Tech Support Guy forum: Virus & Other Malware Removal
BIG PROBLEM, I have seen this one, but I don't know where to start.


mrdogboy (Junior Member, 23 posts, thread starter), Join Date: Oct 2006, Experience: Einstein
28-Jan-2008, 03:28 PM #1
The machine is at 100% CPU, and every now and then it pops up a window about my security, as well as a SHIELD in the TRAY.. I've seen this before in other systems, but I don't remember the FIX.... Here is my HijackThis report..

Please HELP ME !!

Logfile of HijackThis v1.99.1
Scan saved at 2:23:38 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ZG1p\command.exe
c:\srvinst\srvany.exe
D:\D3\D3Programs\D3Vme.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctyyfpqa.exe
c:\program files\drexel ftpservice\ftpservice.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TZO\TZO_NT_Service.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\locator.exe
D:\D3\D3Programs\d3odbcsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\??crosoft\wuauclt.exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\Web Buying\v1.8.6\webbuying.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\Web Buying\v1.8.6\webbuying .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\WINDOWS\system32\AlarmS4.exe
C:\Projects\CallerID\CallerId.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
F:\HJT-CWS.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-1Q5TG.tmp\is-M61FT.tmp
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe
C:\WINDOWS\system32\STEM~1\winlogon .exe
C:\WINDOWS\system32\STEM~1\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.222/
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsrq.exe
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Task Scheduler] C:\WINDOWS\system32\dlha\mstask32.com
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Intel Audio Studio V2.0] C:\WINDOWS\fmideploy.exe
O4 - HKCU\..\Run: [IntelliMouse Explorer V2.3] C:\WINDOWS\netpefr32.exe
O4 - HKCU\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe
O4 - HKCU\..\Run: [Dreu] "C:\WINDOWS\system32\STEM~1\winlogon.exe" -vt ndrv
O4 - HKCU\..\Run: [Wqktxuxy] C:\WINDOWS\system32\??crosoft\wuauclt.exe
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
O4 - Global Startup: Shortcut to CallerId.lnk = C:\Projects\CallerID\CallerId.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.10
O15 - Trusted IP range: http://192.168.1.222
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://www.mercurypay.com/MPS_CustP...pType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Hardware Monitoring Program (ADMService) - OSA Technologies Inc - C:\Program Files\Acer\eManager\admServ.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZG1p\command.exe
O23 - Service: Credit Card Listener - Unknown owner - c:\srvinst\srvany.exe
O23 - Service: D3 ODBC Server (D3odbcsv) - Raining Data - D:\D3\D3Programs\d3odbcsv.exe
O23 - Service: D3 Virtual Machine Environment (D3Vme) - Raining Data - D:\D3\D3Programs\D3Vme.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ctyyfpqa.exe
O23 - Service: DrexelFTPService - - c:\program files\drexel ftpservice\ftpservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
O23 - Service: Security Service (UXIA) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
Jintan (Malware Removal Specialist, 1,164 posts), Join Date: Oct 2007
28-Jan-2008, 06:39 PM #2
Hello mrdogboy.

Very seriously infected system there. We will do some repairs and adjust as we go, but given the level of infection and the way it has loaded itself, removal of it could possibly lead to a requirement to reinstall the operating system. We have an excellent success rate in this forum, but it is good to give an upfront caution when one is warranted.


You will want to copy or have other access to these steps, as they will be done while offline.

Be sure to temporarily disable any protective software when running the scan tools we use here.

Download SDFix.exe and save it to your desktop.

Download ComboFix.exe from here to your desktop.

Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

===================================================


Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

=============================

After the reboot click on the downloaded ComboFix.exe to run the scan.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Reconnect to net access, and post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.
mrdogboy (Junior Member, 23 posts, thread starter), Join Date: Oct 2006, Experience: Einstein
29-Jan-2008, 01:44 PM #3
Here's my SD Report:


SDFix: Version 1.133

Run by Administrator on Tue 01/29/2008 at 12:24 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
cmdService
Network Monitor
ntload

Path:
C:\WINDOWS\ZG1p\command.exe
C:\Program Files\Network Monitor\netmon.exe service
\??\C:\WINDOWS\system32\ntload.sys

cmdService - Deleted
Network Monitor - Deleted
ntload - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\INTERN~1\DIVOVY~1.HTM - Deleted
C:\Documents and Settings\Administrator\Desktop\Online Security Center.URL - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\svcd\svchost.exe - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\update32.exe.tmp - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted
C:\WINDOWS\system32\winsrc.dll - Deleted
C:\WINDOWS\system32\wscmp.dll - Deleted
C:\WINDOWS\system32\wscmp.dll.tmp - Deleted
C:\WINDOWS\TTC-4444.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\svcd - Removed


Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 12:34:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:IE6"
"C:\\WINDOWS\\system32\\ctyyfpqa.exe"="C:\\WINDOWS\\system32\\cty"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 26 Oct 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Tue 26 Oct 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Tue 26 Oct 2004 1,024 ...HR --- "C:\WINDOWS\system32\ntiembed.dll"

Finished!
mrdogboy (Junior Member, 23 posts, thread starter), Join Date: Oct 2006, Experience: Einstein
29-Jan-2008, 02:00 PM #4
My COMBOfix report:

ComboFix 08-01-29.3 - Administrator 2008-01-29 12:46:16.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239 [GMT -5:00]
Running from: F:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\d3startup\Application Data\NetMon
C:\Documents and Settings\d3startup\Application Data\NetMon\domains.txt
C:\Documents and Settings\d3startup\Application Data\NetMon\log.txt
C:\Documents and Settings\d3startup\Desktop\Online Security Center.URL
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\temp\tn3
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\byxyvtr.dll
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\kpycaqh.dll
C:\WINDOWS\system32\mljjhgh.dll
C:\WINDOWS\system32\nnnnnli.dll
C:\WINDOWS\system32\nrrxpiax.ini
C:\WINDOWS\system32\petaktuu.ini
C:\WINDOWS\system32\qrstv.ini
C:\WINDOWS\system32\qrstv.ini2
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\stem~1\??stem\
C:\WINDOWS\system32\tuvuvuu.dll
C:\WINDOWS\system32\xxyywwt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 12:49 . 2008-01-29 12:49 <DIR> d-------- C:\temp\tn3
2008-01-29 12:48 . 2008-01-29 12:48 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-29 12:23 . 2008-01-29 12:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-28 16:14 . 2008-01-28 16:13 241,664 --a------ C:\techload.dll
2008-01-28 16:13 . 2008-01-28 16:13 241,664 --a------ C:\WINDOWS\certproc32 .exe
2008-01-28 15:38 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-28 15:38 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-28 15:38 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-28 15:37 . 2008-01-28 15:37 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-28 15:37 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-28 15:37 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-28 15:37 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2008-01-28 15:37 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-28 15:37 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-14 13:41 . 2008-01-14 13:41 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-14 13:08 . 2008-01-14 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PrevxCSI
2008-01-14 13:05 . 2008-01-14 13:03 613,432 --a------ C:\PREVXCSIFREE.EXE
2008-01-14 12:45 . 2008-01-25 14:58 245,760 --a------ C:\WINDOWS\system32\Check .exe
2008-01-14 12:45 . 2008-01-25 14:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-14 12:45 . 2008-01-25 14:58 118,784 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-14 12:28 . 2007-05-17 07:28 549,376 --------- C:\WINDOWS\system32\oleaut32.dll
2008-01-14 12:26 . 2007-11-07 04:26 721,920 --a------ C:\WINDOWS\system32\lsasrv.dll
2008-01-14 12:26 . 2007-04-25 10:21 144,896 --a------ C:\WINDOWS\system32\schannel.dll
2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\ZG1p
2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\ez4
2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-12 18:27 . 2008-01-12 18:27 86,016 --a------ C:\WINDOWS\system32\drivers\ip6fww.sys
2008-01-12 18:26 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-12 18:26 . 2008-01-12 18:26 <DIR> d-------- C:\temp\Ryuan1
2008-01-12 17:47 . 2008-01-12 17:47 34,816 --a------ C:\winiqre.exe
2008-01-05 16:52 . 2008-01-12 17:23 146 --a------ C:\WINDOWS\gtiplus.ini
2007-12-30 12:39 . 2007-12-30 12:40 231,424 --a------ C:\WINDOWS\mapisrv32.dll
2007-12-30 12:39 . 2007-12-30 12:40 10,240 --a------ C:\WINDOWS\jtcres32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 19:52 63 ----a-w C:\ccstat.dat
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
.
----a-w           241,664 2008-01-28 21:13:14  C:\WINDOWS\certproc32 .exe
----a-w           118,784 2008-01-25 19:58:44  C:\WINDOWS\system32\hkcmd .exe
----a-w           155,648 2008-01-25 19:58:40  C:\WINDOWS\system32\igfxtray .exe
----a-w           245,760 2008-01-25 19:58:54  C:\WINDOWS\system32\Check .exe
----a-w           176,128 2008-01-25 19:59:42  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
----a-w            59,392 2008-01-15 16:19:22  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w           455,168 2008-01-15 16:19:24  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
----a-w           208,952 2008-01-15 16:19:18  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w            44,032 2008-01-15 16:19:18  C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE
----a-w            92,160 2008-01-15 16:19:52  C:\Documents and Settings\Administrator\Application Data\PrevxCSI\PrevxCSI .exe
----a-w         1,694,208 2008-01-28 21:13:44  C:\Program Files\Messenger\msmsgs .exe
----a-w            57,344 2008-01-25 20:00:04  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w         1,393,664 2008-01-25 19:59:24  C:\Program Files\acer\eManager\admtray .exe
----a-w            40,960 2008-01-25 19:58:54  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w            32,881 2008-01-25 19:59:16  C:\Program Files\Java\j2re1.4.2_05\bin\jusched .exe
----a-w           241,664 2008-01-25 19:59:46  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w            49,152 2008-01-25 19:59:54  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           323,584 2008-01-25 19:59:48  C:\Program Files\TZO\TZOClient .exe
----a-w           469,824 2008-01-25 19:59:50  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
----a-w           282,624 2008-01-25 20:00:00  C:\Program Files\QuickTime\qttask   .exe
----a-w         1,831,936 2008-01-25 20:00:10  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w            68,856 2008-01-28 21:13:42  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w         1,503,232 2008-01-28 21:13:50  C:\Program Files\Spyware Doctor\swdoctor .exe
----a-w           108,160 2008-01-28 21:13:40  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           372,736 2008-01-25 19:59:00  C:\Acer\PSM .EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94F9AB49-6EAC-382F-DA5C-4BE604870F91}]
C:\WINDOWS\system32\agyqlxm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD51DB68-9160-43B3-3186-6EB948D028C0}]
C:\Program Files\Internet Explorer\zymihazu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D68F6CAC-FE0A-4960-8E41-2F8A2CE6AD38}]
C:\WINDOWS\system32\vtsrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliMouse Explorer V2.3"="C:\WINDOWS\netpefr32.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Shortcut to CallerId.lnk - C:\Projects\CallerID\CallerId.exe [2005-07-11 16:31:01 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 03:19:24 237568]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 10:36:08 960032]
QuickBooks Database Server Manager.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe [2006-09-19 10:31:58 149024]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggedec]
hggedec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 ip6fww;ip6fww;C:\WINDOWS\system32\drivers\ip6fww.sys [2008-01-12 18:27]
R2 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-02-24 10:19]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2004-09-20 17:37]
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe [2006-09-13 10:32]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2001-07-24 10:15]
S2 UXIA;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 Credit Card Listener;Credit Card Listener;c:\srvinst\srvany.exe [2002-05-03 08:29]
S3 D3odbcsv;D3 ODBC Server ;D:\D3\D3Programs\d3odbcsv.exe [2005-01-04 16:01]
S3 D3Vme;D3 Virtual Machine Environment;D:\D3\D3Programs\D3Vme.exe [2005-01-04 16:01]
S3 int15.sys;int15.sys;C:\Program Files\acer\erecovery\int15.sys [2004-11-03 09:06]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2004-06-07 18:32]
S3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-15 14:57]
S4 DrexelFTPService;DrexelFTPService;c:\program files\drexel ftpservice\ftpservice.exe [2005-09-30 12:04]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Audio Studio V2.8]
C:\WINDOWS\flsmontr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\IntelliMouse Explorer V2.3]
C:\WINDOWS\netpefr32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 17:33:54 C:\WINDOWS\Tasks\DMIBackUp.job"
- C:\PROGRA~1\DMIBAC~1\DMIBAC~1.EXE
"2008-01-29 12:01:02 C:\WINDOWS\Tasks\deltmp.job"
- C:\chuck\deltmp.bat
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 12:49:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\TZO\TZO_NT_Service.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Projects\CallerID\CallerId.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-01-29 12:50:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 17:50:30
.
2008-01-28 20:31:59 --- E O F ---
Jintan (Malware Removal Specialist, 1,164 posts), Join Date: Oct 2007
29-Jan-2008, 07:19 PM #5
Bad news is that all of your startup files have been replaced by malware copies, and something has already caused sufficient damage (perhaps some scan done) that appears to have removed the actual registry startup entries for them. This indicates all will require reinstallation of the software (as opposed to just locating and returning legit copies after cleaning is done). The services removed already by those two scans done were info stealers, so you can assume all personal and security data such as passwords and key info has been compromised. You will want to either contact any banking/credit accounts ever accessed on this system, or closely monitor them for the near future, and from a different system change all secure logons/passwords.

These next few repair steps will require aggressive removal procedures, so I want to be sure we err as little as possible. Do you recognize either of these two services or their software?

drexel ftpservice
Credit Card Listener
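The impersonation patterns Jintan is pointing at in the logs above (a space before the extension as in "winlogon .exe", core Windows binary names running from odd directories such as system32\STEM~1 and system32\svcd, and the "??crosoft" folder whose name the listing could not render) can be picked out of a HijackThis listing mechanically. The script below is an added example written for this page, not a tool from the thread or from the HijackThis or ComboFix authors; its sample lines are constructed in the style of the log above, and the table of expected directories is an assumption about a default Windows XP install.

```python
"""Flag process-impersonation patterns in a HijackThis-style listing.

Heuristics, each taken from the log posted in this thread:
  1. a space before the extension ("winlogon .exe"): a different file that
     displays almost like the real binary;
  2. a core Windows binary name running from a directory other than the one
     it ships in ("...\\system32\\STEM~1\\winlogon.exe");
  3. a '?' in the path: Windows forbids '?' in file names, so it is how the
     listing rendered a non-ASCII character ("...\\system32\\??crosoft\\...").
"""
import re
from typing import List, Tuple

# Assumption: where the genuine copies live on a default Windows XP install.
# Directories are compared case-insensitively.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "wuauclt.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

EXTENSIONS = r"(?:exe|com|dll|scr|bat)"
SPACED_EXT = re.compile(r"\s+\." + EXTENSIONS + r"$", re.IGNORECASE)
PATH_WITH_ARGS = re.compile(r"(.+?\." + EXTENSIONS + r")(?:\s|$)", re.IGNORECASE)


def extract_path(line: str) -> str:
    """Return the executable path from a raw process line or a HijackThis O4 entry."""
    line = line.strip()
    if line.upper().startswith("O4 - "):
        if "] " in line:                 # Run-key entry:  [Name] "path" args
            line = line.split("] ", 1)[1]
        elif " = " in line:              # Global Startup: x.lnk = path
            line = line.split(" = ", 1)[1]
    if line.startswith('"'):             # quoted path: drop the arguments
        return line[1:].split('"', 1)[0]
    match = PATH_WITH_ARGS.match(line)   # unquoted: keep up to the extension
    return match.group(1) if match else line


def inspect(line: str) -> List[str]:
    """Return the findings for one line; an empty list means nothing suspicious."""
    path = extract_path(line)
    directory, _, base = path.lower().rpartition("\\")
    findings = []
    if SPACED_EXT.search(base):
        findings.append("space before extension")
        base = re.sub(r"\s+\.", ".", base)   # so the directory check still applies
    if "?" in path or any(ord(c) > 127 for c in path):
        findings.append("non-ASCII or unprintable character in path")
    expected = EXPECTED_DIRS.get(base)
    if expected is not None and directory != expected:
        findings.append(f"{base} outside {expected}")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run inspect() over a listing and return only the lines with findings."""
    results = []
    for line in lines:
        if line.strip():
            findings = inspect(line)
            if findings:
                results.append((line.strip(), findings))
    return results


# Constructed sample in the style of the HijackThis log above: clean entries
# mixed with the impersonation patterns the thread discusses.
SAMPLE = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\svcd\svchost.exe",
    r"C:\WINDOWS\system32\??crosoft\wuauclt.exe",
    r"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe",
    r"C:\WINDOWS\system32\STEM~1\winlogon .exe",
    r'O4 - HKCU\..\Run: [Dreu] "C:\WINDOWS\system32\STEM~1\winlogon.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe",
]

if __name__ == "__main__":
    for entry, findings in scan(SAMPLE):
        print(f"{entry}\n    -> {'; '.join(findings)}")
```

A hit from this script is a reason to look at the file, not proof of infection: a vendor that really does ship a system-binary name from its own directory would trip the directory check too.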
mrdogboy (Junior Member, 23 posts, thread starter), Join Date: Oct 2006, Experience: Einstein
31-Jan-2008, 04:47 PM #6
drexel ftp and CC Listen are our applications. It's OK..
I ran the fixes then I ran the AVAST scan and everything is back to normal.
I removed everything from the registry that started in the RUN under Local Machine and Local User.. I sent the computer back to the customer. I'm sure I will be seeing it again, but this time it will get a total reformatting.. They needed the machine to get the QuickBooks and the W2 for the employees.


Thanks for your help !!

-lee
Jintan (Malware Removal Specialist, 1,164 posts), Join Date: Oct 2007
31-Jan-2008, 06:54 PM #7
Unlikely the Avast database would include any of the rootkit activity showing here. And as all the startups were removed they will find many of their programs corrupted or non-functional. Sounds like you trashed their system and sent it back infected. However, as I did not spend much time providing the steps here the pro-rated charges shouldn't be too much - let me know what the customer paid so I can prepare an invoice for you.
mrdogboy (Junior Member, 23 posts, thread starter), Join Date: Oct 2006, Experience: Einstein
01-Feb-2008, 10:37 AM #8
This was free work to the customer because they were closing the STORE, and just needed to get the employees' 1099 out of QuickBooks. The machine will be reformatted.

I would be MORE THAN Happy to pay you !!! MORE THAN HAPPY !! We can work out a rate and amount if you would like.. I'm not kidding and I'm not being sarcastic..

My email is rubin AT drexelmgt dot com
Jintan (Malware Removal Specialist, 1,164 posts), Join Date: Oct 2007
02-Feb-2008, 09:32 AM #9
Reformatting would be the best call given the situation, but they should be informed any data should be assumed compromised as well and take appropriate actions. Although in general the voluntary services we provide in forums are open to all who request them, they are not intended to supplement normal business proceedings in for-profit situations. As I understand it the TSG owner has computer services in your US state, so you may want to follow that lead if you are sincere about securing other assistance.