Yet another virtumone

novirtu

New member
This is a friend's PC. It runs slow, and connects to many bogus web sites with pop-ups. Ran Spybot in normal and safe mode and removed several items, including something called "hotbar" which had an icon in the system tray.

Thanks for helping!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:32 PM, on 9/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [fcfa8db8] rundll32.exe "C:\WINDOWS\System32\atvmlbnw.dll",b
O4 - HKLM\..\Run: [BMffc9be24] Rundll32.exe "C:\WINDOWS\System32\yocpgfam.dll",s
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [A00F327F5E.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F327F5E.exe
O4 - HKCU\..\Run: [A00F313F6C.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F313F6C.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: ecdrqb.dll,C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6130 bytes
 
Hello novirtu

Welcome to Safer Networking.

Please read Before You Post.
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [fcfa8db8] rundll32.exe "C:\WINDOWS\System32\atvmlbnw.dll",b
O4 - HKLM\..\Run: [BMffc9be24] Rundll32.exe "C:\WINDOWS\System32\yocpgfam.dll",s
O4 - HKCU\..\Run: [A00F327F5E.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F327F5E.exe
O4 - HKCU\..\Run: [A00F313F6C.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F313F6C.exe

O20 - AppInit_DLLs: ecdrqb.dll,C:\WINDOWS\System32\DBnetlib32.dll

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
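The entries the helper singles out above (rundll32 loading a random-named System32 DLL, HKCU Run values pointing into a Temp folder, AppInit_DLLs, a nameless BHO and a service whose binary is missing) are the classic shape of a Vundo infection in a HijackThis log. As an added example that is not part of this thread and not code from HijackThis or Malwarebytes, the Python script below runs those same review heuristics over a constructed set of log lines modelled on the ones posted here. The thresholds (a "random-looking" name is 6 to 10 lowercase letters, a bare-hex Run value name is 8 or more hex digits) are my own assumptions, tuned to the names in this thread, and every O20 line is flagged for review because legitimate AppInit_DLLs and Winlogon Notify entries are rare on a home XP box.

```python
from __future__ import annotations

import re

# Constructed sample: HijackThis 2.0.2 lines modelled on the entries the helper
# asked to fix in this thread, mixed with legitimate OEM and AV entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [fcfa8db8] rundll32.exe "C:\WINDOWS\System32\atvmlbnw.dll",b
O4 - HKLM\..\Run: [BMffc9be24] Rundll32.exe "C:\WINDOWS\System32\yocpgfam.dll",s
O4 - HKCU\..\Run: [A00F327F5E.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F327F5E.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll (file missing)
O20 - AppInit_DLLs: ecdrqb.dll,C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Both the 8.3 short form (LOCALS~1) and the long form of the per-user Temp dir.
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# rundll32 invoked on a DLL: capture the bare file name so it can be inspected.
RUNDLL_TARGET = re.compile(r'rundll32\.exe\s+"?(?:[^"\s]*\\)?([^"\\\s,]+\.dll)', re.IGNORECASE)
RUN_VALUE_NAME = re.compile(r"\[([^\]]+)\]")
FILE_MISSING = "(file missing)"


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 6-10 lowercase letters, no digits or separators, which is
    the shape of the Vundo-style names in this thread (atvmlbnw, yocpgfam, ecdrqb)."""
    return re.fullmatch(r"[a-z]{6,10}", stem) is not None


def triage_line(line: str) -> list[str]:
    """Return the reasons a HijackThis line deserves a second look ([] if none)."""
    reasons: list[str] = []
    kind = line.split(" - ", 1)[0].strip()
    if kind == "O4":
        if TEMP_DIR.search(line):
            reasons.append("autorun target lives in a Temp directory")
        m = RUNDLL_TARGET.search(line)
        if m and looks_random(m.group(1)[:-4]):
            reasons.append(f"rundll32 loads random-looking DLL {m.group(1)}")
        n = RUN_VALUE_NAME.search(line)
        if n and re.fullmatch(r"[0-9a-f]{8,}", n.group(1), re.IGNORECASE):
            reasons.append(f"Run value name {n.group(1)!r} is bare hex")
    elif kind == "O2":
        if "(no name)" in line:
            reasons.append("BHO registered without a name")
        if FILE_MISSING in line:
            reasons.append("BHO points at a file that no longer exists")
    elif kind == "O20":
        # AppInit_DLLs is loaded into every user32 process and Winlogon Notify
        # into the logon session; each entry gets a human look.
        reasons.append("O20 load point (AppInit_DLLs / Winlogon Notify)")
    elif kind == "O23":
        if "Unknown owner" in line:
            reasons.append("service with no publisher")
        if FILE_MISSING in line:
            reasons.append("service binary missing")
        if TEMP_DIR.search(line):
            reasons.append("service binary in a Temp directory")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each suspicious log line to its reasons; benign lines are omitted."""
    findings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample above the script flags seven of the eleven lines and leaves the Intel, HP, Adobe and Lexmark entries alone. The name-shape heuristic is deliberately loose (plenty of legitimate DLLs have eight-letter lowercase names), which is why it is only applied to DLLs that a Run entry launches through rundll32, not to every file in the log.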
 
Hello ken545,

Thanks for helping!

I'm not sure what "extra note" you referred to, but I rebooted the system when prompted to do so. After the reboot, I got a message from RUNDLL that C:\WINDOWS\system32\yocpgfam.dll was not found.

The logs will be in my next post.
 
ken545,

Looks like I'm still getting unsolicited pop-ups. Here are the logs.

Malwarebytes' Anti-Malware 1.28
Database version: 1143
Windows 5.1.2600 Service Pack 1

9/12/2008 5:57:44 PM
mbam-log-2008-09-12 (17-57-44).txt

Scan type: Quick Scan
Objects scanned: 42802
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 24
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 61

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\atvmlbnw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\opnlLCvT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ecdrqb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\rqRKBQkK.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\__c00F23F1.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c9fa9f4-fb1e-4644-b615-be1bcaf0e4b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c9fa9f4-fb1e-4644-b615-be1bcaf0e4b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{638d7b07-2306-4c21-b5fd-7b9b8f9c8946} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{638d7b07-2306-4c21-b5fd-7b9b8f9c8946} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9914b4d2-f63e-48c1-aba6-635153835dac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrkbqkk (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9914b4d2-f63e-48c1-aba6-635153835dac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00f23f1 (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9914b4d2-f63e-48c1-aba6-635153835dac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmffc9be24 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnllcvt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnllcvt -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\ecdrqb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\opnlLCvT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TvCLlnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TvCLlnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rqRKBQkK.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\atvmlbnw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wnblmvta.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ddcAstUo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hhrlosiv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\knfwyfyl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iyjdqawu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\merliaew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qoivcsyc.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ouaopg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rfbdumar.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pmnLfefc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bamokamn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\betjotwp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fvlzsk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ljJAQKAq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\milokcre.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wvUkLCrq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xgjptqks.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xssgfwmk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yeyqvebl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\flqjwgvb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fluqlvco.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iifCtsrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iiffCrqO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iiffDuTJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vihjwwof.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill & Mary\Local Settings\Temporary Internet Files\Content.IE5\R1Y1OAYV\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill & Mary\Local Settings\Temporary Internet Files\Content.IE5\WZ28Z04R\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00F23F1.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yocpgfam.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\__c0016484.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00D3184.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00ECCE.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00FF570.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tuvUKBUN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urqpmMCs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMffc9be24.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMffc9be24.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0024242.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00384DC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c003DD08.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c004AF66.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c005006F.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c005C7DB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c008C4CA.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0093284.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0096C8C.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00A2F19.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00AC4CB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00D5A71.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00F0E68.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00F2DB1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:46 PM, on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5994 bytes
 
Hello,

The error you're getting is because a file belonging to a trojan has been deleted but it still wants to run; it will go away as we get into the cleaning.

Remove these with HJT.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll

O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
 
Ken,

Wow, thanks for the quick reply! I think we're making progress; I see that the windows update tray icon has returned :-) I'm not getting IE pop-ups, but I currently have the machine behind a firewall that is blocking access to all but this web site.

ComboFix 08-09-12.03 - Bill & Mary 2008-09-12 19:36:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.86 [GMT -7:00]
Running from: C:\Documents and Settings\Bill & Mary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\AHNTAcfe.ini
C:\WINDOWS\SYSTEM32\AHNTAcfe.ini2
C:\WINDOWS\SYSTEM32\AJRXIkkj.ini
C:\WINDOWS\SYSTEM32\AJRXIkkj.ini2
C:\WINDOWS\SYSTEM32\bdgOoUvw.ini
C:\WINDOWS\SYSTEM32\bdgOoUvw.ini2
C:\WINDOWS\system32\cbpubpwn.dll
C:\WINDOWS\system32\cpjndbld.dll
C:\WINDOWS\system32\dhyeasnh.dll
C:\WINDOWS\system32\djelyffh.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\ebdbslsq.dll
C:\WINDOWS\system32\euqabi.dll
C:\WINDOWS\system32\ferthncs.ini
C:\WINDOWS\SYSTEM32\ffhNnnmp.ini
C:\WINDOWS\SYSTEM32\ffhNnnmp.ini2
C:\WINDOWS\system32\fknvstcn.dll
C:\WINDOWS\SYSTEM32\FLSYyyay.ini
C:\WINDOWS\SYSTEM32\FLSYyyay.ini2
C:\WINDOWS\system32\FM20ENU32.dll
C:\WINDOWS\system32\fqcdncub.ini
C:\WINDOWS\SYSTEM32\frisfpws.ini
C:\WINDOWS\SYSTEM32\gQBHgfhk.ini
C:\WINDOWS\SYSTEM32\gQBHgfhk.ini2
C:\WINDOWS\system32\gsfqmotq.dll
C:\WINDOWS\SYSTEM32\hgPsBJlm.ini
C:\WINDOWS\SYSTEM32\hgPsBJlm.ini2
C:\WINDOWS\system32\hhbckeom.dll
C:\WINDOWS\system32\huywgwmx.dll
C:\WINDOWS\SYSTEM32\ihddbgxb.ini
C:\WINDOWS\system32\inbhpt.dll
C:\WINDOWS\system32\kpdaybjx.ini
C:\WINDOWS\system32\lewbaqfy.dll
C:\WINDOWS\system32\lpwknnrh.dll
C:\WINDOWS\system32\lxquyu.dll
C:\WINDOWS\SYSTEM32\moYIkUvw.ini
C:\WINDOWS\SYSTEM32\moYIkUvw.ini2
C:\WINDOWS\SYSTEM32\MpWaGfhk.ini
C:\WINDOWS\SYSTEM32\MpWaGfhk.ini2
C:\WINDOWS\SYSTEM32\OpVwvyxx.ini
C:\WINDOWS\SYSTEM32\OpVwvyxx.ini2
C:\WINDOWS\SYSTEM32\opYJmUtv.ini
C:\WINDOWS\SYSTEM32\opYJmUtv.ini2
C:\WINDOWS\SYSTEM32\pcqcugsb.ini
C:\WINDOWS\SYSTEM32\qvemwsrx.ini
C:\WINDOWS\system32\rpjwvyan.dll
C:\WINDOWS\system32\rsphorcb.dll
C:\WINDOWS\system32\sigpsinf.ini
C:\WINDOWS\system32\smueaq.dll
C:\WINDOWS\system32\svlpxg.dll
C:\WINDOWS\SYSTEM32\sYaacfhk.ini
C:\WINDOWS\SYSTEM32\sYaacfhk.ini2
C:\WINDOWS\system32\tbprvbhc.dll
C:\WINDOWS\system32\tnnbsd.dll
C:\WINDOWS\SYSTEM32\TuCLmnnn.ini
C:\WINDOWS\SYSTEM32\TuCLmnnn.ini2
C:\WINDOWS\SYSTEM32\UuFMoXyb.ini
C:\WINDOWS\SYSTEM32\UuFMoXyb.ini2
C:\WINDOWS\SYSTEM32\vDMUBJlm.ini
C:\WINDOWS\SYSTEM32\vDMUBJlm.ini2
C:\WINDOWS\SYSTEM32\WHhgQqru.ini
C:\WINDOWS\SYSTEM32\WHhgQqru.ini2
C:\WINDOWS\SYSTEM32\XIhgQqss.ini
C:\WINDOWS\SYSTEM32\XIhgQqss.ini2
C:\WINDOWS\SYSTEM32\xqjlwgmj.ini
C:\WINDOWS\system32\xtxudpsd.dll
C:\WINDOWS\system32\yvarqcca.ini
C:\WINDOWS\system32\yxvtec.dll
C:\WINDOWS\system32\zwdnrk.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
.

2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Documents and Settings\Bill & Mary\Application Data\Malwarebytes
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-12 17:50 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-12 17:50 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-11 18:44 . 2008-09-11 18:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-11 18:23 . 2008-09-11 18:23 126,976 --a------ C:\WINDOWS\SYSTEM32\DBnetlib32.dll
2008-09-10 22:52 . 2003-10-20 19:34 <DIR> d-------- C:\Documents and Settings\Administrator.BILL\WINDOWS
2008-09-10 22:52 . 2003-10-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator.BILL\Application Data\Sonic
2008-09-10 22:52 . 2008-09-10 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.BILL
2008-09-10 21:16 . 2008-09-10 21:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-10 21:16 . 2008-09-10 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 23:57 . 2008-09-09 23:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-09 23:57 . 2008-09-09 23:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-09 20:37 . 2003-10-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-09-09 20:37 . 2008-09-09 21:07 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-09-09 18:17 . 2008-09-09 21:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 18:17 . 2008-09-10 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 18:13 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\SYSTEM32\PowerToysLicense.rtf
2008-09-09 18:03 . 2008-09-09 18:03 <DIR> d-------- C:\Program Files\Iarsn
2008-09-09 18:03 . 2006-10-24 16:29 17,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Tsknf700.sys
2008-09-09 17:52 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-09-09 17:52 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 23:23 --------- d-----w C:\Program Files\America Online 8.0
2008-07-31 20:59 1,481,097 --sha-w C:\WINDOWS\SYSTEM32\xkunnxie.tmp
2008-07-08 21:41 118,784 ----a-w C:\WINDOWS\SYSTEM32\fldrclnr32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-20 151597]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 122880]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 200704]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 159744]
"VirusScan Online"="c:\program files\mcafee.com\vso\mcvsshld.exe" [2003-03-21 159744]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.EXE" [2000-06-07 794112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"McRegWiz"="c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-08-21 135168]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-10-20 36939]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcfa8d17442]
2008-09-11 18:23 126976 C:\WINDOWS\SYSTEM32\DBnetlib32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\DBnetlib32.dll

R1 TSKNF700.SYS;TSKNF700.SYS;C:\WINDOWS\System32\Drivers\TSKNF700.SYS [2006-10-24 17928]
S3 NH;NH;C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe [ ]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll
HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.dellnet.com
R1 -: HKCU-Internet Settings,ProxyOverride = hxxp://localhost;
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 19:40:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\DBnetlib32.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\DBnetlib32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LexBceS.exe
C:\WINDOWS\SYSTEM32\Lexpps.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\SYSTEM32\IMAPI.EXE
.
**************************************************************************
.
Completion time: 2008-09-12 19:42:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-13 02:41:59

Pre-Run: 153,968,242,688 bytes free
Post-Run: 153,878,573,056 bytes free

196 --- E O F --- 2007-11-16 02:29:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:34 PM, on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6135 bytes
 
Hello,

You need to enable Windows to show all files and folders; instructions Here

C:\WINDOWS\SYSTEM32\xkunnxie.tmp <--- Delete this

Go to VirusTotal and submit these files for analysis; just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see.

C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\WINDOWS\SYSTEM32\DRIVERS\Tsknf700.sys
C:\WINDOWS\SYSTEM32\fldrclnr32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe
 
xkunnxie.ini <-- Delete this one too

Tsknf700.sys
<-- That's fine, I got mixed results on it and, as long as you installed it, it's ok.

These two I am sure are bad, but I always like to double-check before we remove them:
C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe
 
DBnetlib32.dll

Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 TR/Spy.Gen
Authentium 5.1.0.4 2008.09.13 W32/Heuristic-KPP!Eldorado
Avast 4.8.1195.0 2008.09.13 -
AVG 8.0.0.161 2008.09.13 -
BitDefender 7.2 2008.09.14 -
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.14 DLOADER.Trojan
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6087 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.14 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14332.0 2008.09.13 -
Fortinet 3.113.0.0 2008.09.13 -
GData 19 2008.09.14 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.454 2008.09.13 -
Kaspersky 7.0.0.125 2008.09.14 -
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.14 -
NOD32v2 3440 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.13 -
PCTools 4.4.2.0 2008.09.13 -
Prevx1 V2 2008.09.14 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 Mal/Behav-027
Sunbelt 3.1.1633.1 2008.09.13 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.082 2008.09.14 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.13 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.13 -
Webwasher-Gateway 6.6.2 2008.09.13 Trojan.Spy.Gen
Additional information
File size: 126976 bytes
MD5...: 44ce91355fe8a010fd46cc20a02df8dd
SHA1..: c69d4325315faf9fe52e096da573bd14cbb0fd1d
SHA256: 4de09058e0107ae1b174f84c560d70dfd1dda7b525273aad99d2754a4e62bafa
SHA512: 4a82f9b1da05dccb9a7d49f6e5d01742db68b2afb69c975057b7ca76a7f3d588
9b8d472023882eebd7ea21b08f6c2dfbedf427369cbfb31d5cae02e07e9cd841
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001fad
timedatestamp.....: 0x48c12dd7 (Fri Sep 05 13:02:15 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1370e 0x14000 6.48 bd2565d5b9cdbac29685c34ef97c5813
.rdata 0x15000 0x6099 0x7000 6.19 01b9da7234f3fec043e3affc0615cd9a
.data 0x1c000 0xf38 0x1000 1.99 9c23fa93f4436970b5596ee3e5cc7cb3
.reloc 0x1d000 0x18ca 0x2000 5.56 a06a6e553d179b13b033fd6e2b970200

( 10 imports )
> ntdll.dll: _snprintf, _strnicmp, strlen, tolower, strstr, memcmp, _ui64toa, _itoa, memcpy, _ultoa, _stricmp, _chkstk, _allmul, atoi, memset, _alldiv
> msvcrt.dll: strtok
> WS2_32.dll: -, WSAGetOverlappedResult, WSACreateEvent, WSAIoctl, -, -, -, WSAWaitForMultipleEvents, -, WSASend, WSASocketW, WSARecv, -, -, -, -, -, -
> WININET.dll: InternetCloseHandle, HttpQueryInfoA, InternetOpenUrlA, HttpOpenRequestA, InternetConnectA, HttpAddRequestHeadersA, InternetReadFile, InternetSetOptionA, HttpSendRequestA, InternetOpenA
> KERNEL32.dll: ResetEvent, GetVolumeInformationA, GetWindowsDirectoryA, GetFileTime, HeapSetInformation, HeapFree, SetNamedPipeHandleState, WaitNamedPipeA, HeapAlloc, TransactNamedPipe, HeapCreate, HeapDestroy, GetVersionExA, FreeLibrary, LoadLibraryA, OpenFileMappingA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, ExitProcess, GetFileAttributesA, GetFileAttributesExA, TlsGetValue, CreateEventA, TlsSetValue, TlsAlloc, VirtualFreeEx, OpenProcess, CreateRemoteThread, Process32First, WriteProcessMemory, ProcessIdToSessionId, GetCurrentThreadId, CloseHandle, GetCurrentProcessId, Thread32First, Thread32Next, GetProcAddress, OpenThread, InterlockedIncrement, GetModuleHandleA, InterlockedDecrement, CreateToolhelp32Snapshot, GetLocalTime, SetUnhandledExceptionFilter, OpenMutexA, CreateThread, SystemTimeToFileTime, Sleep, lstrcpyA, GetExitCodeThread, GetCurrentProcess, OpenEventA, LeaveCriticalSection, WaitForSingleObject, ReadFile, InterlockedCompareExchange, GetModuleFileNameW, WaitForMultipleObjects, SetEvent, GetModuleFileNameA, lstrcatA, GetCurrentThread, VirtualFree, FlushFileBuffers, CreateMutexA, GetLastError, WriteFile, OutputDebugStringA, CreateFileA, DuplicateHandle, GetFileSize, lstrcmpiA, EnterCriticalSection, ReleaseMutex, InitializeCriticalSection, lstrlenA, GetFileInformationByHandle, TerminateThread, Process32Next, GetSystemTime, CreateNamedPipeA, PeekNamedPipe, ConnectNamedPipe, DisconnectNamedPipe, SetFilePointer, GetTempPathA, SetEndOfFile, GetTempFileNameA, lstrcmpA, DeleteCriticalSection, FlushInstructionCache, VirtualAlloc, VirtualProtect, GetThreadContext, SuspendThread, SetThreadContext, ResumeThread, VirtualQuery, SetLastError, lstrcmpW, MultiByteToWideChar, GetTickCount, DeleteFileA, CreateProcessA, VirtualAllocEx
> USER32.dll: PeekMessageA, SetForegroundWindow, ShowWindow, WaitForInputIdle, MsgWaitForMultipleObjects, GetSystemMetrics, wsprintfA, DispatchMessageA
> ADVAPI32.dll: RegDeleteKeyA, OpenSCManagerA, CloseServiceHandle, OpenServiceA, RegCreateKeyExA, ChangeServiceConfigA, RegOpenKeyExA, ControlService, RegQueryInfoKeyA, RegEnumKeyExA, RegCloseKey, RegQueryValueExA, RegSetValueExA
> SHELL32.dll: ShellExecuteA
> ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance
> OLEAUT32.dll: -, -

( 2 exports )
DllGetClassObject, EventStartup
 
Tsknf700.sys

Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.13 -
Avast 4.8.1195.0 2008.09.13 -
AVG 8.0.0.161 2008.09.13 -
BitDefender 7.2 2008.09.14 -
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.14 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.14 -
F-Secure 8.0.14332.0 2008.09.14 -
Fortinet 3.113.0.0 2008.09.13 -
GData 19 2008.09.14 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.454 2008.09.13 -
Kaspersky 7.0.0.125 2008.09.14 -
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.14 -
NOD32v2 3440 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.13 -
PCTools 4.4.2.0 2008.09.13 -
Prevx1 V2 2008.09.14 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 -
Sunbelt 3.1.1633.1 2008.09.13 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.082 2008.09.14 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.13 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.13 -
Webwasher-Gateway 6.6.2 2008.09.13 -
Additional information
File size: 17928 bytes
MD5...: b9075b97e75639239a17a964d1f86484
SHA1..: a8d6d8b009b840759e2f6e0f537a3100fa329644
SHA256: 83c765651b76dd5da8d59e32a863c7f3067adc6724e3a2b10f018bd1272bb5ff
SHA512: 22ebc4376c68980544f69e94da94fda06b2c624f8475eaac01b61810a3b1f5d2
714528de7fbf4a2fd64bbf4f8c64923d3914e3589097affb51d323cd21e36aac
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10e12
timedatestamp.....: 0x453b9714 (Sun Oct 22 16:06:44 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x1fde 0x1fe0 6.19 1bc45890d68ec2c0ac01c4ee2db3bd81
.data 0x2260 0x108 0x120 2.12 b81d5ed79355b8a26ddaf2cbfe96ac63
INIT 0x2380 0x2d0 0x2e0 5.09 fab41bf37c3d42b4facb20d75d8a9e9c
.rsrc 0x2660 0x380 0x380 3.36 7174631557f1b1361a8a9b72af08c98c
.reloc 0x29e0 0x2f4 0x300 4.94 e73b6986df3924b04c1b4062c5e06008

( 1 imports )
> ntoskrnl.exe: IoCreateDevice, ExFreePool, ExAllocatePoolWithTag, MmMapLockedPages, MmUnlockPages, MmUnmapLockedPages, MmProbeAndLockPages, ObfDereferenceObject, MmCreateMdl, IoGetCurrentProcess, ObReferenceObjectByHandle, ZwQuerySystemInformation, KeServiceDescriptorTable, IoDeleteDevice, IoCreateSymbolicLink, RtlInitUnicodeString, IofCompleteRequest, IoDeleteSymbolicLink, ZwClose, ZwCreateFile, ObQueryNameString, ZwQueryObject, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, ZwDuplicateObject, ProbeForWrite, RtlUnwind

( 0 exports )
 
fldrclnr32.dll

Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 TR/Spy.Gen
Authentium 5.1.0.4 2008.09.13 W32/Heuristic-KPP!Eldorado
Avast 4.8.1195.0 2008.09.13 Win32:Spyware-gen
AVG 8.0.0.161 2008.09.13 -
BitDefender 7.2 2008.09.14 Trojan.Generic.528741
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.14 DLOADER.Trojan
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.14 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14332.0 2008.09.14 Trojan-Downloader.Win32.Agent.afky
Fortinet 3.113.0.0 2008.09.13 PossibleThreat
GData 19 2008.09.14 Trojan-Downloader.Win32.Agent.afky
Ikarus T3.1.1.34.0 2008.09.13 Trojan-Spy
K7AntiVirus 7.10.454 2008.09.13 -
Kaspersky 7.0.0.125 2008.09.14 Trojan-Downloader.Win32.Agent.afky
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.14 -
NOD32v2 3440 2008.09.13 Win32/Agent.OAF
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.13 -
PCTools 4.4.2.0 2008.09.13 -
Prevx1 V2 2008.09.14 Password Stealer
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 Mal/Behav-027
Sunbelt 3.1.1633.1 2008.09.13 Trojan.Spy.Gen
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.082 2008.09.14 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.13 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.13 -
Webwasher-Gateway 6.6.2 2008.09.13 Trojan.Spy.Gen
Additional information
File size: 118784 bytes
MD5...: 1a6b5624c4980c16cd9bbab7f43b6fc9
SHA1..: 90d1e1c775a54649045f655b7521191bc5097ea2
SHA256: d671d1faf7406faf323d080fac4458ec7070cd4a2ef2937b1cc3593f3127db8d
SHA512: 3d2dd6f23fb9c94e6cab9ce4f9fcbec0f3a8fa7318e9c7c41e373544eca1da43
aff03e05b82313868d44e464884067535c60919d0a9a0b019c85a05ef3bcabab
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10002084
timedatestamp.....: 0x4872808a (Mon Jul 07 20:46:02 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12f60 0x13000 6.58 e75a0354e85877eccf8f79d4057e5b30
.rdata 0x14000 0x5dc9 0x6000 6.72 ab131db3f08f26bf91aecbe8fdbffcb0
.data 0x1a000 0xf38 0x1000 2.14 69d4c416b5f05622a8d0cda0a997bc8a
.reloc 0x1b000 0x1836 0x2000 5.48 f2b9ac7a2f9130475786390e61cde514

( 10 imports )
> ntdll.dll: _ui64toa, _atoi64, strncpy, strlen, _strnicmp, tolower, strstr, memcmp, memcpy, _snprintf, atoi, _itoa, _ultoa, _stricmp, _allmul, _chkstk, memset, _alldiv
> msvcrt.dll: strtok
> WS2_32.dll: -, -, WSARecv, WSASocketW, WSASend, -, -, WSAGetOverlappedResult, -, -, -, WSAWaitForMultipleEvents, -, -, -, -, WSAIoctl, WSACreateEvent
> WININET.dll: HttpAddRequestHeadersA, HttpSendRequestA, InternetOpenA, HttpOpenRequestA, InternetConnectA, HttpQueryInfoA, InternetReadFile, InternetOpenUrlA, InternetCloseHandle
> KERNEL32.dll: GetFileInformationByHandle, GetVolumeInformationA, GetWindowsDirectoryA, GetFileTime, HeapSetInformation, HeapFree, HeapAlloc, HeapCreate, HeapDestroy, GetVersionExA, LoadLibraryA, FreeLibrary, OpenFileMappingA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, ExitProcess, GetFileAttributesExA, CreateEventA, TlsSetValue, TlsAlloc, TlsGetValue, CreateRemoteThread, Process32First, WriteProcessMemory, ProcessIdToSessionId, Process32Next, VirtualAllocEx, VirtualFreeEx, OpenProcess, GetFileAttributesA, DeleteFileA, GetTickCount, CreateProcessA, MultiByteToWideChar, GetCurrentThreadId, CloseHandle, GetCurrentProcessId, Thread32First, Thread32Next, GetProcAddress, OpenThread, InterlockedIncrement, GetModuleHandleA, InterlockedDecrement, CreateToolhelp32Snapshot, OpenMutexA, CreateThread, lstrcpyA, GetCurrentProcess, GetExitCodeThread, LeaveCriticalSection, OpenEventA, WaitForSingleObject, InterlockedCompareExchange, ReadFile, SetEvent, GetModuleFileNameW, WaitForMultipleObjects, lstrcatA, GetCurrentThread, VirtualFree, GetModuleFileNameA, FlushFileBuffers, CreateFileA, WriteFile, CreateMutexA, GetLastError, GetFileSize, lstrcmpiA, DuplicateHandle, InitializeCriticalSection, EnterCriticalSection, lstrlenA, ReleaseMutex, TerminateThread, lstrcmpW, SetUnhandledExceptionFilter, ResetEvent, SystemTimeToFileTime, GetSystemTime, GetLocalTime, Sleep, lstrcmpA, DeleteCriticalSection, SetFilePointer, SetEndOfFile, GetTempPathA, GetTempFileNameA, FlushInstructionCache, VirtualAlloc, VirtualProtect, GetThreadContext, SuspendThread, SetThreadContext, ResumeThread, VirtualQuery, SetLastError
> USER32.dll: GetSystemMetrics, wsprintfA, DispatchMessageA, PeekMessageA, ShowWindow, SetForegroundWindow, MsgWaitForMultipleObjects
> ADVAPI32.dll: ChangeServiceConfigA, ControlService, OpenSCManagerA, OpenServiceA, RegCreateKeyExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyExA, RegQueryInfoKeyA, RegCloseKey, RegQueryValueExA, RegSetValueExA
> SHELL32.dll: ShellExecuteA
> ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance
> OLEAUT32.dll: -, -

( 2 exports )
DllGetClassObject, EventStartup
 
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


Code:
File::
C:\WINDOWS\SYSTEM32\fldrclnr32.dll
C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe 

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcfa8d17442]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
I'm having trouble running the script. I keep getting a dialog box that says:
Were you trying to run CFScript?
The name, CFScript appears to be incorrectly spelt.

The file name is CFScript.txt and the text looks like it pasted right.
 
Drag Combofix to the trash as it may be getting a bit old; it's updated almost every day. Grab a fresh copy and try the script again. It looks like you typed it correctly.

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3
 
Still no joy. I downloaded from the first link. (Actually I'm downloading everything on a healthy system and writing them to a CD-RW.) I copied it to the desktop and dragged the same CFScript.txt file to the icon. This time the progress bar appears but, as soon as it's done, combofix exits and it doesn't leave a c:\combofix.txt file.
 
Good Morning,

Are you not able to get internet on the infected computer? Post a new HJT log and let's see if it got it.
 
Yes, the infected computer does have internet access. I just thought it best to minimize its use for now.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:43 AM, on 9/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5867 bytes
 
REGEDIT4

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcfa8d17442]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this:
[attached screenshot: reg.jpg]

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\fldrclnr32.dll
    C:\WINDOWS\SYSTEM32\DBnetlib32.dll
    C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post the OTMoveIt log and a new HJT log, please.
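As an added example (not part of this thread and not code from HijackThis, OTMoveIt or any other tool named here), a small Python script that pulls the O20 Winlogon Notify entries and the suspicious O23 services out of a HijackThis log and writes a REGEDIT4 removal file in the same form as the one in the reply above; the sample log lines are constructed from the log posted in this thread.

```python
import re

# Constructed sample: O20 and O23 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

def parse_winlogon_notify(log):
    """Return [(subkey, dll)] for every O20 line; each subkey names a DLL winlogon loads."""
    hits = []
    for line in log.splitlines():
        m = O20_RE.match(line)
        if m:
            hits.append((m.group("name"), m.group("path")))
    return hits

def suspicious_services(log):
    """Names of O23 services whose binary is missing or lives in a Temp directory."""
    flagged = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if m and (m.group("missing") or "\\temp\\" in m.group("path").lower()):
            flagged.append(m.group("name"))
    return flagged

def build_regfix(notify_subkeys, clear_appinit=True):
    """Emit a REGEDIT4 script in the same form as the one in the reply above."""
    lines = ["REGEDIT4", ""]
    for subkey in notify_subkeys:
        lines += [f"[-{NOTIFY_KEY}\\{subkey}]", ""]  # a leading '-' deletes the whole key
    if clear_appinit:
        lines += [f"[{WINDOWS_KEY}]", '"AppInit_DLLs"=-', ""]  # '=-' deletes just that value
    return "\r\n".join(lines)  # Windows (CRLF) line endings, as Notepad would write them
```

Feed the script a full HJT log and it will list the Notify subkeys to delete and the services worth checking before they are removed.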
 