News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
September 02, 2010, 07:55:49 AM
Topic: Extraordinarily Infected Machine (HJT log included)  (Read 2688 times)
« on: August 17, 2007, 04:35:35 PM »
Josiah
Newbie


Karma: 0
Posts: 18



A buddy asked me to fix up his computer.  He said it was infected with spyware and OH MY GOD was he right.  This machine is probably the most infected thing I've ever seen.  Nothing on it runs.  Two things I've noticed:

1. When I ctrl + alt + delete into the xp pro menu, the button for "task manager" is greyed out, even though his account is an administrator.

2.  When I try to install ad aware, I get an error message to the effect of "the system administrator has set policies to prevent this installation"

Anyway, here is his HJT log.  Could someone take a look and report back, please?

Logfile of HijackThis v1.99.1
Scan saved at 8:23:21 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
E:\Apps\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [Music Alarm Clock] C:\PROGRA~1\MUSICA~1\mac.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124291200\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win204.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [horycynyf] C:\Program Files\Windows Media Player\horycynyf9.exe
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\WinAntiSpyware 2007 FreeInstall.exe" -nag
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\wmbpvjeb.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotDeletingA8036] command /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9329] cmd /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8356] command /c del "C:\WINDOWS\system32\jkkjk.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5062] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6980] command /c del "C:\WINDOWS\system32\byxwvwv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1201] cmd /c del "C:\WINDOWS\system32\byxwvwv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\mlljj.dll_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5883] cmd /c del "C:\WINDOWS\system32\mlljj.dll_tobedeleted_old_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\ASEMBL~1\regsvr32.exe" -vt yazb
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{032D16DA-2BFF-4215-9B62-9BD0194A4F8C}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AA20FDF-7DF8-47FB-BFCB-4530AC00DDB2}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE207906-A2AA-48DB-8F0E-E851D533D6BE}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{032D16DA-2BFF-4215-9B62-9BD0194A4F8C}: NameServer = 194.54.90.226
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DomainService -   - C:\WINDOWS\system32\ekdjroah.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

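A log like the one above is triaged section by section: the O4 autoruns, the O7 policy restrictions (the same Policies\System key in which this log's DisableRegedit entry sits), the O17 DNS servers, the O20 AppInit_DLLs value and the O23 services. As an added example, not from this thread and not code from HijackThis itself, the Python script below applies those first-pass checks to a handful of lines copied from Josiah's log and embedded as constructed input. The resolver allowlist (two private networks) and the rule names are assumptions made for the example; an analyst would substitute the resolvers the machine is actually expected to use.

```python
"""Triage a HijackThis (HJT) log: flag the entry types a malware-removal helper
looks at first. Added example; not part of the thread and not HJT's own code."""
import re
import ipaddress

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win204.tmp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{032D16DA-2BFF-4215-9B62-9BD0194A4F8C}: NameServer = 194.54.90.226
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll
O23 - Service: DomainService -   - C:\WINDOWS\system32\ekdjroah.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

# Assumed allowlist: the resolvers this machine is expected to use (here two
# private ranges, as a stand-in for the ISP's or router's addresses).
EXPECTED_DNS = (ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8"))

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_of(cmd):
    """Return the program part of a Run-key command: the quoted path if the
    command is quoted, otherwise everything up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else (cmd.split()[0] if cmd else "")


def triage_hjt(log_text):
    """Return a list of (section, reason, line) findings for an HJT log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            low = exe.lower()
            if "\\" not in exe:
                findings.append(("O4", "bare filename, located via PATH search", line))
            elif "\\temp\\" in low:
                findings.append(("O4", "autorun from a Temp directory", line))
            elif low.rsplit("\\", 1)[0] == "c:\\windows":
                findings.append(("O4", "executable directly in the Windows directory", line))
            continue
        if line.startswith("O7 - "):
            findings.append(("O7", "policy restriction applied to the user", line))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m.group("ips").split(","):
                addr = ipaddress.ip_address(ip.strip())
                if not any(addr in net for net in EXPECTED_DNS):
                    findings.append(("O17", f"DNS server {addr} not in the expected resolver set", line))
            continue
        m = O20_RE.match(line)
        if m and m.group("dlls"):
            findings.append(("O20", "AppInit_DLLs value set (DLL loaded into GUI processes)", line))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("owner").strip() in ("", "Unknown owner"):
                reasons.append("no vendor name")
            if m.group("path").endswith("(file missing)"):
                reasons.append("binary missing")
            if reasons:
                findings.append(("O23", "service: " + ", ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The rules deliberately stay on the side of "worth a look" rather than "malicious": a bare filename in a Run key or a service with no vendor is not proof of anything, but each is a line a helper would ask the poster about, and the O17 and O20 checks single out the two entries that affect every program on the box (name resolution and DLL injection into GUI processes).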
« Reply #1 on: August 19, 2007, 01:15:12 AM »
Josiah
Newbie


Karma: 0
Posts: 18



OK, so 1 day later and much has changed.  I've been battling the malware most of the day with half a dozen scanners and removal tools, as well as some good old fashioned reg-editing.  Anyway, here is what the file looks like now.  I'd still appreciate it if someone had a look and pointed out anything I may be missing:

Logfile of HijackThis v1.99.1
Scan saved at 5:10:24 AM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Apps\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {A11476F7-FCC9-47A5-07AD-7BF7789A880A} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {D006D477-B798-43B2-8846-20016C115B43} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{032D16DA-2BFF-4215-9B62-9BD0194A4F8C}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AA20FDF-7DF8-47FB-BFCB-4530AC00DDB2}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE207906-A2AA-48DB-8F0E-E851D533D6BE}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{032D16DA-2BFF-4215-9B62-9BD0194A4F8C}: NameServer = 194.54.90.226
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JMP License Service - SAS Institute Inc. - C:\Program Files\Common Files\SAS Institute Inc Shared\Service\JMPLicSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

« Reply #2 on: August 21, 2007, 10:16:59 PM »
Malware Scum, Die!
TeMerc
Countermeasures Leader
Administrator

Karma: 66
Posts: 6146



Hi and welcome to CEXX forums, sorry for the delay in a reply.

Looks like a bot is present on this machine; we'll run the special tool and see what it finds.

Also please advise what tools were used, in what order and post the logs generated.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

« Reply #3 on: November 15, 2007, 06:58:12 AM »
Arecibo
Newbie


Karma: 0
Posts: 2



SDFix: Version 1.114

Run by Andrew Taylor on Thu 11/15/2007 at 09:33 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
aspimgr

Path:
C:\WINDOWS\system32\aspimgr.exe

aspimgr - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\-11260~1 - Deleted
C:\Program Files\poolsv\YazzleBundle-1549.exe - Deleted
C:\Documents and Settings\Andrew Taylor\Start Menu\Programs\Startup\TA_Start.lnk  - Deleted
C:\Documents and Settings\Andrew Taylor\Application Data\Install.dat  - Deleted
C:\Documents and Settings\Andrew Taylor\Application Data\.rdr.ini  - Deleted
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\abc123.pid  - Deleted
C:\WINDOWS\s32.txt  - Deleted
C:\WINDOWS\svhost.exe  - Deleted
C:\WINDOWS\system32\ldinfo.ldr  - Deleted
C:\WINDOWS\system32\n.ini  - Deleted
C:\WINDOWS\tcb.pmw  - Deleted
C:\WINDOWS\Temp\removalfile.bat  - Deleted
C:\WINDOWS\ws386.ini  - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys  - Deleted


Folder C:\Documents and Settings\Andrew Taylor\Application Data\WinTouch - Removed
Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\poolsv - Removed
Folder C:\Program Files\WinPop - Removed
Folder C:\Temp\brr - Removed
Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\system32\b02FdUe - Removed
Folder C:\WINDOWS\system32\b06FdUe - Removed
Folder C:\WINDOWS\system32\f06WtR - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 09:43:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Andrew Taylor\Cookies\andrew_taylor@sillaptak[1].txt 267 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed  1 Sep 2004        54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed  1 Sep 2004       156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed  1 Sep 2004        31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 14 Aug 2007       230,400 ..SHR --- "C:\Program Files\s?stem32\??ool32.exe"
Sun 28 Oct 2007       411,511 ..SH. --- "C:\WINDOWS\system32\cdeeg.bak1"
Sun  7 Oct 2007     1,492,120 ..SH. --- "C:\WINDOWS\system32\cfhkj.bak1"
Fri  9 Nov 2007       454,430 ..SH. --- "C:\WINDOWS\system32\dfhkj.bak1"
Tue  4 Apr 2006       340,264 A.SH. --- "C:\WINDOWS\system32\fhkmp.bak1"
Thu  6 Apr 2006       492,259 A.SH. --- "C:\WINDOWS\system32\fhkmp.bak2"
Wed  3 Oct 2007     1,576,417 ..SH. --- "C:\WINDOWS\system32\gjjlm.tmp"
Fri  5 Oct 2007     1,477,538 ..SH. --- "C:\WINDOWS\system32\gjjlm.bak1"
Thu  4 Oct 2007     1,483,107 ..SH. --- "C:\WINDOWS\system32\gjjlm.bak2"
Sun 11 Nov 2007       452,322 ..SH. --- "C:\WINDOWS\system32\kjkkj.bak1"
Fri 14 Sep 2007         8,373 ..SH. --- "C:\WINDOWS\system32\kjllm.bak1"
Wed 10 Oct 2007       679,105 ..SH. --- "C:\WINDOWS\system32\mlnmp.bak1"
Sat 27 Oct 2007       412,411 ..SH. --- "C:\WINDOWS\system32\oqstv.bak1"
Thu 15 Nov 2007       447,510 ..SH. --- "C:\WINDOWS\system32\pstwa.bak1"
Tue  6 Sep 2005       182,172 A.SH. --- "C:\WINDOWS\system32\rttss.bak1"
Mon  5 Sep 2005       179,540 A.SH. --- "C:\WINDOWS\system32\rttss.bak2"
Wed  7 Nov 2007       429,181 ..SH. --- "C:\WINDOWS\system32\sttss.bak1"
Wed 14 Nov 2007       452,293 ..SH. --- "C:\WINDOWS\system32\stvwa.bak1"
Thu 25 Oct 2007       420,016 ..SH. --- "C:\WINDOWS\system32\wybeg.bak1"
Thu  1 Nov 2007       419,348 ..SH. --- "C:\WINDOWS\system32\xybeg.bak1"
Mon 15 Oct 2007       627,919 ..SH. --- "C:\WINDOWS\system32\ybeeg.bak1"
Wed 29 Jun 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu  1 Sep 2005        24,064 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0001.tmp"
Wed 26 Sep 2007        33,280 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0002.tmp"
Sun 15 Jul 2007        28,672 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0005.tmp"
Tue  9 Oct 2007        33,280 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0006.tmp"
Sun 11 Sep 2005        25,088 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0021.tmp"
Sun 11 Sep 2005        28,160 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0056.tmp"
Sun 11 Sep 2005        28,672 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0305.tmp"
Tue  9 Oct 2007        87,040 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0480.tmp"
Sun 11 Sep 2005        26,112 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0485.tmp"
Tue  3 Apr 2007        58,368 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0564.tmp"
Mon  8 Oct 2007        87,040 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0585.tmp"
Sun 11 Sep 2005        28,160 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0958.tmp"
Sun 11 Sep 2005        27,136 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL1307.tmp"
Sat 14 Jan 2006        32,256 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL1315.tmp"
Sun 11 Sep 2005        26,624 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL1522.tmp"
Mon 12 Nov 2007     3,929,600 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL1567.tmp"
Sun 15 Jul 2007        28,672 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL1695.tmp"
Mon 23 Jan 2006        34,304 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL1845.tmp"
Tue  3 Apr 2007        58,368 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL2062.tmp"
Sun 11 Sep 2005        27,648 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL2183.tmp"
Wed 26 Sep 2007        32,768 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL2350.tmp"
Sun 11 Sep 2005        29,696 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL2356.tmp"
Tue  9 Oct 2007        87,040 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL2498.tmp"
Sun 15 Jul 2007        28,672 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL3085.tmp"
Sun 15 Jul 2007        28,672 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL3149.tmp"
Tue  9 Oct 2007        33,280 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL3532.tmp"
Sun 11 Sep 2005        27,648 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL3729.tmp"
Sun 11 Sep 2005        25,600 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL3977.tmp"
Sun 11 Sep 2005        24,064 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL4094.tmp"
Sat 18 Aug 2007       145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Fri 28 Sep 2007           407 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti1E0.tmp"
Tue 14 Aug 2007       230,400 ..SHR --- "C:\WINDOWS\system32\F?nts\d?dplay.exe"
Wed  4 Jul 2007           840 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Andrew Taylor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Andrew Taylor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Andrew Taylor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Andrew Taylor\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!
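The "Files with Hidden Attributes" section of that report is where a helper looks for what the automated pass left behind. As an added example, not part of the thread and not SDFix's own code, the Python snippet below parses that section (a few lines copied from the report above, embedded as constructed input) and flags the entries that stand out: paths in which SDFix printed a "?", that is, a character it could not render, so names such as s?stem32 and F?nts are look-alikes of real system folder names; executables carrying the System, Hidden and Read-only attributes together; and System+Hidden files under system32 whose extension is not that of a normal binary. The rule set and the list of binary extensions are assumptions made for the example.

```python
"""Parse the "Files with Hidden Attributes" section of an SDFix report and
flag entries that merit a second look. Added example; not SDFix's own code."""
import re

# Constructed sample: lines copied from the SDFix report posted in this thread.
SAMPLE_REPORT = r"""
Files with Hidden Attributes:

Wed  1 Sep 2004       156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Tue 14 Aug 2007       230,400 ..SHR --- "C:\Program Files\s?stem32\??ool32.exe"
Sun 28 Oct 2007       411,511 ..SH. --- "C:\WINDOWS\system32\cdeeg.bak1"
Wed 29 Jun 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu  1 Sep 2005        24,064 ...H. --- "C:\Documents and Settings\Andrew Taylor\My Documents\~WRL0001.tmp"
Tue 14 Aug 2007       230,400 ..SHR --- "C:\WINDOWS\system32\F?nts\d?dplay.exe"

Finished!
"""

# One entry per line: date, size with thousands separators, a 5-character
# attribute field (A/S/H/R or '.'), '---', then the quoted path.
ENTRY_RE = re.compile(
    r'^(?P<date>\w{3}\s+\d{1,2} \w{3} \d{4})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>\S{5}) --- "(?P<path>.*)"$'
)
BINARY_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")  # assumed set


def parse_hidden_files(report_text):
    """Return the listed entries as dicts (date, size in bytes, attrs, path)."""
    entries = []
    in_section = False
    for line in report_text.splitlines():
        if line.startswith("Files with Hidden Attributes"):
            in_section = True
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "date": m.group("date"),
                "size": int(m.group("size").replace(",", "")),
                "attrs": m.group("attrs"),
                "path": m.group("path"),
            })
    return entries


def flag_hidden_files(entries):
    """Return (path, [reasons]) for the entries that stand out."""
    flagged = []
    for e in entries:
        reasons = []
        path, attrs = e["path"], e["attrs"]
        low = path.lower()
        system = "S" in attrs
        readonly = "R" in attrs
        is_binary = low.endswith(BINARY_EXTS)
        if "?" in path:
            # SDFix prints '?' for a character it cannot render; a folder
            # named s?stem32 imitates a real system folder name.
            reasons.append("unprintable character in path (look-alike name)")
        if is_binary and system and readonly:
            reasons.append("executable with System+Hidden+Read-only attributes")
        if system and not is_binary and "\\system32\\" in low:
            reasons.append("System+Hidden data file in system32")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_hidden_files(parse_hidden_files(SAMPLE_REPORT)):
        print(path)
        for r in reasons:
            print("   -", r)
```

The Word autosave files (~WRL*.tmp) and the AOL binaries pass through untouched, which is the point of keying on the attribute combination and the location rather than on "hidden" alone: almost every entry in such a listing is hidden, and only the ones that are also system-flagged, read-only executables, or sitting in a folder name that cannot be typed from a normal keyboard deserve the poster's attention.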
« Reply #4 on: November 15, 2007, 03:09:56 PM »
Malware Scum, Die!
TeMerc
Countermeasures Leader
Administrator

Karma: 66
Posts: 6146



Welcome back.

After a few months I'm glad you had the presence of mind to get the latest version of SDFix.

Download  combofix.exe
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HJT log as well.
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Also post a fresh HJT log as well, thanks.

« Reply #5 on: November 17, 2007, 06:06:39 AM »
Arecibo
Newbie


Karma: 0
Posts: 2



I am not sure how to obtain an HJT log, but the log from combofix is as follows:

ComboFix 07-11-08.1 - Andrew Taylor 2007-11-16 20:05:35.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.525 [GMT -5:00]
Running from: C:\Documents and Settings\Andrew Taylor\Desktop\ComboFix.exe
 * Created a new restore point
.

   Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Administrator\Application Data\.rdr.ini
C:\Documents and Settings\Administrator\Application Data\CROSOF~1
C:\Documents and Settings\Administrator\Application Data\CROSOF~1\??crosoft\
C:\Documents and Settings\Administrator\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Andrew Taylor\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Andrew Taylor\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\LocalService\Application Data\.rdr.ini
C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\LocalService\Application Data\WNSXS~1
C:\Documents and Settings\LocalService\Desktop\weather.lnk
C:\Documents and Settings\NetworkService\Application Data\.rdr.ini
C:\Documents and Settings\NetworkService\Application Data\Install.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\n.ini
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\ystem3~1
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\dns\x.bmp
C:\Program Files\ini.ini\
C:\Program Files\mbols~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\sstem3~1
C:\Program Files\sstem3~1\??ool32.exe
C:\Program Files\svhost
C:\Program Files\Ultimate Cleaner
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1192496036.old
C:\Program Files\WinBudget\bin\crap.1193880677.old
C:\Program Files\WinBudget\bin\crap.1194661904.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll.1193880676.old
C:\Program Files\WinBudget\bin\matrix.dll.1194661904.old
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\bass.exe
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0000
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0001
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0002
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0003
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0004
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0005
C:\WINDOWS\dobe~1\DOBE~1\ctxad-558.0006
C:\WINDOWS\ecurit~1
C:\WINDOWS\g32.txt
C:\WINDOWS\gs32.txt
C:\WINDOWS\icroso~1.net
C:\WINDOWS\racle~1
C:\WINDOWS\system32\aclheqpd.exe
C:\WINDOWS\system32\aeqliqdk.exe
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\bejdfalb.exe
C:\WINDOWS\system32\bibclfre.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cmhyuyeo.exe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dkrdyint.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drvrotr.dll
C:\WINDOWS\system32\earakbif.exe
C:\WINDOWS\system32\ebtpfilh.exe
C:\WINDOWS\system32\ekaeckjb.exe
C:\WINDOWS\system32\ekbeohyj.exe
C:\WINDOWS\system32\eprawxhn.exe
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\ffgyoume.exe
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\d?dplay.exe
C:\WINDOWS\system32\fo-remove.exe
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\ghrmvtfx.exe
C:\WINDOWS\system32\gipcmgtc.exe
C:\WINDOWS\system32\gvwaokpa.exe
C:\WINDOWS\system32\hneptujk.exe
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\ihtkdcrr.exe
C:\WINDOWS\system32\jbbjulyv.exe
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jxvhvcmr.exe
C:\WINDOWS\system32\kfquwpqa.exe
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.tmp
C:\WINDOWS\system32\kpmiqkkn.exe
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\lfdcrjap.exe
C:\WINDOWS\system32\ljjighf.dll
C:\WINDOWS\system32\ljtggivc.exe
C:\WINDOWS\system32\mhhafbbg.exe
C:\WINDOWS\system32\mhidlkfc.exe
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mstlactx.exe
C:\WINDOWS\system32\nnnkigf.dll
C:\WINDOWS\system32\ntpvkdvx.exe
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmvwruta.exe
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\psvdjpqw.exe
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qurlpcxh.exe
C:\WINDOWS\system32\qwbylgfy.exe
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\rbuyvihh.exe
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S3
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S5
C:\WINDOWS\system32\S9
C:\WINDOWS\system32\sptll.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\sxcaktix.exe
C:\WINDOWS\system32\tfotevcl.exe
C:\WINDOWS\system32\tuvvwww.dll
C:\WINDOWS\system32\txisxgte.exe
C:\WINDOWS\system32\uufxpcuy.exe
C:\WINDOWS\system32\vhrbskkc.exe
C:\WINDOWS\system32\vturpol.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\xjnkqnfv.exe
C:\WINDOWS\system32\xlswaofc.exe
C:\WINDOWS\system32\xmyccrxe.exe
C:\WINDOWS\system32\xwsohrcv.exe
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.ini
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ypejkdvt.exe
C:\WINDOWS\system32\ypwqaffc.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\system32\Z9
C:\WINDOWS\tsks~1

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASC3550U
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_NPF
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\DomainService
-------\Net Agent
-------\NPF


(((((((((((((((((((((((((   Files Created from 2007-10-17 to 2007-11-17  )))))))))))))))))))))))))))))))
.

2007-11-16 20:01   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-11-15 09:31   <DIR>   d--------   C:\WINDOWS\ERUNT
2007-11-14 18:11   71,232   --a------   C:\WINDOWS\system32\kowvjrui.exe
2007-11-13 18:11   71,232   --a------   C:\WINDOWS\system32\gdujyvqv.exe
2007-11-13 14:57   71,232   --a------   C:\WINDOWS\system32\pvfbtxxe.exe
2007-11-12 14:56   71,232   --a------   C:\WINDOWS\system32\wkcolacu.exe
2007-11-11 18:49   88,128   --a------   C:\WINDOWS\system32\yqijwguo.dll
2007-11-11 18:46   71,232   --a------   C:\WINDOWS\system32\ocohennd.exe
2007-11-10 18:45   71,232   --a------   C:\WINDOWS\system32\chvsyyee.exe
2007-11-09 21:29   88,128   --a------   C:\WINDOWS\system32\ybjkobyr.dll
2007-11-09 21:27   71,232   --a------   C:\WINDOWS\system32\kpbhghnc.exe
2007-11-07 18:43   71,232   --a------   C:\WINDOWS\system32\fyxttgys.exe
2007-11-07 01:52   86,080   --a------   C:\WINDOWS\system32\iqyxldxj.dll
2007-11-07 01:52   71,232   --a------   C:\WINDOWS\system32\byvvoots.exe
2007-11-06 22:46   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-28 13:44   51,088   -ra------   C:\WINDOWS\system32\drivers\hpzid412.sys
2007-10-28 13:44   16,496   -ra------   C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-10-28 13:43   21,744   -ra------   C:\WINDOWS\system32\drivers\HPZius12.sys
2007-10-28 13:42   278,584   --a------   C:\WINDOWS\system32\HPZidr12.dll
2007-10-28 13:42   204,800   --a------   C:\WINDOWS\system32\HPZipr12.dll
2007-10-28 13:42   94,208   --a------   C:\WINDOWS\system32\HPZipt12.dll
2007-10-28 13:42   65,536   --a------   C:\WINDOWS\system32\HPZipm12.exe
2007-10-28 13:42   61,440   --a------   C:\WINDOWS\system32\HPZinw12.exe
2007-10-28 13:42   57,344   --a------   C:\WINDOWS\system32\HPZisn12.dll
2007-10-28 13:39   <DIR>   d--------   C:\Program Files\HP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 03:33   ---------   d-----w   C:\Documents and Settings\Andrew Taylor\Application Data\AVG7
2007-11-17 01:01   ---------   d-----w   C:\Program Files\DC++
2007-10-11 10:33   ---------   d-----w   C:\Program Files\Apoint
2007-09-29 01:06   ---------   d-----w   C:\Program Files\InterActual
2007-08-18 18:09   66   ----a-w   C:\Program Files\ini.ini
2007-08-12 08:56   384   ----a-w   C:\Documents and Settings\Andrew Taylor\Application Data\internaldb6334.dat
2007-08-11 23:31   212   ----a-w   C:\Documents and Settings\Andrew Taylor\Application Data\internaldb8467.dat
2007-08-11 23:31   18,432   ----a-w   C:\Documents and Settings\Andrew Taylor\Application Data\internaldb41.dat
2007-08-02 13:43   282,624   ----a-w   C:\Program Files\TTC.dll
2007-08-02 13:43   282,624   ----a-w   C:\Program Files\Common Files\hokem4444.dll
2007-07-28 09:06   135   ----a-w   C:\Program Files\page.html
2007-05-11 00:58   40   ----a-w   C:\Documents and Settings\Andrew Taylor\language.dat
2006-11-25 07:57   482   ----a-w   C:\Program Files\Del.js
2005-09-06 16:36:18   182,172   -csha-w   C:\WINDOWS\system32\rttss.bak1
2005-09-05 16:36:14   179,540   -csha-w   C:\WINDOWS\system32\rttss.bak2
2007-08-10 00:31:47   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007072320070730\index.dat
2007-08-10 01:05:33   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007080920070810\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w           155,648 2004-09-13 21:33:20  C:\Program Files\Apoint\bak\Apoint.exe
----a-w            26,636 2007-10-11 10:28:49  C:\Program Files\Apoint\Apoint.exe

----a-w           292,152 2007-08-11 22:48:56  C:\Program Files\BillP Studios\WinPatrol\bak\winpatrol.exe
----a-w            26,636 2007-10-11 10:28:49  C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

----a-w           421,888 2007-09-13 21:25:19  C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w           579,072 2007-11-15 14:17:07  C:\Program Files\Grisoft\AVG7\avgcc.exe

----a-w           132,760 2007-06-14 22:32:40  C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w            26,636 2007-10-11 10:28:49  C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

----a-w            15,360 2004-08-04 10:00:00  C:\WINDOWS\system32\bak\ctfmon.exe
----a-w            15,360 2004-08-04 10:00:00  C:\WINDOWS\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFC4BB9E-DCDA-4494-B683-8367423DE276}]
         C:\WINDOWS\system32\mljjg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-10-11 05:28]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-15 09:17]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-11 05:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-10-11 05:28]
"bce14e1d"="C:\WINDOWS\system32\oeaglsha.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Tair"="C:\WINDOWS\DOBE~1\taskmgr.exe" -vt yazb
"Huk"=C:\WINDOWS\system32\F?nts\d?dplay.exe
"DNS"=C:\Program Files\Common Files\mc-110-12-0000344.exe

C:\Documents and Settings\LocalService\Start Menu\Programs\Startup\
Weather.lnk - C:\Program Files\Weather\Weather.exe [2006-05-02 04:51:32]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01f5dd64-5ba2-11db-b7d0-0012f08fcfd9}]
\Shell\AutoRun\command - E:\travel&work.exe
\Shell\Shell00\Command - E:\travel&work.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e56df340-cc5b-11db-b7d9-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 15:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 22:33:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 22:39:08 - machine was rebooted
.
   --- E O F ---
« Reply #6 on: November 17, 2007, 09:57:44 PM »
Malware Scum, Die!
TeMerc
Countermeasures Leader
Administrator

Karma: 66
Posts: 6146



Ok, looks like there are still some Vundo files lying around.

Let's run VundoFix, as it's just been updated after a huge file cache was discovered.

Please download VundoFix.exe to your desktop.
  • Double-click *VundoFix.exe* to run it.
  • Click the *Scan for Vundo* button.
  • Once it's done scanning, click the *Remove Vundo* button.
  • You will receive a prompt asking if you want to remove the files, click *YES*
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click *OK*.
  • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.
  • After VundoFix has run and rebooted, run ComboFix yet again and post that log too.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.
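Two patterns in the ComboFix log above are worth being able to spot without reading every line: the "Files Created" section shows a fresh 8-letter random-named executable of exactly 71,232 bytes dropped into system32 almost every day, and the AWF section shows three unrelated programs (Apoint.exe, winpatrol.exe, jusched.exe) whose real binaries were moved into a bak\ folder and replaced by a 26,636-byte file carrying the same timestamp. The script below is an added example written for this thread, not ComboFix's code and not anything the posters ran; it parses those two sections (the sample lines are copied from the log above) and flags both clusters. The column layout the regexes expect, and the "8 lowercase letters" name heuristic, are assumptions that match this log and may need adjusting for other ComboFix versions.

```python
"""Heuristics over ComboFix-style log lines (constructed example, not ComboFix code)."""
import re
from collections import defaultdict

# "Files Created" lines: date time   size|<DIR>   attrs   path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# AWF lines: attrs   size   date time   path
AWF_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)
# Assumed heuristic: eight lowercase letters followed by .exe/.dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")

# Sample input copied from the "Files Created" section of the log above.
FILES_CREATED = r"""
2007-11-16 20:01   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-11-15 09:31   <DIR>   d--------   C:\WINDOWS\ERUNT
2007-11-14 18:11   71,232   --a------   C:\WINDOWS\system32\kowvjrui.exe
2007-11-13 18:11   71,232   --a------   C:\WINDOWS\system32\gdujyvqv.exe
2007-11-13 14:57   71,232   --a------   C:\WINDOWS\system32\pvfbtxxe.exe
2007-11-11 18:49   88,128   --a------   C:\WINDOWS\system32\yqijwguo.dll
2007-11-09 21:29   88,128   --a------   C:\WINDOWS\system32\ybjkobyr.dll
2007-11-07 01:52   86,080   --a------   C:\WINDOWS\system32\iqyxldxj.dll
2007-10-28 13:42   65,536   --a------   C:\WINDOWS\system32\HPZipm12.exe
""".strip().splitlines()

# Sample input copied from the AWF section of the log above.
AWF_REPORT = r"""
----a-w           155,648 2004-09-13 21:33:20  C:\Program Files\Apoint\bak\Apoint.exe
----a-w            26,636 2007-10-11 10:28:49  C:\Program Files\Apoint\Apoint.exe
----a-w           292,152 2007-08-11 22:48:56  C:\Program Files\BillP Studios\WinPatrol\bak\winpatrol.exe
----a-w            26,636 2007-10-11 10:28:49  C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
----a-w           421,888 2007-09-13 21:25:19  C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w           579,072 2007-11-15 14:17:07  C:\Program Files\Grisoft\AVG7\avgcc.exe
----a-w           132,760 2007-06-14 22:32:40  C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w            26,636 2007-10-11 10:28:49  C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
----a-w            15,360 2004-08-04 10:00:00  C:\WINDOWS\system32\bak\ctfmon.exe
----a-w            15,360 2004-08-04 10:00:00  C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()


def parse_created(lines):
    """Parse 'Files Created' lines into dicts; directories are skipped."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        out.append({"date": m.group("date"),
                    "size": int(m.group("size").replace(",", "")),
                    "path": m.group("path")})
    return out


def flag_random_system32(entries, min_cluster=2):
    """Return {size: [paths]} for random-named files under system32 whose exact
    size recurs at least min_cluster times (a re-dropped payload)."""
    by_size = defaultdict(list)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if "\\system32\\" in e["path"].lower() and RANDOM_NAME_RE.match(name):
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_cluster}


def parse_awf(lines):
    """Map path -> (size, timestamp) for every AWF line."""
    out = {}
    for line in lines:
        m = AWF_RE.match(line.strip())
        if m:
            out[m.group("path")] = (int(m.group("size").replace(",", "")), m.group("date"))
    return out


def flag_awf_replacements(entries):
    """Pair each live file with its bak\\ copy. Return {(size, stamp): [paths]} for
    replacements that differ from the original AND share size+stamp with at least
    one other program, i.e. one binary was dropped over several executables."""
    by_fingerprint = defaultdict(list)
    for path, fingerprint in entries.items():
        if "\\bak\\" in path.lower():
            continue
        head, name = path.rsplit("\\", 1)
        original = entries.get(head + "\\bak\\" + name)
        if original is not None and fingerprint != original:
            by_fingerprint[fingerprint].append(path)
    return {fp: sorted(p) for fp, p in by_fingerprint.items() if len(p) >= 2}


if __name__ == "__main__":
    for size, paths in flag_random_system32(parse_created(FILES_CREATED)).items():
        print(f"{len(paths)} random-named system32 files of {size} bytes:", *paths, sep="\n  ")
    for (size, stamp), paths in flag_awf_replacements(parse_awf(AWF_REPORT)).items():
        print(f"{len(paths)} programs replaced by a {size}-byte file stamped {stamp}:", *paths, sep="\n  ")
```

On the sample lines the first check groups the three 71,232-byte executables and the two 88,128-byte DLLs; the legitimate HPZipm12.exe is ignored because its name is not random-looking, and the AVG and ctfmon pairs are left alone because their replacement either is unique or is byte-for-byte the same size and date as the backup.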
