along_came_spider
2008-08-30, 13:24
Hi,
I recently ran my Spybot and found two infections of win32.onlinegames, along with amvu virus which i probably contracted from an infected USB drive.
Any help to remove both will be appreciated.
thank you in advance..
Hi
First task is to reformat that infected usb drive. After that follow the instructions below.
Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.
along_came_spider
2008-09-01, 12:52
hi,
Thanks for the reply..heres the hijack this log.. how do i format the usb..i ve tried formating it and clicking on the formatting but the virus seems to hide itself in the drive and reappear after the formatting is done...
just a lil data on my puter, i have bit defender running plus comodo bo clean running as well as spybot tea timer running... i have a double boot ...with my xp installed on the E drive. ..as well as some of my progs are installed on the D drive....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:26 PM, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
D:\Program Files\Nero 7\InCD\InCDsrv.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
E:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
D:\Program Files\Nero 7\InCD\InCD.exe
D:\PROGRA~1\Comodo\CBOClean\BOC427.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
d:\Program Files\Comodo\CBOClean\BOCORE.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\PROGRA~1\ESCRIP~1\EDITSC~1\EditScriptProcMon.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Softwin\BitDefender9\vsserv.exe
E:\WINDOWS\system32\wscntfy.exe
d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
d:\PROGRA~1\Comodo\CBOClean\BOC4UPD.EXE
d:\PROGRA~1\Comodo\CBOClean\BOC4UPD.EXE
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Junk\Soft\hijack\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [OpenDNS Update] "d:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [BOC-427] d:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-343818398-152049171-1801674531-1003\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-343818398-152049171-1801674531-1003\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Cisco Systems VPN Client.lnk = E:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\arun s\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7427954A-E75E-4F5D-A7F8-BC20286E5FEF}: NameServer = 208.67.222.222 208.67.220.220
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BOCore - COMODO - d:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EditScript Process Monitor (EditScriptProcMon) - Unknown owner - E:\PROGRA~1\ESCRIP~1\EDITSC~1\EditScriptProcMon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero 7\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - E:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - E:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 7232 bytes
how do i format the usb
Hi
This (http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive) should do the trick.
Then to fix.
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
along_came_spider
2008-09-01, 15:42
Hi,
I couldnt install the recovery console because my xp is earlier version and i had installed the service pack2 later...
Is it possible that i run without the recovery console ...but run combofix on my computer in the safe boot mode?
thanks again..
along_came_spider
2008-09-01, 20:35
hi,
i was able to install the recovery console..but when i try to run the combofix...the computer shuts down and reboots.. has happened a few times now..is this normal?
along_came_spider
2008-09-01, 21:29
Hi,
Finally was able to run it to completion...heres the log...
ComboFix 08-08-31.01 - arun s 2008-09-01 23:46:35.5 - FAT32x86
Running from: E:\Documents and Settings\arun s\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
E:\Documents and Settings\arun s\Application Data\macromedia\Flash Player\#SharedObjects\FZKYL8E5\bin.clearspring.com
E:\Documents and Settings\arun s\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
E:\WINDOWS\BM93cdef99.txt
E:\WINDOWS\BM93cdef99.xml
E:\WINDOWS\pskt.ini
E:\WINDOWS\system32\dao350.dll
E:\WINDOWS\system32\MSINET.oca
.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.
