[Closed] Malware/Trojan Overload


7 replies to this topic

#1 smoosh (New Member, 3 posts)

Posted 13 August 2007 - 07:12 PM

Am working on a sister's computer that was inundated w/ more malware than I have ever seen a single HDD contain. Multiple viruses...and the list goes on. The three that I just cannot remove are "Trojan.agent.aoy" & "Downloader.tiny.id" & a really nasty one: "AppInit_DLLs: c:\windows\system32\ldcore.dll". I have tried SmitFraudFix, HijackThis, Panda anti-root...and I just cannot get rid of these. Any insight would be GREATLY appreciated. Here are the SmitFraudFix log & HijackThis log, respectively...

---------------------------------------------- SmitFraudFix log ----------------------------------------------

SmitFraudFix v2.211

Scan done at 20:03:18.34, Mon 08/13/2007
Run from C:\Documents and Settings\SLT\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1183342695\ee\aolsoftware.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SLT


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SLT\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SLT\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{39D7CBDB-7CC0-4824-9C36-307C8D24470C}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C528BB54-4EB3-48AA-BDCD-A117EFA928C4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39D7CBDB-7CC0-4824-9C36-307C8D24470C}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C528BB54-4EB3-48AA-BDCD-A117EFA928C4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39D7CBDB-7CC0-4824-9C36-307C8D24470C}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C528BB54-4EB3-48AA-BDCD-A117EFA928C4}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------- HijackThis log ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:55:06 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1183342695\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\FNTS~1\smss.exe
C:\WINDOWS\??mantec\m?config.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\SLT\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://osu.facebook....php?id=12410031
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1183342695\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\gfvxlykw.dll",forkonce
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\FNTS~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Wysiqk] C:\WINDOWS\??mantec\m?config.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\SLT\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\SLT\Application Data\Microsoft\Windows\teovqnu.exe
O4 - HKCU\..\Run: [fqwq] C:\PROGRA~1\COMMON~1\fqwq\fqwqm.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hgwcpnjs.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

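The log above is what a helper reads by hand: the O4 Run entries, the O20 AppInit_DLLs line and the O23 services. As an added example that is not part of this thread and not HijackThis's own code, the Python script below applies the same first-pass checks to those line types: a populated AppInit_DLLs value (the DLL is loaded into every process that links user32.dll; legitimate security suites use the same key, as the Kaspersky entry later in this thread shows, so the flag means "verify the DLL's publisher", not "malicious"), a service whose binary is missing, a core system binary name such as smss.exe living outside System32, a path containing characters HijackThis cannot print (it shows them as ?), and a coarse random-name heuristic. The sample lines are copied from the first HijackThis log in this post; all function names, regexes and thresholds are this example's own assumptions.

```python
"""Triage of HijackThis v1.99 log lines (added example, not HijackThis code).

Sample lines are copied from the first log in this thread; every rule,
regex and threshold below is this example's own assumption."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    reason: str
    line: str


# Core binaries that only live in %SystemRoot%\System32; a same-named copy
# elsewhere (C:\PROGRA~1\FNTS~1\smss.exe in the log) is a masquerade.
SYSTEM_IMAGE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}
VOWELS = set("aeiou")

O4_RUN_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[.*?\] (.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: .*? = (.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
O23_SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|cpl|com))', re.IGNORECASE)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def image_path(command: str) -> str:
    """First executable or DLL path in an O4 command, quotes stripped.
    For rundll32 the DLL it loads is the payload, so the host is skipped."""
    command = command.strip()
    host = RUNDLL_RE.match(command)
    if host:
        command = host.group(1)
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command


def looks_random(stem: str) -> bool:
    """Coarse generated-name check: 7+ letters with no vowel at all, or a run
    of five consonants. Low confidence: teovqnu.exe from the log passes it."""
    s = stem.lower()
    if len(s) < 7 or not s.isalpha():
        return False
    if not VOWELS & set(s):
        return True
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def check_image(path: str) -> List[str]:
    """Reasons to look closer at one Run/Startup image path (may be empty)."""
    reasons = []
    directory, _, name = path.lower().rpartition("\\")
    if "?" in path:
        reasons.append("unprintable characters in path (HijackThis shows them as '?')")
    if name in SYSTEM_IMAGE_NAMES and not directory.endswith("\\system32"):
        reasons.append("core system binary name outside System32")
    if looks_random(name.rsplit(".", 1)[0]):
        reasons.append("random-looking image name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run the O4/O20/O23 checks over a whole log and collect the findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            findings += [Finding(r, line) for r in check_image(image_path(m.group(1)))]
            continue
        m = O20_APPINIT_RE.match(line)
        if m and m.group(1).strip():
            # Loaded into every process that links user32.dll; legitimate
            # security products use it too, so verify the DLL's publisher.
            findings.append(Finding("AppInit_DLLs is populated", line))
            continue
        m = O23_SERVICE_RE.match(line)
        if m and "(file missing)" in m.group(3):
            findings.append(Finding("service binary missing (leftover or self-deleting loader)", line))
    return findings


# Constructed sample: a subset of the O4/O20/O23 lines from the first log above.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\gfvxlykw.dll",forkonce
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\FNTS~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Wysiqk] C:\WINDOWS\??mantec\m?config.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\SLT\Application Data\Microsoft\Windows\teovqnu.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hgwcpnjs.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.reason}] {f.line}")
```

Running it prints six findings for the sample. Note what the name heuristic misses: teovqnu.exe under Application Data is not flagged by name, and Dell's brkrsvc.exe would be if the same heuristic were applied to services, which is why the structural checks carry the weight and the dated ComboFix file listing, not name-guessing, decides which files actually go.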


#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 13 August 2007 - 08:15 PM

Hello smoosh and welcome to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.


1. I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, then Settings, then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, remove the Viewpoint component.
4. Do the same for each Viewpoint component.


2. Please download this file - combofix.exe by sUBs
  • Save it to your Desktop
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (including the "" marks and the symbols) into the Run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll


  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#3 smoosh (New Member, 3 posts)

Posted 15 August 2007 - 09:00 PM

Hey Trevuren...thanks for the prompt response. I believe that I may have made some progress on my own. I did remove all Viewpoint programs. Here are the logs that you requested:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:22 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\SLT\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://osu.facebook....php?id=12410031
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------- ComboFix log ----------------------------------------------

ComboFix 07-08-09.3 - "SLT" 2007-08-15 16:40:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.100 [GMT -5:00]
Command switches used :: /KillAll


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-15 16:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-13 21:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 21:29 <DIR> d-------- C:\!KillBox
2007-08-13 21:28 <DIR> d-------- C:\VundoFix Backups
2007-08-13 20:30 75,328 --a------ C:\WINDOWS\SYSTEM32\lojegaau.exe
2007-08-12 18:46 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-08-12 17:23 75,328 --a------ C:\WINDOWS\SYSTEM32\tclwymcf.exe
2007-08-12 12:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-12 12:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-12 10:12 75,328 --a------ C:\WINDOWS\SYSTEM32\tjrijufc.exe
2007-08-11 21:01 75,328 --a------ C:\WINDOWS\SYSTEM32\fyogjfyy.exe
2007-08-11 20:42 75,328 --a------ C:\WINDOWS\SYSTEM32\ghctgnhb.exe
2007-08-11 20:34 2,054 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-11 15:59 75,328 --a------ C:\WINDOWS\SYSTEM32\iwypmbkn.exe
2007-08-11 15:50 75,328 --a------ C:\WINDOWS\SYSTEM32\bfkikqtm.exe
2007-08-11 15:41 75,328 --a------ C:\WINDOWS\SYSTEM32\fgwsvvrl.exe
2007-08-11 15:41 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-11 14:02 75,328 --a------ C:\WINDOWS\SYSTEM32\dhhdddir.exe
2007-08-11 11:35 75,328 --a------ C:\WINDOWS\SYSTEM32\pqglfcus.exe
2007-08-11 11:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 11:20 75,328 --a------ C:\WINDOWS\SYSTEM32\uisvbghq.exe
2007-08-11 11:20 <DIR> d-------- C:\Program Files\EndItAll
2007-08-11 11:14 75,328 --a------ C:\WINDOWS\SYSTEM32\meiyqenx.exe
2007-08-11 11:02 75,328 --a------ C:\WINDOWS\SYSTEM32\jjlmscsp.exe
2007-08-11 10:09 75,328 --a------ C:\WINDOWS\SYSTEM32\rrqenjym.exe
2007-08-11 10:06 1,687,980 ---hs---- C:\WINDOWS\SYSTEM32\hjiii.ini2
2007-08-11 09:59 8,704 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\alpnyrjtaphl.sys
2007-08-11 09:47 75,328 --a------ C:\WINDOWS\SYSTEM32\npxntmle.exe
2007-08-11 09:29 75,328 --a------ C:\WINDOWS\SYSTEM32\yonwgepa.exe
2007-08-11 09:29 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2007-08-11 09:23 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-11 09:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-11 09:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-11 09:02 75,328 --a------ C:\WINDOWS\SYSTEM32\rfhnkfen.exe
2007-08-08 17:12 75,328 --a------ C:\WINDOWS\SYSTEM32\vkdpllki.exe
2007-08-05 21:18 <DIR> d-------- C:\WINDOWS\fqwq
2007-08-05 21:18 <DIR> d-------- C:\Program Files\Common Files\fqwq
2007-08-04 12:40 <DIR> d--hs---- C:\WINDOWS\U0xU
2007-08-03 13:37 1,726,714 ---hs---- C:\WINDOWS\SYSTEM32\hjiii.bak2
2007-08-02 05:51 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-08-02 05:50 228,960 --a------ C:\WINDOWS\SYSTEM32\iiijh.dll.vir
2007-08-02 05:50 1,726,767 ---hs---- C:\WINDOWS\SYSTEM32\hjiii.bak1
2007-08-02 05:45 31,254 --a------ C:\WINDOWS\SYSTEM32\gebaxyx.dll.vir
2007-08-02 05:45 <DIR> d-------- C:\Temp
2007-08-01 21:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 21:40 --------- d-------- C:\Program Files\Windows NT
2007-08-13 21:19 --------- d-------- C:\Program Files\Viewpoint
2007-08-12 17:41 --------- d-------- C:\Program Files\Dell
2007-08-11 15:46 246 --a------ C:\Program Files\Common Files\laxu197
2007-08-11 11:41 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 11:41 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-11 11:29 --------- d-------- C:\Program Files\Ctrax Player
2007-08-11 09:13 --------- d-------- C:\Program Files\Real
2007-08-11 09:13 --------- d-------- C:\Program Files\Common Files\Real
2007-08-11 09:12 --------- d-------- C:\DOCUME~1\SLT\APPLIC~1\Real
2007-08-11 09:11 --------- d-------- C:\Program Files\QuickTime
2007-08-11 09:10 --------- d-------- C:\DOCUME~1\SLT\APPLIC~1\Lavasoft
2007-07-28 04:06 135 --a------ C:\Program Files\Common Files\prohdy.html
2007-07-19 08:47 --------- d--h----- C:\DOCUME~1\SLT\APPLIC~1\GTek
2007-07-06 09:33 --------- d-------- C:\DOCUME~1\SLT\APPLIC~1\AOL
2007-07-01 21:26 --------- d-------- C:\Program Files\AOL 9.0
2007-07-01 21:24 --------- d-------- C:\Program Files\Common Files\aol
2007-07-01 21:22 --------- d-------- C:\Program Files\Common Files\aolshare
2007-06-21 18:10 --------- d-------- C:\Program Files\AIM6
2007-06-21 09:59 --------- d-------- C:\Program Files\Pure Networks
2007-05-16 10:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF87797-75F1-4773-B946-8B5F793A3E1C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FF9F4C6-392C-48DA-2971-3EB60A40F2EA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52948E4D-C125-40A2-EFB3-3D42F757300F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60C89233-1AF2-4C50-B309-23D35DF6B2F5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\SYSTEM32\pctspk.exe]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 16:47]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []

C:\Documents and Settings\SLT\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 SMC2835W_PCI;SMC2835W 2.4GHz 54 Mbps Wireless Cardbus Driver;C:\WINDOWS\system32\DRIVERS\2835WICB.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 16:44:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 16:45:58
C:\ComboFix-quarantined-files.txt ... 2007-08-15 16:45
C:\ComboFix2.txt ... 2007-08-13 21:49

--- E O F ---

#4 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 15 August 2007 - 09:41 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\lojegaau.exe
C:\WINDOWS\SYSTEM32\tjrijufc.exe
C:\WINDOWS\SYSTEM32\tclwymcf.exe
C:\WINDOWS\SYSTEM32\fyogjfyy.exe
C:\WINDOWS\SYSTEM32\ghctgnhb.exe
C:\WINDOWS\SYSTEM32\iwypmbkn.exe
C:\WINDOWS\SYSTEM32\bfkikqtm.exe
C:\WINDOWS\SYSTEM32\fgwsvvrl.exe
C:\WINDOWS\SYSTEM32\dhhdddir.exe
C:\WINDOWS\SYSTEM32\pqglfcus.exe
C:\WINDOWS\SYSTEM32\uisvbghq.exe
C:\WINDOWS\SYSTEM32\meiyqenx.exe
C:\WINDOWS\SYSTEM32\jjlmscsp.exe
C:\WINDOWS\SYSTEM32\rrqenjym.exe
C:\WINDOWS\SYSTEM32\hjiii.ini2
C:\WINDOWS\SYSTEM32\DRIVERS\alpnyrjtaphl.sys
C:\WINDOWS\SYSTEM32\npxntmle.exe
C:\WINDOWS\SYSTEM32\yonwgepa.exe
C:\WINDOWS\SYSTEM32\rfhnkfen.exe
C:\WINDOWS\SYSTEM32\vkdpllki.exe
C:\Program Files\Common Files\prohdy.html
C:\Program Files\Common Files\fqwq
C:\WINDOWS\SYSTEM32\hjiii.bak2
C:\WINDOWS\SYSTEM32\iiijh.dll.vir
C:\WINDOWS\SYSTEM32\hjiii.bak1
C:\WINDOWS\SYSTEM32\gebaxyx.dll.vir

Folder::
C:\Program Files\Viewpoint
C:\WINDOWS\fqwq
C:\WINDOWS\U0xU
C:\Program Files\Common Files\laxu197

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF87797-75F1-4773-B946-8B5F793A3E1C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FF9F4C6-392C-48DA-2971-3EB60A40F2EA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52948E4D-C125-40A2-EFB3-3D42F757300F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60C89233-1AF2-4C50-B309-23D35DF6B2F5}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

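The File:: and Folder:: lists in the post above line up with two patterns in the ComboFix "Files Created" listing from the previous reply: eighteen 75,328-byte executables with eight-letter names written into SYSTEM32 over five days, and entries created with the hidden and system attributes under C:\WINDOWS (the hjiii.* files and the U0xU folder). As an added example, not part of this thread and not ComboFix's own code, the Python below extracts both patterns from that listing and prints them in the File::/Folder:: layout of a CFScript; the Registry:: section is not derived, because the BHO CLSIDs come from a different part of the log. The data lines are copied from the log above; the regexes, the eight-letter rule, the cluster threshold and the function names are this example's own assumptions, and the output is a review list for the helper, not a script to run unread.

```python
"""Cluster the 'Files Created' section of a ComboFix log (added example).

A dropper that re-writes itself under a fresh random name leaves many files of
identical size in one directory, created at many different times. Grouping by
(directory, size) recovers that set; hidden+system entries created under
%SystemRoot% are collected alongside. Data lines are copied from the log above;
rules and names are this example's own assumptions, not ComboFix functionality."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    is_dir: bool
    size: int
    attrs: str
    path: str


ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
EIGHT_LOWER_RE = re.compile(r"^[a-z]{8}$")


def parse_created(section: str) -> List[Entry]:
    """One Entry per 'date time size attrs path' line; anything else is skipped."""
    entries = []
    for line in section.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            size, attrs, path = m.groups()
            is_dir = size == "<DIR>"
            entries.append(Entry(is_dir, 0 if is_dir else int(size.replace(",", "")), attrs, path))
    return entries


def size_clusters(entries: List[Entry], min_members: int = 3) -> Dict[Tuple[str, int], List[str]]:
    """Files with eight-lowercase-letter names, grouped by (directory, size);
    only groups of at least min_members are returned."""
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for e in entries:
        directory, _, name = e.path.rpartition("\\")
        if not e.is_dir and EIGHT_LOWER_RE.match(name.rpartition(".")[0]):
            groups[(directory.lower(), e.size)].append(e.path)
    return {key: paths for key, paths in groups.items() if len(paths) >= min_members}


def hidden_system_entries(entries: List[Entry], root: str = "c:\\windows") -> List[Entry]:
    """Entries created with both the hidden and system attributes under root;
    ordinary installers do not create those there."""
    return [e for e in entries
            if "h" in e.attrs and "s" in e.attrs and e.path.lower().startswith(root + "\\")]


def build_cfscript(section: str) -> str:
    """Render the findings in the File:: / Folder:: layout of a CFScript."""
    entries = parse_created(section)
    files = [p for paths in size_clusters(entries).values() for p in paths]
    folders: List[str] = []
    for e in hidden_system_entries(entries):
        (folders if e.is_dir else files).append(e.path)
    lines = ["File::", *sorted(set(files))]
    if folders:
        lines += ["", "Folder::", *sorted(set(folders))]
    return "\n".join(lines) + "\n"


# Constructed sample: 'Files Created' lines copied from the ComboFix log above.
SAMPLE_FILES_CREATED = r"""
2007-08-15 16:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-13 21:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 20:30 75,328 --a------ C:\WINDOWS\SYSTEM32\lojegaau.exe
2007-08-12 17:23 75,328 --a------ C:\WINDOWS\SYSTEM32\tclwymcf.exe
2007-08-12 10:12 75,328 --a------ C:\WINDOWS\SYSTEM32\tjrijufc.exe
2007-08-11 21:01 75,328 --a------ C:\WINDOWS\SYSTEM32\fyogjfyy.exe
2007-08-11 20:42 75,328 --a------ C:\WINDOWS\SYSTEM32\ghctgnhb.exe
2007-08-11 15:59 75,328 --a------ C:\WINDOWS\SYSTEM32\iwypmbkn.exe
2007-08-11 15:50 75,328 --a------ C:\WINDOWS\SYSTEM32\bfkikqtm.exe
2007-08-11 15:41 75,328 --a------ C:\WINDOWS\SYSTEM32\fgwsvvrl.exe
2007-08-11 14:02 75,328 --a------ C:\WINDOWS\SYSTEM32\dhhdddir.exe
2007-08-11 11:35 75,328 --a------ C:\WINDOWS\SYSTEM32\pqglfcus.exe
2007-08-11 11:20 75,328 --a------ C:\WINDOWS\SYSTEM32\uisvbghq.exe
2007-08-11 11:14 75,328 --a------ C:\WINDOWS\SYSTEM32\meiyqenx.exe
2007-08-11 11:02 75,328 --a------ C:\WINDOWS\SYSTEM32\jjlmscsp.exe
2007-08-11 10:09 75,328 --a------ C:\WINDOWS\SYSTEM32\rrqenjym.exe
2007-08-11 10:06 1,687,980 ---hs---- C:\WINDOWS\SYSTEM32\hjiii.ini2
2007-08-11 09:47 75,328 --a------ C:\WINDOWS\SYSTEM32\npxntmle.exe
2007-08-11 09:29 75,328 --a------ C:\WINDOWS\SYSTEM32\yonwgepa.exe
2007-08-11 09:23 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-11 09:02 75,328 --a------ C:\WINDOWS\SYSTEM32\rfhnkfen.exe
2007-08-08 17:12 75,328 --a------ C:\WINDOWS\SYSTEM32\vkdpllki.exe
2007-08-04 12:40 <DIR> d--hs---- C:\WINDOWS\U0xU
2007-08-03 13:37 1,726,714 ---hs---- C:\WINDOWS\SYSTEM32\hjiii.bak2
2007-08-02 05:50 1,726,767 ---hs---- C:\WINDOWS\SYSTEM32\hjiii.bak1
"""

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_FILES_CREATED))
```

On the sample the size cluster is exactly the eighteen 75,328-byte SYSTEM32 executables, and the hidden+system rule adds the three hjiii.* files and the U0xU folder; nircmd.exe (a ComboFix component) and the hidden-only NTUSER.DAT outside C:\WINDOWS are left alone. The same listing also holds the .vir files and the prohdy.html/laxu197 entries from the helper's script, which neither rule catches: those came from the Find3M report and from knowing the family, not from this pattern.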

#5 smoosh (New Member, 3 posts)

Posted 16 August 2007 - 05:02 PM

I ran the CFScript in ComboFix & another HijackThis log; here they are...

ComboFix 07-08-09.3 - "SLT" 2007-08-16 16:38:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.24 [GMT -5:00]
Command switches used :: C:\Documents and Settings\SLT\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\lojegaau.exe
C:\WINDOWS\SYSTEM32\tjrijufc.exe
C:\WINDOWS\SYSTEM32\tclwymcf.exe
C:\WINDOWS\SYSTEM32\fyogjfyy.exe
C:\WINDOWS\SYSTEM32\ghctgnhb.exe
C:\WINDOWS\SYSTEM32\iwypmbkn.exe
C:\WINDOWS\SYSTEM32\bfkikqtm.exe
C:\WINDOWS\SYSTEM32\fgwsvvrl.exe
C:\WINDOWS\SYSTEM32\dhhdddir.exe
C:\WINDOWS\SYSTEM32\pqglfcus.exe
C:\WINDOWS\SYSTEM32\uisvbghq.exe
C:\WINDOWS\SYSTEM32\meiyqenx.exe
C:\WINDOWS\SYSTEM32\jjlmscsp.exe
C:\WINDOWS\SYSTEM32\rrqenjym.exe
C:\WINDOWS\SYSTEM32\hjiii.ini2
C:\WINDOWS\SYSTEM32\DRIVERS\alpnyrjtaphl.sys
C:\WINDOWS\SYSTEM32\npxntmle.exe
C:\WINDOWS\SYSTEM32\yonwgepa.exe
C:\WINDOWS\SYSTEM32\rfhnkfen.exe
C:\WINDOWS\SYSTEM32\vkdpllki.exe
C:\Program Files\Common Files\prohdy.html
C:\Program Files\Common Files\fqwq
C:\WINDOWS\SYSTEM32\hjiii.bak2
C:\WINDOWS\SYSTEM32\iiijh.dll.vir
C:\WINDOWS\SYSTEM32\hjiii.bak1
C:\WINDOWS\SYSTEM32\gebaxyx.dll.vir


***************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 5:43:04 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\AOL\1183342695\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\SLT\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://osu.facebook....php?id=12410031
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 16 August 2007 - 05:18 PM

Please post the entire ComboFix.txt. You will find it at C:\ComboFix.txt.

Thanks,
Trevuren

#7 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 21 August 2007 - 11:23 PM

I hope you are well and not experiencing any difficulties carrying out my last set of instructions. If you are, do not hesitate to ask for further explanations. If however, your problem has been solved or you no longer require our assistance, please advise us accordingly and we will archive your topic.

Trevuren

#8 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 02 September 2007 - 02:46 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
