View Full Version : Virtumonde problems and others
greenday1
2007-08-09, 02:57
I have found this on my system and have had quite a bit of trouble getting rid of it. Sometimes it goes away and sometimes it can't remove it. I know it is self replicating and hard to get rid of. Have also had difficulty with Drivecleaner 2006 and a few miscellaneous virus shows up in the online scans. Please see below. Any help would be greatly appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 6:56:16 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\iTunes\iTunesHelper.exe
D:\Java\jdk1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Computer Drivers & Updates\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4abcc743-b5d6-4225-9592-279568d23b29} - C:\WINDOWS\system32\dimite.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SECURI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp84.tmp.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] D:\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\yabxyx.dll",forkonce
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jdk1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186538664031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186538656562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: c:\windows\system32\mljgdcy.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
eTrust Web Scan
Scan Results: 72219 files scanned. 5 viruses were detected.
File Infection Status Path
file[1].exe Win32/Chepvil!generic infected C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\85A709AZ\
file[1].exe Win32/Chepvil!generic infected C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\8PY70TMV\
ewoiueoieuqwwq[1].htm JS/MS06-014!exploit infected C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\IHTAZYHS\
file[1].exe Win32/Chepvil!generic infected C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\WLI7KHEB\
opriewpowerxzcas[1].htm JS/MS06-014!ex
Spybot Log
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-07-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-01 Includes\Cookies.sbi
2007-07-25 Includes\Dialer.sbi
2007-08-01 Includes\DialerC.sbi
2007-07-11 Includes\Hijackers.sbi
2007-08-01 Includes\HijackersC.sbi
2007-07-25 Includes\Keyloggers.sbi
2007-08-01 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2007-08-01 Includes\Malware.sbi
2007-08-01 Includes\MalwareC.sbi
2007-07-11 Includes\PUPS.sbi
2007-08-01 Includes\PUPSC.sbi
2007-08-01 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi
2007-08-01 Includes\SecurityC.sbi
2007-08-01 Includes\Spybots.sbi
2007-08-01 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti
2007-08-01 Includes\Trojans.sbi
2007-08-01 Includes\TrojansC.sbi
2007-06-06 Plugins\TCPIPAddress.dll
Located: HK_LM:Run, AVG7_CC
command: D:\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: D:\Grisoft\AVGFRE~1\avgcc.exe
size: 416256
MD5: 2200c98c049de1a7638ea0edba1c8882
Located: HK_LM:Run, iTunesHelper
command: "D:\iTunes\iTunesHelper.exe"
file: D:\iTunes\iTunesHelper.exe
size: 270648
MD5: 018c1b1379d326abfaa89eda7e43f95a
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 286720
MD5: 49ccfbe5d5225b9d3cc78c09dee147d0
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 67072
MD5: e622e1b8598029294312eeee9b02b699
Located: HK_LM:Run, SunJavaUpdateSched
command: "D:\Java\jdk1.6.0_02\bin\jusched.exe"
file: D:\Java\jdk1.6.0_02\bin\jusched.exe
size: 132496
MD5: 896e712a34d654a337c8cbb9deb07200
Located: HK_LM:Run, SystemOptimizer
command: rundll32.exe "C:\WINDOWS\yabxyx.dll",forkonce
file: C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe
Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1667584
MD5: b53343fe60a33ee765c2476d50d27b26
Located: Startup (common), Adobe Reader Speed Launch.lnk
command: D:\Adobe\Reader 8.0\Reader\reader_sl.exe
file: D:\Adobe\Reader 8.0\Reader\reader_sl.exe
size: 40048
MD5: 54c88bfbd055621e2306534f445c0c8d
Located: Startup (common), Adobe Reader Synchronizer.lnk
command: D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
file: D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
size: 734872
MD5: 169c293ce9460a05646d17dc6aa2fb2c
Located: System.ini, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, dimite
command: dimite.dll
file: dimite.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, dimite (DISABLED)
command: dimite.dll
file: dimite.dll
pskelley
2007-08-09, 04:22
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Pinned to the top of the forum and posted above are the instructions. Please read and follow them and post only what is requested.
HJT needs to run from a drive to safly store logs and backups, please move it here: C:\HJT\HijackThis.exe
If you need more instructions, use these:
http://russelltexas.com/malware/createhjtfolder.htm
http://www.bleepingcomputer.com/forums/tutorial94.html
Once you get it moved, rename the .exe, call it greenday1.exe or whatever you wish. That may show hidden files if they exist and will look like this:
C:\HJT\greenday1.exe
Now do this:
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log
in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Thanks
greenday1
2007-08-09, 05:26
Thank you so much for the help. Here is the log results.
