MichaelCaditz
2009-01-08, 00:46
Spybot with latest updates detects Refpron, Virtumonde.prx, Win32.Delf.rtk but fails to remove them:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:48 PM, on 1/7/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msnboed.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\soxpeca.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udxfytw.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://apc.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7e6a7ef8-7aba-46a0-9533-69795d8650b8} - C:\WINDOWS\system32\nayisuja.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CPM23e3b1ea] Rundll32.exe "C:\WINDOWS\system32\wisibowe.dll",a
O4 - HKLM\..\Run: [rezojinapa] Rundll32.exe "C:\WINDOWS\system32\gufikuya.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rezojinapa] Rundll32.exe "C:\WINDOWS\system32\gufikuya.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rezojinapa] Rundll32.exe "C:\WINDOWS\system32\gufikuya.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180643906709
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180642993682
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = highmountainweb.com
O17 - HKLM\Software\..\Telephony: DomainName = highmountainweb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8AB5444-9AAD-4412-B998-5A2C5AD28A2E}: NameServer = 192.168.1.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E94A96D9-B013-4113-BBC2-7ECA6EFA26C2}: NameServer = 12.96.199.28
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = highmountainweb.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = highmountainweb.com
O20 - AppInit_DLLs: c:\windows\system32\mebokewe.dll c:\windows\system32\pufarake.dll c:\windows\system32\rehehate.dll C:\WINDOWS\system32\dadumuja.dll c:\windows\system32\ c:\windows\system32\wisibowe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisibowe.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisibowe.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\WINDOWS\system32\msceco.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: PowerChute Network Shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
--
End of file - 6447 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:48 PM, on 1/7/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\jvm\bin\java.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msnboed.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\soxpeca.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udxfytw.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://apc.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7e6a7ef8-7aba-46a0-9533-69795d8650b8} - C:\WINDOWS\system32\nayisuja.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CPM23e3b1ea] Rundll32.exe "C:\WINDOWS\system32\wisibowe.dll",a
O4 - HKLM\..\Run: [rezojinapa] Rundll32.exe "C:\WINDOWS\system32\gufikuya.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rezojinapa] Rundll32.exe "C:\WINDOWS\system32\gufikuya.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rezojinapa] Rundll32.exe "C:\WINDOWS\system32\gufikuya.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180643906709
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180642993682
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = highmountainweb.com
O17 - HKLM\Software\..\Telephony: DomainName = highmountainweb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8AB5444-9AAD-4412-B998-5A2C5AD28A2E}: NameServer = 192.168.1.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E94A96D9-B013-4113-BBC2-7ECA6EFA26C2}: NameServer = 12.96.199.28
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = highmountainweb.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = highmountainweb.com
O20 - AppInit_DLLs: c:\windows\system32\mebokewe.dll c:\windows\system32\pufarake.dll c:\windows\system32\rehehate.dll C:\WINDOWS\system32\dadumuja.dll c:\windows\system32\ c:\windows\system32\wisibowe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisibowe.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wisibowe.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\WINDOWS\system32\msceco.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: PowerChute Network Shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
--
End of file - 6447 bytes