Smitfraud-C/Virtumonde help
LessQQMorePewPew
2008-08-25, 19:43
I've run Spybot and it won't get rid of it. I've run it in safe mode but it still won't go away. Here's my log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:40, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [a823822d] rundll32.exe "C:\WINDOWS\system32\bpvgjrxy.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: rddfpn.dll ylmldd.dll
O21 - SSODL: pdoskegl - {BF4920B4-730E-44B9-9A5B-DB4CE76EFDDD} - C:\WINDOWS\pdoskegl.dll (file missing)
O21 - SSODL: rqbmvpso - {8558A655-C137-461E-BD0A-9C6683600527} - C:\WINDOWS\rqbmvpso.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3552 bytes
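The HijackThis log above already carries the indicators a helper keys on: toolbar and SSODL entries with random eight-letter names whose DLLs are "(file missing)", an HKLM Run value named with hex digits that launches rundll32 against a system32 DLL with a one-letter export, and two DLLs listed in AppInit_DLLs. The Python script below, added here as an example and not part of the original thread or of HijackThis itself, encodes those rules as a first-pass triage of an HJT log. The sample lines are constructed from the log posted above; the rules and thresholds are the editor's assumptions, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines modelled on the HijackThis log posted at the top of
# this thread, mixing legitimate autostarts (AOL toolbar, iTunes, ctfmon, Bonjour) with the
# Vundo/Virtumonde-style ones (random-named toolbar/SSODL DLLs, rundll32 Run value, AppInit_DLLs).
SAMPLE_LOG = r"""
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a823822d] rundll32.exe "C:\WINDOWS\system32\bpvgjrxy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: rddfpn.dll ylmldd.dll
O21 - SSODL: pdoskegl - {BF4920B4-730E-44B9-9A5B-DB4CE76EFDDD} - C:\WINDOWS\pdoskegl.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_VALUE_RE = re.compile(r"[^\[]*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
# rundll32 <dll>,<export>: capture the DLL path and the export name after the comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)
# A DLL sitting directly in %WINDIR% (not a subdirectory) is unusual for legitimate toolbars/SSODL objects
WINROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def triage_entry(section: str, body: str) -> list:
    """Apply the editor's indicator rules to one HijackThis entry; return why it looks suspicious."""
    reasons = []
    if FILE_MISSING in body:
        reasons.append("orphaned registration: target deleted but the autostart remains")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            reasons.append("AppInit_DLLs injects %s into every process that loads user32.dll" % ", ".join(dlls))
    if section == "O4":
        m = RUN_VALUE_RE.match(body)
        if m:
            if HEX_NAME_RE.match(m.group("name")):
                reasons.append("Run value named with random hex digits")
            rm = RUNDLL_RE.search(m.group("cmd"))
            if rm and "system32" in rm.group("dll").lower() and len(rm.group("export")) <= 1:
                reasons.append("rundll32 loads a system32 DLL through a one-letter export")
    if section in ("O3", "O21"):
        target = body.replace(FILE_MISSING, "").strip().rsplit(" - ", 1)[-1]
        if WINROOT_DLL_RE.match(target):
            reasons.append("DLL dropped directly in the Windows directory")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every entry that trips at least one rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        reasons = triage_entry(m.group("section"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), m.group("body"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.body}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it flags the qalkfxor toolbar, the a823822d Run value, the AppInit_DLLs pair and the pdoskegl SSODL entry and leaves the AOL, iTunes, ctfmon and Bonjour lines alone. The rules are deliberately narrow (location, orphaned target, rundll32 export shape) rather than trying to score "random-looking" names, which is where false positives on legitimate short names such as ctfmon creep in.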
__RiP_ChAiN_
2008-08-26, 20:50
Hello LessQQMorePewPew,
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
LessQQMorePewPew
2008-08-27, 22:12
Hey, this is my ComboFix log, and right below it is the HJT log.
ComboFix 08-08-27.01 - haiammike 2008-08-27 14:52:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.465 [GMT -4:00]
Running from: C:\Documents and Settings\haiammike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\haiammike\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\EndUser\Application Data\macromedia\Flash Player\#SharedObjects\ADPBARGY\interclick.com
C:\Documents and Settings\EndUser\Application Data\macromedia\Flash Player\#SharedObjects\ADPBARGY\interclick.com\ud.sol
C:\Documents and Settings\EndUser\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\EndUser\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\bin.clearspring.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\interclick.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\interclick.com\ud.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\RECYCLER\ADAPT_Installer.exe
C:\WINDOWS\etbr.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\system32\amhyjdli.dll
C:\WINDOWS\system32\bIiRtBeg.ini
C:\WINDOWS\system32\bIiRtBeg.ini2
C:\WINDOWS\system32\ddcbCspn.dll
C:\WINDOWS\system32\debpbkto.dll
C:\WINDOWS\system32\eqxuykom.dll
C:\WINDOWS\system32\geBtRiIb.dll
C:\WINDOWS\system32\hdjbqobl.dll
C:\WINDOWS\system32\hnfoha.dll
C:\WINDOWS\system32\hwryvtbk.dll
C:\WINDOWS\system32\irvptjks.dll
C:\WINDOWS\system32\jcbaveun.dll
C:\WINDOWS\system32\kvdkggcr.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nuevabcj.ini
C:\WINDOWS\system32\oilwuc.dll
C:\WINDOWS\system32\otkbpbed.ini
C:\WINDOWS\system32\qartonsu.dll
C:\WINDOWS\system32\rcggkdvk.dll
C:\WINDOWS\system32\rddfpn.dll
C:\WINDOWS\system32\rqoxfu.dll
C:\WINDOWS\system32\rqRKARlk.dll
C:\WINDOWS\system32\rxbofkot.ini
C:\WINDOWS\system32\skjtpvri.ini
C:\WINDOWS\system32\ujjnhu.dll
C:\WINDOWS\system32\vkbyowfc.ini
C:\WINDOWS\system32\vywithew.dll
C:\WINDOWS\system32\ylmldd.dll
C:\WINDOWS\system32\yxrjgvpb.ini
----- BITS: Possible infected sites -----
http://hqsextube08.com
.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-26 17:41 . 2008-08-26 17:41 303,104 --a------ C:\WINDOWS\system32\hsaserem.exe
2008-08-26 17:41 . 2008-08-27 14:53 200,704 --a------ C:\WINDOWS\SysNotifier.exe
2008-08-25 16:32 . 2008-08-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-25 15:55 . 2008-08-25 15:55 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-25 11:23 . 2008-08-25 11:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-25 11:19 . 2008-08-25 11:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 10:48 . 2008-08-25 10:48 <DIR> d-------- C:\Documents and Settings\haiammike\Application Data\Aim
2008-08-25 00:00 . 2008-08-25 00:00 <DIR> d-------- C:\Documents and Settings\haiammike
2008-08-24 22:29 . 2008-08-27 01:27 296 --a------ C:\WINDOWS\wininit.ini
2008-08-24 21:47 . 2008-08-25 12:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-24 21:47 . 2008-08-24 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 21:38 . 2008-08-24 06:45 380,928 --a------ C:\WINDOWS\rodqgpvlkoa.dll
2008-08-24 21:38 . 2008-08-24 21:38 126,976 --a------ C:\WINDOWS\kx60171.dll
2008-08-24 21:38 . 2008-08-24 06:45 86,016 --a------ C:\WINDOWS\rvoelbxt.exe
2008-08-24 07:06 . 2008-08-24 07:06 <DIR> d-------- C:\Temp
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\Program Files\Norton PC Checkup
2008-08-21 21:58 . 2008-08-25 17:31 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-21 19:05 . 2008-08-21 19:05 <DIR> d-------- C:\Documents and Settings\EndUser\Application Data\Apple Computer
2008-08-20 21:46 . 2008-08-24 06:51 <DIR> d-------- C:\Fraps
2008-08-20 21:23 . 2008-08-20 21:23 <DIR> d-------- C:\Program Files\Guitar Pro 5
2008-08-20 00:23 . 2008-08-21 18:58 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-20 00:17 . 2008-08-20 00:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-08-19 01:38 . 2008-08-19 03:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-28 19:02 . 2008-07-28 19:02 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-28 19:00 . 2008-07-28 19:00 <DIR> d-------- C:\Program Files\VentSrv
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 20:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-24 18:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 11:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 04:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-28 23:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 22:55 --------- d-----w C:\Program Files\World of Warcraft
2008-07-26 23:14 --------- d-----w C:\Documents and Settings\EndUser\Application Data\MSNInstaller
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
2008-08-26 17:41 299008 --a------ C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72DB2104-BEAC-3D08-AFC0-554316CD0BC4}]
2008-08-24 21:38 126976 --a------ C:\WINDOWS\kx60171.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Camio Viewer.lnk - C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe [2002-02-11 14:59:44 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tfpapi]
2008-08-26 17:41 299008 C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll
HKLM-Run-a823822d - C:\WINDOWS\system32\debpbkto.dll
SSODL-pdoskegl-{BF4920B4-730E-44B9-9A5B-DB4CE76EFDDD} - C:\WINDOWS\pdoskegl.dll
SSODL-rqbmvpso-{8558A655-C137-461E-BD0A-9C6683600527} - C:\WINDOWS\rqbmvpso.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\haiammike\Application Data\Mozilla\Firefox\Profiles\rg3ak8ek.default\
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 15:05:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-27 15:09:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 19:09:37
Pre-Run: 1,269,612,544 bytes free
Post-Run: 1,391,423,488 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
189 --- E O F --- 2008-08-15 07:06:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:04, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3608 bytes
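The ComboFix log in this post shows a persistence layer the HijackThis log did not: tfpapi.dll sitting under a user profile's Application Data, registered both as a BHO and as a Winlogon Notify package, listed as loaded into winlogon.exe and explorer.exe, with the Security Center's AntiVirusDisableNotify and UpdatesDisableNotify values set to 1. The Python script below, added as an example and not part of the thread or of ComboFix, parses the "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections and cross-references them; the files and registry keys it surfaces are the ones the helper targets in the next reply. The excerpt is constructed from the posted log; the parsing and correlation rules are the editor's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the first ComboFix log in this thread: the "Reg Loading Points"
# registry dump and the "DLLs Loaded Under Running Processes" list, plus one benign Run value.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
2008-08-26 17:41 299008 --a------ C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tfpapi]
2008-08-26 17:41 299008 C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
.
**************************************************************************
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^\[\]"]+?\.(?:dll|exe))\b', re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\", re.IGNORECASE)


@dataclass
class ComboFixLog:
    registrations: dict = field(default_factory=dict)   # lowercased file path -> registry keys pointing at it
    loaded: list = field(default_factory=list)           # (process path, loaded DLL path)
    security_center: dict = field(default_factory=dict)  # Security Center value name -> int


def parse_combofix(text: str) -> ComboFixLog:
    """Walk the log once, tracking which section we are in and which registry key is current."""
    log = ComboFixLog()
    section = key = process = None
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            section = "reg"
            continue
        if "DLLs Loaded Under Running Processes" in line:
            section = "dlls"
            continue
        if line.startswith(("((((", "----", "****")):
            section = None  # any other banner closes the section we were in
            continue
        if section == "reg":
            km = KEY_RE.match(line)
            if km:
                key = km.group("key")
                continue
            dm = DWORD_RE.match(line)
            if dm and key and key.lower().endswith("security center"):
                log.security_center[dm.group("name")] = int(dm.group("val"), 16)
                continue
            pm = PATH_RE.search(line)
            if pm and key:
                log.registrations.setdefault(pm.group("path").lower(), []).append(key)
        elif section == "dlls":
            pm = PATH_RE.search(line)
            if not pm:
                continue
            if line.startswith("PROCESS:"):
                process = pm.group("path")
            elif line.startswith("->") and process:
                log.loaded.append((process, pm.group("path")))
    return log


@dataclass
class Finding:
    dll: str
    reasons: list = field(default_factory=list)


def correlate(log: ComboFixLog) -> list:
    """Cross-reference loaded DLLs with where they are registered; one Finding per suspicious DLL."""
    by_dll = {}
    for process, dll in log.loaded:
        f = by_dll.setdefault(dll.lower(), Finding(dll))
        if USER_PROFILE_RE.match(dll):
            proc = process.rsplit("\\", 1)[-1].lower()
            f.reasons.append(f"DLL under a user profile is loaded into {proc}")
    for key, f in by_dll.items():
        for regkey in log.registrations.get(key, []):
            low = regkey.lower()
            if "winlogon\\notify" in low:
                f.reasons.append("registered as a Winlogon Notify package (runs inside winlogon.exe as SYSTEM at logon)")
            elif "browser helper objects" in low:
                f.reasons.append("registered as an Internet Explorer BHO")
    return [f for f in by_dll.values() if f.reasons]


def disabled_notifications(log: ComboFixLog) -> list:
    """Security Center *DisableNotify values set to 1: the user is no longer warned about missing AV/updates."""
    return sorted(n for n, v in log.security_center.items() if n.endswith("DisableNotify") and v == 1)


if __name__ == "__main__":
    log = parse_combofix(SAMPLE_COMBOFIX)
    for f in correlate(log):
        print(f.dll)
        for r in f.reasons:
            print(f"    - {r}")
    print("Security Center notifications disabled:", disabled_notifications(log))
```

The point of the correlation is that a Winlogon Notify DLL is loaded by winlogon.exe before any user session exists, so a tool run from the desktop can neither unload nor delete it; that is why the helper's CFScript in the next post removes the Notify key together with the file rather than the file alone.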
__RiP_ChAiN_
2008-08-28, 01:24
Hello LessQQMorePewPew,
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
Could you please go to the folder C:\Program Files\Trend Micro\HijackThis and rename the file HijackThis to Random.
Then I would like you to submit some new looking files real quick.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Please go to VirSCAN.org FREE on-line scan service (http://virscan.org/)
Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
C:\WINDOWS\system32\hsaserem.exe
Click on the Upload button
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.
Please do this for each file listed below, as well.
C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
C:\WINDOWS\kx60171.dll
----------------------------------------------- Step 2
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\hsaserem.exe
C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
C:\WINDOWS\kx60171.dll
C:\WINDOWS\SysNotifier.exe
C:\WINDOWS\rodqgpvlkoa.dll
C:\WINDOWS\kx60171.dll
C:\WINDOWS\rvoelbxt.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3753B44D-E02F-48B7-81B1-19A377BCCB63}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72DB2104-BEAC-3D08-AFC0-554316CD0BC4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tfpapi]
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
LessQQMorePewPew
2008-08-29, 03:12
VirSCAN.org Scanned Report :
Scanned time : 2008/08/28 20:02:50 (EDT)
Scanner results: 8% Scanner(3/36) found malware!
File Name : hsaserem.exe
File Size : 303104 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3c147d0ca780d5073dd8349c9af28afd
SHA1 : 6b4e99a7e2c6152e83d1a5903aade48e4ca8ccb9
Online report : http://virscan.org/report/a3818aa00f2a145bcb42bc70b213106d.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.27 2008-08-27 5.42 -
AhnLab V3 2008.08.29.00 2008.08.29 2008-08-29 0.90 -
AntiVir 7.8.1.23 7.0.6.88 2008-08-28 2.25 -
Arcavir 1.0.5 200808281354 2008-08-28 1.21 -
AVAST! 3.0.1 080828-0 2008-08-28 0.71 Win32:Trojan-gen {Other}
AVG 7.5.51.442 270.6.12/1640 2008-08-28 1.55 SHeur.CEQJ
BitDefender 7.60825.1660182 7.20712 2008-08-29 3.76 -
CA (VET) 9.0.0.143 31.6.6054 2008-08-28 5.57 -
ClamAV 0.93.3 8112 2008-08-29 0.06 -
Comodo 2.11 2.0.0.630 2008-08-28 0.43 -
CP Secure 1.1.0.715 2008.08.29 2008-08-29 6.55 -
Dr.Web 4.44.0.9170 2008.08.28 2008-08-28 3.14 -
ewido 4.0.0.2 2008.08.28 2008-08-28 4.17 -
F-Prot 4.4.4.56 20080828 2008-08-28 1.07 -
F-Secure 5.51.6100 2008.08.29.01 2008-08-29 0.06 -
Fortinet 2.81-3.11 9.481 2008-08-28 1.76 -
ViRobot 20080828 2008.08.28 2008-08-28 0.41 -
Ikarus T3.1.01.34 2008.08.28.71358 2008-08-28 3.25 -
JiangMin 11.0.706 2008.08.28 2008-08-28 2.29 -
Kaspersky 5.5.10 2008.08.28 2008-08-28 0.05 -
KingSoft 2008.1.14.15 2008.8.28.17 2008-08-28 1.35 -
McAfee 5.3.00 5371 2008-08-27 2.11 -
Microsoft 1.3807 2008.08.28 2008-08-28 4.59 -
mks_vir 2.01 2008.08.25 2008-08-25 2.68 -
Norman 5.93.01 5.93.00 2008-08-28 4.96 W32/Malware.DPFL
Panda 9.05.01 2008.08.28 2008-08-28 2.27 -
Trend Micro 8.700-1004 5.506.02 2008-08-28 0.04 -
Quick Heal 9.50 2008.08.26 2008-08-26 1.77 -
Rising 20.0 20.59.31.00 2008-08-28 1.09 -
Sophos 2.78.0 4.33 2008-08-29 1.67 -
Sunbelt 3.1.1582.1 2204 2008-08-25 0.59 -
Symantec 1.3.0.24 20080828.003 2008-08-28 0.10 -
nProtect 2008-08-28.00 1982990 2008-08-28 3.90 -
The Hacker 6.3.0.6 v00064 2008-08-27 0.41 -
VBA32 3.12.8.4 20080828.0615 2008-08-28 2.24 -
VirusBuster 4.5.11.10 10.84.14/623168 2008-08-28 0.93 -
VirSCAN.org Scanned Report :
Scanned time : 2008/08/28 20:07:22 (EDT)
Scanner results: 33% Scanner(12/36) found malware!
File Name : tfpapi.dll
File Size : 299008 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : d8fa54f0b61428f42b43aa40fb2972ac
SHA1 : 8505f1adc3c76def653af86a62b30d4da333b60d
Online report : http://virscan.org/report/4080bef4d3fca951cb0f2caa24aa07a7.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.27 2008-08-27 2.52 -
AhnLab V3 2008.08.29.00 2008.08.29 2008-08-29 0.89 -
AntiVir 7.8.1.23 7.0.6.88 2008-08-28 2.25 PHISH/FraudTool.XPShield.H
Arcavir 1.0.5 200808281354 2008-08-28 1.21 Riskware.Fraudtool.Xpshield.H
AVAST! 3.0.1 080828-0 2008-08-28 0.71 Win32:Trojan-gen {Other}
AVG 7.5.51.442 270.6.12/1640 2008-08-28 1.55 -
BitDefender 7.60825.1660182 7.20712 2008-08-29 3.19 -
CA (VET) 9.0.0.143 31.6.6054 2008-08-28 5.10 -
ClamAV 0.93.3 8112 2008-08-29 0.07 -
Comodo 2.11 2.0.0.630 2008-08-28 0.43 -
CP Secure 1.1.0.715 2008.08.29 2008-08-29 6.52 -
Dr.Web 4.44.0.9170 2008.08.28 2008-08-28 3.15 -
ewido 4.0.0.2 2008.08.28 2008-08-28 2.56 -
F-Prot 4.4.4.56 20080828 2008-08-28 0.99 Possible W32/Heuristic-KPP!Eldorado (not disinfectable)
F-Secure 5.51.6100 2008.08.29.01 2008-08-29 3.17 -
Fortinet 2.81-3.11 9.481 2008-08-28 1.75 -
ViRobot 20080828 2008.08.28 2008-08-28 0.40 -
Ikarus T3.1.01.34 2008.08.28.71358 2008-08-28 3.19 Trojan-Downloader.Win32.Renos.Z
JiangMin 11.0.706 2008.08.28 2008-08-28 1.19 -
Kaspersky 5.5.10 2008.08.28 2008-08-28 0.04 not-a-virus:FraudTool.Win32.XPShield.h
KingSoft 2008.1.14.15 2008.8.28.17 2008-08-28 0.58 -
McAfee 5.3.00 5371 2008-08-27 2.09 -
Microsoft 1.3807 2008.08.28 2008-08-28 4.28 TrojanDownloader:Win32/Renos.gen!Z
mks_vir 2.01 2008.08.25 2008-08-25 2.60 -
Norman 5.93.01 5.93.00 2008-08-28 5.00 -
Panda 9.05.01 2008.08.28 2008-08-28 2.04 Adware/XP-Shield
Trend Micro 8.700-1004 5.506.02 2008-08-28 0.02 TROJ_RENOS.AEZ
Quick Heal 9.50 2008.08.26 2008-08-26 1.67 FraudTool.XPShield.h (Not a Virus)
Rising 20.0 20.59.31.00 2008-08-28 0.74 -
Sophos 2.78.0 4.33 2008-08-29 1.65 -
Sunbelt 3.1.1582.1 2204 2008-08-25 0.42 XPShield
Symantec 1.3.0.24 20080828.003 2008-08-28 0.05 -
nProtect 2008-08-28.00 1982990 2008-08-28 3.62 -
The Hacker 6.3.0.6 v00064 2008-08-27 0.38 Aplicacion/XPShield.h (Unwanted)
VBA32 3.12.8.4 20080828.0615 2008-08-28 2.15 -
VirusBuster 4.5.11.10 10.84.14/623168 2008-08-28 0.96 -
VirSCAN.org Scanned Report :
Scanned time : 2008/08/28 20:09:45 (EDT)
Scanner results: 36% Scanner(13/36) found malware!
File Name : kx60171.dll
File Size : 126976 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 89ce75de6e2ff0c78d34d7616c39620a
SHA1 : 4a9b4b0efe5cb9e9a027c2507aee90b6458bb935
Online report : http://virscan.org/report/eba01039fec10b0be56979a8b5e94e5d.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.27 2008-08-27 2.51 -
AhnLab V3 2008.08.29.00 2008.08.29 2008-08-29 0.90 Win-Trojan/Xema.126976.C
AntiVir 7.8.1.23 7.0.6.88 2008-08-28 2.25 TR/BHO.Agent.NGR
Arcavir 1.0.5 200808281354 2008-08-28 1.21 Trojan.Downloader.Agent.Adfi
AVAST! 3.0.1 080828-0 2008-08-28 0.01 Win32:Trojan-gen {Other}
AVG 7.5.51.442 270.6.12/1640 2008-08-28 1.54 BHO.FHD
BitDefender 7.60825.1660182 7.20712 2008-08-29 2.92 -
CA (VET) 9.0.0.143 31.6.6054 2008-08-28 6.14 Win32/Pripecs.ALV trojan.
ClamAV 0.93.3 8112 2008-08-29 0.05 -
Comodo 2.11 2.0.0.630 2008-08-28 0.43 -
CP Secure 1.1.0.715 2008.08.29 2008-08-29 6.51 -
Dr.Web 4.44.0.9170 2008.08.28 2008-08-28 3.13 -
ewido 4.0.0.2 2008.08.28 2008-08-28 2.59 -
F-Prot 4.4.4.56 20080828 2008-08-28 1.08 -
F-Secure 5.51.6100 2008.08.29.01 2008-08-29 3.17 Trojan-Downloader.Win32.Agent.adfi [AVP]
Fortinet 2.81-3.11 9.481 2008-08-28 1.78 -
ViRobot 20080828 2008.08.28 2008-08-28 0.41 -
Ikarus T3.1.01.34 2008.08.28.71358 2008-08-28 3.19 Trojan.BHO.Agent.NGR
JiangMin 11.0.706 2008.08.28 2008-08-28 2.67 -
Kaspersky 5.5.10 2008.08.28 2008-08-28 0.04 Trojan-Downloader.Win32.Agent.adfi
KingSoft 2008.1.14.15 2008.8.28.17 2008-08-28 0.61 Win32.TrojDownloader.Agent.126976
McAfee 5.3.00 5371 2008-08-27 2.10 -
Microsoft 1.3807 2008.08.28 2008-08-28 4.14 Trojan:Win32/Startpage.CZ
mks_vir 2.01 2008.08.25 2008-08-25 2.62 -
Norman 5.93.01 5.93.00 2008-08-28 4.95 -
Panda 9.05.01 2008.08.28 2008-08-28 7.25 -
Trend Micro 8.700-1004 5.506.02 2008-08-28 0.03 -
Quick Heal 9.50 2008.08.26 2008-08-26 1.96 -
Rising 20.0 20.59.31.00 2008-08-28 0.82 -
Sophos 2.78.0 4.33 2008-08-29 1.70 -
Sunbelt 3.1.1582.1 2204 2008-08-25 1.25 -
Symantec 1.3.0.24 20080828.003 2008-08-28 0.05 Trojan.Adclicker
nProtect 2008-08-28.00 1982990 2008-08-28 4.30 -
The Hacker 6.3.0.6 v00064 2008-08-27 0.50 -
VBA32 3.12.8.4 20080828.0615 2008-08-28 1.15 Trojan-Downloader.Win32.Agent.adfi
VirusBuster 4.5.11.10 10.84.14/623168 2008-08-28 0.94 -
LessQQMorePewPew
2008-08-29, 03:27
I had to exit out of Firefox, sorry for the double posts :\. But above are the VirSCAN logs and this is the ComboFix. And can I run Spybot during all of this? Or should I just wait until we're done cleaning out my computer?
ComboFix 08-08-27.01 - haiammike 2008-08-28 20:16:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.736 [GMT -4:00]
Running from: C:\Documents and Settings\haiammike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\haiammike\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
C:\WINDOWS\kx60171.dll
C:\WINDOWS\rodqgpvlkoa.dll
C:\WINDOWS\rvoelbxt.exe
C:\WINDOWS\SysNotifier.exe
C:\WINDOWS\system32\hsaserem.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\EndUser\Application Data\Help\tfpapi.dll
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\bin.clearspring.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\interclick.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\#SharedObjects\WLQP879R\interclick.com\ud.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\haiammike\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\kx60171.dll
C:\WINDOWS\rodqgpvlkoa.dll
C:\WINDOWS\rvoelbxt.exe
C:\WINDOWS\SysNotifier.exe
C:\WINDOWS\system32\hsaserem.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-25 16:32 . 2008-08-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-25 15:55 . 2008-08-25 15:55 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-25 11:23 . 2008-08-25 11:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-25 11:19 . 2008-08-25 11:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 10:48 . 2008-08-25 10:48 <DIR> d-------- C:\Documents and Settings\haiammike\Application Data\Aim
2008-08-25 00:00 . 2008-08-25 00:00 <DIR> d-------- C:\Documents and Settings\haiammike
2008-08-24 22:29 . 2008-08-27 01:27 296 --a------ C:\WINDOWS\wininit.ini
2008-08-24 21:47 . 2008-08-25 12:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-24 21:47 . 2008-08-24 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 07:06 . 2008-08-24 07:06 <DIR> d-------- C:\Temp
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\Program Files\Norton PC Checkup
2008-08-21 21:58 . 2008-08-27 17:31 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-21 19:05 . 2008-08-21 19:05 <DIR> d-------- C:\Documents and Settings\EndUser\Application Data\Apple Computer
2008-08-20 21:46 . 2008-08-24 06:51 <DIR> d-------- C:\Fraps
2008-08-20 21:23 . 2008-08-20 21:23 <DIR> d-------- C:\Program Files\Guitar Pro 5
2008-08-20 00:23 . 2008-08-21 18:58 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-20 00:17 . 2008-08-20 00:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-08-19 01:38 . 2008-08-19 03:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 20:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-24 18:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 11:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 04:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-28 23:02 --------- d-----w C:\Program Files\Ventrilo
2008-07-28 23:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 23:00 --------- d-----w C:\Program Files\VentSrv
2008-07-28 22:55 --------- d-----w C:\Program Files\World of Warcraft
2008-07-26 23:14 --------- d-----w C:\Documents and Settings\EndUser\Application Data\MSNInstaller
.
((((((((((((((((((((((((((((( snapshot@2008-08-27_15.08.33.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-30 23:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2008-07-19 02:10:48 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
- 2007-07-30 23:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-19 02:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2007-07-30 23:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2008-07-19 02:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-07-30 23:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-19 02:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2004-08-04 12:00:00 1,134,592 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-19 02:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2004-08-04 12:00:00 112,640 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-19 02:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2007-07-30 23:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-19 02:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2004-08-04 12:00:00 120,320 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-19 02:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2008-08-27 19:04:14 1,540,064 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-08-29 00:00:39 1,540,096 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-08-25 20:32:25 41,360 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-29 00:05:26 41,360 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-25 20:32:25 315,476 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-29 00:05:26 315,476 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-19 02:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 02:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
- 2007-07-30 23:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2008-07-19 02:09:44 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2007-07-30 23:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2008-07-19 02:10:42 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-07-30 23:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2008-07-19 02:09:42 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2007-07-30 23:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2008-07-19 02:09:46 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2008-07-19 02:10:20 36,552 ----a-w C:\WINDOWS\system32\wups.dll
- 2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2008-07-19 02:10:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
- 2007-07-30 23:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2008-07-19 02:09:44 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Camio Viewer.lnk - C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe [2002-02-11 14:59:44 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 20:22:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-28 20:25:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 00:25:20
ComboFix2.txt 2008-08-27 19:09:53
Pre-Run: 1,355,259,904 bytes free
Post-Run: 1,353,834,496 bytes free
161 --- E O F --- 2008-08-15 07:06:22
__RiP_ChAiN_
2008-08-29, 06:24
Hello LessQQMorePewPew,
And can I run Spybot during all of this? Or should I just wait until we're done with cleansing out my computer?
You can run spybot, just make sure TeaTimer isn't running.
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
LessQQMorePewPew
2008-08-29, 21:03
Hey, this is the MBAM log. And how do I disable TeaTimer?
Malwarebytes' Anti-Malware 1.25
Database version: 1095
Windows 5.1.2600 Service Pack 2
1:59:39 PM 8/29/2008
mbam-log-08-29-2008 (13-59-39).txt
Scan type: Quick Scan
Objects scanned: 41960
Time elapsed: 3 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\qalkfxor.bpqk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
__RiP_ChAiN_
2008-08-30, 11:19
Hello LessQQMorePewPew,
Hey, this is the MBAM log. And how do I disable TeaTimer?
It doesn't look like you installed it, you shouldn't have to worry about disabling it.
Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy & Paste the entire report in your next reply.
LessQQMorePewPew
2008-09-01, 07:27
Scanning Report
Sunday, August 31, 2008 23:07:43 - 00:25:08
Computer name: ENDUSER-0067D75
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 12 malware found
TrackingCookie.2o7 (spyware)
* System
TrackingCookie.Adrevolver (spyware)
* System
TrackingCookie.Advertising (spyware)
* System
TrackingCookie.Atdmt (spyware)
* System
TrackingCookie.Atwola (spyware)
* System
TrackingCookie.Doubleclick (spyware)
* System
TrackingCookie.Mediaplex (spyware)
* System
TrackingCookie.Questionmarket (spyware)
* System
TrackingCookie.Revsci (spyware)
* System
TrackingCookie.Specificclick (spyware)
* System
TrackingCookie.Yieldmanager (spyware)
* System
Trojan.Win32.BHO.fdj (virus)
* C:\PROGRAM FILES\ADOBE\FLASH\FLASH32.DLL (Renamed & Submitted)
Statistics
Scanned:
* Files: 46968
* System: 2955
* Not scanned: 10
Actions:
* Disinfected: 0
* Renamed: 1
* Deleted: 0
* None: 11
* Submitted: 1
Files not scanned:
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\HAIAMMIKE\LOCAL SETTINGS\TEMP\ETILQS_F0FAC68HIXPWPAGBRRQR
* C:\DOCUMENTS AND SETTINGS\HAIAMMIKE\DESKTOP\ADBEPHSPCS3_WWE.EXE
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\85D9057FBE5A79BF2C82F219B049A5E4_E566CFF2-D814-41F3-8698-2FB48BA64866
Options
Scanning engines:
* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-08-30
* F-Secure AVP: 7.0.171, 2008-08-31
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics
__RiP_ChAiN_
2008-09-02, 18:42
Hello LessQQMorePewPew,
Please post back with a new HijackThis log, and an update on how your computer is running.
__RiP_ChAiN_
2008-09-08, 21:32
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.