I've Been Jacked


17 replies to this topic

#1 grammareetz

    New Member

  • Authentic Member
  • 11 posts

Posted 30 April 2007 - 06:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:38:16 PM, on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ULi5287\ULi5287.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\retadpu1000627.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User-1\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=25040
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULi5287\ULi5287.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



#2 Jintan

    Advanced Member

  • Visiting Fellow
  • 791 posts

Posted 02 May 2007 - 03:49 PM

Howdy grammareetz, and welcome to Tom Coyote. I will be reviewing your log, and will post back once the review is completed.

#3 Jintan

    Advanced Member

  • Visiting Fellow
  • 791 posts

Posted 02 May 2007 - 06:16 PM

One known bad file showing in the running processes here, but only that so far. Let's make some changes and see what else we need to address here.


Your log shows absolutely no protective software loaded or running on your system. As a minimum you need a current antivirus software installed, and at least an anti-spyware of some sort to supplement that. Let's add the AV installation idea into our procedures here.



First you need to move HijackThis to a permanent location so changes will be saved. Select or create a permanent folder (not desktop or temp) and move the HijackThis.exe file there to run from that location. Once you have moved it I would like you to also rename HijackThis.exe to thistool.exe. Just right click the HijackThis.exe file, select "rename" and make the change, then after click on the thistool.exe to run HijackThis.



Now open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools – Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis.

C:\WINDOWS\retadpu1000627.exe

------------------------------------------

Then for now choose between the free AV installs of AVG or Avast. Download the software of your choice, install it and immediately update it once installed. Don't run a scan with it just yet though.

------------------------------------------

Then close all open windows and running programs, open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools - Delete File on Reboot. Navigate to the following file, double-click it, then say Yes to reboot and allow the reboot.

C:\WINDOWS\retadpu1000627.exe



==========================================

Once the computer has rebooted completely, reboot again into Safe Mode (at startup tap the F8 key and select Safe Mode).


Open the AV software (AVG/Avast) and run a complete scan with it, being sure to choose the option to Quarantine any items found.


----------------------------------------

Then reboot to normal mode. Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.


Run a new HijackThis scan, and post that back here along with the combofix.txt please.

#4 grammareetz

    New Member

  • Authentic Member
  • 11 posts

Posted 06 May 2007 - 03:15 PM

Now open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools – Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis.

C:\WINDOWS\retadpu1000627.exe

------------------------------------------

Then for now choose between the free AV installs of AVG or Avast. Download the software of your choice, install it and immediately update it once installed. Don't run a scan with it just yet though.

------------------------------------------

Then close all open windows and running programs, open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools - Delete File on Reboot. Navigate to the following file, double-click it, then say Yes to reboot and allow the reboot.

C:\WINDOWS\retadpu1000627.exe



As you had advised earlier in the post, I looked for but did not see the above files.


Logfile of HijackThis v1.99.1
Scan saved at 2:06:42 PM, on 06/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ULi5287\ULi5287.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Jacked\thistool.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=25040
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qmqjnupo.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULi5287\ULi5287.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\icadytms.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


"User-1" - 07-05-06 13:58:27 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\User-1\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fccbxvu.dll
C:\WINDOWS\system32\qomjhee.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnmjhg.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\network monitor\netmon.exe
C:\Program Files\webhancer\whAgent_update.exe
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\network monitor
C:\Program Files\webhancer
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\WINDOWS\IA


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\cmdService
-------\Network Monitor
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))


2007-05-04 11:59 <DIR> d-------- C:\WINDOWS\pss
2007-05-04 11:39 <DIR> d-------- C:\Jacked
2007-05-04 08:57 132,660 --a------ C:\WINDOWS\system32\icadytms.dll
2007-05-04 08:53 26,678 --a------ C:\WINDOWS\system32\nnnmnlm.dll
2007-05-03 08:11 26,678 --a------ C:\WINDOWS\system32\rqrrppq.dll
2007-05-02 19:31 <DIR> d-------- C:\DOCUME~1\User-1\APPLIC~1\U3
2007-05-02 08:55 26,678 --a------ C:\WINDOWS\system32\iifghfd.dll
2007-05-01 08:18 26,678 --a------ C:\WINDOWS\system32\iifdaxx.dll
2007-04-30 17:29 26,678 --a------ C:\WINDOWS\system32\cbxxywu.dll
2007-04-30 17:26 132,660 --a------ C:\WINDOWS\system32\neircdql.dll
2007-04-30 17:23 <DIR> d-------- C:\Program Files\Innovative Solutions
2007-04-30 17:18 69,697 --a------ C:\DOCUME~1\User-1\net.exe
2007-04-30 17:18 26,678 --a------ C:\WINDOWS\system32\qomjgef.dll
2007-04-30 10:03 <DIR> d-------- C:\DOCUME~1\User-1\APPLIC~1\SystemDoctor 2006 Free
2007-04-13 19:23 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-04-13 19:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-04-13 19:22 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-04-13 19:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-04-13 19:16 <DIR> dr-h----- C:\MSOCache


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-25 21:49 -------- d-------- C:\Program Files\msn messenger
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 07:08 101438 --a------ C:\WINDOWS\b122.exe
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-25 14:34 17207032 --a------ C:\Program Files\avg75free_428a818.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\qmqjnupo.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ULiRaid"="C:\\Program Files\\ULi5287\\ULi5287.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\icadytms.dll\",realset"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
Usnsvc REG_MULTI_SZ usnsvc\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 14:03:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-06 14:04:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-06 14:04


05-06-09 13:01	  1405	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\readme.txt.vir
05-07-29 16:24	  472	--a------	C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
05-08-02 16:46	  187904	--a------	C:\Qoobox\Quarantine\C\WINDOWS\IA\asappsrv.dll.vir
05-08-02 16:58	  293888	--a------	C:\Qoobox\Quarantine\C\WINDOWS\IA\command.exe.vir
06-01-03 17:45	  1989	--a------	C:\Qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir
06-01-04 18:09	  94208	--a------	C:\Qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir
06-07-17 11:02	  8292	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\license.txt.vir
07-03-29 14:15	  249856	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir
07-03-29 14:19	  114688	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir
07-03-29 14:19	  151552	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir
07-03-29 14:20	  565248	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whagent.exe.vir
07-04-25 21:49	  26678	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnmjhg.dll.vir
07-04-25 21:54	  281172	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnnk.dll.vir
07-04-29 08:57	  867326	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\knnmp.bak1.vir
07-04-30 17:21	  12288	--a------	C:\Qoobox\Quarantine\C\Program Files\Ipwindows\UnInstall.exe.vir
07-04-30 17:29	  26678	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\qomjhee.dll.vir
07-04-30 18:27	  26678	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\fccbxvu.dll.vir
07-05-02 17:39	  687592	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir
07-05-02 17:39	  687592	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir
07-05-02 17:41	  391100	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\whAgent_update.exe.vir
07-05-04 08:57	  885251	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\knnmp.bak2.vir
07-05-06 13:53	  211	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whAgent.ini.vir
07-05-06 14:00	  14	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt.vir
07-05-06 14:00	  35464	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt.vir
07-05-06 14:01	  1080	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
07-05-06 14:01	  1130	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
07-05-06 14:01	  2458	--a------	C:\Qoobox\Quarantine\Registry_backups\services_cmdService.reg.cf
07-05-06 14:01	  2830	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Network Monitor.reg.cf
07-05-06 14:01	  891655	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\knnmp.ini.vir
99-12-23 14:12	  11264	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\sporder.dll.vir


Folder PATH listing
Volume serial number is 145C-02EA
C:\QOOBOX
\---Quarantine
	+---C
	|   +---DOCUME~1
	|   |   \---LOCALS~1
	|   |	   \---APPLIC~1
	|   |		   \---NetMon
	|   |				   domains.txt.vir
	|   |				   log.txt.vir
	|   |				   
	|   +---Program Files
	|   |   +---Ipwindows
	|   |   |	   UnInstall.exe.vir
	|   |   |	   
	|   |   +---Network Monitor
	|   |   |	   netmon.exe.vir
	|   |   |	   
	|   |   \---webHancer
	|   |	   |   whAgent_update.exe.vir
	|   |	   |   
	|   |	   \---Programs
	|   |			   license.txt.vir
	|   |			   readme.txt.vir
	|   |			   sporder.dll.vir
	|   |			   webhdll.dll.vir
	|   |			   whagent.exe.vir
	|   |			   whAgent.ini.vir
	|   |			   whiehlpr.dll.vir
	|   |			   whinstaller.exe.vir
	|   |			   
	|   \---WINDOWS
	|	   |   uninstall_nmon.vbs.vir
	|	   |   
	|	   +---IA
	|	   |	   asappsrv.dll.vir
	|	   |	   command.exe.vir
	|	   |	   KE.vbs.vir
	|	   |	   
	|	   \---system32
	|			   atmtd.dll.vir
	|			   atmtd.dll._.vir
	|			   fccbxvu.dll.vir
	|			   knnmp.bak1.vir
	|			   knnmp.bak2.vir
	|			   knnmp.ini.vir
	|			   pmnmjhg.dll.vir
	|			   pmnnk.dll.vir
	|			   qomjhee.dll.vir
	|			   
	\---Registry_backups
			LEGACY_CMDSERVICE.reg.cf
			LEGACY_NETWORK_MONITOR.reg.cf
			services_cmdService.reg.cf
			services_Network Monitor.reg.cf


#5 Jintan

    Advanced Member

  • Visiting Fellow
  • 791 posts

Posted 07 May 2007 - 01:07 PM

Looks like excellent progress there. It's okay if you couldn't locate the file with Killbox - we'll make sure on that with these next steps.

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qmqjnupo.dll (file missing)
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\icadytms.dll",realset


---------------------------------------------------

Download The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy"

Files to delete:
C:\WINDOWS\system32\icadytms.dll
C:\WINDOWS\system32\nnnmnlm.dll
C:\WINDOWS\system32\rqrrppq.dll
C:\WINDOWS\system32\iifghfd.dll
C:\WINDOWS\system32\iifdaxx.dll
C:\WINDOWS\system32\cbxxywu.dll
C:\WINDOWS\system32\neircdql.dll
C:\Documents and Settings\User-1\net.exe
C:\WINDOWS\system32\qomjgef.dll
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu1000627.exe

Folders to delete:
C:\Documents and Settings\User-1\Application Data\SystemDoctor 2006 Free

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (If the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.


=================================================

Once your computer has rebooted, disable your antivirus program and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.


------------------------------------------------------------------------

Then download SmitfraudFix.zip from here.

Unzip it to your desktop and doubleclick on smitfraudfix.cmd.

Choose Option 1 and hit Enter to generate a report about the infected files. Please save the Log (it will save to C:\rapport.txt) and post it here.


Run a new ComboFix and HijackThis scan, and post those here, along with the avenger.txt log, the BitDefender log and the rapport.txt log please.


As some of the files removed by Avenger are newer variants I would like you to send them so they can be included in future repairs. Just locate the C:\avenger\backup.zip file, and send it here as an attachment. Place "Submitted Files - Grammareetz" as the Subject, and be sure to include a link to this thread.

Edited by little eagle, 07 May 2007 - 05:37 PM.
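As an added example (not code from the thread or from HijackThis), here is a small Python triage script that parses the O2 and O4 entry formats shown in these logs and flags the two patterns little eagle marked for fixing: BHO registrations whose file is missing, and Run entries that load a DLL through rundll32.exe. The constructed sample lines are copied from this thread; the consonant-run check on DLL names is a weak heuristic added here, not a HijackThis feature.

```python
"""Triage helper for HijackThis (v1.99) O2 and O4 log lines.

Added example, not part of this thread or of HijackThis. The "looks random"
name check is a constructed heuristic used only to order attention.
"""
import re
from dataclasses import dataclass

# O2 - BHO: <name> - {CLSID} - <path or "(no file)" / "... (file missing)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe "<dll>",<export>   (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S+))?', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(stem):
    """Weak signal: 7+ letters with a run of 5+ non-vowels (icadytms, qmqjnupo)."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 7:
        return False
    return max(len(run) for run in re.split(r"[aeiou]", letters)) >= 5


def triage_hjt(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(line, "orphaned BHO: CLSID registered but its DLL is gone; remove the registration"))
            elif m.group("name") == "(no name)":
                findings.append(Finding(line, "unnamed BHO with a file present; verify the DLL before trusting it"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                stem = r.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                reason = "Run entry loads a DLL through rundll32.exe"
                if looks_random(stem):
                    reason += "; DLL name looks machine-generated (weak signal)"
                findings.append(Finding(line, reason))
    return findings


# Constructed sample: entries copied from the HijackThis logs in this thread.
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)",
    "O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\\WINDOWS\\system32\\qmqjnupo.dll (file missing)",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll",
    "O4 - HKLM\\..\\Run: [WindowsService] rundll32.exe \"C:\\WINDOWS\\system32\\icadytms.dll\",realset",
    "O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```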


#6 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 11 May 2007 - 10:38 AM

Firstly let me say that I appreciate your help. I am doing this for my mother-in-law so cannot get up here every day. Hence the sporadic nature of my posts. Here is the next logfile as requested.

BitDefender Online Scanner

Scan report generated at: Thu, May 10, 2007 - 21:29:23
Scan path: A:\;C:\;D:\;

Statistics
Time 00:28:03
Files 243252
Folders 4273
Boot Sectors 2
Archives 2750
Packed Files 28880

Results
Identified Viruses 6
Infected Files 21
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 21

Engines Info
Virus Definitions 505532
Engine build AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o) Update failed
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\avenger\backup.zip=>avenger/net.exe=>(NSIS o) Update failed
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o) Update failed
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Agent.AUG
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\Documents and Settings\User-1\Desktop\net.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021681.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Agent.AUG
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP351\A0021683.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP352\A0021700.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP353\A0021714.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP354\A0021733.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP355\A0021750.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021938.dll Infected with: Trojan.Virtumod.JQ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021938.dll Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021938.dll Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o)=>zlib_nsis0001 Infected with: MemScan:Trojan.Vundo.AJ
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o)=>zlib_nsis0001 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o)=>zlib_nsis0001 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o) Update failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o)=>zlib_nsis0002 Infected with: Trojan.Downloader.Agent.YAN
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o)=>zlib_nsis0002 Disinfection failed
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o)=>zlib_nsis0002 Deleted
C:\System Volume Information\_restore{88EB8EF2-F968-45AE-9C62-B6A3B45CF543}\RP358\A0021942.exe=>(NSIS o) Update failed
C:\WINDOWS\b104.exe=>(NSIS o)=>lzma_solid_nsis0002 Infected with: Trojan.Downloader.Small.BUY
C:\WINDOWS\b104.exe=>(NSIS o)=>lzma_solid_nsis0002 Deleted
C:\WINDOWS\b104.exe=>(NSIS o) Update failed
C:\WINDOWS\b129.exe=>(NSIS o)=>lzma_solid_nsis0006 Infected with: Trojan.Dloader.AFR
C:\WINDOWS\b129.exe=>(NSIS o)=>lzma_solid_nsis0006 Disinfection failed
C:\WINDOWS\b129.exe=>(NSIS o)=>lzma_solid_nsis0006 Deleted
C:\WINDOWS\b129.exe=>(NSIS o) Update failed

#7 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 11 May 2007 - 10:42 AM

SmitFraudFix v2.179

Scan done at 9:40:50.39, 11/05/2007
Run from C:\Documents and Settings\User-1\Desktop\New Folder (2)\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ULi5287\ULi5287.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User-1

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User-1\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User-1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: ULi PCI Fast Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 64.59.144.18
DNS Server Search Order: 64.59.144.19

HKLM\SYSTEM\CCS\Services\Tcpip\..\{071ABA5F-AAC2-411B-BFBA-4BD59F951A19}: DhcpNameServer=64.59.144.18 64.59.144.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{071ABA5F-AAC2-411B-BFBA-4BD59F951A19}: DhcpNameServer=64.59.144.18 64.59.144.19
HKLM\SYSTEM\CS3\Services\Tcpip\..\{071ABA5F-AAC2-411B-BFBA-4BD59F951A19}: DhcpNameServer=64.59.144.18 64.59.144.19
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.59.144.18 64.59.144.19
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.59.144.18 64.59.144.19
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.59.144.18 64.59.144.19

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#8 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 11 May 2007 - 10:45 AM

"User-1" - 07-05-11 9:42:44 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\User-1\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-11 to 2007-05-11 ))))))))))))))))))))))))))))))))))


2007-05-11 09:40 2,374 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-08 17:09 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-08 17:04 <DIR> d-------- C:\avenger
2007-05-06 14:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-04 11:59 <DIR> d-------- C:\WINDOWS\pss
2007-05-04 11:39 <DIR> d-------- C:\Jacked
2007-05-02 19:31 <DIR> d-------- C:\DOCUME~1\User-1\APPLIC~1\U3
2007-04-30 17:23 <DIR> d-------- C:\Program Files\Innovative Solutions
2007-04-13 19:23 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-04-13 19:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-04-13 19:22 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-04-13 19:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-04-13 19:16 <DIR> dr-h----- C:\MSOCache


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-25 21:49 -------- d-------- C:\Program Files\msn messenger
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-25 14:34 17207032 --a------ C:\Program Files\avg75free_428a818.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"ULiRaid"="C:\\Program Files\\ULi5287\\ULi5287.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
Usnsvc REG_MULTI_SZ usnsvc\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-11 09:43:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-11 9:43:51
C:\ComboFix-quarantined-files.txt ... 07-05-11 09:43
C:\ComboFix2.txt ... 07-05-06 14:04

#9 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 11 May 2007 - 10:46 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:45:23 AM, on 11/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ULi5287\ULi5287.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Jacked\thistool.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=25040
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULi5287\ULi5287.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#10 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 11 May 2007 - 10:53 AM

I apologize that I do not see how to submit a file to get you the avenger/backup.zip. Found it. Hope the link worked for you.

Edited by grammareetz, 11 May 2007 - 10:56 AM.



#11 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 15 May 2007 - 11:43 AM

You mention only being able to get posts back here infrequently, grammareetz, but if I miss that you have posted again, like I just did, that will be both of us posting here infrequently.

You didn't post back the avenger.txt log, but I can see in the BitDefender log some of what it did successfully remove. Looking very good at this point, so let's scan to see what might remain now. Also post back how the system is running at this point.


We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


And do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\WINDOWS\system32\tmp.reg



Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.


Then go here for an online AV scan (requires IE to run). If your AV alerts you while the scan installs ignore this - Panda's Active Scan method is often mistaken for infection activity.

Scan "Local Disks" and when finished save the scan log and then post the log here. To save the log first select the See Report button, then select the Save report button, and post that log back here.

#12 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 17 May 2007 - 06:43 PM

I wasn't sure if you wanted that missed scan or to just carry on. Here are the results of the Panda scan as requested. Looks not good to me. Other than that the machine seems to be working fine, although I am not using it for any other purpose besides our work here. Note: AVG is still disabled from the previous instruction set. I think I will turn it on for now.

Incident Status Location
Adware:Adware/Maxifiles Not disinfected C:\avenger\backup.zip[avenger/b122.exe]
Adware:Adware/Maxifiles Not disinfected C:\avenger\backup.zip[avenger/b122.exe][Installeur.exe]
Adware:Adware/ActiveSearch Not disinfected C:\avenger\backup.zip[avenger/b122.exe][²ÜÇ\Services.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/neircdql.dll]
Virus:Trj/Downloader.OBC Not disinfected C:\avenger\backup.zip[avenger/net.exe][²ÖÇ\install.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User-1\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User-1\Desktop\net.exe[²ÖÇ\is67333.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User-1\Desktop\New Folder (2)\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\User-1\Desktop\New Folder (2)\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User-1\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\User-1\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Adware:Adware/Maxifiles Not disinfected Personal Folders\Sent Items\Submitted Files - Grammareetz\backup.zip[avenger/b122.exe]
Adware:Adware/Maxifiles Not disinfected Personal Folders\Sent Items\Submitted Files - Grammareetz\backup.zip[avenger/b122.exe][Installeur.exe]
Adware:Adware/ActiveSearch Not disinfected Personal Folders\Sent Items\Submitted Files - Grammareetz\backup.zip[avenger/b122.exe][²ÜÇ\Services.dll]
Spyware:Spyware/Virtumonde Not disinfected Personal Folders\Sent Items\Submitted Files - Grammareetz\backup.zip[avenger/neircdql.dll]
Virus:Trj/Downloader.OBC Not disinfected Personal Folders\Sent Items\Submitted Files - Grammareetz\backup.zip[avenger/net.exe][²ÖÇ\install.exe]
Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\C\Program Files\Ipwindows\UnInstall.exe.vir
Adware:Adware/WebHancer Not disinfected C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir
Adware:Adware/WebHancer Not disinfected C:\QooBox\Quarantine\C\Program Files\webHancer\whAgent_update.exe.vir[whiehlpr.dll]
Adware:Adware/CommAd Not disinfected C:\QooBox\Quarantine\C\WINDOWS\IA\asappsrv.dll.vir
Adware:Adware/CommAd Not disinfected C:\QooBox\Quarantine\C\WINDOWS\IA\command.exe.vir
Adware:Adware/CommAd Not disinfected C:\QooBox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir
Virus:Generic Trojan Disinfected C:\WINDOWS\b104.exe
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\b129.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Edited by grammareetz, 17 May 2007 - 06:46 PM.


#13 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 18 May 2007 - 06:03 AM

Yes, when you are not performing any scans suggested here you should keep your protective software enabled, so good idea doing that.

The Panda scan shows mostly either tools we used or items we have quarantined with those tools. It also picked up the infection remaining in your saved sent email folder there, so be sure to empty that now.


Panda did locate two additional infection files that need to be removed, and it would be best to check afterwards with a follow-up scan and be sure no new items are found.


Do a search ( Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\WINDOWS\b104.exe
C:\WINDOWS\b129.exe


Run ATF Cleaner after that, reboot and run a new Panda scan to post back here please.

#14 grammareetz

grammareetz

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 28 May 2007 - 05:34 PM

Found and deleted: C:\WINDOWS\b129.exe. Also found but did not delete: b122.exe. Going to run scans now.

#15 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 28 May 2007 - 08:46 PM

Post when ready and let's take a look.
