Ah, another Virtumonde ComboFix log [Archive]

View Full Version : Ah, another Virtumonde ComboFix log

Jak1997

2008-04-09, 03:36

Hello experts,

Well, SpyBot kept finding Virtumonde, and I read a bunch of posts and followed the instructions for ComboFix. I'm a littled "bugged" that Norton doesn't find this crap (what are we paying good money for, anyway?). And, it seems the more I've done to eliminate these viruses (SpyBot, updating Java to vers. 6, etc.), the more popups and weird messages I get ("System Integrity Scan Wizard. Warning: Your computer may have critical errors in Windows registry and file system," etc.). Hmm. Well, here's the log.

Do I absolutely have to d/l the Kaspersky thing to complete the analysis? Seems like I'm just installing a lot of stuff today!

Thank you in advance for your help!

ComboFix 08-04-08.7 - Tim Sika 2008-04-08 17:00:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -7:00]
Running from: C:\Documents and Settings\Tim Sika\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tim Sika\Desktopblackbird.jpg
C:\Documents and Settings\Tim Sika\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Tim Sika\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Tim Sika\Desktopfilemanagerclient.exe
C:\Documents and Settings\Tim Sika\Desktopfkwp1.5.exe
C:\Documents and Settings\Tim Sika\Desktopfkwp2.0.exe
C:\Documents and Settings\Tim Sika\Desktopfwebd.exe
C:\Documents and Settings\Tim Sika\DesktopFWebdEditor.exe
C:\Documents and Settings\Tim Sika\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Tim Sika\Desktopvirii
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\__c004D708.dat
C:\WINDOWS\system32\__c00640E4.dat
C:\WINDOWS\system32\ijTDNXbc.ini
C:\WINDOWS\system32\ijTDNXbc.ini2
C:\WINDOWS\system32\LRsDefii.ini
C:\WINDOWS\system32\LRsDefii.ini2
C:\WINDOWS\system32\yayaAqqP.dll
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp
C:\xcrashdump.dat
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 16:09 . 2008-04-08 16:09 <DIR> d-------- C:\Program Files\Sun
2008-04-08 16:09 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-08 16:05 . 2008-04-08 16:09 <DIR> d-------- C:\Program Files\Java
2008-04-08 16:05 . 2008-04-08 16:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-08 15:14 . 2008-04-08 15:14 269,824 --a------ C:\WINDOWS\system32\cbXNDTji.dll_old
2008-04-08 14:53 . 2008-04-08 16:34 152 --a------ C:\WINDOWS\wininit.ini
2008-04-08 14:21 . 2008-04-08 14:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 13:20 . 2008-04-08 13:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 13:17 . 2008-04-08 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yrgjyneh
2008-04-08 13:17 . 2008-04-08 11:03 241,664 --a------ C:\WINDOWS\qdnkewfa.dll
2008-04-08 13:17 . 2008-04-08 13:17 94,208 --a------ C:\WINDOWS\system32\snshidyv.exe
2008-04-06 01:46 . 2008-04-06 01:46 <DIR> d-------- C:\Program Files\Real
2008-04-06 01:46 . 2008-04-06 01:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-06 01:46 . 2008-04-06 01:46 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-06 01:44 . 2008-04-06 01:48 720 --a------ C:\WINDOWS\mozver.dat
2008-04-05 13:03 . 2008-04-08 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 18:30 . 2008-04-03 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-03-31 14:55 . 2008-03-31 14:55 <DIR> d-------- C:\Program Files\CyberLink
2008-03-31 14:55 . 2008-03-31 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-31 13:38 . 2008-03-31 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sctemp
2008-03-31 12:22 . 2008-03-31 12:22 <DIR> d-------- C:\Program Files\iTunes
2008-03-31 12:22 . 2008-03-31 12:22 <DIR> d-------- C:\Program Files\iPod
2008-03-31 12:22 . 2008-03-31 12:22 <DIR> d-------- C:\Program Files\Bonjour
2008-03-31 12:22 . 2008-03-31 13:31 <DIR> d-------- C:\Documents and Settings\Tim Sika\Application Data\Apple Computer
2008-03-31 12:22 . 2008-04-08 13:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-31 12:22 . 2008-03-31 12:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-31 12:21 . 2008-04-08 16:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-31 12:21 . 2008-03-31 12:22 <DIR> d-------- C:\Program Files\QuickTime
2008-03-31 12:21 . 2008-03-31 12:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-31 12:21 . 2008-03-31 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-31 12:21 . 2008-03-31 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-29 00:54 . 2008-03-29 00:54 <DIR> d-------- C:\Program Files\Stomp
2008-03-28 20:27 . 2008-03-28 20:27 <DIR> d-------- C:\Program Files\Ace DVD Audio Extractor
2008-03-28 19:53 . 2008-03-28 19:53 <DIR> d-------- C:\Program Files\Sonic Foundry Setup
2008-03-28 19:39 . 2008-03-28 19:50 <DIR> d-------- C:\Program Files\coolpro2
2008-03-28 19:13 . 2008-03-28 20:12 <DIR> d-------- C:\Program Files\Sonic Foundry Noise Reduction Plug-In
2008-03-28 19:13 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-28 18:58 . 2008-03-28 19:00 <DIR> d-------- C:\Program Files\Sonic Foundry