2008-09-08 14:31 . 2005-11-14 21:00 383,488 --a------ E:\WINDOWS\system32\midas.dll
2008-09-08 14:31 . 2006-07-28 13:37 101,376 --a------ E:\WINDOWS\system32\PCountBuCME.dll
2008-09-01 23:50 . 2008-09-01 23:50 <DIR> d--hs---- E:\FOUND.018
2008-09-01 23:42 . 2008-09-01 23:42 <DIR> d--hs---- E:\FOUND.017
2008-09-01 20:05 . 2008-09-01 23:35 81,984 --a------ E:\WINDOWS\system32\bdod.bin
2008-09-01 19:58 . 2008-09-01 19:58 <DIR> d--hs---- E:\FOUND.016
2008-09-01 18:50 . 2008-09-01 18:50 <DIR> d--hs---- E:\FOUND.015
2008-09-01 18:43 . 2008-09-01 18:43 <DIR> d--hs---- E:\FOUND.014
2008-08-23 19:14 . 2008-08-23 19:14 <DIR> d--hs---- E:\FOUND.013
2008-08-18 19:54 . 2008-08-18 19:54 <DIR> d--hs---- E:\FOUND.012
2008-08-15 10:23 . 2008-08-15 10:23 <DIR> d--hs---- E:\FOUND.011
2008-08-10 11:04 . 2008-08-10 11:04 <DIR> d--hs---- E:\FOUND.010
2008-08-09 08:46 . 2008-08-09 08:46 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\BOC427
2008-08-09 08:46 . 2008-09-01 23:51 9,310 --a------ E:\WINDOWS\BOC427.INI
2008-08-04 07:19 . 2008-08-04 07:19 <DIR> d-------- E:\Program Files\Common Files\TechSmith Shared
2008-08-04 07:19 . 2008-08-04 07:19 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\TechSmith
2008-08-04 07:19 . 2008-01-18 03:36 107,864 --a------ E:\WINDOWS\system32\tsccvid.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 12:00 90,112 ----a-w E:\WINDOWS\DUMP7484.tmp
2008-07-13 23:39 212,728 ----a-w E:\WINDOWS\CMDLIC.DLL
2008-07-13 23:39 205,560 ----a-w E:\WINDOWS\UNBOC.EXE
2008-07-07 17:50 --------- d-----w E:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-08-26 18:14 461 ----a-w E:\Program Files\INSTALL.LOG
2007-07-02 14:18 149 --sha-r E:\WINDOWS\Regbak.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-11-10 13:38 77824]
"LVCOMS"="E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39 98304]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"BDSwitchAgent"="E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe" [2005-04-06 13:09 33280]
"BDNewsAgent"="E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe" [2005-06-09 10:28 9728]
"BDMCon"="E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2006-08-26 23:38 372736]
"OpenDNS Update"="d:\Program Files\OpenDNS Updater\OpenDNS Updater.exe" [2008-05-01 02:43 257536]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"InCD"="D:\Program Files\Nero 7\InCD\InCD.exe" [2006-05-30 15:22 542208]
"BOC-427"="d:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - E:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-10 13:54:09 1421328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.deltawav"= dltwav32.acm
"MSACM.okiadpcm"= okiadp32.acm
"MSACM.g726adpcm"= g726adpm.acm
"MSACM.celp54"= celp5p32.acm
"MSACM.celpp32"= celpp32.acm
"MSVideo1"= CSvidcap.dll
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2006-08-26 23:38 372736 E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
--a------ 2005-06-09 10:28 9728 E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent]
--a------ 2005-04-06 13:09 33280 E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 21:54 1694208 E:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-10 13:38 77824 E:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"InCDsrv"=2 (0x2)
"SLService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\yazak.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f3cc8de-3371-11dc-a3e7-0008a183c26d}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-NWEReboot - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-InCD - E:\Program Files\Nero\Nero 7\InCD\InCD.exe
MSConfigStartUp-MSMSGNER - E:\WINDOWS\system32\aphvcso.exe
MSConfigStartUp-WinampAgent - E:\Program Files\Winamp\winampa.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\arun s\Application Data\Mozilla\Firefox\Profiles\xtmqr1e7.default\
FF -: plugin - E:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - E:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations (Beta) -------
.
txtfile=E:\WINDOWS\NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 23:51:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-01 23:54:10
ComboFix-quarantined-files.txt 2008-09-01 18:24:08
Pre-Run: 1,875,697,664 bytes free
Post-Run: 1,825,005,568 bytes free
140 --- E O F --- 2008-01-10 02:35:17
Hi
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
D:\Program Files\uTorrent
Empty Recycle Bin.
