
BIG PROBLEM, I have seen this one, but I don't know where to start.

Discussion in 'Virus & Other Malware Removal' started by mrdogboy, Jan 28, 2008.

  1. mrdogboy

    mrdogboy Thread Starter

    Joined:
    Oct 16, 2006
    Messages:
    23
    The machine is at 100% CPU, and every now and then it pops up a window about my security, as well as a SHIELD in the TRAY. I've seen this before on other systems, but I don't remember the FIX. Here is my HijackThis report.

    Please HELP ME !!

    Logfile of HijackThis v1.99.1
    Scan saved at 2:23:38 PM, on 1/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ZG1p\command.exe
    c:\srvinst\srvany.exe
    D:\D3\D3Programs\D3Vme.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\ctyyfpqa.exe
    c:\program files\drexel ftpservice\ftpservice.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
    C:\WINDOWS\system32\r_server.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TZO\TZO_NT_Service.exe
    C:\WINDOWS\system32\svcd\svchost.exe
    C:\WINDOWS\system32\locator.exe
    D:\D3\D3Programs\d3odbcsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\??crosoft\wuauclt.exe
    C:\Program Files\QdrModule\QdrModule11.exe
    C:\Program Files\QdrPack\QdrPack11.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\QdrModule\QdrModule11 .exe
    C:\Program Files\Web Buying\v1.8.6\webbuying.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\QdrPack\QdrPack11 .exe
    C:\Program Files\Web Buying\v1.8.6\webbuying .exe
    C:\Program Files\Spyware Doctor\swdoctor .exe
    C:\WINDOWS\system32\AlarmS4.exe
    C:\Projects\CallerID\CallerId.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    F:\HJT-CWS.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-1Q5TG.tmp\is-M61FT.tmp
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe
    C:\WINDOWS\system32\STEM~1\winlogon .exe
    C:\WINDOWS\system32\STEM~1\winlogon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.222/
    F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsrq.exe
    F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Task Scheduler] C:\WINDOWS\system32\dlha\mstask32.com
    O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Intel Audio Studio V2.0] C:\WINDOWS\fmideploy.exe
    O4 - HKCU\..\Run: [IntelliMouse Explorer V2.3] C:\WINDOWS\netpefr32.exe
    O4 - HKCU\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe
    O4 - HKCU\..\Run: [Dreu] "C:\WINDOWS\system32\STEM~1\winlogon.exe" -vt ndrv
    O4 - HKCU\..\Run: [Wqktxuxy] C:\WINDOWS\system32\??crosoft\wuauclt.exe
    O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
    O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
    O4 - Global Startup: Shortcut to CallerId.lnk = C:\Projects\CallerID\CallerId.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted IP range: http://192.168.1.10
    O15 - Trusted IP range: http://192.168.1.222
    O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://www.mercurypay.com/MPS_Cust...&UICulture=1033&ReportStack=1&OpType=PrintCab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{40FDE946-C5BE-444D-8DF5-F0FDB64C396B}: NameServer = 192.168.1.1
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Hardware Monitoring Program (ADMService) - OSA Technologies Inc - C:\Program Files\Acer\eManager\admServ.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZG1p\command.exe
    O23 - Service: Credit Card Listener - Unknown owner - c:\srvinst\srvany.exe
    O23 - Service: D3 ODBC Server (D3odbcsv) - Raining Data - D:\D3\D3Programs\d3odbcsv.exe
    O23 - Service: D3 Virtual Machine Environment (D3Vme) - Raining Data - D:\D3\D3Programs\D3Vme.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\ctyyfpqa.exe
    O23 - Service: DrexelFTPService - - c:\program files\drexel ftpservice\ftpservice.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
    O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
    O23 - Service: Security Service (UXIA) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
     
  2. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Hello mrdogboy.

    Very seriously infected system there. We will do some repairs and adjust as we go, but given the level of infection and the way it has loaded itself there, removal of it could possibly lead to a requirement to reinstall the operating system. We have an excellent success rate in this forum, but it is good to give an upfront caution when one is warranted.


    You will want to copy or have other access to these steps, as they will be done while offline.

    Be sure to temporarily disable any protective software when running the scan tools we use here.

    Download SDFix.exe and save it to your desktop.

    Download ComboFix.exe from here to your desktop.

    Then disconnect from net access. If cable/DSL, physically disconnect the modem cable; if dial-up, disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot click on the downloaded ComboFix.exe to run the scan.

    When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you, so you will understand that the procedures are expected and okay.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

    Reconnect to net access, and post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.
     
  3. mrdogboy

    mrdogboy Thread Starter

    Joined:
    Oct 16, 2006
    Messages:
    23
    here's my SD Report:


    SDFix: Version 1.133

    Run by Administrator on Tue 01/29/2008 at 12:24 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    cmdService
    Network Monitor
    ntload

    Path:
    C:\WINDOWS\ZG1p\command.exe
    C:\Program Files\Network Monitor\netmon.exe service
    \??\C:\WINDOWS\system32\ntload.sys

    cmdService - Deleted
    Network Monitor - Deleted
    ntload - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\PROGRA~1\INTERN~1\DIVOVY~1.HTM - Deleted
    C:\Documents and Settings\Administrator\Desktop\Online Security Center.URL - Deleted
    C:\Temp\1cb\syscheck.log - Deleted
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
    C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe - Deleted
    C:\WINDOWS\system32\atmtd.dll - Deleted
    C:\WINDOWS\system32\atmtd.dll._ - Deleted
    C:\WINDOWS\system32\CID - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted
    C:\WINDOWS\system32\svcd\svchost.exe - Deleted
    C:\WINDOWS\system32\SvcNm - Deleted
    C:\WINDOWS\system32\update32.exe.tmp - Deleted
    C:\WINDOWS\system32\upds.log - Deleted
    C:\WINDOWS\system32\url1 - Deleted
    C:\WINDOWS\system32\url2 - Deleted
    C:\WINDOWS\system32\url3 - Deleted
    C:\WINDOWS\system32\winsrc.dll - Deleted
    C:\WINDOWS\system32\wscmp.dll - Deleted
    C:\WINDOWS\system32\wscmp.dll.tmp - Deleted
    C:\WINDOWS\TTC-4444.exe - Deleted
    C:\WINDOWS\uninstall_nmon.vbs - Deleted


    Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

    Folder C:\Program Files\InetGet2 - Removed
    Folder C:\Program Files\Network Monitor - Removed
    Folder C:\Temp\1cb - Removed
    Folder C:\Temp\tn3 - Removed
    Folder C:\WINDOWS\system32\svcd - Removed


    Removing Temp Files...

    ADS Check:




    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-29 12:34:40
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
    "C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:IE6"
    "C:\\WINDOWS\\system32\\ctyyfpqa.exe"="C:\\WINDOWS\\system32\\cty"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

    Remaining Files:
    ---------------
    C:\WINDOWS\system32\drivers\core.cache.dsk Found

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Tue 26 Oct 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
    Tue 26 Oct 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
    Tue 26 Oct 2004 1,024 ...HR --- "C:\WINDOWS\system32\ntiembed.dll"

    Finished!
     
  4. mrdogboy

    mrdogboy Thread Starter

    Joined:
    Oct 16, 2006
    Messages:
    23
    My COMBOfix report:

    ComboFix 08-01-29.3 - Administrator 2008-01-29 12:46:16.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239 [GMT -5:00]
    Running from: F:\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\d3startup\Application Data\NetMon
    C:\Documents and Settings\d3startup\Application Data\NetMon\domains.txt
    C:\Documents and Settings\d3startup\Application Data\NetMon\log.txt
    C:\Documents and Settings\d3startup\Desktop\Online Security Center.URL
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon
    C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive9.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dic.gz
    C:\Program Files\QdrModule\kwd.gz
    C:\Program Files\QdrModule\QdrModule11 .exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\QdrPack11 .exe
    C:\Program Files\QdrPack\trgts.gz
    C:\Program Files\web buying
    C:\Program Files\web buying\v1.8.6\wbuninst.exe
    C:\temp\tn3
    C:\WINDOWS\system32\000080.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\byxyvtr.dll
    C:\WINDOWS\system32\crosof~1
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
    C:\WINDOWS\system32\kpycaqh.dll
    C:\WINDOWS\system32\mljjhgh.dll
    C:\WINDOWS\system32\nnnnnli.dll
    C:\WINDOWS\system32\nrrxpiax.ini
    C:\WINDOWS\system32\petaktuu.ini
    C:\WINDOWS\system32\qrstv.ini
    C:\WINDOWS\system32\qrstv.ini2
    C:\WINDOWS\system32\stem~1
    C:\WINDOWS\system32\stem~1\??stem\
    C:\WINDOWS\system32\tuvuvuu.dll
    C:\WINDOWS\system32\xxyywwt.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
    .

    2008-01-29 12:49 . 2008-01-29 12:49 <DIR> d-------- C:\temp\tn3
    2008-01-29 12:48 . 2008-01-29 12:48 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-01-29 12:23 . 2008-01-29 12:23 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-28 16:14 . 2008-01-28 16:13 241,664 --a------ C:\techload.dll
    2008-01-28 16:13 . 2008-01-28 16:13 241,664 --a------ C:\WINDOWS\certproc32 .exe
    2008-01-28 15:38 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-01-28 15:38 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-01-28 15:38 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-01-28 15:37 . 2008-01-28 15:37 <DIR> d-------- C:\Program Files\Alwil Software
    2008-01-28 15:37 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-01-28 15:37 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
    2008-01-28 15:37 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2008-01-28 15:37 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-01-28 15:37 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-01-14 13:41 . 2008-01-14 13:41 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-01-14 13:08 . 2008-01-14 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PrevxCSI
    2008-01-14 13:05 . 2008-01-14 13:03 613,432 --a------ C:\PREVXCSIFREE.EXE
    2008-01-14 12:45 . 2008-01-25 14:58 245,760 --a------ C:\WINDOWS\system32\Check .exe
    2008-01-14 12:45 . 2008-01-25 14:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
    2008-01-14 12:45 . 2008-01-25 14:58 118,784 --a------ C:\WINDOWS\system32\hkcmd .exe
    2008-01-14 12:28 . 2007-05-17 07:28 549,376 --------- C:\WINDOWS\system32\oleaut32.dll
    2008-01-14 12:26 . 2007-11-07 04:26 721,920 --a------ C:\WINDOWS\system32\lsasrv.dll
    2008-01-14 12:26 . 2007-04-25 10:21 144,896 --a------ C:\WINDOWS\system32\schannel.dll
    2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\ZG1p
    2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\vt8
    2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\mp2
    2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\ez4
    2008-01-12 18:27 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\che9
    2008-01-12 18:27 . 2008-01-12 18:27 86,016 --a------ C:\WINDOWS\system32\drivers\ip6fww.sys
    2008-01-12 18:26 . 2008-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\edcA01
    2008-01-12 18:26 . 2008-01-12 18:26 <DIR> d-------- C:\temp\Ryuan1
    2008-01-12 17:47 . 2008-01-12 17:47 34,816 --a------ C:\winiqre.exe
    2008-01-05 16:52 . 2008-01-12 17:23 146 --a------ C:\WINDOWS\gtiplus.ini
    2007-12-30 12:39 . 2007-12-30 12:40 231,424 --a------ C:\WINDOWS\mapisrv32.dll
    2007-12-30 12:39 . 2007-12-30 12:40 10,240 --a------ C:\WINDOWS\jtcres32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-28 19:52 63 ----a-w C:\ccstat.dat
    2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    .
    Code:
    ----a-w           241,664 2008-01-28 21:13:14  C:\WINDOWS\certproc32 .exe
    ----a-w           118,784 2008-01-25 19:58:44  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           155,648 2008-01-25 19:58:40  C:\WINDOWS\system32\igfxtray .exe
    ----a-w           245,760 2008-01-25 19:58:54  C:\WINDOWS\system32\Check .exe
    ----a-w           176,128 2008-01-25 19:59:42  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
    ----a-w            59,392 2008-01-15 16:19:22  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
    ----a-w           455,168 2008-01-15 16:19:24  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
    ----a-w           208,952 2008-01-15 16:19:18  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
    ----a-w            44,032 2008-01-15 16:19:18  C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE
    ----a-w            92,160 2008-01-15 16:19:52  C:\Documents and Settings\Administrator\Application Data\PrevxCSI\PrevxCSI .exe
    ----a-w         1,694,208 2008-01-28 21:13:44  C:\Program Files\Messenger\msmsgs .exe
    ----a-w            57,344 2008-01-25 20:00:04  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
    ----a-w         1,393,664 2008-01-25 19:59:24  C:\Program Files\acer\eManager\admtray .exe
    ----a-w            40,960 2008-01-25 19:58:54  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w            32,881 2008-01-25 19:59:16  C:\Program Files\Java\j2re1.4.2_05\bin\jusched .exe
    ----a-w           241,664 2008-01-25 19:59:46  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
    ----a-w            49,152 2008-01-25 19:59:54  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           323,584 2008-01-25 19:59:48  C:\Program Files\TZO\TZOClient .exe
    ----a-w           469,824 2008-01-25 19:59:50  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
    ----a-w           282,624 2008-01-25 20:00:00  C:\Program Files\QuickTime\qttask   .exe
    ----a-w         1,831,936 2008-01-25 20:00:10  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
    ----a-w            68,856 2008-01-28 21:13:42  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w         1,503,232 2008-01-28 21:13:50  C:\Program Files\Spyware Doctor\swdoctor .exe
    ----a-w           108,160 2008-01-28 21:13:40  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
    ----a-w           372,736 2008-01-25 19:59:00  C:\Acer\PSM .EXE

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94F9AB49-6EAC-382F-DA5C-4BE604870F91}]
    C:\WINDOWS\system32\agyqlxm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD51DB68-9160-43B3-3186-6EB948D028C0}]
    C:\Program Files\Internet Explorer\zymihazu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D68F6CAC-FE0A-4960-8E41-2F8A2CE6AD38}]
    C:\WINDOWS\system32\vtsrq.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliMouse Explorer V2.3"="C:\WINDOWS\netpefr32.exe" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Shortcut to CallerId.lnk - C:\Projects\CallerID\CallerId.exe [2005-07-11 16:31:01 45056]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 03:19:24 237568]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 10:36:08 960032]
    QuickBooks Database Server Manager.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe [2006-09-19 10:31:58 149024]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggedec]
    hggedec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    R1 ip6fww;ip6fww;C:\WINDOWS\system32\drivers\ip6fww.sys [2008-01-12 18:27]
    R2 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-02-24 10:19]
    R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2004-09-20 17:37]
    R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe [2006-09-13 10:32]
    R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2001-07-24 10:15]
    S2 UXIA;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
    S3 Credit Card Listener;Credit Card Listener;c:\srvinst\srvany.exe [2002-05-03 08:29]
    S3 D3odbcsv;D3 ODBC Server ;D:\D3\D3Programs\d3odbcsv.exe [2005-01-04 16:01]
    S3 D3Vme;D3 Virtual Machine Environment;D:\D3\D3Programs\D3Vme.exe [2005-01-04 16:01]
    S3 int15.sys;int15.sys;C:\Program Files\acer\erecovery\int15.sys [2004-11-03 09:06]
    S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2004-06-07 18:32]
    S3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-15 14:57]
    S4 DrexelFTPService;DrexelFTPService;c:\program files\drexel ftpservice\ftpservice.exe [2005-09-30 12:04]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Audio Studio V2.8]
    C:\WINDOWS\flsmontr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\IntelliMouse Explorer V2.3]
    C:\WINDOWS\netpefr32.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-29 17:33:54 C:\WINDOWS\Tasks\DMIBackUp.job"
    - C:\PROGRA~1\DMIBAC~1\DMIBAC~1.EXE
    "2008-01-29 12:01:02 C:\WINDOWS\Tasks\deltmp.job"
    - C:\chuck\deltmp.bat
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-29 12:49:17
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
    C:\WINDOWS\system32\r_server.exe
    C:\WINDOWS\system32\tlntsvr.exe
    C:\Program Files\TZO\TZO_NT_Service.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Projects\CallerID\CallerId.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-01-29 12:50:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-29 17:50:30
    .
    2008-01-28 20:31:59 --- E O F ---
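Two of the indicators a reviewer would look for in a service listing like the one above are visible in the UXIA entry: a binary named svchost.exe that lives in a subfolder (system32\svcd) instead of C:\WINDOWS\system32, and an image path with no file timestamp recorded. As an added example (not part of this thread, and not code from ComboFix or any tool the posters used), the Python script below parses service lines in the ComboFix listing format and flags exactly those two conditions. The sample lines are constructed from entries in the log; the expected system directory and the set of core Windows binary names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the ComboFix service-listing format seen in the log:
#   <start type> <service name>;<display name>;<image path> [<file timestamp>]
SAMPLE_SERVICE_LINES = r"""
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2001-07-24 10:15]
S2 UXIA;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 Credit Card Listener;Credit Card Listener;c:\srvinst\srvany.exe [2002-05-03 08:29]
S3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-15 14:57]
S4 DrexelFTPService;DrexelFTPService;c:\program files\drexel ftpservice\ftpservice.exe [2005-09-30 12:04]
"""

SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<ts>[^\]]*)\]\s*$"
)

# Assumption: core Windows binaries are expected only in C:\WINDOWS\system32,
# the system root shown in the log. A copy with one of these names anywhere
# else is worth a closer look.
CORE_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "spoolsv.exe",
}
EXPECTED_DIR = r"c:\windows\system32"


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    timestamp: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; returns None for lines that are not service entries."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    # Image paths may be wrapped in double quotes (see the r_server line).
    path = m.group("path").strip().strip('"')
    return ServiceEntry(
        m.group("start"),
        m.group("name").strip(),
        m.group("display").strip(),
        path,
        m.group("ts").strip(),
    )


def assess(entry: ServiceEntry) -> List[str]:
    """Return human-readable findings for a single service entry."""
    findings: List[str] = []
    directory, _, binary = entry.path.lower().rpartition("\\")
    if binary in CORE_BINARIES and directory != EXPECTED_DIR:
        findings.append(f"core binary name {binary} outside {EXPECTED_DIR}: {entry.path}")
    if not entry.timestamp:
        findings.append("no file timestamp recorded for image path")
    return findings


def triage(report_text: str) -> Dict[str, List[str]]:
    """Map service name -> findings, for every service line that raised at least one."""
    results: Dict[str, List[str]] = {}
    for line in report_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        findings = assess(entry)
        if findings:
            results[entry.name] = findings
    return results


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_SERVICE_LINES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the constructed sample, only UXIA is reported, with both findings; r_server and the two business services the poster later vouched for pass, which is the point: the script narrows the list to entries that need a human decision rather than making that decision itself.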
     
  5. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Bad news is that all of your startup files have been replaced by malware copies, and something has already caused sufficient damage (perhaps some scan done) that appears to have removed the actual registry startup entries for them. This indicates all will require reinstallation of the software (as opposed to just locating and returning legit copies after cleaning is done). The services removed already by those two scans done were info stealers, so you can assume all personal and security data such as passwords and key info has been compromised. You will want to either contact any banking/credit accounts ever accessed on this system, or closely monitor them for the near future, and from a different system change all secure logons/passwords.

    These next few repair steps will require aggressive removal procedures, so I want to be sure we err as little as possible. Do you recognize either of these two services or their software?

    drexel ftpservice
    Credit Card Listener
     
  6. mrdogboy

    mrdogboy Thread Starter

    Joined:
    Oct 16, 2006
    Messages:
    23
    drexel ftp and CC Listen are our applications. It's OK..
    I ran the fixes, then I ran the AVAST scan and everything is back to normal.
    I removed everything from the registry that started in the RUN under Local Machine and Local User.. I sent the computer back to the customer. I'm sure I will be seeing it again, but this time it will get a total reformatting.. They needed the machine to get the QuickBooks and the W2 for the employees.


    Thanks for your help !!

    -lee
     
  7. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Unlikely the Avast database would include any of the rootkit activity showing here. And as all the startups were removed they will find many of their programs corrupted or non-functional. Sounds like you trashed their system and sent it back infected. However, as I did not spend much time providing the steps here the pro-rated charges shouldn't be too much - let me know what the customer paid so I can prepare an invoice for you.
     
  8. mrdogboy

    mrdogboy Thread Starter

    Joined:
    Oct 16, 2006
    Messages:
    23
    This was free work to the customer because they were closing the STORE, and just needed to get the employees' 1099 out of QuickBooks. The machine will be reformatted.

    I would be MORE THAN Happy to pay you !!! MORE THAN HAPPY !! We can work out a rate and amount if you would like.. I'm not kidding and I'm not sarcastic..

    My email is rubin AT drexelmgt dot com
     
  9. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Reformatting would be the best call given the situation, but they should be informed any data should be assumed compromised as well and take appropriate actions. Although in general the voluntary services we provide in forums are open to all who request them, they are not intended to supplement normal business proceedings in for-profit situations. As I understand it the TSG owner has computer services in your US state, so you may want to follow that lead if you are sincere about securing other assistance.
     
Short URL to this thread: https://techguy.org/676966