2008-03-28 18:58 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-03-28 18:58 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-03-28 18:58 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-03-28 18:58 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-03-28 18:58 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-03-28 18:58 . 2008-03-28 18:58 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-03-27 00:57 . 2008-03-27 00:57 <DIR> d-------- C:\Documents and Settings\Tim Sika\Application Data\IrfanView
2008-03-26 23:50 . 2008-03-26 23:50 <DIR> d-------- C:\Program Files\FLVPlayer
2008-03-26 18:51 . 2008-03-26 18:51 <DIR> d-------- C:\Program Files\WhiteCanyon
2008-03-26 18:51 . 2007-03-23 13:50 1,044,480 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2008-03-26 18:51 . 2007-05-17 10:57 335,872 --a------ C:\WINDOWS\system32\SCshell402.dll
2008-03-26 18:51 . 2007-05-17 10:56 278,528 --a------ C:\WINDOWS\system32\SCService4.dll
2008-03-26 18:50 . 2008-03-31 13:37 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-26 15:11 . 2008-03-26 15:11 <DIR> d-------- C:\Program Files\Seagate
2008-03-26 15:11 . 2008-04-03 18:39 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-26 15:11 . 2008-03-26 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-26 15:06 . 2008-03-26 15:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-26 13:03 . 2008-04-06 17:53 <DIR> d-------- C:\Documents and Settings\Tim Sika\Application Data\AdobeUM
2008-03-26 03:30 . 2008-03-26 03:30 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-26 03:30 . 2008-03-26 01:20 8,471 --a------ C:\WINDOWS\hpdj3600.hi2
2008-03-26 03:30 . 2008-03-26 03:30 3,474 --a------ C:\WINDOWS\hpbvspst.his
2008-03-26 03:30 . 2008-03-26 01:20 1,949 --a------ C:\WINDOWS\hpdj3600.bu2
2008-03-26 03:30 . 2008-03-26 03:30 572 --a------ C:\WINDOWS\hpbvspst.ini
2008-03-26 03:26 . 2008-03-26 03:27 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-26 03:22 . 2008-03-26 03:25 157,571 --a------ C:\WINDOWS\hpdj3600.hi1
2008-03-26 03:22 . 2008-03-26 03:25 8,786 --a------ C:\WINDOWS\hpdj3600.bu1
2008-03-26 03:06 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-26 03:06 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-26 03:06 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-26 03:06 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-26 03:06 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-26 03:06 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-26 03:06 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-26 03:06 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-26 03:06 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-26 01:19 . 2008-03-26 03:31 121,474 --a------ C:\WINDOWS\hpdj3600.his
2008-03-26 01:19 . 2008-03-26 03:31 7,298 --a------ C:\WINDOWS\hpdj3600.ini
2008-03-26 01:18 . 2008-03-28 19:41 <DIR> d-------- C:\Temp
2008-03-26 01:17 . 2008-03-28 20:28 75 --a------ C:\WINDOWS\AceDVDAudioExtractor.ini
2008-03-26 01:15 . 2008-03-26 01:15 <DIR> d-------- C:\Documents and Settings\Tim Sika\Application Data\Talkback
2008-03-26 01:14 . 2008-03-26 01:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-26 01:08 . 2008-04-03 18:32 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-26 01:07 . 2008-03-26 01:07 <DIR> d-------- C:\Program Files\CCleaner
2008-03-25 23:45 . 2008-03-25 23:46 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-25 23:45 . 2008-03-25 23:46 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-25 23:39 . 2008-03-25 23:49 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-03-25 23:38 . 2008-03-25 23:46 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-25 23:38 . 2008-03-25 23:46 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-25 23:37 . 2008-03-25 23:46 <DIR> d-------- C:\Program Files\Symantec
2008-03-25 23:37 . 2008-04-08 17:01 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-25 23:37 . 2008-04-08 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-25 22:25 . 2008-03-25 22:25 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-25 22:24 . 2008-03-25 22:24 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-25 22:24 . 2008-03-25 22:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-25 22:21 . 2008-03-25 22:21 <DIR> d-------- C:\Documents and Settings\Tim Sika\Application Data\Syntrillium
2008-03-25 22:02 . 2008-03-25 22:39 <DIR> d-------- C:\Program Files\Outlook Express Quick Backup
2008-03-25 22:02 . 2008-03-26 23:46 249,856 --------- C:\WINDOWS\Setup1.exe
2008-03-25 22:02 . 2008-03-26 23:46 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-03-25 20:35 . 2008-03-26 17:27 <DIR> d-------- C:\Program Files\IrfanView
2008-03-25 19:29 . 2008-03-25 19:29 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-25 19:29 . 2008-03-25 19:29 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-25 19:28 . 2008-03-25 19:29 <DIR> d-------- C:\WINDOWS\ShellNew