After that:
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Upload following files to http://www.virustotal.com and post back the results:
E:\WINDOWS\system32\midas.dll
E:\WINDOWS\system32\PCountBuCME.dll
Start hjt, do a system scan, check (if found):
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Close browsers and fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
E:\FOUND.018
E:\FOUND.017
E:\FOUND.016
E:\FOUND.015
E:\FOUND.014
E:\FOUND.013
E:\FOUND.012
E:\FOUND.011
E:\FOUND.010
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleanerİ by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan whole 'my computer'). Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.
along_came_spider
2008-09-07, 12:46
Hi,
sorry for the delay but some of the scans took forever...
here are the logs and scan reports u asked for...
virus total report
midas.dll
Antivirus Version Last Update Result
AhnLab-V3 2008.9.2.0 2008.09.01 -
AntiVir 7.8.1.23 2008.09.01 -
Authentium 5.1.0.4 2008.09.01 -
Avast 4.8.1195.0 2008.09.01 -
AVG 8.0.0.161 2008.09.01 -
BitDefender 7.2 2008.09.01 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.17.0 2008.09.01 -
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 -
F-Secure 7.60.13501.0 2008.09.01 -
Fortinet 3.14.0.0 2008.09.01 -
GData 19 2008.09.01 -
Ikarus T3.1.1.34.0 2008.09.01 -
K7AntiVirus 7.10.435 2008.09.01 -
Kaspersky 7.0.0.125 2008.09.01 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3405 2008.09.01 -
Norman 5.80.02 2008.09.01 -
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.09.01 -
Prevx1 V2 2008.09.01 -
Rising 20.60.01.00 2008.09.01 -
Sophos 4.33.0 2008.09.01 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.01 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 -
ViRobot 2008.9.1.1359 2008.09.01 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.01 -
Additional information
File size: 383488 bytes
MD5...: 435ca1eedc24bc725c43067b77f9bedc
SHA1..: b883c724dcda89a41fa31bfb5bf7cc1e2a8ef497
SHA256: 6ce2ec2d1b790334767c4833f5f98c90bd542f100ac2df7c429f40a8c5ab0dfe
SHA512: fe2659076fd4f5a5ad3cd002d04b7274c88b5747003114fa4efcfeb7aa6c6783
991c73da905648257e5b7de434fa84dee6ed1c72f7be3fa297734937792253ad
PEiD..: -
TrID..: File type identification
Windows OCX File (78.8%)
DOS Executable Borland C++ (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
Generic Win/DOS Executable (1.2%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4dae10ec
timedatestamp.....: 0x438246e7 (Mon Nov 21 22:15:03 2005)
machinetype.......: 0x14c (I386)
( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4d000 0x4c400 6.50 565cb50a3eb5b48ee17775214b30a15e
.data 0x4e000 0x10000 0xb600 4.42 1090fc465b8c9f3e23e6b529bc354f79
.tls 0x5e000 0x1000 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.idata 0x5f000 0x1000 0xa00 4.53 193366ab8b8e1ef99eea191fa7a35b90
.edata 0x60000 0x1000 0x200 3.14 85325942312e101ccef1f59af381ce35
.rsrc 0x61000 0x2000 0x1e00 3.80 851827d2cd96afea0e319edf16b592e1
.reloc 0x63000 0x3000 0x2e00 6.59 d89fd8ff5274f35d6bf334002f7828d0
( 5 imports )
> ADVAPI32.DLL: RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegOpenKeyExA, RegSetValueExA
> KERNEL32.DLL: CloseHandle, CompareStringA, CreateFileA, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, ExitProcess, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCurrentThreadId, GetEnvironmentStrings, GetFileAttributesA, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetUserDefaultLCID, GetVersion, GetVersionExA, GlobalMemoryStatus, HeapAlloc, HeapFree, InitializeCriticalSection, InterlockedExchange, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, OutputDebugStringA, RaiseException, ReadFile, RtlUnwind, SetConsoleCtrlHandler, SetFilePointer, SetHandleCount, SetLastError, SetThreadLocale, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile, lstrcatA, lstrcmpA, lstrcmpiA, lstrcpyA, lstrcpynA, lstrlenA
> USER32.DLL: CharLowerA, CharUpperA, EnumThreadWindows, LoadStringA, MessageBoxA, wsprintfA
> OLE32.DLL: StringFromGUID2
> OLEAUT32.DLL: -, -, -, -, -, -, -, -, -
( 9 exports )
DllCanUnloadNow, DllGetClassObject, DllGetDataSnapClassObject, DllRegisterServer, DllUnregisterServer, ExitAlchemy, InitAlchemy, WEP, ___CPPdebugHook
pccount.dll
Antivirus Version Last Update Result
AhnLab-V3 2008.9.2.0 2008.09.01 -
AntiVir 7.8.1.23 2008.09.01 -
