nothing
BitDefender: Found Worm.Generic.42199
ClamAV: Found Worm.Downadup-1
CPsecure: Found W32.Net.W.Kido.c
Dr.Web: Found Win32.HLLW.Shadow.based
F-Prot Antivirus: Found W32/Conficker!Generic
F-Secure Anti-Virus: Found Worm:W32/Downadup.gen!A, Net-Worm.Win32.Kido.ih
Ikarus: Found Net-Worm.Win32.Kido
Kaspersky Anti-Virus: Found Net-Worm.Win32.Kido.ih
NOD32: Found a variant of Win32/Conficker.X
Norman Virus Control: Found Conficker.HQ
Panda Antivirus: Found W32/Conficker.C.worm
Quick Heal: Found Trojan.Agent.ATV
Sophos Antivirus: Found Mal/Conficker-A
VirusBuster: Found Trojan.Conficker.Gen!Pac
VBA32: Found Net-Worm.Win32.Kido.ca

newbe17

Best Wishes,

Neo


#75 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 17 March 2009 - 06:36 AM

newbe17,

That's the Conficker worm. That explains the inability for you to get to websites and run tools. It also explains the massive sluggishness of your machine.

Open notepad and copy/paste the text in the quotebox below into it:


Collect::
c:\windows\system32\x


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Once you've posted here, you can continue without further input from me.

Then, go ahead and run MSRT:
  • In the lower left of your screen, click on Start
  • Click on Run
  • Type MRT in the box.
  • Hit enter
  • When the window opens, click Next
  • Choose Full Scan and click Next
  • When scan is finished, in the middle of the window it will say "View detailed results of the scan". Click on that sentence.
  • When the results page opens, please copy/paste the information here.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 
