[Closed] wowfx.dll


34 replies to this topic

#1 howcho (Authentic Member, 22 posts)

Posted 05 April 2008 - 10:51 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:50:50 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\All Users\Application Data\pefslehm\fmrczgfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\wind32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\maxpaynowti1.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Documents and Settings\administrator\ie_updates3r.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\LG Software\System Control Manager\edd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\lg_swupdate\Gilautouc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ewml500.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\mxuzadin.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Razor\Razor.exe
C:\Program Files\EA Games\Ultima Online Mondain's Legacy\client.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\administrator\My Documents\UO Stuff\euox.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {0dc86bc9-3d48-6eb0-0399-0421245b8d84} - C:\WINDOWS\system32\izrxvaxi.dll
O2 - BHO: (no name) - {141540B8-E5F7-2873-75B8-06955486C808} - C:\WINDOWS\system32\fgutkkmc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\administrator\cftmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [systemdrive] C:\WINDOWS\system32\maxpaynow1.exe
O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\wind32.exe
O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Run: [printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nivmvkfy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nivmvkfy.dll"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [mgsysctrl] C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [lg intelligent update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [kernelfaultcheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ipo3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [drivesystem] C:\WINDOWS\system32\maxpaynowti1.exe
O4 - HKLM\..\Run: [alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [advap32] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\18.tmp"/r
O4 - HKLM\..\Run: [snilclwj] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\snilclwj.dll"
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\administrator\cftmon.exe
O4 - HKCU\..\Run: [windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [service pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [indxstoresvr_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [brave-sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - HKCU\..\Run: [haoqsrkp] C:\WINDOWS\system32\mxuzadin.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://www.mikescomputershop.com
O16 - DPF: {123BBFF5-F9E4-4B0A-A75B-B545AC5AAB91} (DiagClientA Class) - https://mcpe.portal..../DiagClient.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3C9ECC99-D050-4AA2-9D9A-C0EA26252005} (DealerIdentity Class) - https://mcpe.portal....lerIdentity.CAB
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - https://ea-land.ea.c...stall/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201810158652
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.friesenequipment.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\administrator\ie_updates3r.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Evil Driver Daemon (NishService) - Unknown owner - C:\Program Files\LG Software\System Control Manager\edd.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
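A triage pass over the kind of HijackThis lines posted above, as an added example that is not part of this thread or of HijackThis itself: it flags the chained UserInit value, the populated AppInit_DLLs, the service hosted in an NTFS alternate data stream, and the Run entries that autostart from user-writable paths or imitate system binaries. The sample lines are copied from the first log above; the rule set and the list of genuine system binaries are my own choices, not HijackThis logic.

```python
"""Triage of HijackThis (HJT) log lines for the persistence anomalies seen in
this thread. Illustrative code written for the thread, not an HJT feature."""
import difflib
import re

# Constructed sample: a subset of the first HJT log in the thread, with two
# benign entries (vptray, DefWatch) kept so the rules have something to pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nivmvkfy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nivmvkfy.dll"
O4 - HKLM\..\Run: [advap32] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\18.tmp"/r
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\administrator\cftmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Genuine Windows binaries that the files in this log imitate by name
# (spools.exe vs spoolsv.exe, cftmon.exe vs ctfmon.exe). My own short list.
SYSTEM_BINARIES = {"spoolsv.exe", "ctfmon.exe", "svchost.exe", "winlogon.exe",
                   "userinit.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "smss.exe", "services.exe"}
# Directory fragments a normal user can write to; an autostart from one of
# these deserves a look.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\")

# A drive-letter path up to a known extension, plus an optional ":stream" ADS suffix.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.(?:exe|dll|tmp|sys)\b(?::[^\s"]+)?', re.I)
LINE_RE = re.compile(r'^(F2|O4|O20|O23) - (.*)$')


def paths_in(command):
    """All program paths in a Run/Service command, quoted or not."""
    return PATH_RE.findall(command)


def check_path(path):
    """Reasons a single program path looks suspicious (empty list = nothing)."""
    reasons = []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if ":" in path[2:]:  # a colon past the drive letter means an NTFS ADS host
        reasons.append("runs from an alternate data stream: " + path)
    if any(d in low for d in USER_WRITABLE):
        reasons.append("autostarts from a user-writable location: " + path)
    if "\\drivers\\" in low and name.endswith(".exe"):
        reasons.append("an .exe stored in the drivers directory: " + path)
    if name not in SYSTEM_BINARIES:
        near = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.85)
        if near:
            reasons.append(f"{name} imitates system binary {near[0]}")
    return reasons


def triage(log_text):
    """Map each flagged HJT line to its reasons; clean lines are omitted."""
    findings = {}
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons = []
        if kind == "F2" and body.startswith("REG:system.ini: UserInit="):
            # Winlogon runs every comma-separated entry; only userinit.exe belongs.
            entries = [e for e in body.split("=", 1)[1].split(",") if e]
            reasons += ["extra UserInit program: " + e for e in entries
                        if not e.lower().endswith("\\userinit.exe")]
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            # Any value here is loaded into every process that maps user32.dll.
            value = body.split(":", 1)[1].strip()
            if value:
                reasons.append("AppInit_DLLs injects " + value)
        elif kind in ("O4", "O23"):
            command = body.rsplit(" - ", 1)[-1] if kind == "O23" else body.split("] ", 1)[-1]
            for p in paths_in(command):
                reasons += check_path(p)
            if kind == "O4" and "regsvr32" in command.lower():
                reasons.append("Run key invokes regsvr32 on " + ", ".join(paths_in(command)))
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```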



#2 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 05 April 2008 - 01:44 PM

Your log shows a large number of malicious files, which I find a little worrying. Is your anti-virus program up-to-date and does it still update?
Death to the salad eaters!

#3 howcho (Authentic Member, 22 posts)

Posted 05 April 2008 - 03:06 PM

Yes, it is current and it still updates, although it has reached end of life via Symantec. The likely problem is that whilst attempting to do other scans I made the unfortunate decision to disable it for a bit. I noticed many more things hopped into my PC at that point.

#4 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 05 April 2008 - 04:35 PM

it still updates although it has reached end life via symantec.

I'm a little confused about the above - if it has reached its "end life" via Symantec, where are the updates coming from?
Death to the salad eaters!

#5 howcho (Authentic Member, 22 posts)

Posted 05 April 2008 - 06:58 PM

Symantec is still supplying virus definitions for this version but is not updating it with patches or updating the application itself, other than the virus defs.

#6 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 06 April 2008 - 01:05 PM

Download Malwarebytes' Anti-Malware from here and save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh HJT log (run in Normal Mode) AND a description of how your PC is behaving.
Death to the salad eaters!

#7 howcho (Authentic Member, 22 posts)

Posted 06 April 2008 - 01:52 PM

Running this now. Just some information for you... I have been looking through other threads and applying some of the solutions from them. I realize this is not something that is recommended, but I feel somewhat confident with them. The PC has been much more usable after running them, but there are still many issues to resolve. I will post the log from the current scan as soon as it is done. Thank you for proceeding with this.

#8 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 06 April 2008 - 02:16 PM

I have been looking through other threads and applying some of the solutions from them. I realize this is not something that is recommended but I feel somewhat confident with them

Your confidence isn't the issue. There are a number of reasons why this isn't a good idea:

1) If an infection has one identifier and you remove it, but not the whole infection, it makes it much more difficult to deal with.
2) If a scanner identifies a file as infected, it may choose to delete the file rather than try to disinfect it, which has actually rendered PCs unbootable in the worst of cases.
3) If a scanner falsely identifies a file as infected and it doesn't create a backup, you can't easily undo the damage.

Basically you make the whole task potentially more difficult and perhaps impossible to resolve satisfactorily.
If you have kept logs of the scanners run and lists of the files, folders and registry keys that have been deleted, I'd like to see them. I'd also like to know what tools you've run.
Death to the salad eaters!

#9 howcho (Authentic Member, 22 posts)

Posted 06 April 2008 - 02:57 PM

You may get tired of me real quick. I will try to be patient in resolving this, as it seems my impatience might be getting the best of me. I have run ComboFix and SDFix. In truth I am not sure either finished successfully. Here are the logs I can find:

C:\QooBox\Quarantine (not sure which program generated this)


-------- 2008-04-05 -------------

file zipped: C:\WINDOWS\system32\wowfx.dll -> catchme.zip -> wowfx.dll ( 18944 bytes )
error: C:\WINDOWS\system32\wowfx.dll is not a PE file
PE file "C:\WINDOWS\system32\wowfx.dll" killed successfully
file zipped: C:\WINDOWS\system32\config\42310694.Evt -> catchme.zip -> 42310694.Evt ( 39680 bytes )
PE file "C:\WINDOWS\system32\config\42310694.Evt" killed successfully


c:sdfix


SDFix: Version 1.166

Run by Administrator on 2008-04-05 at 22:45

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
FCI
Google Online Services
PWD06

Path:
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\Documents and Settings\administrator\ie_updates3r.exe -A
System32\Drivers\Pwd06.sys

FCI - Deleted
Google Online Services - Deleted
PWD06 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value
Restoring Missing SharedAccess Service
Resetting AppInit_DLLs value


Rebooting

Service PWD06 - Deleted after Reboot
Service asc3550p - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\37.TMP - Deleted
C:\551000~1 - Deleted
C:\WINDOWS\TEMP\BABKIN~1.EXE - Deleted
C:\WINDOWS\TEMP\RUDKGSSK.EXE - Deleted
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\d.exe - Deleted
C:\Documents and Settings\administrator\ie_updates3r.exe - Deleted
C:\autoex.dll - Deleted
C:\WINDOWS\system32\msram.dll - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\Temp\babkinepaxnut.exe - Deleted
C:\WINDOWS\Temp\codec.exe - Deleted
C:\WINDOWS\Temp\dllsvr32.exe - Deleted
C:\WINDOWS\Temp\sh.exe - Deleted
C:\WINDOWS\winlogon.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\drivers\PWD06.sys - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 28672 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.

#10 howcho (Authentic Member, 22 posts)

Posted 06 April 2008 - 04:43 PM

Wow, three hours and counting on the scan you asked for...



#11 howcho (Authentic Member, 22 posts)

Posted 06 April 2008 - 06:46 PM

Malwarebytes' Anti-Malware 1.10
Database version: 597

Scan type: Full Scan (C:\|)
Objects scanned: 547783
Time elapsed: 4 hour(s), 57 minute(s), 19 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 26

Memory Processes Infected:
C:\WINDOWS\system32\mxuzadin.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\mxuzadin.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itcoe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\itcoe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itcoe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\grande48 (Rootkit.Srizbi) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\mxuzadin.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dcredmta.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zerqxuhm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\2F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\33.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\icxh.exe (Worm.Socks) -> Quarantined and deleted successfully.
C:\idfq.exe (Worm.Socks) -> Quarantined and deleted successfully.
C:\xolkyggk.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\856V41QV\us[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\FC814HUH\us[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pefslehm\fmrczgfy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2Y0U2Q31\notepad[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2Y0U2Q31\notepad[2].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wind32.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\Temp\106.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001094.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001097.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\itcoe.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ibudu.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\toahsxde.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of HijackThis v1.99.1
Scan saved at 17:55, on 2008-04-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LG Software\System Control Manager\edd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\lg_swupdate\Gilautouc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Razor\Razor.exe
C:\Program Files\EA Games\Ultima Online Mondain's Legacy\client.exe
C:\Program Files\UOAM\uoam.exe
C:\Documents and Settings\administrator\My Documents\UO Stuff\euox.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {0dc86bc9-3d48-6eb0-0399-0421245b8d84} - C:\WINDOWS\system32\izrxvaxi.dll
O2 - BHO: (no name) - {141540B8-E5F7-2873-75B8-06955486C808} - C:\WINDOWS\system32\fgutkkmc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [mgsysctrl] C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [lg intelligent update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [ipo3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [indxstoresvr_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [haoqsrkp] C:\WINDOWS\system32\mxuzadin.exe
O4 - HKCU\..\Run: [ylsrrrxg] C:\WINDOWS\system32\dcredmta.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://www.mikescomputershop.com
O16 - DPF: {123BBFF5-F9E4-4B0A-A75B-B545AC5AAB91} (DiagClientA Class) - https://mcpe.portal..../DiagClient.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3C9ECC99-D050-4AA2-9D9A-C0EA26252005} (DealerIdentity Class) - https://mcpe.portal....lerIdentity.CAB
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - https://ea-land.ea.c...stall/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201810158652
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.friesenequipment.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Evil Driver Daemon (NishService) - Unknown owner - C:\Program Files\LG Software\System Control Manager\edd.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

As far as how the computer is running... not too bad considering all of the above. It is pokey at first to launch anything like a browser or app, but once running it is OK.
I am still getting a lot of annoying popups for rogue apps. That might be a little better now after the first scan and corrections (as suggested by you) have completed.

On another note, can you give me an idea as to the frequency of responses I should expect from you? For instance, would you usually be replying on evenings or weekends only? It would be a big help if you could give me some idea, as I am usually checking this forum about every half hour.

Edited by howcho, 07 April 2008 - 09:55 AM.
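A small triage helper over the O-lines of the HijackThis log above, added here as an example; it is not part of this post and not a HijackThis or What the Tech tool. It parses a handful of lines copied from the log (embedded as a constructed sample), pulls the publisher and path fields out of the O23 service entries, and flags the items a helper would normally check first: services HijackThis reports as "Unknown owner" (no company name in the binary's version info), "(file missing)" entries whose registered binary is gone, and the O10 LSP, O15 Trusted Zone and O20 Winlogon Notify lines. A flag means "verify", not "malicious"; several of the flagged entries in this log belong to legitimate vendor software.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O-lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://www.mikescomputershop.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Evil Driver Daemon (NishService) - Unknown owner - C:\Program Files\LG Software\System Control Manager\edd.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# "O<n> - <body>" is the shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 bodies are "Service: <display name> - <publisher> - <image path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str                 # e.g. "O23"
    body: str                    # everything after "O23 - "
    name: Optional[str] = None   # O23 only: service display name
    owner: Optional[str] = None  # O23 only: publisher as reported by HijackThis
    path: Optional[str] = None   # O23 only: image path (may carry "(file missing)")
    flags: List[str] = field(default_factory=list)


def triage(entry: Entry) -> List[str]:
    """Return review notes for one entry; an empty list means nothing stood out."""
    flags = []
    if entry.section == "O23":
        if entry.owner and entry.owner.lower() == "unknown owner":
            flags.append("service binary carries no company name: verify its origin")
        if entry.path and "(file missing)" in entry.path:
            flags.append("orphaned service: registered binary is no longer on disk")
    elif entry.section == "O10":
        flags.append("Winsock LSP: confirm the publisher before removing")
    elif entry.section == "O15":
        flags.append("Trusted Zone override: confirm the site is expected")
    elif entry.section == "O20":
        flags.append("Winlogon Notify DLL runs at every logon: confirm the publisher")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse the O-lines of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        entry = Entry(section=m.group(1), body=m.group(2))
        if entry.section == "O23":
            sm = SERVICE_RE.match(entry.body)
            if sm:
                entry.name = sm.group("name")
                entry.owner = sm.group("owner")
                entry.path = sm.group("path")
        entry.flags = triage(entry)
        entries.append(entry)
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries that received at least one review note."""
    return [e for e in parse_log(text) if e.flags]


def report(text: str) -> str:
    """Human-readable summary of the flagged entries."""
    lines = []
    for e in flagged(text):
        lines.append(f"{e.section}: {e.body}")
        for note in e.flags:
            lines.append(f"    -> {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running it on the sample prints six flagged entries; the WinVNC4 line collects two notes (unknown owner and file missing), while the Lavasoft service passes with none. The same parser can be pointed at a complete pasted log, since non O-lines are ignored.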


#12 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 07 April 2008 - 01:23 PM

On another note, can you give me an idea as to the frequency of responses I should expect from you?

GMT evenings - my boss thinks I should be at work during the day!

Combofix should have produced a log C:\ComboFix.txt - copy and paste it into your next reply. Also:

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Death to the salad eaters!

#13 howcho

howcho

    Authentic Member

  • Authentic Member
  • 22 posts

Posted 07 April 2008 - 02:58 PM

Sorry, I think I might have nuked the original combofix.txt. Here is the only one I could find; it was in the path c:\combofix\combofix.txt

ComboFix 08-04-04.1 - Administrator 2008-04-05 21:56:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1083 [GMT -7:00]
Running from: C:\Documents and Settings\administrator\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FYI. First run of gmer.exe encountered an error and needed to close. Will try again.
.

#14 howcho

howcho

    Authentic Member

  • Authentic Member
  • 22 posts

Posted 07 April 2008 - 03:57 PM

Attempted to run gmer 4 separate times; it failed on every occasion. I have been using my computer very little while the scan was running. I will try to run it again when I do not have to use the machine.

#15 howcho

howcho

    Authentic Member

  • Authentic Member
  • 22 posts

Posted 07 April 2008 - 10:07 PM

The application gmer.exe is continually failing. It is crashing when it gets to this folder: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine. Within the folder are all the .vbn files which it is hanging on. I am very tempted to delete all the .vbn files, as I can always reinstall Norton and get the files back.

Update as to what I am up to... Instead of deleting the files or Symantec, I have tried several approaches:
1. I disabled Norton via services (no luck).
2. Attempted to delete the .vbn files (could not).
3. Went into safe mode with command prompt and renamed the files to .vbm.
After step three, the program looks as if it might get past that directory.

Edited by howcho, 07 April 2008 - 11:56 PM.