ComboFix 07-08-09.3 - "Mike" 2007-08-08 21:19:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -5:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\bold.log
C:\DOCUME~1\Mike\APPLIC~1\tmp82.tmp.exe
C:\WINDOWS\system32\dn28e50079.dat
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\xmlhelper4.dll
C:\WINDOWS\xyxbay.ini
C:\WINDOWS\yabxyx.dll
((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))
2007-08-08 21:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 21:16 <DIR> d-------- C:\HJT
2007-08-07 21:06 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-07 21:06 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-07 21:06 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-07 21:04 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-07 21:04 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-07 19:55 <DIR> d-------- C:\DOCUME~1\Mike\.housecall6.6
2007-08-06 21:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-08-06 20:54 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-06 20:53 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 21:15 24,128 --a------ C:\WINDOWS\system32\pD3V2431.exe
2007-07-29 19:18 <DIR> d-------- C:\Program Files\QuickTime
2007-07-29 19:17 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-29 19:17 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-29 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-24 17:16 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\DivX
2007-07-24 16:18 3,276,176 --a------ C:\Temp\DivXCodec.exe
2007-07-24 16:18 <DIR> d-------- C:\Program Files\DivX
2007-07-21 10:28 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\Lavasoft
2007-07-21 10:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-13 17:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-09 14:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-09 14:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 14:05 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-09 14:05 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-09 14:05 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-09 14:05 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-09 14:05 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-09 14:05 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-09 14:05 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-04 09:03 --------- d-------- C:\DOCUME~1\Mike\APPLIC~1\Apple Computer
2007-07-29 19:18 --------- d-------- C:\Program Files\iPod
2007-07-29 19:17 --------- d-------- C:\Program Files\Apple Software Update
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4abcc743-b5d6-4225-9592-279568d23b29}]
C:\WINDOWS\system32\dimite.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-22 04:23]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="D:\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="D:\Java\jdk1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\mljgdcy.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efd77458-ad88-11db-b71c-806d6172696f}]
AutoRun\command- M:\setup.exe
Contents of the 'Scheduled Tasks' folder
2007-08-08 18:08:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At19.job
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At20.job
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 03:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At35.job
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At38.job
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At46.job
2007-08-08 03:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\7Cxv7sRf.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At49.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At50.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At51.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At52.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At53.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At54.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At55.job
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At56.job
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At57.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At58.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At59.job
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At60.job
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At61.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At62.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At63.job
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At64.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At65.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At66.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At67.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At68.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At69.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At70.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 03:00:00 C:\WINDOWS\Tasks\At71.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At72.job - C:\WINDOWS\system32\D6K8oeF2.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At73.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At74.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At75.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At76.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At77.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At78.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At79.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At80.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At81.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At82.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At83.job
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At84.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At85.job
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At86.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At87.job
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At88.job
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At89.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\l8akocj2.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At90.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At91.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At92.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At93.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At94.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 03:00:00 C:\WINDOWS\Tasks\At95.job - C:\WINDOWS\system32\pD3V2431.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At96.job - C:\WINDOWS\system32\pD3V2431.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 21:21:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-08 21:22:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 21:21
--- E O F ---
and
Logfile of HijackThis v1.99.1
Scan saved at 9:23:28 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\iTunes\iTunesHelper.exe
D:\Java\jdk1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\greenday1.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4abcc743-b5d6-4225-9592-279568d23b29} - C:\WINDOWS\system32\dimite.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SECURI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jdk1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186538664031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186538656562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: c:\windows\system32\mljgdcy.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
pskelley
2007-08-09, 12:23
Thanks for returning your information. Have a look at that combofix log, could you take a look in your "scheduled tasks" folder and see if that junk is valid or not.
C:\WINDOWS\Tasks\ <<< that folder. You can use one or more of these free online scanners to check the files.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
C:\WINDOWS\system32\l8akocj2.exe <<< when I Google I get no information > http://www.google.com/search?hl=en&q=l8akocj2.exe&btnG=Google+Search
Here is what it is: http://support.microsoft.com/kb/308569
If you did not schedule them and the files scan as bad, then delete them.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\mljgdcy.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {4abcc743-b5d6-4225-9592-279568d23b29} - C:\WINDOWS\system32\dimite.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\mljgdcy.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
c:\windows\system32\mljgdcy.dll <<< delete that file (should be gone)
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post a new HJT log, let me know what those "tasks" were and how the computer is running now.
Thanks
greenday1
2007-08-10, 02:39
I looked at those "scheduled tasks", did not setup any of them, and can't think of any program that would have. Each task is also scheduled to run every hour, of every day of the week consecutively. I would think that has to be bogus. I have not deleted yet.
