I have an infection that I can't shake. Ad-Aware shows it as "win32.Trojandownloader.zlob" and "Cmd Services". Below are my HijackThis and ComboFix logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:15 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
D:\downloads\HiJackThis\HijackThis.exe
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fcsdkagp.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - d:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 2972 bytes
ComboFix 07-11-08.1 - Some Body 2007-11-15 12:36:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1616 [GMT -6:00]
Running from: D:\downloads\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Some Body\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Some Body\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Some Body\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\fcsdkagp.dllbox
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\pac.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-15 12:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 22:18 145,984 --a------ C:\WINDOWS\system32\fcsdkagp.dll
2007-11-14 22:17 145,984 --a------ C:\WINDOWS\system32\yjpqolpp.dll
2007-11-14 21:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-14 21:26 85,056 --a------ C:\WINDOWS\system32\ruikljvd.dll
2007-11-14 21:20 75,475 --a------ C:\WINDOWS\system32\rcpbcbjy.dll
2007-11-13 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-13 20:30 145,984 --a------ C:\WINDOWS\system32\yqlsyifo.dll
2007-11-13 20:29 <DIR> d-------- C:\Program Files\Cool
2007-11-12 21:10 <DIR> d--hs---- C:\WINDOWS\c29tZSBib2R5
2007-11-12 21:07 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
2007-11-12 21:07 36,352 --a------ C:\WINDOWS\system32\cbxyyww.dll
2007-11-12 21:06 <DIR> d-------- C:\quarantine
2007-11-09 22:07 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-01 21:28 1,094 --a------ C:\WINDOWS\checkip.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-15 17:27 --------- d-----w C:\Program Files\Google
2007-11-15 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 22:47 --------- d-----w C:\Program Files\QuickTime
2007-10-11 03:41 --------- d-----w C:\Documents and Settings\Some Body\Application Data\Shareaza
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\c29tZSBib2R5\wZ6Qtm12vZlc.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
2007-11-12 21:07 36352 --a------ C:\WINDOWS\system32\cbxyyww.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E343395-91CE-4D97-BE05-C2386CA4B582}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-14 22:18 145984 --a------ C:\WINDOWS\system32\fcsdkagp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B230E8FC-15A8-427F-8DE6-DDBEEB10466C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fcsdkagp.dll [2007-11-14 22:18 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fcsdkagp.dll [2007-11-14 22:18 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11]
"nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 12:26]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\cbxyyww.dll [2007-11-12 21:07 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyyww]
cbxyyww.dll 2007-11-12 21:07 36352 C:\WINDOWS\system32\cbxyyww.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcsdkagp]
fcsdkagp.dll 2007-11-14 22:18 145984 C:\WINDOWS\system32\fcsdkagp.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhh.dll
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;C:\WINDOWS\system32\DRIVERS\NETR33X.SYS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 22:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 12:46:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 12:49:16 - machine was rebooted
.
--- E O F ---
