Vayde

Infection

I've run full system scans with the latest versions of Spybot and Ad-Aware SE with updated definitions.

McAfee VirusScan log since infection:


31/05/2007 22:02:06 Deleted BACH\Dan rpcmonde.exe C:\WINDOWS\system32\rpcmon.exe W32/IRCbot.gen.a (Virus)

31/05/2007 22:10:33 Deleted BACH\Dan explorer.exe C:\Documents and Settings\Dan\Local Settings\Temp\mtncjpti.dll Vundo.dll (Trojan)

31/05/2007 22:11:50 Deleted BACH\Dan SpybotSD.exe C:\WINDOWS\smanager.7.exe Generic AdClicker.d (Trojan)

31/05/2007 22:12:56 Deleted BACH\Dan SpybotSD.exe C:\WINDOWS\system32\drvvus.dll Generic.dx (Trojan)

31/05/2007 22:13:35 Deleted BACH\Dan SpybotSD.exe C:\WINDOWS\retadpu1000272.exe Downloader-BCF (Trojan)

31/05/2007 22:13:36 Deleted BACH\Dan SpybotSD.exe C:\WINDOWS\retadpu2000352.exe Downloader-BCF (Trojan)

31/05/2007 22:14:09 Deleted BACH\Dan SpybotSD.exe C:\WINDOWS\svchost.exe Generic Spy.b (Trojan)


01/06/2007 01:12:06 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\5LB385VG\q3q99[1].exe QLowZones-15 (Trojan)

01/06/2007 08:42:36 Move failed (Clean failed) BACH\Dan iexplore.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\9T21COSB\xc23[1].exe Generic AdClicker.d (Trojan)

01/06/2007 15:46:54 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\IJ6630WV\q3q99[1].exe QLowZones-15 (Trojan)

01/06/2007 22:09:12 Deleted BACH\Dan explorer.exe C:\Documents and Settings\Dan\Local Settings\Temp\adcaruvv.dll Vundo.dll (Trojan)

02/06/2007 09:07:16 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\9T21COSB\q3q99[1].exe QLowZones-15 (Trojan)


02/06/2007 10:27:07 Move failed (Clean failed) BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\IJ6630WV\xc23[1].exe Generic AdClicker.d (Trojan)

02/06/2007 10:27:30 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\FTX1H5YM\xc36[1].exe Generic Spy.b (Trojan)

02/06/2007 10:27:36 Deleted BACH\Dan win35A.tmp.exe C:\WINDOWS\retadpu1000272.exe Downloader-BCF (Trojan)

02/06/2007 10:27:36 Deleted BACH\Dan Yazzle1162OinAd C:\WINDOWS\Temp\mshtml2.exe Downloader-EV (Trojan)

02/06/2007 10:39:45 Deleted BACH\Dan explorer.exe C:\Documents and Settings\Dan\Local Settings\Temp\flbcrsjn.dll Vundo.dll (Trojan)

02/06/2007 16:38:12 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\5LB385VG\q3q99[1].exe QLowZones-15 (Trojan)


03/06/2007 02:07:20 Move failed (Clean failed) BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\FTX1H5YM\q3q99[1].exe QLowZones-15 (Trojan)

03/06/2007 02:07:24 Move failed (Clean failed) BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\FTX1H5YM\q3q99[1].exe QLowZones-15 (Trojan)

03/06/2007 12:13:30 Move failed (Clean failed) BACH\Dan iexplore.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\9T21COSB\q3q99[1].exe QLowZones-15 (Trojan)

03/06/2007 12:13:34 Move failed (Clean failed) BACH\Dan iexplore.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\9T21COSB\q3q99[1].exe QLowZones-15 (Trojan)

03/06/2007 12:36:19 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1F207E\BlackBox.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:19 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1F207E\VB.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:19 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1F207E\Dummy.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:19 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1F207E\Beyond.class Generic Downloader.v (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1C4605\GetAccess.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1C4605\Installer.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1C4605\NewSecurityClassLoader.class Generic Downloader.v (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\1C4605\NewURLClassLoader.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\20C029\GetAccess.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\20C029\Installer.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\20C029\NewSecurityClassLoader.class Generic Downloader.v (Trojan)

03/06/2007 12:36:36 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\20C029\NewURLClassLoader.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\31C5B9\Matrix.class JV/Shinwow (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\31C5B9\Counter.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\31C5B9\Dummy.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\31C5B9\Parser.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\2E3D80\Matrix.class JV/Shinwow (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\2E3D80\Counter.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\2E3D80\Dummy.class Exploit-ByteVerify (Trojan)

03/06/2007 12:36:45 Deleted BACH\Dan Ad-Aware.exe C:\Documents and Settings\Dan\Local Settings\Temp\AAWTMP\C1220875\2E3D80\Parser.class Exploit-ByteVerify (Trojan)

03/06/2007 12:41:58 Moved (Clean failed) BACH\Dan Ad-Aware.exe C:\Program Files\Alcohol Soft\Alcohol 120\Crack-FFF.exe Generic.dp (Trojan)

03/06/2007 12:43:36 Deleted BACH\Dan Ad-Aware.exe C:\Program Files\Common Files\Yazzle1162OinAdmin.exe Generic Downloader (Trojan)


Folder AAWTMP re-appears after delete.


HijackThis:


Logfile of HijackThis v1.99.1

Scan saved at 13:10:06, on 03/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\All Users\Application Data\udinajkv.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Dan\My Documents\Progs\hijackthis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {36A74AEE-1FBA-4C89-8A76-1F882BBB61AC} - C:\WINDOWS\system32\vtstq.dll (file missing)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-gb\msntb.dll

O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\hggdccy.dll (file missing)

O2 - BHO: (no name) - {C21902CF-9D64-4FC3-AD9A-9A3B3A427B22} - C:\WINDOWS\system32\awvvt.dll (file missing)

O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\xmaoqvyt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-gb\msntb.dll

O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\cnjdpaug.dll",realset

O4 - HKLM\..\Run: [udinajkv.exe] C:\Documents and Settings\All Users\Application Data\udinajkv.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe


Help anyone?

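The VirusScan log in the post above can be triaged mechanically. As an added example that is not part of the original post, this Python script parses that log format (six lines copied from the post as sample input), counts detections per threat name and per writing process, lists anything that could not be quarantined, and flags file names detected more than once, which is the re-infection signal in a log like this one; it assumes every logged path ends in .exe, .dll or .class, as all of them do on this page.

```python
import re
from collections import Counter

# One line of the McAfee VirusScan on-access log quoted in the post:
#   <dd/mm/yyyy> <hh:mm:ss> <action> <DOMAIN\user> <process> <path> <threat name> (<Virus|Trojan>)
# Paths and threat names both contain spaces, so the path is anchored on its drive letter and
# terminated at a file extension (assumption: every logged file is .exe, .dll or .class).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>Deleted|Moved \(Clean failed\)|Move failed \(Clean failed\)) "
    r"(?P<user>\S+) (?P<process>\S+) "
    r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|class)) "
    r"(?P<threat>.+?) \((?P<kind>Virus|Trojan)\)$"
)

# Sample input: six lines copied from the log in the post above.
SAMPLE_LOG = r"""
31/05/2007 22:02:06 Deleted BACH\Dan rpcmonde.exe C:\WINDOWS\system32\rpcmon.exe W32/IRCbot.gen.a (Virus)
31/05/2007 22:10:33 Deleted BACH\Dan explorer.exe C:\Documents and Settings\Dan\Local Settings\Temp\mtncjpti.dll Vundo.dll (Trojan)
31/05/2007 22:11:50 Deleted BACH\Dan SpybotSD.exe C:\WINDOWS\smanager.7.exe Generic AdClicker.d (Trojan)
01/06/2007 01:12:06 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\5LB385VG\q3q99[1].exe QLowZones-15 (Trojan)
01/06/2007 08:42:36 Move failed (Clean failed) BACH\Dan iexplore.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\9T21COSB\xc23[1].exe Generic AdClicker.d (Trojan)
01/06/2007 15:46:54 Deleted BACH\Dan firefox.exe C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\IJ6630WV\q3q99[1].exe QLowZones-15 (Trojan)
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a detection record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["filename"] = entry["path"].rsplit("\\", 1)[-1]
    return entry

def triage(log_text):
    """Summarise a pasted log: what was found, which process wrote it, what the scanner
    could not even quarantine ("Move failed"), and which file names keep coming back."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    filenames = Counter(e["filename"] for e in entries)
    return {
        "parsed": len(entries),
        "by_threat": Counter(e["threat"] for e in entries),
        "by_process": Counter(e["process"] for e in entries),
        "not_contained": [(e["date"], e["time"], e["path"], e["threat"])
                          for e in entries if e["action"].startswith("Move failed")],
        "redetected": {name: n for name, n in filenames.items() if n > 1},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A file name that is deleted and then reappears under a different browser-cache directory, as q3q99[1].exe does here, tells you the download source is still active rather than that the scanner is failing.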

1. Download this file - combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.


Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