I also attempted to use the Delete on Reboot tool in HJT but could not locat file C:\windows\system32\mljgdcy.dll. I also tried using the ADS scan in HJT and it couldn't find it. However HJT would come up with that file when I would do a scan. I already had my file and folder settings set to view all files and folders too.
I checked the three files you indicated in HJT and upon selecting the "fix checked" button received the following error.
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: c:\windows\system32\mljgdcy.dll)
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
All checked items did delete please see the following log
Logfile of HijackThis v1.99.1
Scan saved at 6:26:16 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\iTunes\iTunesHelper.exe
D:\Java\jdk1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\HJT\greenday1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SECURI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jdk1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186538664031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186538656562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
I still need to delete those tasks but wanted to get your feedback first.
Thanks again.
pskelley
2007-08-10, 03:05
If those were on my computer, and I did not set them, and I just went through a malware infection, I would delete them. I would delete those files also, remember they go to the recycle bin. Allow them to set there for a few days, then dump them. It may be sUBs just started showing that area to us in combofix or some new way the hackers have found to mess with your computer.
When we are remove malware, stuff that does not belong on the computer, we are always getting error messages, BSOD's, etc. I guess that's why they call it "malware". Let's see what the HJT log looks like.
The HJT log is clean of malware, let's run a a good scan to make sure nothing is hiding. Make sure you delete combofix and backups or quarantines because the scan will see those as infections.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks
greenday1
2007-08-10, 04:22
Ok here is my scan results from Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 09, 2007 8:21:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/08/2007
Kaspersky Anti-Virus database records: 354407
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\
Scan Statistics:
Total number of scanned objects: 62866
Number of viruses found: 2
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 00:50:28
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\10.tmp.bac_a01456/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\10.tmp.bac_a01456 NSIS: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\10.tmp.bac_a01456 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\16.tmp.bac_a01456/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\16.tmp.bac_a01456 NSIS: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\16.tmp.bac_a01456 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\3E.tmp.bac_a01456/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\3E.tmp.bac_a01456 NSIS: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\3E.tmp.bac_a01456 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\44.tmp.bac_a01456/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\44.tmp.bac_a01456 NSIS: infected - 1 skipped
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\44.tmp.bac_a01456 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pD3V2431.exe Infected: Trojan.Win32.Agent.avd skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Thanks
greenday1
2007-08-12, 01:34
When you have a minute pskelley can you take a look at my last log and post?
I need to try to get a bunch of patches and updates to my system but don't wnt to persue untill we are done.
Thanks
pskelley
2007-08-12, 02:30
I apologize, if you are talking about the Kaspersky scan results you posted on 2007-08-09, 21:22 then
I did not get my notification when you posted. Sometimes thet fail and I am helping a load of folks at the same time, so I really depend on them.
If that should happen again, click my name and send me a PM, I always respond within eight hours allowing time for sleep.
KASPERSKY ONLINE SCANNER REPORT Thursday, August 09, 2007 8:21:07 PM
Number of infected objects: 13 (12 in housecall quarantine)
C:\Documents and Settings\Mike\.housecall6.6\Quarantine\ <<< delete the contents of that quarantine folder
C:\WINDOWS\system32\pD3V2431.exe <<< delete that file and that is a trojan
Were able to clean the scheduled tasks folder without any issues? Post a last HJT log, let me know how the computer is running and I'll post closing information to help you.
Tkanks...Phil
greenday1
2007-08-12, 06:05
I figured you were probable just busy. NP.
I was able to delete the scheduled tasks without any problems. I also deleted everything in the Quarantine folder. I cannot find the file pD3V2431.exe anywhere. Here is alos my latest hjt log.
Logfile of HijackThis v1.99.1
Scan saved at 10:02:49 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\iTunes\iTunesHelper.exe
D:\Java\jdk1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\greenday1.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SECURI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jdk1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jdk1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186538664031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186538656562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
greenday1
2007-08-12, 06:07
Sorry, and yes my system is running much better. Pending your final thoughts I hope I'm ready to start patching my system.
pskelley
2007-08-12, 14:13
I cannot find the file pD3V2431.exe anywhere.
C:\WINDOWS\system32\pD3V2431.exe <<< trojan
It is very important you make sure that trojan is not on your computer. Hidden Files and folders must be enabled:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Use Search Companion: Start > Search > All Files and folders > Copy/paste the files exactly as posted and click Search. Be patient, there are a lot of files to search. Of Search Canpanion stops running without locating the files, then I would say not to be concerned with it.
Finish like this: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
greenday1
2007-08-12, 17:26
:bigthumb:
I found that AVG had already removed the pD3V2431.exe file. Thank you so much for the help Pskelley. I appreciate all your assistance.
pskelley
2007-08-18, 03:18
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.