Pls Help !!!

angel84cecil

New member
Logfile of HijackThis v1.99.1
Scan saved at 11:33:27 AM, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LorraineSpy] C:\WINDOWS\LorraineSpyingOnCecilia.vbs
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168476246375
O16 - DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} (SFClientFree Object) - https://skyfexfree.net/Client/ClientFree.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/70efdf/games/files/606/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C99D4C47-DB9A-4BC0-BFA9-E6DDFDACDC62}: NameServer = 202.75.129.101,202.75.129.102
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: appmgr - appmgr32.dll (file missing)
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: clicsaml - C:\WINDOWS\system32\clicsaml.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wmadmsst - C:\WINDOWS\system32\wmadmsst.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 
Hi and welcome to the Board

I'm Blade and I am going to try to help you with your problem. Please take a note of five things.

  1. I will start working on your malware issues; this may, or may not, solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  4. If you don't know, stop and ask! Don't keep going on.
  5. Please reply to this thread. Do not start a new topic.


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
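The helper's verdict above comes from reading the HijackThis log by eye: one unknown DLL chained many times into the Winsock LSP (O10), Winlogon Notify DLLs that are registered but missing from disk (O20), a populated AppInit_DLLs value (O20), a BHO with no backing file (O2) and a Run entry that launches a script (O4). The script below, an added example that is not a tool from this thread, applies the same checks mechanically so the signal is not lost among the legitimate entries. SAMPLE_LOG is a constructed subset of lines copied from the first log posted above; the regular expressions, the SCRIPT_EXTENSIONS heuristic and the Finding layout are this example's own assumptions, not HijackThis behaviour.

```python
"""Triage of a HijackThis log (added example; not a tool from this thread).

Mechanically applies the checks the helper applied by eye: unknown Winsock
LSP DLLs (O10), missing Winlogon Notify DLLs (O20), a populated AppInit_DLLs
value (O20), a BHO without a file (O2) and Run entries that launch a script
(O4). The regexes and SCRIPT_EXTENSIONS are this example's own assumptions.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "entry reason target")

# Extensions that mark an O4 Run command as a script (this example's heuristic).
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".cmd", ".pif")

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LorraineSpy] C:\WINDOWS\LorraineSpyingOnCecilia.vbs
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iuqcqwosrvc.dll
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: appmgr - appmgr32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O20_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")


def triage(log_text):
    """Return a list of Finding tuples for the suspicious entry kinds above."""
    findings = []
    lsp_paths = Counter()  # the LSP chain repeats one DLL once per protocol entry
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O10_RE.match(line)
        if m:
            lsp_paths[m.group("path").lower()] += 1
            continue
        m = O20_NOTIFY_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("O20", "Winlogon Notify DLL missing on disk", m.group("dll")))
            continue
        m = O20_APPINIT_RE.match(line)
        if m:
            findings.append(Finding("O20", "AppInit_DLLs is populated", m.group("dlls")))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip('"').lower()
            if cmd.endswith(SCRIPT_EXTENSIONS):
                findings.append(Finding("O4", "Run entry launches a script", m.group("cmd")))
            continue
        m = O2_RE.match(line)
        if m and m.group("file") == "(no file)":
            findings.append(Finding("O2", "BHO registered without a file", m.group("clsid")))
    # Collapse the repeated O10 lines into one finding that records the chain length.
    for path, count in lsp_paths.items():
        findings.append(Finding("O10", f"unknown Winsock LSP DLL ({count} chained entries)", path))
    return findings


def report(findings):
    """Format findings as one line each, grouped by HijackThis entry type."""
    return "\n".join(f"{f.entry}: {f.reason}: {f.target}"
                     for f in sorted(findings, key=lambda f: f.entry))


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it reports five findings and stays silent on ccApp, WgaLogon and the LiveUpdate service, which is the point: an O20 entry is only interesting when its DLL is absent, and the seventeen identical O10 lines in the real log are one chained DLL, not seventeen infections.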
 
Okay, let's start. :)

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload this file to Virustotal and post the results:
c:\windows\system32\iuqcqwosrvc.dll


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Generate startuplist log
-----------------------
*Open HijackThis.
*Click on "Open Misc Tools Section"
*Make sure that both boxes beside "Generate StartupList Log" are checked:

List all minor sections(Full)

and

List Empty Sections(Complete)

Click "Generate StartupList Log".
Click "Yes" at the prompt.

It will produce a log in Notepad. I need you to copy the entire contents of that Notepad and paste it here.


Post:
-a fresh hjt log
-combofix log
-startuplist log and
-Virustotal results concerning the c:\windows\system32\iuqcqwosrvc.dll file.
 
Virustotal results concerning the c:\windows\system32\iuqcqwosrvc.dll file

STATUS: SCANNING
File "iuqcqwosrvc.dll" received on 05.24.2007 at 02:11:31 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.24.0     05.23.2007  Win-Trojan/Xema.21504.C
AntiVir            7.4.0.27        05.23.2007  TR/Vqten.A.2
Authentium         4.93.8          05.23.2007  no virus found
Avast              4.7.997.0       05.22.2007  Win32:Agent-GPJ
AVG                7.5.0.467       05.23.2007  Generic3.VAZ
BitDefender        7.2             05.24.2007  Trojan.Vqten.A
CAT-QuickHeal      9.00            05.23.2007  Trojan.Agent.afg
ClamAV             devel-20070416  05.23.2007  no virus found
DrWeb              4.33            05.23.2007  Trojan.Vqten
eSafe              7.0.15.0        05.21.2007  Win32.Agent.afg
eTrust-Vet         30.7.3658       05.24.2007  Win32/Netvq!generic
Ewido              4.0             05.23.2007  Trojan.Vqten
FileAdvisor        1               05.24.2007  no virus found
Fortinet           2.85.0.0        05.23.2007  W32/Agent.AFG!tr
F-Prot             4.3.2.48        05.23.2007  no virus found


Additional Information
File size: 21504 bytes
MD5: 9d6736be110d48223d606988a3fed3a9
SHA1: e03cace136d6423c27c722cafff495546283eec1

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
 
combofix log

"Cecilia" - 2007-05-24 8:18:56 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\"

Rootkit driver pe386 is present. A rootkit scan is required

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\wpcjmd.log
C:\WINDOWS\system32\nvstatld.dll
C:\WINDOWS\system32\iuqcqwosrvc.dll
C:\WINDOWS\system32\sgl.dll
C:\cp1469.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "c:\I386\NDIS.SY_"



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTLDR.SYS
-------\ntldr.sys


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))


2007-05-24 08:13 1,092,328 --a------ C:\ComboFix.exe
2007-05-22 11:32 218,112 --a------ C:\HijackThis.exe
2007-05-22 08:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-11 16:13 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-11 14:57 53,248 --ah----- C:\WINDOWS\system32\confnss.dll
2007-05-11 14:57 45,056 --ah----- C:\WINDOWS\system32\nssprf32.dll
2007-05-11 14:57 40,960 --ah----- C:\WINDOWS\system32\nssperf.exe
2007-04-25 16:10 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-04-25 14:10 1,413,120 --a------ C:\WinsockFix.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-15 06:54:31 -------- d-----w C:\DOCUME~1\Cecilia\APPLIC~1\Skype
2007-05-11 07:45:15 4 ----a-w C:\WINDOWS\system32\sfcfdmsc.dat
2007-04-26 03:31:04 -------- d-----w C:\Program Files\PC Tools AntiVirus
2007-04-25 08:10:32 -------- d-----w C:\Program Files\Skype
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 01:20:45 74,752 ----a-w C:\WINDOWS\in32.exe
2007-04-16 08:33:19 0 ----a-w C:\WINDOWS\cdi1okj.dll
2007-04-11 00:59:12 0 ----a-w C:\WINDOWS\tcsrahrk2.reg
2007-04-03 04:10:18 -------- d-----w C:\Program Files\AgentRansack
2007-03-29 05:07:04 0 ----a-w C:\WINDOWS\x0h7bh.reg
2007-03-22 05:29:00 110,592 ----a-w C:\WINDOWS\system32\3T387.dll
2007-03-21 09:39:50 114,688 ----a-w C:\WINDOWS\system32\IoCNAW2v.dll
2007-03-21 07:29:06 114,688 ----a-w C:\WINDOWS\system32\i2VKVg.dll
2007-03-21 07:08:52 0 ----a-w C:\WINDOWS\r81j7l4g.pif
2007-03-21 07:00:35 0 ----a-w C:\WINDOWS\9ergx.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 07:26:24 -------- d-----w C:\Program Files\Charm Tale
2007-03-14 07:24:48 -------- d-----w C:\Program Files\ReflexiveArcade
2007-03-14 06:41:59 -------- d-----w C:\DOCUME~1\Cecilia\APPLIC~1\AdobeUM
2007-03-14 05:58:01 0 ----a-w C:\WINDOWS\adc.dat
2007-03-12 11:04:19 -------- d-----w C:\Program Files\DesignPro
2007-03-12 11:02:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-06 08:18:11 -------- d-----w C:\Program Files\MSN Messenger
2007-03-06 06:26:01 -------- d-----w C:\Program Files\Windows Defender
2007-03-06 02:08:52 -------- d-----w C:\DOCUME~1\Cecilia\APPLIC~1\Reallusion
2007-02-27 07:36:31 0 ----a-w C:\WINDOWS\odfvf.dat
2007-02-14 06:22:33 16 ----a-w C:\WINDOWS\sqhos32.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-05-27 10:01 C:\WINDOWS\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" []
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-14 05:34 C:\WINDOWS\system32\ico.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 20:20]
"LorraineSpy"="C:\WINDOWS\LorraineSpyingOnCecilia.vbs" [2006-11-02 17:55]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-21 21:07]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7F76815-E647-4BCE-B21A-600CE626E5D8}"="C:\WINDOWS\system32\nvstatld.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\appmgr]
appmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmmgr]
atmmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\clicsaml]
C:\WINDOWS\system32\clicsaml.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sfcfdmsc]
C:\WINDOWS\system32\sfcfdmsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wmadmsst]
C:\WINDOWS\system32\wmadmsst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=e1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli pwdmon


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appdiag]


Contents of the 'Scheduled Tasks' folder
2007-05-24 00:01:24 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 08:32:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pe386]
"ImagePath"="\??\C:\WINDOWS\system32:lzx32.sys"

Completion time: 2007-05-24 8:35:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-24 08:35

--- E O F ---
 
I'm truly sorry. :oops: I should have instructed you to use lspfix first.




You'll need a computer with an internet connection to download LSPFix. Save the file to a diskette or memory stick and then copy it to the infected computer. Extract (unzip) the file to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of iuqcqwosrvc.dll (and nothing else) and move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.


After that we can start the cleaning process.


1. Download rustbfix.exe and save it to your desktop.
2. Double click on rustbfix.exe to run the tool.
   1. If a Rustock.b infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
   2. After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
 
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuiaqwvh

*******************

Script file located at: \??\C:\WINDOWS\rygvpbwb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuiaqwvh

*******************

Script file located at: \??\C:\WINDOWS\rygvpbwb.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuiaqwvh

*******************

Script file located at: \??\C:\WINDOWS\rygvpbwb.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuiaqwvh

*******************

Script file located at: \??\C:\WINDOWS\rygvpbwb.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuiaqwvh

*******************

Script file located at: \??\C:\WINDOWS\rygvpbwb.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
 
************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
25/05/2007 11:29:05.81

No Rustock.b-rootkits found

******************************* End of Logfile ********************************
 
*New HijackThis Log*

Logfile of HijackThis v1.99.1
Scan saved at 11:37:00 AM, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LorraineSpy] C:\WINDOWS\LorraineSpyingOnCecilia.vbs
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jbiqcwkxunjhb.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168476246375
O16 - DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} (SFClientFree Object) - https://skyfexfree.net/Client/ClientFree.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/70efdf/games/files/606/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C99D4C47-DB9A-4BC0-BFA9-E6DDFDACDC62}: NameServer = 202.75.129.101,202.75.129.102
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: appmgr - appmgr32.dll (file missing)
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: clicsaml - C:\WINDOWS\system32\clicsaml.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wmadmsst - C:\WINDOWS\system32\wmadmsst.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 
Okay, let's continue cleaning. I recommend printing/saving the following instructions 'cos these are quite long.


Scan following file at Virustotal and post the results:
C:\WINDOWS\in32.exe



Disable Windows Defender's realtime protection.
  • Open Windows Defender
  • Click on Tools
  • Click on General Settings
  • Scroll down to Real-time protection options
  • Uncheck Turn on Real-time protection (recommended)
  • Click Save
  • Exit the program.



Start HJT, click "Do a system scan only", and check:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close browsers and other windows. Click fix checked.



Download ERUNT
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.

Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7F76815-E647-4BCE-B21A-600CE626E5D8}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\appmgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmmgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\clicsaml]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sfcfdmsc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wmadmsst]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appdiag]

It should look like this -> [image: reg.gif]


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)



Please download the Killbox © Option^Explicit.
Unzip it to the desktop but do NOT run it yet.

Copy the text to a Notepad file and save it to your desktop! We will need the file later.



Run LSPFix (download it here again if needed). Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of iuqcqwosrvc.dll (and nothing else) and move them to the "Remove" pane by clicking the >> button. Click Finish.


Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

Code:
C:\WINDOWS\system32\confnss.dll
C:\WINDOWS\system32\nssprf32.dll
C:\WINDOWS\system32\nssperf.exe
C:\WINDOWS\cdi1okj.dll
C:\WINDOWS\tcsrahrk2.reg
C:\WINDOWS\x0h7bh.reg
C:\WINDOWS\system32\3T387.dll
C:\WINDOWS\system32\IoCNAW2v.dll
C:\WINDOWS\system32\i2VKVg.dll
C:\WINDOWS\r81j7l4g.pif
C:\WINDOWS\9ergx.dat
C:\WINDOWS\odfvf.dat
C:\WINDOWS\sqhos32.dat
C:\WINDOWS\adc.dat
C:\WINDOWS\system32\sfcfdmsc.dat
c:\windows\system32\jbiqcwkxunjhb.dll
C:\WINDOWS\system32\e1.dll
C:\WINDOWS\system32\appmgr32.dll
C:\WINDOWS\system32\atmmgr32.dll
C:\WINDOWS\system32\clicsaml.dll
C:\WINDOWS\system32\sfcfdmsc.dll
C:\WINDOWS\system32\wmadmsst.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run the Killbox, click here to download and run missingfilesetup.exe. Then try the Killbox again.


Run combofix again and post its log. Post also a fresh hjt log and the results from Virustotal concerning the C:\WINDOWS\in32.exe file.
 
STATUS: FINISHED
Complete scanning result of "in32.exe", received in VirusTotal at 05.28.2007, 03:22:28 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.24.0     05.25.2007  no virus found
AntiVir            7.4.0.27        05.27.2007  no virus found
Authentium         4.93.8          05.23.2007  no virus found
Avast              4.7.997.0       05.27.2007  no virus found
AVG                7.5.0.467       05.27.2007  no virus found
BitDefender        7.2             05.28.2007  no virus found
CAT-QuickHeal      9.00            05.26.2007  (Suspicious) - DNAScan
ClamAV             devel-20070416  05.28.2007  no virus found
DrWeb              4.33            05.27.2007  no virus found
eSafe              7.0.15.0        05.27.2007  Suspicious Trojan/Worm
eTrust-Vet         30.7.3665       05.26.2007  no virus found
Ewido              4.0             05.27.2007  no virus found
FileAdvisor        1               05.28.2007  no virus found
Fortinet           2.85.0.0        05.28.2007  suspicious
F-Prot             4.3.2.48        05.25.2007  no virus found
F-Secure           6.70.13030.0    05.28.2007  no virus found
Ikarus             T3.1.1.8        05.27.2007  no virus found
Kaspersky          4.0.2.24        05.28.2007  no virus found
McAfee             5039            05.25.2007  no virus found
Microsoft          1.2503          05.28.2007  no virus found
NOD32v2            2293            05.27.2007  no virus found
Norman             5.80.02         05.25.2007  no virus found
Panda              9.0.0.4         05.27.2007  Suspicious file
Prevx1             V2              05.28.2007  no virus found
Sophos             4.18.0          05.25.2007  no virus found
Sunbelt            2.2.907.0       05.26.2007  no virus found
Symantec           10              05.28.2007  Backdoor.Rustock.B
TheHacker          6.1.6.123       05.25.2007  no virus found
VBA32              3.12.0          05.26.2007  no virus found
VirusBuster        4.3.23:9        05.27.2007  no virus found
Webwasher-Gateway  6.0.1           05.27.2007  Win32.Malware.gen!84 (suspicious)


Additional Information
File size: 74752 bytes
MD5: 090812ff94855c14d741f31c4bead5af
SHA1: 926a97909ad79227574ff429992012d38d734b69

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
 
Hi

Could you post also a fresh Combofix log and hjt log, please? :)
 
If you can't run it in safe mode then you can try to run it in normal mode. But if possible run in safe mode.
 
hi,

I got a problem where I cannot surf the internet after running Killbox... do help? :sad: I restored my computer again....


Kindly explain:
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
 