Authentium 5.1.0.4 2008.09.01 -
Avast 4.8.1195.0 2008.09.01 -
AVG 8.0.0.161 2008.09.01 -
BitDefender 7.2 2008.09.01 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.17.0 2008.09.01 Suspicious File
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 -
F-Secure 7.60.13501.0 2008.09.01 -
Fortinet 3.14.0.0 2008.09.01 -
GData 19 2008.09.01 -
Ikarus T3.1.1.34.0 2008.09.01 -
K7AntiVirus 7.10.435 2008.09.01 -
Kaspersky 7.0.0.125 2008.09.01 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3405 2008.09.01 -
Norman 5.80.02 2008.09.01 -
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.09.01 -
Prevx1 V2 2008.09.01 -
Rising 20.60.01.00 2008.09.01 -
Sophos 4.33.0 2008.09.01 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.01 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 -
VBA32 3.12.8.4 2008.08.31 -
ViRobot 2008.9.1.1359 2008.09.01 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.01 -
Additional information
File size: 101376 bytes
MD5...: 918ccda99ad2a498a3d2bb9e09724baa
SHA1..: 2437477fa756e9c33de15312ef7f73e931f94b0f
SHA256: 5ad195f714408cdd6a86f1444916a4db9648419bb45870a4ac02d557863c6cc8
SHA512: 76922959b941ca29e2fc56653284fc489a3c1849e89097afa1ab761fcd34f132
0e908610dc5c3f4f33c892513e7f104c56918b8f8213cf54221d1e1cf0f1c22e
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x439001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x26000 0x10600 7.99 f8671381915ecff9e29aabd306a3c5d3
DATA 0x27000 0x1000 0x600 7.28 2a6239454293b10b5ee14d07043b909b
BSS 0x28000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x29000 0x2000 0x800 7.07 11a1e0e3b3b9948f849df0241d4b9519
.edata 0x2b000 0x1000 0x200 1.99 8f7d9f499d8d1acabb8c72d1488902a1
.reloc 0x2c000 0x3000 0x2000 7.90 8cdc606d5c4a0ca9dc13c003e3549191
.rsrc 0x2f000 0xa000 0x3c00 7.52 cf15219d02db516606db967cc4bbf05c
.aspack 0x39000 0x2000 0x1600 5.68 7bd6750dcdb741913da74db8afab216a
.adata 0x3b000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
( 12 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegSetValueExA
> gdi32.dll: UnrealizeObject
> user32.dll: ReleaseDC
> ole32.dll: ReleaseStgMedium
> oleaut32.dll: CreateErrorInfo
> ole32.dll: IsEqualGUID
> oleaut32.dll: SafeArrayPtrOfIndex
> shell32.dll: DragQueryFileA
( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
packers (Kaspersky): ASPack
packers (F-Prot): Aspack
Kaspersky report....
Sunday, September 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, September 07, 2008 06:50:54
Records in database: 1199925
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics
Files scanned 99935
Threat name 6
Infected objects 22
Suspicious objects 0
Duration of the scan 01:58:51
File name Threat name Threats count
C:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
C:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
D:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
D:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
E:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
E:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
E:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
E:\System Volume Information\_restore{588A5772-364E-4463-8FF0-4D5B053C57C6}\RP133\A0082838.dll Infected: Trojan-PSW.Win32.OnLineGames.zll 1
E:\System Volume Information\_restore{588A5772-364E-4463-8FF0-4D5B053C57C6}\RP133\A0082839.dll Infected: Trojan-PSW.Win32.OnLineGames.zll 1
E:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
E:\FOUND.015\FILE0018.CHK Infected: EICAR-Test-File 1
E:\FOUND.016\FILE0208.CHK Infected: EICAR-Test-File 1
E:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
F:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
F:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
G:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
G:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
H:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
H:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
I:\aub0wb8.cmd Infected: Trojan-PSW.Win32.OnLineGames.wev 1
I:\b.com Infected: Trojan-PSW.Win32.OnLineGames.tot 1
I:\antivirus softwares\virtumondegeneric\VundoFix.exe Infected: Trojan-Downloader.Win32.Delf.llp 1
The selected area was scanned.
combofix log
ComboFix 08-08-31.01 - arun s 2008-09-02 13:40:34.6 - FAT32x86 MINIMAL
Running from: E:\Documents and Settings\arun s\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.
