Unsolved


12 Posts


August 10th, 2007 15:00

Amaena causing problems - please help

There are pop-ups coming in asking me to install anti-virus software. On the top I saw Amaena and looked for it on the net. Found a ton of similar complaints and understood that you guys can help me. Need some help PLEASE, thanks.

Here is my HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:55 PM, on 8/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
\Feb-5fwds61\c$\PROGRA~1\Palm\HOTSYNC.EXE
C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe
C:\Program Files\INTERN~1\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O1 - Hosts: 160.3.15.84 MAILNS01
O1 - Hosts: 160.3.15.84 MAILNS01.UGC
O1 - Hosts: 160.3.15.84 MAILNS01.NET.UGC
O1 - Hosts: 160.3.15.84 MAILNS01.HOME.NET.UGC
O1 - Hosts: 160.3.15.85 MAILNS02
O1 - Hosts: 160.3.15.85 MAILNS02.UGC
O1 - Hosts: 160.3.15.85 MAILNS02.NET.UGC
O1 - Hosts: 160.3.15.85 MAILNS02.HOME.NET.UGC
O1 - Hosts: 160.3.15.77 APPNS01
O1 - Hosts: 160.3.15.77 APPNS01.UGC
O1 - Hosts: 160.3.15.77 APPNS01.NET.UGC
O1 - Hosts: 160.3.15.77 APPNS01.HOME.NET.UGC
O1 - Hosts: 160.3.15.78 APPNS02
O1 - Hosts: 160.3.15.78 APPNS02.UGC
O1 - Hosts: 160.3.15.78 APPNS02.NET.UGC
O1 - Hosts: 160.3.15.78 APPNS02.HOME.NET.UGC
O1 - Hosts: 130.10.5.113 ULSDBCI1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {bb9bfd03-3999-4cef-bf84-c49e059552c4} - C:\WINNT\system32\C_2SSO.dll
O2 - BHO: (no name) - {f2b6b1ad-967f-4fee-957b-3f31e89b9003} - C:\WINNT\system32\C_2SSO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186165816592
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feblo.hlgllc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feblo.hlgllc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feblo.hlgllc.com
O20 - AppInit_DLLs: c:\winnt\system32\awvtsst.dll
O20 - Winlogon Notify: C_2SSO - C:\WINNT\SYSTEM32\C_2SSO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
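The log above is the kind of thing the helpers in this thread read by eye. As an added example (not a tool anyone in the thread used, and nothing HijackThis itself provides), the script below encodes the first-pass rules: an AppInit_DLLs value, a Winlogon Notify package nobody recognises, an unnamed BHO whose DLL is also hooked in somewhere else, an ActiveX download from an untrusted host, and entries whose file is missing. The sample lines are copied from the log above; the allow-lists and severities are this example's own assumptions.

```python
"""Heuristic triage of a HijackThis (HJT) v1.99 log.

Added example for this thread, not a tool the helpers used. Each HJT line is
"<section> - <body>"; the rules below encode what a malware-removal helper
looks for first. Allow-lists and severities are this example's assumptions.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the first log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {bb9bfd03-3999-4cef-bf84-c49e059552c4} - C:\WINNT\system32\C_2SSO.dll
O2 - BHO: (no name) - {f2b6b1ad-967f-4fee-957b-3f31e89b9003} - C:\WINNT\system32\C_2SSO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186165816592
O20 - AppInit_DLLs: c:\winnt\system32\awvtsst.dll
O20 - Winlogon Notify: C_2SSO - C:\WINNT\SYSTEM32\C_2SSO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

# Assumed allow-lists: hosts that may push ActiveX controls (O16) to this machine,
# and Winlogon Notify packages (O20) belonging to software seen elsewhere in the log.
TRUSTED_DPF_HOSTS = {"www.update.microsoft.com", "update.microsoft.com"}
KNOWN_NOTIFY = {"igfxcui", "navlogon"}

MODULE_RE = re.compile(r"([^\\/\s]+\.(?:dll|ocx|exe))", re.IGNORECASE)


def parse_hjt(text):
    """Split a log into (section, body) pairs, e.g. ("O20", "AppInit_DLLs: ...")."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^([RFNO]\d+) - (.*)$", line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def module_name(body):
    """Lower-cased file name of the module an entry points at, or None."""
    m = MODULE_RE.search(body)
    return m.group(1).lower() if m else None


def triage(text):
    """Return findings as (severity, reason, body); severity is high/medium/info."""
    entries = parse_hjt(text)
    findings = []
    # How many browser (O2) or logon (O20) hooks reference each module: one DLL
    # registered as a BHO *and* as a Winlogon Notify package is hooked into both
    # IE and winlogon.exe, which no legitimate toolbar needs.
    hook_refs = Counter(module_name(b) for s, b in entries if s in ("O2", "O20"))

    for sec, body in entries:
        mod = module_name(body)
        if sec == "O20" and body.startswith("AppInit_DLLs:") and mod:
            findings.append(("high", "AppInit_DLLs injects this module into every process that loads user32.dll", body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if package not in KNOWN_NOTIFY:
                findings.append(("high", "unrecognised Winlogon Notify package runs inside winlogon.exe as SYSTEM", body))
        elif sec == "O2" and "(no name)" in body:
            if mod and hook_refs[mod] > 1:
                findings.append(("high", "unnamed BHO whose module is also registered by another hook", body))
            else:
                findings.append(("medium", "unnamed BHO; identify the module before deciding", body))
        elif sec == "O16":
            m = re.search(r"https?://([^/]+)/", body)
            host = m.group(1).lower() if m else ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("medium", f"ActiveX control downloaded from untrusted host {host}", body))
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("info", "orphaned entry, or a quoted path with arguments that HJT mis-parsed; verify before fixing", body))
    return findings


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for sev, why, body in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f[0])):
        print(f"[{sev:6}] {why}\n         {body}")
```

Run on the sample, the three C_2SSO.dll hooks and the AppInit_DLLs entry come out as high, the Spybot SDHelper BHO and the drivecleaner.com download as medium, and the VNC service line only as info: HijackThis cuts the quoted path at the `"` before `-service`, which is why it reports the file as missing even though WinVNC.exe is running.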

 

10.4K Posts

August 13th, 2007 12:00

spmad

Please download ComboFix and save it to your desktop:
  • Note: it is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double-click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of C:\ComboFix.txt into your next reply.
  • Note: do not mouse-click ComboFix's window whilst it's running. That may cause the program to freeze/hang.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"

12 Posts

August 13th, 2007 14:00

Thank you so much, bamajim. Here is my ComboFix file.
 
ComboFix 07-08-13.3 - "solai" 2007-08-13 11:40:08.2 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.263 [GMT -4:00]

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmp127A.tmp.exe
C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmp127C.tmp.exe
C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmp13.tmp.exe
C:\WINNT\system32\dnac2bf4d4.dat

(((((((((((((((((((((((((   Files Created from 2007-07-13 to 2007-08-13  )))))))))))))))))))))))))))))))

2007-08-13 11:40 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_37c.dat
2007-08-13 11:37 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_5c0.dat
2007-08-13 11:37 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_5b8.dat
2007-08-13 11:37 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_53c.dat
2007-08-13 10:51 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-07 02:08   d-------- C:\WINNT\SYSTEM32\Windows Media
2007-08-07 02:07   d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-08-07 02:07   d-------- C:\WINNT\msiinst.tmp
2007-08-07 02:05   d--h-c--- C:\WINNT\$SQLUninstallMDAC28-KB927779-x86-ENU$
2007-08-07 02:02   d-------- C:\Program Files\MSXML 4.0
2007-08-06 08:13 44,032 --------- C:\WINNT\SYSTEM32\DLLCACHE\msxml3r.dll
2007-08-06 08:09 86,288 --------- C:\WINNT\SYSTEM32\DLLCACHE\srvsvc.dll
2007-08-06 08:05 2,174,976 --------- C:\WINNT\SYSTEM32\DLLCACHE\wmvcore.dll
2007-08-06 08:03 840,976 --------- C:\WINNT\SYSTEM32\DLLCACHE\mmcndmgr.dll
2007-08-03 15:10   d-------- C:\WINNT\SYSTEM32\BITS
2007-08-03 14:30 549,720 --a------ C:\WINNT\SYSTEM32\wuapi.dll
2007-08-03 14:30 43,352 --a------ C:\WINNT\SYSTEM32\wups2.dll
2007-08-03 14:30 33,624 --a------ C:\WINNT\SYSTEM32\wups.dll
2007-08-03 14:30 325,976 --a------ C:\WINNT\SYSTEM32\wucltui.dll
2007-08-03 14:30   d-------- C:\WINNT\SoftwareDistribution
2007-08-03 09:38 2,379,776 --ah----- C:\DOCUME~1\SOLAI~1.FEB\NTUSER.DAT
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\SapWorkDir
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\pnlinks
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Sonic
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Real
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Murasu
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Microsoft Web Folders
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Leadertech
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Lavasoft
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\ICAClient
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Help
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Google
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Arcsoft
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\AdobeUM
2007-08-03 09:38   d---s---- C:\DOCUME~1\SOLAI~1.FEB\UserData
2007-08-03 09:38   d-------- C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\AdwareAlert
2007-08-02 12:26   d-------- C:\DOCUME~1\solai\APPLIC~1\AdwareAlert
2007-08-02 12:07 58,798 --a------ C:\DOCUME~1\solai\APPLIC~1\tmp7B.tmp.exe
2007-08-01 11:46 58,798 --a------ C:\DOCUME~1\solai\APPLIC~1\tmp26.tmp.exe
2007-07-31 11:46 58,798 --a------ C:\DOCUME~1\solai\APPLIC~1\tmp19.tmp.exe
2007-07-31 10:27 499,712 --a------ C:\WINNT\SYSTEM32\msvcp71.dll
2007-07-31 10:27 1,060,864 --a------ C:\WINNT\SYSTEM32\mfc71.dll
2007-07-30 10:55 78,623 --a------ C:\DOCUME~1\solai\APPLIC~1\tmp13.tmp.exe
2007-07-30 10:55 58,798 --a------ C:\DOCUME~1\solai\APPLIC~1\tmp10.tmp.exe
2007-07-30 10:55 125,141 --a------ C:\DOCUME~1\solai\APPLIC~1\tmp11.tmp.exe
2007-07-28 10:58 93,814 --a------ C:\WINNT\SYSTEM32\C_2SSO.dll
2007-07-28 10:58 17,120 --a------ C:\WINNT\SYSTEM32\awvtsst.dll
2007-07-23 15:05   d-------- C:\WINNT\Cache

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
07-08-13 11:37  --------- d-------- C:\Program Files\Symantec AntiVirus
07-06-25 16:55  22592 --a------ C:\WINNT\system32\JHfEDA6I.exe
03-07-10 15:54  271 --ah----- C:\Program Files\DESKTOP.INI
03-07-10 15:54  21952 --ah----- C:\Program Files\FOLDER.HTT
03-06-20 09:00  32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb9bfd03-3999-4cef-bf84-c49e059552c4}]
07-07-28 10:58  93814 --a------ C:\WINNT\system32\C_2SSO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2b6b1ad-967f-4fee-957b-3f31e89b9003}]
07-07-28 10:58  93814 --a------ C:\WINNT\system32\C_2SSO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 09:00  C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [04-08-20 17:55 ]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [04-08-20 17:51 ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04-04-26 10:04 ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [04-01-07 03:01 ]
"dla"="C:\WINNT\system32\dla\tfswctrl.exe" [04-08-13 03:05 ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04-02-29 17:44 ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04-03-12 16:18 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [04-02-12 14:38 ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04-05-12 16:18 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-05-05 12:44 ]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [03-08-01 19:28 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [04-05-12 01:03 ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE [1997-07-11 01:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office97\Office\OSA.EXE [1997-07-11 01:00:00]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-02-16 09:46:18]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\C_2SSO]
C_2SSO.dll 07-07-28 10:58  93814 C:\WINNT\SYSTEM32\C_2SSO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\winnt\system32\awvtsst.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\oracle\ora81\BIN\ONRSD.EXE
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
Contents of the 'Scheduled Tasks' folder
2007-08-02 16:26:44 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job - C:\Program Files\AdwareAlert\AdwareAlert.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At1.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-13 13:00:30 C:\WINNT\Tasks\At10.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-13 14:00:30 C:\WINNT\Tasks\At11.job
2007-08-10 15:00:30 C:\WINNT\Tasks\At12.job
2007-08-10 16:00:30 C:\WINNT\Tasks\At13.job
2007-08-10 17:00:30 C:\WINNT\Tasks\At14.job
2007-08-10 18:00:30 C:\WINNT\Tasks\At15.job
2007-08-10 19:00:30 C:\WINNT\Tasks\At16.job
2007-08-10 20:00:30 C:\WINNT\Tasks\At17.job
2007-08-09 21:00:30 C:\WINNT\Tasks\At18.job
2007-08-07 22:01:08 C:\WINNT\Tasks\At19.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At2.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At20.job
2007-08-07 06:11:29 C:\WINNT\Tasks\At21.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At22.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At23.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At24.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At3.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At4.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At5.job
2007-08-07 06:11:29 C:\WINNT\Tasks\At6.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At7.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At8.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-13 12:01:34 C:\WINNT\Tasks\At9.job - C:\WINNT\system32\JHfEDA6I.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 11:42:47
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-13 11:43:22
C:\ComboFix-quarantined-files.txt ... 07-08-13 11:43
 --- E O F ---

 

10.4K Posts

August 13th, 2007 15:00

spmad

You are most welcome.

You have a suspicious file I would like to look at.

Please go HERE

Put your name, and "Dell HJT forum".

In the "file to submit" box, click Browse. Using Windows Explorer
  • (Right-click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents.)
locate the file
  • C:\WINNT\system32\JHfEDA6I.exe

In the comments, tell them that I asked you to upload the file.
Then select Send File.


12 Posts

August 13th, 2007 17:00

Hello bamajim
 
Just sent the file you requested through the other site. I am not sure if I mentioned your name as "bamajim" or "bamajin", so I may resend the file again. Thanks for all the help. Thanks

10.4K Posts

August 13th, 2007 20:00

spmad

Got the file. It's bad.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad:

File::
C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job
C:\WINNT\Tasks\At1.job
C:\WINNT\Tasks\At10.job
C:\WINNT\Tasks\At11.job
C:\WINNT\Tasks\At12.job
C:\WINNT\Tasks\At13.job
C:\WINNT\Tasks\At14.job
C:\WINNT\Tasks\At15.job
C:\WINNT\Tasks\At16.job
C:\WINNT\Tasks\At17.job
C:\WINNT\Tasks\At18.job
C:\WINNT\Tasks\At19.job
C:\WINNT\Tasks\At2.job
C:\WINNT\Tasks\At20.job
C:\WINNT\Tasks\At21.job
C:\WINNT\Tasks\At22.job
C:\WINNT\Tasks\At23.job
C:\WINNT\Tasks\At24.job
C:\WINNT\Tasks\At3.job
C:\WINNT\Tasks\At4.job
C:\WINNT\Tasks\At5.job
C:\WINNT\Tasks\At6.job
C:\WINNT\Tasks\At7.job
C:\WINNT\Tasks\At8.job
C:\WINNT\Tasks\At9.job
C:\WINNT\system32\JHfEDA6I.exe
C:\WINNT\SYSTEM32\awvtsst.dll
C:\WINNT\SYSTEM32\C_2SSO.dll
C:\DOCUME~1\solai\APPLIC~1\tmp13.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp7B.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp26.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp19.tmp.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe

Folder::
C:\Program Files\AdwareAlert

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb9bfd03-3999-4cef-bf84-c49e059552c4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2b6b1ad-967f-4fee-957b-3f31e89b9003}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\C_2SSO]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-



Save the file as CFScript (just as indicated, no spaces) and save it to your desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

  • You will be prompted to run ComboFix again; do so.
  • Follow the same rules as indicated in my first post.
  • Then post the contents of the C:\ComboFix.txt log in your reply.

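The CFScript above was written by hand from the ComboFix log. As an added example, not part of the thread and not ComboFix's own tooling, the script below derives the same File:: and Registry:: sections from the log text: once the target of the hourly At1.job to At24.job series is confirmed bad, every job in the series is listed (including the ones ComboFix could not resolve), the module files are collected from the task targets and the registry listing lines, keys that exist only for the malware (the BHO and Winlogon Notify keys) get the [-key] delete form, and shared keys get the "value"=- form. BAD_MODULES is an assumed verdict list standing in for the helper's judgement after the upload; the Folder:: section and the DisablePersonalDirChange policy value are left to the human.

```python
"""Build the File:: and Registry:: sections of a ComboFix CFScript from a ComboFix log.

Added example for this thread, not ComboFix's own tooling. Once the uploaded At-job
target is confirmed bad, the whole AtN.job series goes, plus the module files and
the registry loading points that reference them. Folder:: is not modelled.
"""
import re

# Verdict the helper reached after the upload (assumed list for the example): the
# hourly job target, the two DLLs dropped in the same minute, and the rogue scanner.
BAD_MODULES = {"jhfeda6i.exe", "c_2sso.dll", "awvtsst.dll", "adwarealert.exe"}

# Constructed sample: lines copied from the Reg Loading Points and Scheduled Tasks
# sections of the ComboFix log posted earlier in the thread.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb9bfd03-3999-4cef-bf84-c49e059552c4}]
07-07-28 10:58  93814 --a------ C:\WINNT\system32\C_2SSO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04-02-29 17:44 ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\C_2SSO]
C_2SSO.dll 07-07-28 10:58  93814 C:\WINNT\SYSTEM32\C_2SSO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\winnt\system32\awvtsst.dll
Contents of the 'Scheduled Tasks' folder
2007-08-02 16:26:44 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job - C:\Program Files\AdwareAlert\AdwareAlert.exe
2007-08-07 06:11:29 C:\WINNT\Tasks\At1.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-13 13:00:30 C:\WINNT\Tasks\At10.job - C:\WINNT\system32\JHfEDA6I.exe
2007-08-13 14:00:30 C:\WINNT\Tasks\At11.job
2007-08-07 06:11:29 C:\WINNT\Tasks\At2.job - C:\WINNT\system32\JHfEDA6I.exe
"""

def trailing_path(line):
    """The drive-letter path that ends a ComboFix listing line, or None."""
    m = re.search(r"[A-Za-z]:\\.*$", line)
    return m.group(0).split('"')[0].rstrip() if m else None

def is_bad(path, bad):
    return path is not None and path.rsplit("\\", 1)[-1].lower() in bad

def parse_reg_blocks(text):
    """[(key, [lines under it])] for the Reg Loading Points section."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("[HKEY_"):
            current = []
            blocks.append((line.strip("[]"), current))
        elif line.startswith("Contents of"):
            current = None
        elif current is not None and line.strip():
            current.append(line)
    return blocks

def parse_tasks(text):
    """{job path: target path or None} for the Scheduled Tasks listing."""
    jobs = {}
    for line in text.splitlines():
        m = re.match(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.+?\.job)(?: - (.+))?$", line)
        if m:
            jobs[m.group(1)] = m.group(2)
    return jobs

def build_cfscript(log, bad=BAD_MODULES):
    """CFScript text that removes every file and loading point tied to `bad`."""
    files, registry = [], []

    def add_file(path):
        if path and path.lower() not in {f.lower() for f in files}:
            files.append(path)

    jobs = parse_tasks(log)
    # The AtN.job series is what at.exe creates, one job per hour. If any job
    # resolves to a bad target, sweep the whole series in numeric order,
    # including jobs whose target ComboFix could not read (At11 above).
    at_series = {p: t for p, t in jobs.items() if re.search(r"\\At\d+\.job$", p)}
    if any(is_bad(t, bad) for t in at_series.values()):
        for p in sorted(at_series, key=lambda s: int(re.search(r"At(\d+)\.job$", s).group(1))):
            add_file(p)
    for job, target in jobs.items():
        if is_bad(target, bad):
            add_file(job)
            add_file(target)

    for key, lines in parse_reg_blocks(log):
        paths = [trailing_path(l) for l in lines]
        bad_paths = [p for p in paths if is_bad(p, bad)]
        if not bad_paths:
            continue
        for p in bad_paths:
            add_file(p)
        low = key.lower()
        if "browser helper objects" in low or "\\winlogon\\notify\\" in low:
            registry.append(f"[-{key}]")  # key exists only for the malware: delete it
        else:
            registry.append(f"[{key}]")  # shared key: clear just the bad value
            for line, p in zip(lines, paths):
                m = re.match(r'^"([^"]+)"=', line)
                if m and is_bad(p, bad):
                    registry.append(f'"{m.group(1)}"=-')

    return "\n".join(["File::", *files, "", "Registry::", *registry, ""])

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_COMBOFIX))
```

The ccApp value under the shared Run key is left alone because its target is not in the verdict list, which is the same distinction the helper drew between deleting the whole C_2SSO notify key and only clearing the appinit_dlls value under the shared Windows key.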

12 Posts

August 14th, 2007 15:00

Thanks bamajim. Looks like it is working all right now. You are just too good. Here is the HijackThis file. Please let me know what else I need to do.
 
Logfile of HijackThis v1.99.1
Scan saved at 12:55, on 2007-08-14
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
\Feb-5fwds61\c$\PROGRA~1\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\INTERN~1\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\solai.FEBLO_PDC\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted IP range: 192.168.10.85
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186165816592
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feblo.hlgllc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feblo.hlgllc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feblo.hlgllc.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
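With the before and after logs both in the thread, the natural check is a diff. As an added example (not from the thread), the script below compares the persistence entries of two HijackThis logs, sets aside new entries that widen Internet Explorer's trust (O15 trusted zone, O17 domain) for a second look, and confirms that nothing from the CFScript's File:: list is still referenced. The sample lines are subsets of the two logs above; REMOVED_FILES is a two-item excerpt of the helper's File:: list. On the real pair of logs the only new entry is the O15 Trusted IP range, which was not on the first log and which the thread does not explain.

```python
"""Before/after comparison of two HijackThis logs to verify a cleanup.

Added example, not from the thread. Diffs the persistence entries of the two
logs, separates additions that widen IE's trust (O15/O17) from the rest, and
checks that no file from the CFScript's File:: list is still referenced.
"""
import re

# Constructed samples: subsets of the first and second HJT logs in the thread.
BEFORE = r"""
O2 - BHO: (no name) - {bb9bfd03-3999-4cef-bf84-c49e059552c4} - C:\WINNT\system32\C_2SSO.dll
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O20 - AppInit_DLLs: c:\winnt\system32\awvtsst.dll
O20 - Winlogon Notify: C_2SSO - C:\WINNT\SYSTEM32\C_2SSO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
"""

AFTER = r"""
O15 - Trusted IP range: 192.168.10.85
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
"""

# Two of the files the CFScript above told ComboFix to delete.
REMOVED_FILES = [r"C:\WINNT\SYSTEM32\awvtsst.dll", r"C:\WINNT\SYSTEM32\C_2SSO.dll"]

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


def entries(text):
    """Set of HJT entries (R*, F*, N*, O* lines), compared as exact text."""
    return {l.strip() for l in text.splitlines() if ENTRY_RE.match(l.strip())}


def compare(before, after):
    """(removed, added, trust_widening): entries gone, entries new, and the new
    entries that extend IE's trusted zone (O15) or change the DNS domain (O17)."""
    b, a = entries(before), entries(after)
    added = sorted(a - b)
    return sorted(b - a), added, [e for e in added if e.startswith(("O15 ", "O17 "))]


def still_referenced(after, removed_files):
    """File names from the cleanup list that some entry in `after` still points at."""
    text = after.lower()
    names = {f.rsplit("\\", 1)[-1].lower() for f in removed_files}
    return sorted(n for n in names if n in text)


if __name__ == "__main__":
    removed, added, trust = compare(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("look again at:", *trust, sep="\n  ")
    print("still referenced:", still_referenced(AFTER, REMOVED_FILES) or "nothing")
```

Comparing exact text means an entry that merely changed (the Oracle service line gains "(file missing)" between the two real logs) shows up once as removed and once as added, which is the right default for a cleanup review: any change is worth a look.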
 

12 Posts

August 14th, 2007 15:00

Hi bamajim
 
I submitted the malware file to Bleeping Computer, thanks.

10.4K Posts

August 14th, 2007 15:00

spmad
 
Good job. Could I see a fresh HijackThis log?
 

12 Posts

August 14th, 2007 15:00

Bamajim,
I am amazed as to how you do this, but thanks anyway. I had some difficulty as ComboFix froze. I had to click the mouse as Spybot was popping up some stuff. Disabled it and then had to run ComboFix. Here is the file you requested. Thanks.
 
ComboFix 07-08-13.3 - "solai" 2007-08-14 11:50:41.4 - NTFSx86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.278 [GMT -4:00]
Command switches used ::  C:\Documents and Settings\solai.FEBLO_PDC\Desktop\CFScript.txt
FILE::
C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job
C:\WINNT\Tasks\At1.job
C:\WINNT\Tasks\At10.job
C:\WINNT\Tasks\At11.job
C:\WINNT\Tasks\At12.job
C:\WINNT\Tasks\At13.job
C:\WINNT\Tasks\At14.job
C:\WINNT\Tasks\At15.job
C:\WINNT\Tasks\At16.job
C:\WINNT\Tasks\At17.job
C:\WINNT\Tasks\At18.job
C:\WINNT\Tasks\At19.job
C:\WINNT\Tasks\At2.job
C:\WINNT\Tasks\At20.job
C:\WINNT\Tasks\At21.job
C:\WINNT\Tasks\At22.job
C:\WINNT\Tasks\At23.job
C:\WINNT\Tasks\At24.job
C:\WINNT\Tasks\At3.job
C:\WINNT\Tasks\At4.job
C:\WINNT\Tasks\At5.job
C:\WINNT\Tasks\At6.job
C:\WINNT\Tasks\At7.job
C:\WINNT\Tasks\At8.job
C:\WINNT\Tasks\At9.job
C:\WINNT\system32\JHfEDA6I.exe
C:\WINNT\SYSTEM32\awvtsst.dll
C:\WINNT\SYSTEM32\C_2SSO.dll
C:\DOCUME~1\solai\APPLIC~1\tmp13.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp7B.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp26.tmp.exe
C:\DOCUME~1\solai\APPLIC~1\tmp19.tmp.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmpD5.tmp.exe
C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmpD7.tmp.exe
C:\WINNT\SYSTEM32\C_2SSO.dll

(((((((((((((((((((((((((   Files Created from 2007-07-14 to 2007-08-14  )))))))))))))))))))))))))))))))

2007-08-13 10:51 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-07 02:08   d-------- C:\WINNT\SYSTEM32\Windows Media
2007-08-07 02:07   d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-08-07 02:07   d-------- C:\WINNT\msiinst.tmp
2007-08-07 02:05   d--h-c--- C:\WINNT\$SQLUninstallMDAC28-KB927779-x86-ENU$
2007-08-07 02:02   d-------- C:\Program Files\MSXML 4.0
2007-08-06 08:13 44,032 --------- C:\WINNT\SYSTEM32\DLLCACHE\msxml3r.dll
2007-08-06 08:09 86,288 --------- C:\WINNT\SYSTEM32\DLLCACHE\srvsvc.dll
2007-08-06 08:05 2,174,976 --------- C:\WINNT\SYSTEM32\DLLCACHE\wmvcore.dll
2007-08-06 08:03 840,976 --------- C:\WINNT\SYSTEM32\DLLCACHE\mmcndmgr.dll
2007-08-03 15:10   d-------- C:\WINNT\SYSTEM32\BITS
2007-08-03 14:30 549,720 --a------ C:\WINNT\SYSTEM32\wuapi.dll
2007-08-03 14:30 43,352 --a------ C:\WINNT\SYSTEM32\wups2.dll
2007-08-03 14:30 33,624 --a------ C:\WINNT\SYSTEM32\wups.dll
2007-08-03 14:30 325,976 --a------ C:\WINNT\SYSTEM32\wucltui.dll
2007-08-03 14:30   d-------- C:\WINNT\SoftwareDistribution
2007-08-03 09:38 2,379,776 --ah----- C:\DOCUME~1\SOLAI~1.FEB\NTUSER.DAT
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\SapWorkDir
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\pnlinks
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Sonic
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Real
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Murasu
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Microsoft Web Folders
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Leadertech
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Lavasoft
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\ICAClient
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Help
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Google
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\Arcsoft
2007-08-03 09:38   d-a------ C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\AdobeUM
2007-08-03 09:38   d---s---- C:\DOCUME~1\SOLAI~1.FEB\UserData
2007-08-03 09:38   d-------- C:\DOCUME~1\SOLAI~1.FEB\APPLIC~1\AdwareAlert
2007-08-02 12:26   d-------- C:\DOCUME~1\solai\APPLIC~1\AdwareAlert
2007-07-31 10:27 499,712 --a------ C:\WINNT\SYSTEM32\msvcp71.dll
2007-07-31 10:27 1,060,864 --a------ C:\WINNT\SYSTEM32\mfc71.dll
2007-07-23 15:05   d-------- C:\WINNT\Cache

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
07-08-14 11:53  --------- d-------- C:\Program Files\Symantec AntiVirus
03-07-10 15:54  271 --ah----- C:\Program Files\DESKTOP.INI
03-07-10 15:54  21952 --ah----- C:\Program Files\FOLDER.HTT
03-06-20 09:00  32528 --a------ C:\WINNT\inf\WBFIRDMA.SYS

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 09:00  C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [04-08-20 17:55 ]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [04-08-20 17:51 ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04-04-26 10:04 ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [04-01-07 03:01 ]
"dla"="C:\WINNT\system32\dla\tfswctrl.exe" [04-08-13 03:05 ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04-02-29 17:44 ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04-03-12 16:18 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [04-02-12 14:38 ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04-05-12 16:18 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-05-05 12:44 ]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [03-08-01 19:28 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [04-05-12 01:03 ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\solai.FEBLO_PDC\Start Menu\Programs\Startup\
HotSync Manager.lnk - \\Feb-5fwds61\c$\PROGRA~1\Palm\HOTSYNC.EXE [2003-03-07 18:46:14]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office97\Office\FINDFAST.EXE [1997-07-11 01:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office97\Office\OSA.EXE [1997-07-11 01:00:00]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-02-16 09:46:18]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\oracle\ora81\BIN\ONRSD.EXE

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 11:55:58
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-14 11:57:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-14 11:57
C:\ComboFix2.txt ... 07-08-13 11:43
 --- E O F ---
 

10.4K Posts

August 14th, 2007 17:00

spmad

Thank you for the compliment

1. Rerun HijackThis (scan only) and place checks beside the following entries:
  • R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  • O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab

Close all other open windows except HijackThis and select "Fix checked".

Close HijackThis and reboot your PC.

2. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.

  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced" and deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

3. Run an online virus scan called Kaspersky from HERE.
  1. Click on "Kaspersky Online Scanner".
  2. A new smaller window will pop up. After reading the contents, press "Accept".
  3. Now Kaspersky will update the anti-virus database. Let it run.
  4. Click on "Next" ->> "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
  5. Then click on "My Computer" and the scan will start.
  6. Once finished, save a log as ".txt" to the desktop.

Copy and post the results of the Kaspersky Online scan.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"

12 Posts

August 15th, 2007 11:00

Hello bamajim, here is my Kaspersky report.
 
-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 2007-08-15 08:31
 Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
 Kaspersky Online Scanner version: 5.0.93.0
 Kaspersky Anti-Virus database last update: 14/08/2007
 Kaspersky Anti-Virus database records: 381197
-------------------------------------------------------------------------------
Scan Settings:
 Scan using the following antivirus database: extended
 Scan Archives: true
 Scan Mail Bases: true
Scan Target - My Computer:
 A:\
 C:\
 D:\
 E:\
 F:\
 G:\
 H:\
 I:\
 J:\
 L:\
 M:\
 N:\
 T:\
Scan Statistics:
 Total number of scanned objects: 102900
 Number of viruses found: 14
 Number of infected objects: 42
 Number of suspicious objects: 0
 Duration of the scan process: 01:46:50
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04100000.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04100001.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04140000.VBN Infected: Virus.Win32.Delf.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04140001.VBN Infected: Virus.Win32.Delf.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04200000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04280001.VBN Infected: Virus.Win32.Delf.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04280002.VBN Infected: Virus.Win32.Delf.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04480000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06600000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\FCSS5D3E\installdrivecleanerstart_tbn[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\S1UVSPU7\dedamisha[1] Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\S1UVSPU7\installdrivecleanerstart[1].cab/UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\S1UVSPU7\installdrivecleanerstart[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\SPQFKLEV\dedamisha[1] Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\UBGRQVU9\ErrorSafeNewReleaseInstall[1].cab/UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\UBGRQVU9\ErrorSafeNewReleaseInstall[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\solai.FEBLO_PDC\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\solai.FEBLO_PDC\Desktop\[4]-Submit_Tue 2007-08-14_115039.27.zip/C_2SSO.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\Documents and Settings\solai.FEBLO_PDC\Desktop\[4]-Submit_Tue 2007-08-14_115039.27.zip ZIP: infected - 1 skipped
C:\Documents and Settings\solai.FEBLO_PDC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\solai.FEBLO_PDC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\solai.FEBLO_PDC\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\solai.FEBLO_PDC\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\solai.FEBLO_PDC\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\solai.FEBLO_PDC\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\VPTray.exe Infected: Trojan.Win32.Patched.af skipped
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\QooBox\Quarantine\C\DOCUME~1\solai\APPLIC~1\tmp10.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\solai\APPLIC~1\tmp19.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\solai\APPLIC~1\tmp26.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\solai\APPLIC~1\tmp7B.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmp2BD.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmp8.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmpB3.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\SOLAI~1.FEB\APPLIC~1\tmpD4.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINNT\DOWNLO~1\UDC6_0001_D19M1908NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped
C:\QooBox\Quarantine\C\WINNT\DOWNLO~1\UERS_9999_N91S2507NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\awvtsqo.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\QooBox\Quarantine\C\WINNT\SYSTEM32\JHfEDA6I.exe.vir Infected: Trojan-Downloader.Win32.Firu.b skipped
C:\QooBox\Quarantine\C\WINNT\WebAssist.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\QooBox\Quarantine\C\WINNT\xhelper.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\QooBox\Quarantine\C\WINNT\xmlhelper2.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\CSC\00000002 Object is locked skipped
C:\WINNT\CSC\00000003 Object is locked skipped
C:\WINNT\CSC\D2\00000011 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT Object is locked skipped
C:\WINNT\SYSTEM32\dla\tfswctrl.exe Infected: Trojan.Win32.Patched.af skipped
C:\WINNT\SYSTEM32\hkcmd.exe Infected: Trojan.Win32.Patched.af skipped
C:\WINNT\SYSTEM32\igfxtray.exe Infected: Trojan.Win32.Patched.af skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_504.dat Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_568.dat Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_588.dat Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
T:\ASN Folder\GM ASNS (Inbounds).xls Object is locked skipped
T:\DIRECT SHIP FILES\LTL\OTTW 08-14.xls Object is locked skipped
T:\DIRECT SHIP FILES\LTL\PROD\FEBLIV1150466 08-14.xls Object is locked skipped
T:\software\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
T:\software\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
T:\software\tightvnc-1.2.9-setup.exe Inno: infected - 2 skipped
Scan process completed.
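A report like the one above mixes three very different things on equal footing: inert copies already sitting in an AV quarantine store (the Symantec `Quarantine\*.VBN` files and ComboFix's `C:\QooBox`), cached downloads in Temporary Internet Files, and live files on the running system. Only the last group needs action, and within it Kaspersky's `Trojan.Win32.Patched.*` name is special: it flags a legitimate vendor binary (here VPTray.exe, hkcmd.exe, igfxtray.exe, tfswctrl.exe) whose code has been modified, which is why the helper asks for the OS disk to restore originals. The following Python triage script is an added example, not code from the thread or from Kaspersky; it parses lines in this report format, and the location and kind heuristics (path substrings, the `not-a-virus:` prefix, the `.Patched.` family) are my assumptions. The sample lines are constructed in the report's format from entries in the post above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One object per line, as in the Kaspersky Online Scanner report above:
#   <path> Infected: <detection> <action>
#   <path> Object is locked <action>
#   <path> <ARCHIVE>: infected - <n> <action>   (container of an inner hit)
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+))"
    r"\s+(?P<action>\w+)$"
)


@dataclass
class Finding:
    path: str
    name: Optional[str]   # detection name; None for locked objects and archive containers
    action: str
    location: str         # "quarantine", "browser-cache" or "live"
    kind: str             # "malware", "pua", "patched", "locked" or "archive"


def classify_location(path: str) -> str:
    """Assumed heuristic: AV quarantine stores and ComboFix's QooBox hold inert
    copies, the IE cache holds downloads; anything else is a live file."""
    p = path.lower()
    if "\\quarantine\\" in p or "\\qoobox\\" in p:
        return "quarantine"
    if "temporary internet files" in p:
        return "browser-cache"
    return "live"


def classify_kind(name: str) -> str:
    """Kaspersky naming: 'not-a-virus:' marks adware / riskware / remote-admin
    tools; the Patched family marks a legitimate binary that was modified."""
    if name.startswith("not-a-virus:"):
        return "pua"
    if ".Patched." in name:
        return "patched"
    return "malware"


def parse_report(lines: List[str]) -> List[Finding]:
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, statistics and "Scan process completed." lines
        path, action = m.group("path"), m.group("action")
        if m.group("name"):
            name = m.group("name")
            kind = classify_kind(name)
        elif m.group("locked"):
            name, kind = None, "locked"
        else:
            name, kind = None, "archive"
        findings.append(Finding(path, name, action, classify_location(path), kind))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Separate what the AV already neutralised from what still needs work."""
    counts = Counter((f.location, f.kind) for f in findings)
    live = [f for f in findings if f.location == "live"]
    return {
        "parsed": len(findings),
        "counts": counts,
        "patched_binaries": [f.path for f in live if f.kind == "patched"],  # restore from install media
        "live_malware": [f.path for f in live if f.kind == "malware"],
        "live_pua": [f.path for f in live if f.kind == "pua"],          # review: wanted or not?
        "locked": sum(1 for f in live if f.kind == "locked"),            # unscanned, not infected
    }


# Constructed sample in the report's format, modelled on entries in the post above.
SAMPLE_REPORT = [
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped",
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04140000.VBN Infected: Virus.Win32.Delf.an skipped",
    r"C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\S1UVSPU7\installdrivecleanerstart[1].cab/UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped",
    r"C:\Documents and Settings\solai\Local Settings\Temporary Internet Files\Content.IE5\S1UVSPU7\installdrivecleanerstart[1].cab CAB: infected - 1 skipped",
    r"C:\QooBox\Quarantine\C\WINNT\SYSTEM32\awvtsqo.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped",
    r"C:\Program Files\Symantec AntiVirus\VPTray.exe Infected: Trojan.Win32.Patched.af skipped",
    r"C:\WINNT\SYSTEM32\hkcmd.exe Infected: Trojan.Win32.Patched.af skipped",
    r"C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped",
    "Scan process completed.",
]

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report, the script separates the 42 "infected objects" into quarantine copies (already handled), cache entries (cleared by CCleaner or Killbox's temp-file cleanup), and the handful of live items. The `live_pua` bucket deserves a human look rather than automatic deletion: on this machine TightVNC is a deliberately installed remote-administration tool, whereas the same label on an unexpected file would be a finding.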

10.4K Posts

August 15th, 2007 13:00

spmad

We have a few things to do.

1. Please download the Killbox.
  1) Save it to the desktop
  2) Right-click ->> Extract all ->> Extract it to your Desktop
  3) Double-click Killbox.exe to run it
  4) At the main window select Tools ->> Delete Temp Files
  5) At the next window uncheck XP Prefetch; leave the other boxes checked
  6) Select "Delete Selected Temp Files"
  Allow the tool to run. When it is finished (you will know that it is finished because the checks will disappear from the location boxes), select "Exit", then select "Exit" again to close Killbox.
2. Empty Norton Quarantine folder

If you use Norton AntiVirus 2006
  1. Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program and click Norton AntiVirus.
  2. In the left pane, click Reports.
  3. Click View Norton Quarantined and Restore.
  4. In the left pane, select the type of risk that you want to remove.
  5. In the right pane, select the files that you want to remove.
  6. Click Delete Item.
  7. When you see the message "Warning! Are you sure that you want to remove this item from Quarantine," click Yes.
  8. Close the Quarantine window, and then exit Norton AntiVirus.

If you use Norton AntiVirus 2005
  1. Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program and click Norton AntiVirus.
  2. In the left pane, click Reports.
  3. Click View Quarantined Items.
  4. In the right pane, select the files that you want to remove.
  5. Click Delete Item.
  6. When you see the message "Warning! Are you sure that you want to remove this item from Quarantine," click Yes.
  7. Close the Quarantine window, and then exit Norton AntiVirus.

If you use Norton AntiVirus 2004/2003
  1. Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program and click Norton AntiVirus.
  2. In the left pane, click Reports.
  3. In the right pane, click View Report to the right of Quarantined Items.
  4. In the right pane, select the files that you want to remove.
  5. Click Delete Item.
  6. When you see the message "Warning! Are you sure that you want to remove this item from Quarantine," click Yes.
  7. Close the Quarantine window, and then exit Norton AntiVirus.

3. Using Windows Explorer
  • (Right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents.)
Locate this folder and delete it:
  • C:\QooBox\Quarantine

4. You have some files on your PC that have been damaged by the infection. Do you have a copy of the Windows OS (operating system) disk?

CastleCops Instructor

MRU Graduate


"The world is what you make of it"

12 Posts

August 15th, 2007 17:00

bamajim,
I haven't done any of these steps yet because I do not have the Windows OS disk with me right now, but I can get it tomorrow. On the other hand, I have the I386 folder on my C drive that has a lot of this backup information. Can we use that? Also, can I do the other steps right now and wait for the OS disk till tomorrow if I can't use the information in the I386 folder? Thanks

10.4K Posts

August 15th, 2007 17:00

spmad
 
It would be better to use the OS disk if you have it.
 
Once you have it, go ahead and complete the steps I've outlined in my previous post, then let me know when you are ready. :smileyhappy:
 
CastleCops Instructor

MRU Graduate


"The world is what you make of it"

12 Posts

August 16th, 2007 15:00

bamajim
Have done the steps per your instructions. I did not have Norton but had Symantec on my computer. I went into the quarantine list and deleted them, hope this is ok. Also, I deleted the "QooBox" and this is in the "Recycle Bin", should I delete it?
I have the OS disk with me now. Please let me know what I should do, thanks.