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 22:16 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3E0D1C2-9345-4A04-9857-F2F14DD648DE}]
C:\WINDOWS\system32\iifeDsRL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECD119E2-EE96-419D-80D7-944EBA311136}]
C:\WINDOWS\system32\cbXNDTji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"aazcyqpu"="C:\WINDOWS\system32\snshidyv.exe" [2008-04-08 13:17 94208]
"monnyaqg"="C:\WINDOWS\system32\jqlcneja.exe" [2008-04-08 17:11 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 00:04 84640]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 18:22 26248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 05:23 172032]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 16:21 169328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SecureClean4Tray"="C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe" [2007-05-17 11:16 1525248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-06 01:46 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"aQveka0qsM"= C:\Documents and Settings\All Users\Application Data\yrgjyneh\ehixsnqx.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PrxComponent"= {ffea7c35-3ce2-4629-83bc-f3e61a4f8cbc} - C:\WINDOWS\Resources\PrxComponent.dll [2008-04-08 13:17 12330]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaAqqP]
yayaAqqP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-04 02:06 282624 C:\Documents and Settings\Tim Sika\Desktop\Data Recovery\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4RegManager]
--a------ 2007-05-17 11:14 1428992 C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4Tray]
--a------ 2007-05-17 11:16 1525248 C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCWatch 4.0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 16:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{067209eb-f9f1-11dc-8bc5-b4397c463da7}]
\Shell\AutoRun\command - J:\Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 03:00:16 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Tim Sika.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 17:10:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\jqlcneja.exe 106496 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-04-08 17:12:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 00:12:37
Pre-Run: 256,726,679,552 bytes free
Post-Run: 256,772,050,944 bytes free
.
2008-03-27 08:35:25 --- E O F ---

Jak1997

2008-04-09, 06:49

I went ahead and got/ran HijackThis (so glad I didn'yhave to install it!). Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\yrgjyneh\ehixsnqx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\snshidyv.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim Sika\Desktop\HijackThis - analyzer\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3E0D1C2-9345-4A04-9857-F2F14DD648DE} - C:\WINDOWS\system32\iifeDsRL.dll (file missing)
O2 - BHO: (no name) - {ECD119E2-EE96-419D-80D7-944EBA311136} - C:\WINDOWS\system32\cbXNDTji.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [aazcyqpu] C:\WINDOWS\system32\snshidyv.exe
O4 - HKCU\..\Run: [monnyaqg] C:\WINDOWS\system32\jqlcneja.exe
O4 - HKCU\..\Run: [fhgizbwi] C:\WINDOWS\system32\apehyzup.exe
O4 - HKLM\..\Policies\Explorer\Run: [aQveka0qsM] C:\Documents and Settings\All Users\Application Data\yrgjyneh\ehixsnqx.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206497775234
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O20 - Winlogon Notify: yayaAqqP - yayaAqqP.dll (file missing)
O21 - SSODL: PrxComponent - {ffea7c35-3ce2-4629-83bc-f3e61a4f8cbc} - C:\WINDOWS\Resources\PrxComponent.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\TIMSIK~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8719 bytes

steamwiz

2008-04-13, 23:14

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

File::
C:\WINDOWS\system32\cbXNDTji.dll_old
C:\WINDOWS\system32\iifeDsRL.dll
C:\WINDOWS\system32\cbXNDTji.dll
C:\WINDOWS\system32\snshidyv.exe
C:\WINDOWS\system32\jqlcneja.exe
C:\WINDOWS\system32\apehyzup.exe
C:\WINDOWS\qdnkewfa.dll
C:\Documents and Settings\All Users\Application Data\yrgjyneh\ehixsnqx.exe

Folder::
C:\Documents and Settings\All Users\Application Data\yrgjyneh

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3E0D1C2-9345-4A04-9857-F2F14DD648DE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECD119E2-EE96-419D-80D7-944EBA311136}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aazcyqpu"=-
"monnyaqg"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"aQveka0qsM"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaAqqP]

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam