Tech Support Forum - HijackThis Log Help
#1
Registered User
Join Date: Apr 2008
Posts: 8
OS: XP Home SP2
TrojanDownloader Del.12.AN
Hi,

I've been trying to help a neighbour with a problem AVG reports. Every now and then, and every time I go to Windows Explorer, AVG pops up a red warning message:

Threat Detected! While opening file C:\Windows\System32\atmli.dll Trojan horse Downloader.Delf.12AN

It offers the Heal and Move to Vault option. I've tried them both numerous times to no avail.

I've tried AdAware, which removed numerous infections, but the problem persists. I tried HijackThis, which confirms the presence of BHO atmli.dll, but HijackThis cannot fix it, despite numerous tries. I tried ComboFix, following a suggestion in another, similar thread on this forum - no go.

I've tried to remove the file manually through Windows Explorer, but simply get an Access Denied message. I've tried booting into Safe Mode with Command Prompt and using the old DOS commands to delete it, or change its attributes (-r -a -s -h), but again access is denied. I haven't tried SpyBot - the machine is offline. Both AVG and AdAware are up to date definitions-wise.

I've gone through your 5 suggested steps, apart from the Panda scan, since the machine isn't connected to the Internet, and attach the Deckard scan log file.

I'd appreciate any help you can give - this one has me stumped!

Cheers,
Frank
#2
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria, Australia
Posts: 7,405
OS: XP Pro SP3
Re: TrojanDownloader Del.12.AN
OK. We need to download ComboFix.exe. This will give a better view of the files running, and also hidden, on your computer.

Please visit this webpage for download links and instructions for running ComboFix.

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
An Australian Member of [image] Eddy
#3
Registered User
Join Date: Apr 2008
Posts: 8
OS: XP Home SP2
Re: TrojanDownloader Del.12.AN
Hi, Pancake, thanks for responding. Combofix and new HijackThis logs are attached.
Thanks, Frank

ComboFix 08-04-20.1 - Jackie 2008-04-24 11:04:12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.453 [GMT 1:00]
Running from: C:\Documents and Settings\Jackie\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d----c--- C:\Deckard
2008-04-21 10:34 . 2008-04-21 10:35 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 10:33 . 2008-04-21 10:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 17:47 . 2008-04-21 19:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-20 14:34 . 2008-04-20 14:34 <DIR> d-------- C:\Program Files\AvRack
2008-04-20 14:34 . 2008-04-20 14:34 <DIR> d-------- C:\Program Files\Avance Sound Manager
2008-04-20 14:34 . 2002-05-06 10:28 616,960 --------- C:\WINDOWS\system32\alsndmgr.cpl
2008-04-20 14:34 . 2002-05-06 16:05 614,012 --------- C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-04-20 14:34 . 2002-04-23 04:12 208,896 --------- C:\WINDOWS\alcupd.exe
2008-04-20 14:34 . 2002-02-05 06:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-04-20 14:34 . 2002-04-23 03:13 135,168 --------- C:\WINDOWS\alcrmv.exe
2008-04-20 14:34 . 2002-03-21 03:23 46,592 --------- C:\WINDOWS\soundman.exe
2008-04-20 14:34 . 2001-07-05 17:19 164 --------- C:\WINDOWS\avrack.ini
2008-04-20 12:42 . 2008-04-20 13:26 19,456 --a------ C:\Documents and Settings\Jackie\Computer Spec.doc
2008-04-09 18:55 . 2008-04-09 18:55 <DIR> d-------- C:\Program Files\LG Electronics
2008-04-02 13:00 . 2008-04-04 08:51 <DIR> d--h----- C:\Program Files\IE bho
2008-04-02 12:47 . 2008-04-24 11:03 <DIR> dr-h-c--- C:\$VAULT$.AVG
2008-04-01 19:03 . 2008-04-02 09:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\System Doctor Free
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 10:00 --------- d-----w C:\Program Files\Common Files\DriveCleaner Freeware
2008-04-21 09:35 --------- d-----w C:\Program Files\Lavasoft
2008-04-21 09:35 --------- d-----w C:\Documents and Settings\Jackie\Application Data\Lavasoft
2008-04-20 13:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-20 12:30 --------- d-----w C:\Program Files\Global Beach
2008-04-20 11:57 --------- d-----w C:\Documents and Settings\Jackie\Application Data\AVG7
2008-04-20 11:53 --------- d-----w C:\Program Files\Google
2008-04-20 11:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 11:49 --------- d-----w C:\Program Files\Microsoft Games
2008-04-20 11:48 --------- d-----w C:\Program Files\InterActual
2008-04-20 11:24 --------- d-----w C:\Program Files\eGames
2008-04-17 18:07 --------- d-----w C:\Program Files\Samsung
2008-04-17 18:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 18:07 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-17 18:07 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-17 18:03 --------- d-----w C:\Program Files\LGGSM
2008-04-17 17:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-17 17:52 --------- d-----w C:\Documents and Settings\Jackie\Application Data\AOL
2008-04-12 11:14 --------- d-----w C:\Program Files\Picasa2
2008-04-09 17:54 --------- d-----w C:\Program Files\Greetings Workshop
2008-04-09 17:52 --------- d-----w C:\Program Files\Oberon Media
2008-04-04 07:51 --------- d-----w C:\Program Files\SpyShredder
2008-04-04 07:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-04-02 10:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-01 17:18 --------- d-----w C:\Program Files\DriveCleaner Freeware
2008-03-29 08:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCSuperCharger
2008-03-26 19:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 16:19 98,048 ----a-w C:\WINDOWS\system32\atmli.dll
2008-03-01 22:46 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 11:54 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 11:50 --------- d-----w C:\Program Files\Windows Live
2008-03-01 11:47 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 11:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-10-03 02:43 2,402,550 -c--a-w C:\WINDOWS\inf\SETB6.tmp
2006-10-03 02:43 2,402,550 -c----w C:\WINDOWS\inf\SET66.tmp
2007-11-11 09:14 447,561 --sh--w C:\WINDOWS\system32\wadgh.bak1
2007-11-13 18:17 645,594 --sh--w C:\WINDOWS\system32\wadgh.bak2
2007-11-13 18:58 645,211 --sh--w C:\WINDOWS\system32\wadgh.ini2
.
((((((((((((((((((((((((((((( snapshot@2008-04-20_19.05.04.63 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 17:59:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 10:01:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 09:34:38 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-21 09:34:38 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-21 09:34:38 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-21 09:34:38 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2008-04-20 16:25:27 2,204 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{8F418895-36E1-4CF1-BCFF-7D7FA7B16076}.bin
+ 2008-04-20 19:41:03 2,936 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{8F418895-36E1-4CF1-BCFF-7D7FA7B16076}.bin
+ 2007-07-11 13:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 12:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 12:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-12-14 11:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-04-24 10:01:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F228713-892A-4253-A13C-672ABA8BCED2}]
2008-03-05 17:19 98048 --a------ C:\WINDOWS\system32\atmli.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 15:45 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-04 01:56 15360]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-05-02 15:19 49152]
"SurfNavigator"="C:\WINDOWS\system32\SurferClient.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-02 11:50 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jackie^Start Menu^Programs^Startup^360Share Pro On Startup.lnk]
path=C:\Documents and Settings\Jackie\Start Menu\Programs\Startup\360Share Pro On Startup.lnk
backup=C:\WINDOWS\pss\360Share Pro On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jackie^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
path=C:\Documents and Settings\Jackie\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutomatedSurfer]
C:\WINDOWS\system32\SurferClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a--c--- 2002-09-11 13:58 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a--c--- 2002-09-11 13:57 45056 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a--c--- 2002-09-09 18:16 90112 C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a--c--- 1999-08-04 00:00 127040 C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2000-10-16 09:37 32768 C:\WINDOWS\System32\rmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2002-03-21 03:23 46592 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfNavigator]
C:\WINDOWS\system32\SurferClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]
C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSFtpsvc"=2 (0x2)
"KPF4"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"IISADMIN"=2 (0x2)
"WZCSVC"=2 (0x2)
"Spooler"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\sys-browser\\uninstall.exe"=
"C:\WINDOWS\system32\kqjptjrg.exe"= C:\WINDOWS\system32\kqj
"C:\WINDOWS\system32\nwjxthvt.exe"= C:\WINDOWS\system32\nwj
"C:\WINDOWS\system32\drvehwrj.exe"= C:\WINDOWS\system32\drv
"C:\WINDOWS\system32\tsmhmxgj.exe"= C:\WINDOWS\system32\tsm
"C:\WINDOWS\system32\gigcbhhq.exe"= C:\WINDOWS\system32\gig
"C:\WINDOWS\system32\hlorfkyt.exe"= C:\WINDOWS\system32\hlo
"C:\WINDOWS\system32\rhnoppmr.exe"= C:\WINDOWS\system32\rhn
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R0 lvajlhhi;lvajlhhi;C:\WINDOWS\system32\drivers\jznehkcz.dat []
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 07:45]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2001-09-10 19:09]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 15:16]
S3 rtport;rtport;C:\WINDOWS\system32\drivers\rtport.sys [2002-10-10 00:20]
.
Contents of the 'Scheduled Tasks' folder
"2005-03-07 20:20:00 C:\WINDOWS\Tasks\dfrg.job" - C:\WINDOWS\system32\dfrg.msc
"2008-04-16 15:00:01 C:\WINDOWS\Tasks\{10E2629A-EEE0-468D-B6B1-3F115A5CFA9E}_JOHNSON-2BXMAYI_Jackie.job" - C:\WINDOWS\system32\mobsync.exeK /Schedule=
"2008-04-04 08:00:01 C:\WINDOWS\Tasks\{DA0D12F6-DED3-48A7-8C20-25FBC3C8463A}_JOHNSON-2BXMAYI_Jackie.job" - C:\WINDOWS\system32\mobsync.exeK /Schedule=
"2008-04-04 15:00:00 C:\WINDOWS\Tasks\{E907A9C9-1CB6-4253-A54D-427E02EF3E6A}_JOHNSON-2BXMAYI_Jackie.job" - C:\WINDOWS\system32\mobsync.exeK /Schedule=
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11 36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet132\Services\lvajlhhi]
"ImagePath"="system32\drivers\jznehkcz.dat"
.
Completion time: 2008-04-24 11:08:10
ComboFix-quarantined-files.txt 2008-04-24 10:08:05
ComboFix2.txt 2008-04-20 18:58:57
ComboFix3.txt 2008-04-20 18:25:08
ComboFix4.txt 2008-04-20 18 14
Pre-Run: 13,846,708,224 bytes free
Post-Run: 13,811,228,672 bytes free
226 --- E O F --- 2008-04-09 18:23:39

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:48, on 24/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Documents and Settings\Jackie\Desktop\HiJackThis.exe
C:\Documents and Settings\Jackie\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {7F228713-892A-4253-A13C-672ABA8BCED2} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 2769 bytes

Last edited by Pancake : 04-24-2008 at 04:04 AM. Reason: Copied and pasted for better viewing....
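As an added example (not part of this thread, and not code from HijackThis, ComboFix or AVG), the Python script below shows how a defender can triage lines from logs like the ones posted above and in the later ComboFix log: it flags an O2 BHO entry with no name, Security Center override values set to 1 (which silence the antivirus and firewall warnings), executables in system32 with random-looking eight-letter names in the firewall's authorized-applications list, and an R0 boot driver whose image is not a .sys file. The sample input is constructed from a handful of lines in this post; the rule names, the `KNOWN_SYSTEM32` allowlist and the vowel-count heuristic are my own assumptions, not anything the tools produce.

```python
import re

# Constructed sample input: a handful of lines modelled on the HijackThis and
# ComboFix output posted in this thread (not the complete logs).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7F228713-892A-4253-A13C-672ABA8BCED2} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\WINDOWS\system32\kqjptjrg.exe"= C:\WINDOWS\system32\kqj
"C:\WINDOWS\system32\nwjxthvt.exe"= C:\WINDOWS\system32\nwj
R0 lvajlhhi;lvajlhhi;C:\WINDOWS\system32\drivers\jznehkcz.dat []
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 07:45]
"""

# Eight-letter Windows XP binaries that would otherwise trip the random-name
# heuristic (assumed, partial allowlist; extend it for your own environment).
KNOWN_SYSTEM32 = {"services", "winlogon", "explorer"}

# Security Center values that, when set to 1, suppress the AV/firewall warnings.
SECURITY_CENTER_OVERRIDES = {"AntiVirusDisableNotify", "AntiVirusOverride", "FirewallOverride"}

RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I)
RE_DWORD = re.compile(r'^"(?P<key>\w+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)
# Matches system32\name.exe or the doubled-backslash form ComboFix prints for
# firewall entries; the stem must be exactly eight letters.
RE_SYSTEM32_EXE = re.compile(r"system32\\{1,2}(?P<stem>[a-z]{8})\.exe", re.I)
# ComboFix driver/service lines: "<start type> <name>;<display name>;<image path> [...]"
RE_DRIVER = re.compile(r"^(?P<start>[RS][0-4]) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>\S+)")


def looks_random(stem: str) -> bool:
    """Heuristic: eight letters with fewer than two vowels, not a known system binary."""
    stem = stem.lower()
    if stem in KNOWN_SYSTEM32:
        return False
    return sum(1 for c in stem if c in "aeiou") < 2


def triage(log_text: str) -> list:
    """Return (rule, detail) findings for the suspicious lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A browser helper object that registers no name is worth a closer look.
        m = RE_BHO.match(line)
        if m and m.group("name").strip().lower() == "(no name)":
            findings.append(("bho_no_name", m.group("path")))
        # Security Center overrides set to 1 hide "no antivirus / no firewall" alerts.
        m = RE_DWORD.match(line)
        if m and m.group("key") in SECURITY_CENTER_OVERRIDES and int(m.group("val"), 16) == 1:
            findings.append(("security_center_override", m.group("key")))
        # A boot-start (R0) driver normally loads a .sys image, not a .dat file.
        m = RE_DRIVER.match(line)
        if m and m.group("start") == "R0" and not m.group("image").lower().endswith(".sys"):
            findings.append(("boot_driver_odd_image", m.group("image")))
        # Random-looking executable names dropped into system32.
        for m in RE_SYSTEM32_EXE.finditer(line):
            if looks_random(m.group("stem")):
                findings.append(("random_name_system32_exe", m.group("stem").lower() + ".exe"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

The heuristics are deliberately narrow so they produce few false positives on a clean XP log: legitimate system binaries with eight-letter names (services.exe, winlogon.exe) pass the vowel check or sit on the allowlist, and the Security Center rule only fires on the three override values, not on every dword in the registry dump. Run it against a full pasted log and it prints one line per finding.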
#4
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria, Australia
Posts: 7,405
OS: XP Pro SP3
Re: TrojanDownloader Del.12.AN
Before we can carry on we need to install your Recovery Console.
Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
__________________
An Australian Member of [image] Eddy
#5
Registered User
Join Date: Apr 2008
Posts: 8
OS: XP Home SP2
Re: TrojanDownloader Del.12.AN
OK - sorry I missed that step. It all worked nicely as you outlined, and I've attached the new logs.
Thanks once again. :)

Cheers,
Frank

ComboFix 08-04-20.1 - Jackie 2008-04-28 11:26:25.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.459 [GMT 1:00]
Running from: C:\Documents and Settings\Jackie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jackie\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d----c--- C:\Deckard
2008-04-21 10:34 . 2008-04-21 10:35 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 10:33 . 2008-04-21 10:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 17:47 . 2008-04-21 19:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-20 14:34 . 2008-04-20 14:34 <DIR> d-------- C:\Program Files\AvRack
2008-04-20 14:34 . 2008-04-20 14:34 <DIR> d-------- C:\Program Files\Avance Sound Manager
2008-04-20 14:34 . 2002-05-06 10:28 616,960 --------- C:\WINDOWS\system32\alsndmgr.cpl
2008-04-20 14:34 . 2002-05-06 16:05 614,012 --------- C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-04-20 14:34 . 2002-04-23 04:12 208,896 --------- C:\WINDOWS\alcupd.exe
2008-04-20 14:34 . 2002-02-05 06:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-04-20 14:34 . 2002-04-23 03:13 135,168 --------- C:\WINDOWS\alcrmv.exe
2008-04-20 14:34 . 2002-03-21 03:23 46,592 --------- C:\WINDOWS\soundman.exe
2008-04-20 14:34 . 2001-07-05 17:19 164 --------- C:\WINDOWS\avrack.ini
2008-04-20 12:42 . 2008-04-20 13:26 19,456 --a------ C:\Documents and Settings\Jackie\Computer Spec.doc
2008-04-09 18:55 . 2008-04-09 18:55 <DIR> d-------- C:\Program Files\LG Electronics
2008-04-02 13:00 . 2008-04-04 08:51 <DIR> d--h----- C:\Program Files\IE bho
2008-04-02 12:47 . 2008-04-24 11:16 <DIR> dr-h-c--- C:\$VAULT$.AVG
2008-04-01 19:03 . 2008-04-02 09:19 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\System Doctor Free
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 10:00 --------- d-----w C:\Program Files\Common Files\DriveCleaner Freeware
2008-04-21 09:35 --------- d-----w C:\Program Files\Lavasoft
2008-04-21 09:35 --------- d-----w C:\Documents and Settings\Jackie\Application Data\Lavasoft
2008-04-20 13:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-20 12:30 --------- d-----w C:\Program Files\Global Beach
2008-04-20 11:57 --------- d-----w C:\Documents and Settings\Jackie\Application Data\AVG7
2008-04-20 11:53 --------- d-----w C:\Program Files\Google
2008-04-20 11:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 11:49 --------- d-----w C:\Program Files\Microsoft Games
2008-04-20 11:48 --------- d-----w C:\Program Files\InterActual
2008-04-20 11:24 --------- d-----w C:\Program Files\eGames
2008-04-17 18:07 --------- d-----w C:\Program Files\Samsung
2008-04-17 18:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 18:07 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-17 18:07 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-17 18:03 --------- d-----w C:\Program Files\LGGSM
2008-04-17 17:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-17 17:52 --------- d-----w C:\Documents and Settings\Jackie\Application Data\AOL
2008-04-12 11:14 --------- d-----w C:\Program Files\Picasa2
2008-04-09 17:54 --------- d-----w C:\Program Files\Greetings Workshop
2008-04-09 17:52 --------- d-----w C:\Program Files\Oberon Media
2008-04-04 07:51 --------- d-----w C:\Program Files\SpyShredder
2008-04-04 07:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-04-02 10:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-01 17:18 --------- d-----w C:\Program Files\DriveCleaner Freeware
2008-03-29 08:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCSuperCharger
2008-03-26 19:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 16:19 98,048 ----a-w C:\WINDOWS\system32\atmli.dll
2008-03-01 22:46 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 11:54 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 11:50 --------- d-----w C:\Program Files\Windows Live
2008-03-01 11:47 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 11:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-10-03 02:43 2,402,550 -c--a-w C:\WINDOWS\inf\SETB6.tmp
2006-10-03 02:43 2,402,550 -c----w C:\WINDOWS\inf\SET66.tmp
2007-11-11 09:14 447,561 --sh--w C:\WINDOWS\system32\wadgh.bak1
2007-11-13 18:17 645,594 --sh--w C:\WINDOWS\system32\wadgh.bak2
2007-11-13 18:58 645,211 --sh--w C:\WINDOWS\system32\wadgh.ini2
.
((((((((((((((((((((((((((((( snapshot@2008-04-20_19.05.04.63 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 17:59:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 10:00:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 09:34:38 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-21 09:34:38 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-21 09:34:38 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-21 09:34:38 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2008-04-20 16:25:27 2,204 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{8F418895-36E1-4CF1-BCFF-7D7FA7B16076}.bin
+ 2008-04-20 19:41:03 2,936 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{8F418895-36E1-4CF1-BCFF-7D7FA7B16076}.bin
+ 2007-07-11 13:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 12:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 12:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-12-14 11:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-04-24 10:01:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F228713-892A-4253-A13C-672ABA8BCED2}]
2008-03-05 17:19 98048 --a------ C:\WINDOWS\system32\atmli.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 15:45 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-04 01:56 15360]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-05-02 15:19 49152]
"SurfNavigator"="C:\WINDOWS\system32\SurferClient.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-02 11:50 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jackie^Start Menu^Programs^Startup^360Share Pro On Startup.lnk]
path=C:\Documents and Settings\Jackie\Start Menu\Programs\Startup\360Share Pro On Startup.lnk
backup=C:\WINDOWS\pss\360Share Pro On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jackie^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
path=C:\Documents and Settings\Jackie\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutomatedSurfer]
C:\WINDOWS\system32\SurferClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a--c--- 2002-09-11 13:58 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a--c--- 2002-09-11 13:57 45056 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a--c--- 2002-09-09 18:16 90112 C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a--c--- 1999-08-04 00:00 127040 C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2000-10-16 09:37 32768 C:\WINDOWS\System32\rmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2002-03-21 03:23 46592 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfNavigator]
C:\WINDOWS\system32\SurferClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]
C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSFtpsvc"=2 (0x2)
"KPF4"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"IISADMIN"=2 (0x2)
"WZCSVC"=2 (0x2)
"Spooler"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\sys-browser\\uninstall.exe"=
"C:\WINDOWS\system32\kqjptjrg.exe"= C:\WINDOWS\system32\kqj
"C:\WINDOWS\system32\nwjxthvt.exe"= C:\WINDOWS\system32\nwj
"C:\WINDOWS\system32\drvehwrj.exe"= C:\WINDOWS\system32\drv
"C:\WINDOWS\system32\tsmhmxgj.exe"= C:\WINDOWS\system32\tsm
"C:\WINDOWS\system32\gigcbhhq.exe"= C:\WINDOWS\system32\gig
"C:\WINDOWS\system32\hlorfkyt.exe"= C:\WINDOWS\system32\hlo
"C:\WINDOWS\system32\rhnoppmr.exe"= C:\WINDOWS\system32\rhn
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R0 lvajlhhi;lvajlhhi;C:\WINDOWS\system32\drivers\jznehkcz.dat []
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 07:45]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2001-09-10 19:09]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 15:16]
S3 rtport;rtport;C:\WINDOWS\system32\drivers\rtport.sys [2002-10-10 00:20]
.
Contents of the 'Scheduled Tasks' folder
"2005-03-07 20:20:00 C:\WINDOWS\Tasks\dfrg.job" - C:\WINDOWS\system32\dfrg.msc
"2008-04-16 15:00:01 C:\WINDOWS\Tasks\{10E2629A-EEE0-468D-B6B1-3F115A5CFA9E}_JOHNSON-2BXMAYI_Jackie.job" - C:\WINDOWS\system32\mobsync.exeK /Schedule=
"2008-04-04 08:00:01 C:\WINDOWS\Tasks\{DA0D12F6-DED3-48A7-8C20-25FBC3C8463A}_JOHNSON-2BXMAYI_Jackie.job" - C:\WINDOWS\system32\mobsync.exeK /Schedule=
"2008-04-04 15:00:00 C:\WINDOWS\Tasks\{E907A9C9-1CB6-4253-A54D-427E02EF3E6A}_JOHNSON-2BXMAYI_Jackie.job" - C:\WINDOWS\system32\mobsync.exeK /Schedule=
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 11:28:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 6 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet132\Services\lvajlhhi] "ImagePath"="system32\drivers\jznehkcz.dat" . Completion time: 2008-04-28 11:31:03 ComboFix-quarantined-files.txt 2008-04-28 10:30:31 ComboFix2.txt 2008-04-24 10:08:13 ComboFix3.txt 2008-04-20 18:58:57 ComboFix4.txt 2008-04-20 18:25:08 ComboFix5.txt 2008-04-20 18 14Pre-Run: 13,741,039,616 bytes free Post-Run: 13,692,530,688 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 235 --- E O F --- 2008-04-09 18:23:39 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:32:31, on 28/04/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\mqsvc.exe C:\WINDOWS\System32\mqtgsvc.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Jackie\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {7F228713-892A-4253-A13C-672ABA8BCED2} - C:\WINDOWS\system32\atmli.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Default user') O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- End of file - 2676 bytes Last edited by Pancake : 04-28-2008 at 03:21 PM. |
#6
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
Re: TrojanDownloader Del.12.AN
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: (no name) - {7F228713-892A-4253-A13C-672ABA8BCED2} - C:\WINDOWS\system32\atmli.dll

Reboot...............

=============================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
An Australian Member of
Eddy
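The instructions above hinge on reading a HijackThis log and deciding which O2 (BHO) line to tick. As an added illustration, not code from this thread or from HijackThis itself, here is a small Python parser for the HijackThis v2 line format shown in the logs above, with a triage rule that flags BHO entries registered with no name or loading from a system directory. The sample log is constructed from lines of the thread; the second BHO line and its all-zero CLSID are made up for contrast. The rule is a triage aid only: a flagged entry is a candidate for a second look, not a verdict.

```python
"""Parse HijackThis-style log lines and flag BHO entries worth a second look.

Added example; not part of the forum thread or of HijackThis.  The sample
log below is constructed from the line format seen in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample.  The atmli.dll line mirrors the thread; the second O2
# line with an all-zero CLSID is a made-up benign entry for contrast.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\explorer.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {7F228713-892A-4253-A13C-672ABA8BCED2} - C:\\WINDOWS\\system32\\atmli.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
--
End of file - 123 bytes
"""

# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O24: "<section> - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Body of an O2 line: "BHO: <name> - {CLSID} - <path>".
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str
    body: str

    def line(self) -> str:
        """Re-emit the entry exactly as HijackThis prints it."""
        return f"{self.section} - {self.body}"


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)


def parse_hjt_log(text: str) -> HjtLog:
    """Split a log into the running-process list and the section entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append(Entry(m["section"], m["body"]))
    return log


def suspicious_bhos(log: HjtLog) -> List[Dict[str, str]]:
    """Return O2 entries with no registered name or a system32 image path.

    Both traits are common for the kind of BHO in the thread; neither is
    proof on its own, so the reasons are reported for a human to weigh.
    """
    flagged = []
    for e in log.entries:
        if e.section != "O2":
            continue
        m = BHO_RE.match(e.body)
        if not m:
            continue
        reasons = []
        if m["name"].strip().lower() == "(no name)":
            reasons.append("no name")
        if "\\system32\\" in m["path"].lower():  # legitimate BHOs normally live under Program Files
            reasons.append("loads from system32")
        if reasons:
            flagged.append({"clsid": m["clsid"], "path": m["path"],
                            "line": e.line(), "reasons": ", ".join(reasons)})
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(parsed.processes)} processes, {len(parsed.entries)} entries")
    for hit in suspicious_bhos(parsed):
        print(f"{hit['line']}\n    -> {hit['reasons']}")
```

Run against the constructed sample, the atmli.dll line is the only O2 entry flagged (both reasons apply), and the `line` field reproduces the exact HijackThis line to tick, which is what a helper posts back for the user to fix.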
#7
Registered User
Join Date: Apr 2008
Posts: 8
OS: XP Home SP2
Re: TrojanDownloader Del.12.AN
Hi again, Pancake. Again, it all seemed to go smoothly enough. Here are the new Combofix and HijackThis logs.
I see atmli.dll is still there though - pesky little bleeder, isn't it! :( Cheers, Frank
#8
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
Re: TrojanDownloader Del.12.AN
__________________
An Australian Member of
Eddy
#9
Registered User
Join Date: Apr 2008
Posts: 8
OS: XP Home SP2
Re: TrojanDownloader Del.12.AN
Wow - bringing the heavy guns to bear! On booting the computer to carry out your latest instructions, it moaned about an inconsistency in the file system in C:\ and offered to check the disk. I skipped the check. Additionally, I did not receive the usual virus warning this time.
Attached are the 2 latest logs. Cheers, Frank
#10
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
Re: TrojanDownloader Del.12.AN
There are a lot of entries missing from your HJT log. What have you removed?
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: (no name) - {7F228713-892A-4253-A13C-672ABA8BCED2} - C:\WINDOWS\system32\atmli.dll

Reboot and post a new log
__________________
An Australian Member of
Eddy