View Full Version : ACK! Virtumonde!
everlast556
2008-07-21, 22:52
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:07 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\??curity\r?ndll32.exe
C:\Program Files\Tracker Software\PDF-XChange Lite 3\pdfSaver\pdfSaver3l.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [ace716fb] rundll32.exe "C:\WINDOWS\system32\wjnirmwk.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BMafd42567] Rundll32.exe "C:\WINDOWS\system32\dblixoys.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9304] command /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7350] cmd /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4598] command /c del "C:\WINDOWS\system32\dblixoys.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3843] cmd /c del "C:\WINDOWS\system32\dblixoys.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5936] command /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8502] cmd /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA694] command /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9305] cmd /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\MBOLS~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Gaxajc] C:\WINDOWS\system32\??curity\r?ndll32.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1723] command /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6684] cmd /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9179] command /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6766] cmd /c del "C:\WINDOWS\system32\efcCvVPj.dll"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189521411221
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5718 bytes
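The log above carries the classic Virtumonde/Vundo tells: Run values that use rundll32 to load a randomly named DLL from system32 with a one-letter export (ace716fb, BMafd42567), a BHO whose "name" is itself a GUID, a path with characters HijackThis can only render as ? (??curity\r?ndll32.exe), and a Trusted Zone addition. The following Python script is an added example for this thread, not a Spybot or HijackThis tool, that applies those heuristics to O2/O4/O15 lines. The sample lines are copied from the log above (plus two known-good entries), and the rules themselves are my own choices for illustration: a hit means "look closer", not "malware".

```python
"""Triage HijackThis O2/O4/O15 lines for Vundo-style autostart indicators.

Added example for this thread, not a Spybot or HijackThis tool. The rules are
heuristics chosen for illustration; a hit means 'look closer', not 'malware'.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis logs posted above,
# plus two known-good entries (igfxtray, ZoneAlarm) that must not be flagged.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [ace716fb] rundll32.exe "C:\WINDOWS\system32\wjnirmwk.dll",b',
    r'O4 - HKLM\..\Run: [BMafd42567] Rundll32.exe "C:\WINDOWS\system32\dblixoys.dll",s',
    r'O4 - HKCU\..\Run: [Gaxajc] C:\WINDOWS\system32\??curity\r?ndll32.exe',
    r'O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\MBOLS~1\attrib.exe" -vt yazb',
    r'O2 - BHO: {3f4fe323-fb7f-2e78-e834-702d497bd85a} - {a58db794-d207-438e-87e2-f7bf323ef4f3} - C:\WINDOWS\system32\xmovpt.dll',
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O15 - Trusted Zone: *.sxload.net (HKLM)',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run(?:Once)?): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<zone>.*)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
                       re.IGNORECASE)
# Heuristic: Vundo DLL names in this thread are 6-8 random lowercase letters.
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,8}\.dll$')
# Windows binaries that have no business being launched from outside \WINDOWS.
SYSTEM_BINARIES = {'svchost.exe', 'rundll32.exe', 'attrib.exe', 'lsass.exe', 'winlogon.exe'}


@dataclass
class Finding:
    line: str
    reasons: list


def basename(path):
    return path.rstrip('"').rsplit('\\', 1)[-1]


def executable_path(cmd):
    """First *.exe token of a Run command, with surrounding quotes removed."""
    m = re.match(r'\s*"?(?P<exe>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group('exe') if m else cmd.split()[0]


def analyze_line(line):
    """Return the list of reasons a single HijackThis line deserves a look."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        cmd = m.group('cmd')
        if '?' in cmd:
            reasons.append("path contains characters HijackThis renders as '?' (look-alike folder/file name)")
        r = RUNDLL_RE.search(cmd)
        if r:
            dll = basename(r.group('dll'))
            if RANDOM_NAME_RE.match(dll):
                reasons.append(f'rundll32 loads DLL with random-looking name {dll}')
            if len(r.group('export')) == 1:
                reasons.append(f'rundll32 calls single-letter export "{r.group("export")}"')
        else:
            exe = executable_path(cmd)
            name = basename(exe).lower()
            if name in SYSTEM_BINARIES and '\\windows\\' not in exe.lower():
                reasons.append(f'system binary name {name} launched from outside \\WINDOWS: {exe}')
        if re.fullmatch(r'[0-9a-f]{8}', m.group('name')):
            reasons.append(f'hex-looking value name [{m.group("name")}]')
        return reasons
    m = O2_RE.match(line)
    if m:
        if GUID_RE.match(m.group('name')):
            reasons.append('BHO registered under a GUID instead of a product name')
        dll = basename(m.group('path'))
        if RANDOM_NAME_RE.match(dll):
            reasons.append(f'BHO DLL has random-looking name {dll}')
        return reasons
    m = O15_RE.match(line)
    if m:
        reasons.append(f'Trusted Zone addition {m.group("zone")}: verify it is intended')
    return reasons


def triage(lines):
    """Run analyze_line over a log and keep only the lines with findings."""
    return [Finding(l, analyze_line(l.rstrip('\r\n'))) for l in lines
            if analyze_line(l.rstrip('\r\n'))]


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f.line)
        for why in f.reasons:
            print('   ->', why)
```

Feed it a real HijackThis log with `triage(open('hijackthis.log').readlines())`. Note the caveats: an 8-letter lowercase DLL name is only a weak signal on its own (legitimate vendor DLLs exist with such names), which is why the script reports every reason separately and leaves the verdict to the analyst, and the '?' rule relies on HijackThis substituting '?' for non-ASCII characters rather than showing the look-alike characters themselves.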
random/random
2008-07-22, 23:06
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the combofix log and a new HijackThis log as a reply to this topic.
everlast556
2008-07-25, 15:43
I don't think it got everything; I still get command windows popping up after reboot, like it just reinstalled itself, and then pop-ups when in IE.
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:35, on 2008-07-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: {3f4fe323-fb7f-2e78-e834-702d497bd85a} - {a58db794-d207-438e-87e2-f7bf323ef4f3} - C:\WINDOWS\system32\xmovpt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ace716fb] rundll32.exe "C:\WINDOWS\system32\uyrsmvlm.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gaxajc] C:\WINDOWS\system32\??curity\r?ndll32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189521411221
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3526 bytes
COMBO Log
ComboFix 08-07-24.3 - Erouls 2008-07-25 8:24:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.729 [GMT -4:00]
Running from: C:\Documents and Settings\Erouls\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Erouls\My Documents\MCROSO~1
C:\Documents and Settings\Erouls\My Documents\MCROSO~1\M?crosoft\
C:\Documents and Settings\Erouls\My Documents\MCROSO~1\svchost.exe
C:\WINDOWS\BMafd42567.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ajcqorit.dll
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\curity~1\r?ndll32.exe
C:\WINDOWS\system32\dcgnmpag.ini
C:\WINDOWS\system32\efcCvVPj.dll
C:\WINDOWS\system32\eferwsim.ini
C:\WINDOWS\system32\gapmngcd.dll
C:\WINDOWS\system32\jjtkdpur.dll
C:\WINDOWS\system32\kwmrinjw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\miswrefe.dll
C:\WINDOWS\system32\mlvmsryu.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnmlkHw.dll
C:\WINDOWS\system32\tsvpnx.dll
C:\WINDOWS\system32\ubnkaj.dll
C:\WINDOWS\system32\vbifuz.dll
C:\WINDOWS\system32\wHklmnmp.ini
C:\WINDOWS\system32\wHklmnmp.ini2
C:\WINDOWS\system32\ypqnonul.dll
----- BITS: Possible infected sites -----
http://lan-noc-03.zipform.local:8530
.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.
2008-07-24 13:03 . 2008-07-24 13:03 83,456 --a------ C:\WINDOWS\system32\uyrsmvlm.dll
2008-07-24 13:00 . 2008-07-24 13:00 105,472 --a------ C:\WINDOWS\system32\xwuwrdyd.dll
2008-07-24 13:00 . 2008-07-24 13:00 105,472 --a------ C:\WINDOWS\system32\xmovpt.dll
2008-07-23 13:00 . 2008-07-23 13:00 105,312 --a------ C:\WINDOWS\system32\rmgmjxho.rlr
2008-07-21 15:45 . 2008-07-21 15:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 10:26 . 2008-07-22 14:08 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-21 10:26 . 2008-07-21 10:52 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-07-21 10:25 . 2008-07-22 14:08 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-21 09:26 . 2008-07-24 13:21 110,419 --a------ C:\WINDOWS\BMafd42567.xml
2008-07-21 09:19 . 2008-07-21 09:19 <DIR> d-------- C:\WINDOWS\system32\carH01
2008-07-21 09:19 . 2008-07-21 09:19 <DIR> d-------- C:\Temp\btxv15
2008-07-18 08:08 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-14 13:00 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-07-14 13:00 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-08 09:36 . 2008-02-26 07:59 294,912 --------- C:\WINDOWS\system32\dllcache\msctf.dll
2008-07-08 09:36 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-08 09:36 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 12:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 19:06 --------- d-----w C:\Program Files\Google
2008-07-24 16:40 --------- d-----w C:\Program Files\ZipForm Desktop
2008-06-20 19:22 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-10 20:13 --------- d-----w C:\Program Files\PDF-X
2008-06-03 19:16 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-06-03 19:16 --------- d-----w C:\Program Files\MSECache
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a58db794-d207-438e-87e2-f7bf323ef4f3}]
2008-07-24 13:00 105472 --a------ C:\WINDOWS\system32\xmovpt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gaxajc"="C:\WINDOWS\system32\??curity\r?ndll32.exe" [?]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 17:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 17:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 17:36 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ace716fb"="C:\WINDOWS\system32\uyrsmvlm.dll" [2008-07-24 13:03 83456]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 19:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQLSERVER"=2 (0x2)
"msftesql"=2 (0x2)
"IISADMIN"=2 (0x2)
"W3SVC"=2 (0x2)
"SMTPSVC"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-xloadnet - C:\Program Files\xloadnet\xloadnet.exe
HKCU-Run-Tair - C:\DOCUME~1\Erouls\MYDOCU~1\MCROSO~1\svchost.exe
HKLM-Run-BMafd42567 - C:\WINDOWS\system32\pffgjrab.dll
MSConfigStartUp-DVDLauncher - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://hub.zipform.net/map/index.htm
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 08:30:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\mlvmsryu.ini 294 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-25 8:34:30 - machine was rebooted [Erouls]
ComboFix-quarantined-files.txt 2008-07-25 12:34:26
Pre-Run: 21,605,158,912 bytes free
Post-Run: 21,751,496,704 bytes free
147 --- E O F --- 2008-07-15 07:01:56
random/random
2008-07-25, 16:46
You do not appear to be running a real-time antivirus; this is leaving you open to infection.
Please install one of the following free antivirus programs:
AVG (http://free.grisoft.com/doc/1)
Avast! (http://www.avast.com/eng/avast_4_home.html)
Antivir (http://www.free-av.com/)
Note: The above programs are free only for personal, non-commercial use.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs, and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Open a new Notepad window (Start > All Programs > Accessories > Notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
http://forums.spybot.info/showthread.php?t=31331
Collect::
C:\WINDOWS\system32\uyrsmvlm.dll
C:\WINDOWS\system32\xwuwrdyd.dll
C:\WINDOWS\system32\xmovpt.dll
C:\WINDOWS\system32\rmgmjxho.rlr
C:\WINDOWS\BMafd42567.xml
C:\WINDOWS\system32\mlvmsryu.ini
Folder::
C:\WINDOWS\system32\carH01
C:\Temp\btxv15
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a58db794-d207-438e-87e2-f7bf323ef4f3}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gaxajc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ace716fb"=-
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
everlast556
2008-07-28, 15:10
Here are the new logs; it had me submit some files to Bleeping Computer.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:07, on 2008-07-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REFN\PDF-X\PDFSAVER.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189521411221
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 3212 bytes
ComboFix 08-07-24.3 - Erouls 2008-07-28 8:01:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.822 [GMT -4:00]
Running from: C:\Documents and Settings\Erouls\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erouls\Desktop\CFscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\btxv15
C:\Temp\btxv15\carH.log
C:\WINDOWS\BMafd42567.xml
C:\WINDOWS\system32\carH01
C:\WINDOWS\system32\carH01\carH011065.exe
C:\WINDOWS\system32\mlvmsryu.ini
C:\WINDOWS\system32\rmgmjxho.rlr
C:\WINDOWS\system32\xwuwrdyd.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.
2008-07-25 08:54 . 2008-07-25 08:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-24 13:03 . 2008-07-24 13:03 83,456 --------- C:\WINDOWS\system32\htshlenm.ppj
2008-07-24 13:00 . 2008-07-24 13:00 105,472 --------- C:\WINDOWS\system32\hlyhqoss.jam
2008-07-21 15:45 . 2008-07-21 15:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 10:26 . 2008-07-22 14:08 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-21 10:26 . 2008-07-21 10:52 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-07-21 10:25 . 2008-07-22 14:08 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-18 08:08 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-14 13:00 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-07-14 13:00 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-08 09:36 . 2008-02-26 07:59 294,912 --------- C:\WINDOWS\system32\dllcache\msctf.dll
2008-07-08 09:36 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-08 09:36 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 19:06 --------- d-----w C:\Program Files\Google
2008-07-24 16:40 --------- d-----w C:\Program Files\ZipForm Desktop
2008-06-21 03:11 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 19:22 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 19:22 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-10 20:13 --------- d-----w C:\Program Files\PDF-X
2008-06-03 19:16 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-06-03 19:16 --------- d-----w C:\Program Files\MSECache
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-25_ 8.34.09.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-24 19:02:27 116,808 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-25 12:34:22 116,808 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-24 19:02:27 579,230 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-25 12:34:22 579,230 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 17:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 17:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 17:36 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 07:00 158208]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaxajc]
C:\WINDOWS\system32\??curity\r?ndll32.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 19:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQLSERVER"=2 (0x2)
"msftesql"=2 (0x2)
"IISADMIN"=2 (0x2)
"W3SVC"=2 (0x2)
"SMTPSVC"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-ace716fb - C:\WINDOWS\system32\uyrsmvlm.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 08:03:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2008-07-28 8:05:18
ComboFix-quarantined-files.txt 2008-07-28 12:04:57
ComboFix2.txt 2008-07-25 12:34:31
Pre-Run: 21,445,242,880 bytes free
Post-Run: 21,608,787,968 bytes free
120 --- E O F --- 2008-07-15 07:01:56
random/random
2008-07-28, 17:00
Open a new Notepad window (Start > All Programs > Accessories > Notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
http://forums.spybot.info/showthread.php?t=31331
Collect::
C:\WINDOWS\system32\htshlenm.ppj
C:\WINDOWS\system32\hlyhqoss.jam
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
everlast556
2008-07-30, 15:04
Submitted more...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:58, on 2008-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REFN\PDF-X\PDFSAVER.EXE
C:\Program Files\Tracker Software\PDF-XChange Lite 3\pdfSaver\pdfSaver3l.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189521411221
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 3339 bytes
ComboFix 08-07-24.3 - Erouls 2008-07-30 7:52:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.796 [GMT -4:00]
Running from: C:\Documents and Settings\Erouls\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erouls\Desktop\CFscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\hlyhqoss.jam
C:\WINDOWS\system32\htshlenm.ppj
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.
2008-07-25 08:54 . 2008-07-25 08:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-21 15:45 . 2008-07-21 15:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 10:26 . 2008-07-22 14:08 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-21 10:26 . 2008-07-21 10:52 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-07-21 10:25 . 2008-07-22 14:08 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-18 08:08 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-14 13:00 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-07-14 13:00 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-08 09:36 . 2008-02-26 07:59 294,912 --------- C:\WINDOWS\system32\dllcache\msctf.dll
2008-07-08 09:36 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-08 09:36 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 17:44 . 2008-02-20 01:32 45,568 --------- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-06-10 16:13 . 2008-06-10 16:13 <DIR> d-------- C:\Program Files\PDF-X
2008-06-03 15:16 . 2008-06-03 15:16 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 18:04 --------- d-----w C:\Program Files\ZipForm Desktop
2008-07-25 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 19:06 --------- d-----w C:\Program Files\Google
2008-06-21 03:11 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 19:22 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 19:22 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-03 19:16 --------- d-----w C:\Program Files\MSECache
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-25_ 8.34.09.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-24 19:02:27 116,808 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-25 12:34:22 116,808 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-24 19:02:27 579,230 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-25 12:34:22 579,230 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 17:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 17:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 17:36 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 07:00 158208]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaxajc]
C:\WINDOWS\system32\??curity\r?ndll32.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 19:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQLSERVER"=2 (0x2)
"msftesql"=2 (0x2)
"IISADMIN"=2 (0x2)
"W3SVC"=2 (0x2)
"SMTPSVC"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 07:54:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2008-07-30 7:56:36
ComboFix-quarantined-files.txt 2008-07-30 11:56:13
ComboFix2.txt 2008-07-28 12:05:19
ComboFix3.txt 2008-07-25 12:34:31
Pre-Run: 21,521,489,920 bytes free
Post-Run: 21,528,621,056 bytes free
117 --- E O F --- 2008-07-15 07:01:56
random/random
2008-07-31, 19:47
You do not appear to be running a realtime antivirus; this is leaving you open to infection.
Please install one of the following free antivirus programs:
Avast! (http://www.avast.com/eng/avast_4_home.html)
Antivir (http://www.free-av.com/)
Note: The above programs are free only for personal, non-commercial use.
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
everlast556
2008-08-01, 15:54
I have Zone alarm but have closed it during these scans
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3317 (20080801)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7a158fcb0aafc940b99abec98008aaf1
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-08-01 12:41:16
# local_time=2008-08-01 08:41:16 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=248784
# found=9
# scan_time=1990
C:\QooBox\Quarantine\C\Documents and Settings\Erouls\My Documents\MCROSO~1\svchost.exe.vir probably a variant of Win32/TrojanDownloader.PurityScan trojan C400B89A9A425FC78041EF9876D40C1B
C:\QooBox\Quarantine\C\WINDOWS\system32\jjtkdpur.dll.vir Win32/BHO.NFH trojan B9811A6699911556608799913D79C85A
C:\QooBox\Quarantine\C\WINDOWS\system32\miswrefe.dll.vir Win32/Adware.Virtumonde application 7640C065E6930F5B8072CD716BF57DC7
C:\QooBox\Quarantine\C\WINDOWS\system32\ubnkaj.dll.vir probably a variant of Win32/Adware.PurityScan application 92B0B02057790E4CC01E177DF42BC98A
C:\QooBox\Quarantine\C\WINDOWS\system32\carH01\carH011065.exe.vir a variant of Win32/TrojanDownloader.VB.AW trojan 48CCD418F57E4885661A561A708E6C3E
C:\QooBox\Quarantine\C\WINDOWS\system32\CURITY~1\r?ndll32.exe.vir probably a variant of Win32/Adware.PurityScan application EE941880BC07C8035C9769ECBECA3375
C:\RECYCLER\S-1-5-21-1195451000-1883382936-1539857752-1329\Dc6.zip multiple infiltrations 3E57417B226B933DD398CF9655EC3779
C:\RECYCLER\S-1-5-21-1195451000-1883382936-1539857752-1329\Dc6.zip »ZIP »hlyhqoss.jam Win32/BHO.NFH trojan 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1195451000-1883382936-1539857752-1329\Dc6.zip »ZIP »htshlenm.ppj Win32/Adware.Virtumonde application 00000000000000000000000000000000
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:57 AM, on 08/01/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REFN\PDF-X\PDFSAVER.EXE
C:\Program Files\Tracker Software\PDF-XChange Lite 3\pdfSaver\pdfSaver3l.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189521411221
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 3469 bytes
random/random
2008-08-01, 16:40
You now appear to be clean. Congratulations!
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php); you need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.
Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/) or Online Armor (http://www.tallemu.com/online_armor_free.html)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will therefore help to prevent malicious software being installed on your PC.
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector). I suggest that you run it at least once a month.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
Click Start > Run
Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services window.
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
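As an added example (not code from this thread, from Spybot-S&D or from any tool named above), the following Python script audits a hosts file of the kind described above: it separates entries that sinkhole a name to the local machine (a block list) from entries that redirect a name to a routable address, and flags redirects of protected domains, which is how a tampered hosts file typically shows up. The sample hosts content, the addresses and the protected-domain list are all constructed.

```python
"""Audit a Windows-style hosts file: list sinkholed names, flag redirects.

Added example for the thread above, not the project's own code. The sample
hosts content and the protected-domain list below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses a blocking hosts list uses to sinkhole a name: lookups resolve to
# the local machine (or to "nowhere" for 0.0.0.0), so the site is never reached.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsAudit:
    blocked: list = field(default_factory=list)     # (address, name) sinkholed
    redirected: list = field(default_factory=list)  # (address, name) sent elsewhere
    malformed: list = field(default_factory=list)   # (lineno, text) unparseable


def parse_hosts(text):
    """Yield (lineno, first_field, [remaining_fields]) for each active line.

    Comments start with '#' and may trail an entry; blank lines are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def audit_hosts(text):
    """Classify every hosts entry as a block (sinkhole) or a redirect.

    A redirect is any name mapped to a routable address. Legitimate ones exist
    (intranet boxes, test hosts), but a vendor or update domain pointed at a
    remote address is the classic sign of a hosts file changed by malware.
    """
    result = HostsAudit()
    for lineno, addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            result.malformed.append((lineno, addr))
            continue
        if not names:
            result.malformed.append((lineno, addr))
            continue
        bucket = result.blocked if addr in SINKHOLE_ADDRESSES else result.redirected
        for name in names:
            bucket.append((addr, name.lower()))
    return result


def suspicious_redirects(audit, protected_suffixes):
    """Return redirects whose name is, or is under, a protected domain."""
    return [(addr, name) for addr, name in audit.redirected
            if any(name == s or name.endswith("." + s) for s in protected_suffixes)]


# Constructed sample: a block list in the style Spybot-S&D adds, one intranet
# entry, one tampered entry pointing an update domain at a remote address, and
# one junk line. Addresses are from the documentation ranges (RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.example-adserver.test
0.0.0.0         tracker.example.test   # blocked tracker
192.0.2.10      fileserver.example.local
198.51.100.7    update.microsoft.com
garbage-line
"""

if __name__ == "__main__":
    audit = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", audit.blocked)
    print("redirected:", audit.redirected)
    print("malformed:", audit.malformed)
    print("suspicious:", suspicious_redirects(audit, ["microsoft.com"]))
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it into `audit_hosts` and treat any entry in the suspicious list as something to investigate before trusting that machine's updates or antivirus downloads.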
everlast556
2008-08-01, 17:03
Thanks a lot guys! You are the best. Couldn't have done it without you!
random/random
2008-08-02, 21:32
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me a private message (pm). A valid, working link to the closed topic is required.