2008-09-08 14:31 . 2005-11-14 21:00 383,488 --a------ E:\WINDOWS\system32\midas.dll
2008-09-08 14:31 . 2006-07-28 13:37 101,376 --a------ E:\WINDOWS\system32\PCountBuCME.dll
2008-09-02 13:32 . 2008-09-02 13:32 <DIR> d--hs---- E:\FOUND.020
2008-09-02 13:20 . 2008-09-02 13:20 <DIR> d--hs---- E:\FOUND.019
2008-09-01 23:50 . 2008-09-01 23:50 <DIR> d--hs---- E:\FOUND.018
2008-09-01 23:42 . 2008-09-01 23:42 <DIR> d--hs---- E:\FOUND.017
2008-09-01 20:05 . 2008-09-02 13:27 81,984 --a------ E:\WINDOWS\system32\bdod.bin
2008-09-01 19:58 . 2008-09-01 19:58 <DIR> d--hs---- E:\FOUND.016
2008-09-01 18:50 . 2008-09-01 18:50 <DIR> d--hs---- E:\FOUND.015
2008-09-01 18:43 . 2008-09-01 18:43 <DIR> d--hs---- E:\FOUND.014
2008-08-23 19:14 . 2008-08-23 19:14 <DIR> d--hs---- E:\FOUND.013
2008-08-18 19:54 . 2008-08-18 19:54 <DIR> d--hs---- E:\FOUND.012
2008-08-15 10:23 . 2008-08-15 10:23 <DIR> d--hs---- E:\FOUND.011
2008-08-10 11:04 . 2008-08-10 11:04 <DIR> d--hs---- E:\FOUND.010
2008-08-09 08:46 . 2008-08-09 08:46 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\BOC427
2008-08-09 08:46 . 2008-09-02 13:29 9,448 --a------ E:\WINDOWS\BOC427.INI
2008-08-04 07:19 . 2008-08-04 07:19 <DIR> d-------- E:\Program Files\Common Files\TechSmith Shared
2008-08-04 07:19 . 2008-08-04 07:19 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\TechSmith
2008-08-04 07:19 . 2008-01-18 03:36 107,864 --a------ E:\WINDOWS\system32\tsccvid.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 12:00 90,112 ----a-w E:\WINDOWS\DUMP7484.tmp
2008-07-13 23:39 212,728 ----a-w E:\WINDOWS\CMDLIC.DLL
2008-07-13 23:39 205,560 ----a-w E:\WINDOWS\UNBOC.EXE
2008-07-07 17:50 --------- d-----w E:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-08-26 18:14 461 ----a-w E:\Program Files\INSTALL.LOG
2007-07-02 14:18 149 --sha-r E:\WINDOWS\Regbak.dat
.
((((((((((((((((((((((((((((( snapshot@2008-09-01_23.53.50.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-01 13:24:08 1,632 ----a-w E:\WINDOWS\SoftwareDistribution\EventCache\{3BABE710-175F-41B1-A924-D3C5E6113FAB}.bin
+ 2008-09-02 01:16:54 270,336 ----a-w E:\WINDOWS\SoftwareDistribution\EventCache\{3BABE710-175F-41B1-A924-D3C5E6113FAB}.bin
- 2007-09-24 17:00:28 135,168 ----a-w E:\WINDOWS\system32\java.exe
+ 2008-06-09 19:51:02 135,168 ----a-w E:\WINDOWS\system32\java.exe
- 2007-09-24 17:00:30 135,168 ----a-w E:\WINDOWS\system32\javaw.exe
+ 2008-06-09 19:51:04 135,168 ----a-w E:\WINDOWS\system32\javaw.exe
- 2007-09-24 18:01:42 139,264 ----a-w E:\WINDOWS\system32\javaws.exe
+ 2008-06-09 21:02:34 139,264 ----a-w E:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-11-10 13:38 77824]
"LVCOMS"="E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39 98304]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BDSwitchAgent"="E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe" [2005-04-06 13:09 33280]
"BDNewsAgent"="E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe" [2005-06-09 10:28 9728]
"BDMCon"="E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2006-08-26 23:38 372736]
"OpenDNS Update"="d:\Program Files\OpenDNS Updater\OpenDNS Updater.exe" [2008-05-01 02:43 257536]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"InCD"="D:\Program Files\Nero 7\InCD\InCD.exe" [2006-05-30 15:22 542208]
"BOC-427"="d:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - E:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-11-10 13:54:09 1421328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.deltawav"= dltwav32.acm
"MSACM.okiadpcm"= okiadp32.acm
"MSACM.g726adpcm"= g726adpm.acm
"MSACM.celp54"= celp5p32.acm
"MSACM.celpp32"= celpp32.acm
"MSVideo1"= CSvidcap.dll
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2006-08-26 23:38 372736 E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
--a------ 2005-06-09 10:28 9728 E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent]
--a------ 2005-04-06 13:09 33280 E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 21:54 1694208 E:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-10 13:38 77824 E:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"InCDsrv"=2 (0x2)
"SLService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\yazak.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f3cc8de-3371-11dc-a3e7-0008a183c26d}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\arun s\Application Data\Mozilla\Firefox\Profiles\xtmqr1e7.default\
FF -: plugin - E:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - E:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations (Beta) -------
.
txtfile=E:\WINDOWS\NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 13:42:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-09-02 13:42:40
ComboFix-quarantined-files.txt 2008-09-02 08:12:38
ComboFix2.txt 2008-09-01 18:24:12
Pre-Run: 2,956,877,824 bytes free
Post-Run: 2,942,435,328 bytes free
139 --- E O F --- 2008-01-10 02:35:17
hijak this log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:00 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
D:\Program Files\Nero 7\InCD\InCDsrv.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
E:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Program Files\Nero 7\InCD\InCD.exe
D:\PROGRA~1\Comodo\CBOClean\BOC427.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
d:\Program Files\Comodo\CBOClean\BOCORE.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\PROGRA~1\ESCRIP~1\EDITSC~1\EditScriptProcMon.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Program Files\Softwin\BitDefender9\vsserv.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
d:\PROGRA~1\Comodo\CBOClean\BOC4UPD.EXE
E:\Program Files\GlobalSCAPE\CuteFTP\cutftp32.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\MediPro2001\MediPro2001.exe
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
F:\Junk\Soft\hijack\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "E:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] E:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [OpenDNS Update] "d:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [BOC-427] d:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-343818398-152049171-1801674531-1003\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: Cisco Systems VPN Client.lnk = E:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\arun s\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7427954A-E75E-4F5D-A7F8-BC20286E5FEF}: NameServer = 208.67.222.222 208.67.220.220
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BOCore - COMODO - d:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EditScript Process Monitor (EditScriptProcMon) - Unknown owner - E:\PROGRA~1\ESCRIP~1\EDITSC~1\EditScriptProcMon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero 7\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - E:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - E:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 7056 bytes
thnx again for all the help..
Hi
As I told you earlier, you have to reformat all your USB storage drives used on this infected machines. Otherwise we won't make any progress.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\aub0wb8.cmd
C:\b.com
D:\aub0wb8.cmd
D:\b.com
E:\aub0wb8.cmd
E:\b.com
F:\aub0wb8.cmd
F:\b.com
G:\b.com
G:\aub0wb8.cmd
H:\aub0wb8.cmd
H:\b.com
I:\aub0wb8.cmd
I:\b.com
Folder::
E:\FOUND.020
E:\FOUND.019
E:\FOUND.018
E:\FOUND.017
E:\FOUND.016
E:\FOUND.015
E:\FOUND.014
E:\FOUND.013
E:\FOUND.012
E:\FOUND.011
E:\FOUND.010
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan whole 'my computer') again. Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.