5 Trojans keep taking me to partypoker.com Need help cleaning out

[brenda31]

I have found at least 3 combofix quarantined file logs, here's the second log.

Code: [Select]

2007-06-17 00:21      38400    --a------    C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-06-17 00:46      285273    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnlk.dll.vir
2007-06-17 00:49      1808184    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak1.vir
2007-06-17 00:49      62516    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kimmrbbf.dll.vir
2007-06-17 00:51      124436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gjidsoiv.dll.vir
2007-06-17 01:37      921779    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\viosdijg.ini.vir
2007-06-18 00:58      124436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cayjqija.dll.vir
2007-06-18 00:59      345    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ajiqjyac.ini.vir
2007-06-18 13:53      1811116    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.tmp.vir
2007-06-19 00:54      1813276    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak2.vir
2007-06-19 02:30      124436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ewscknwt.dll.vir
2007-06-19 19:59      901924    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\twnkcswe.ini.vir
2007-06-19 20:10      1812605    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini2.vir
2007-06-19 20:12      104    --a------    C:\Qoobox\Quarantine\catchme.log


Folder PATH listing
Volume serial number is 074F-92BD
C:\QOOBOX
\---Quarantine
    |   catchme.log
    |   
    +---C
    |   +---Program Files
    |   |   \---Common Files
    |   \---WINDOWS
    |       |   svhost.exe.vir
    |       |   
    |       \---system32
    |               ajiqjyac.ini.vir
    |               cayjqija.dll.vir
    |               ewscknwt.dll.vir
    |               gjidsoiv.dll.vir
    |               kimmrbbf.dll.vir
    |               klnmp.bak1.vir
    |               klnmp.bak2.vir
    |               klnmp.ini2.vir
    |               klnmp.tmp.vir
    |               pmnlk.dll.vir
    |               twnkcswe.ini.vir
    |               viosdijg.ini.vir
    |               
    \---Registry_backups


[mauserme]

Hmmm.  Not sure what's causing that.

It doesn't look like anything else is going into quarantine so let's get rid of kwinlodt.exe

Open OTMoveIt again and past this into the left pane

C:\WINDOWS\system32\kwinlodt.exe

Then click the move it button and post the results.

Any thoughts on NirCmd?

How is the computer running now?  Are there anymore trojan alerts or explorer redirects?

[brenda31]

File/Folder C:\WINDOWS\system32\kwinlodt.exe not found.
 
Created on 06-20-2007 23:24:19


As far as the NIRCmd does that have anything to do with the button on my laptop that lets me mute the sound with one touch or raise or lower the volume with the buttons at the top of the laptop?

[mauserme]

I don't believe so, but let's leave it for now but in a state where it can't run. 

Navigate to the file and rename it from kwinlodt.exe to kwinlodt.old.  You can work with the computer for a day or so and, if everything still functions as you expect, we will remove it at that point.

Other than this one questionable file I don't see anything else in the logs.  Are the symptoms gone now?

[brenda31]

The computer has ran better, I have not been redirected to any other sites.  This morning I did have one Trojan alert, although I cannot remember which one it was. 

[mauserme]

This morning I did have one Trojan alert, although I cannot remember which one it was. 

Do you remember if that was before or after the SuperAntiSpyware scans?

[brenda31]

I believe it was after and it was only one that popped up.  Should I run the spyware again?

[mauserme]

If you right click the avast a-icon, then click avast! log viewer, does the detection show up in the warnings section?

[brenda31]

I have also ran a file search kwinlodt.exe so that I can rename it to kwinlodt.old however it did not turn up.

[mauserme]

OK, that's fine.

Let's take a look from one more direction.  Download and scan with the free version of AVG AntiSpyware (sassin44 mentioned this one early on and its very good).  Quarantine any detections and post the log.  I will meet you back here tomorrow.

http://free.grisoft.com/doc/20/lng/us/tpl/v5

[brenda31]

I have opened up the log viwer and it shows

6/20/2007  01:01    System     2032     Sign of   WIN32:Agent HZS[Trj] has been found in "C:\SYSTEMVOLUMEINFORMATION\_RESTORE{D5341F9C-33FZ-43CF-8BD2-1AE937C9BA1B}\RP208\A0041500.EXE"file.

there are also some listed viruses for 6/19/2007  should i list those?

[mauserme]

Yes, please list them.

[brenda31]

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   01:43 2007-06-21

 + Scan result:   



C:\_OTMoveIt\MovedFiles\WINDOWS\poolsv.exe -> Downloader.VB.aya : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@connextra[2].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ehg-myspaceinc.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@searchportal.information[1].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@realmedia[1].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@toplist[1].txt -> TrackingCookie.Toplist : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@zedo[1].txt -> TrackingCookie.Zedo : No action taken.


::Report end

[mauserme]

There's nothing to worry about in the AVG log. 

Lets take a quick look at the avast! log from 6/19/07, then we'll finish things up.


EDIT:  Please look once more for C:\WINDOWS\system32\kwinlodt.exe.  I'm guessing it was removed in one of the later ComboFix runs but without the full log I don't know for sure.  I want it to be gone.

This time, when you open the explorer window (not internet explorer), at the top of the window click Tools>Folder Options>View.   Make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Then look for the file.

[brenda31]

I have looked again for C:\WINDOWS\system32\kwinlodt.exe and have not been able to find it.

Here is what avast shows


2007-04-12 13:09   SYSTEM   2012   Sign of "Win32:Adware-gen. [Adw]" has been found in "http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab\UDC6_0001_D19M1908NetInstaller.exe" file. 
2007-04-17 15:56   È‘|x…
Øá‹   2020   Function setifaceUpdateFiles() has failed. Return code is 0x0000A410, dwRes is 20000000. 
2007-04-17 15:56   È‘|x…
Øá‹   2020   An error has occured while attempting to update. Please check the logs. 
2007-04-27 12:41   SYSTEM   2020   Sign of "JS:Feebs family" has been found in "http://www.donwloadxclips.com/viewasia.php" file. 
2007-04-30 13:51   SYSTEM   2008   Sign of "Win32:Spyware-gen. [Trj]" has been found in "http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab\USDR6_0001_D19M2108NetInstaller.exe" file. 
2007-05-18 14:35   SYSTEM   2024   Sign of "JS:Feebs family" has been found in "http://greatexplorer.net/js/js.js" file. 
2007-05-29 13:02   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "http://www.pornmoviesindex.com/index.php?id=4013&style=bordo&out=1" file. 
2007-05-30 14:33   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/bg.jpg" file. 
2007-05-30 14:33   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/" file. 
2007-05-30 14:34   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\UPAJ4TEV\shc2[1].htm" file. 
2007-05-30 14:34   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\UPAJ4TEV\shc2[1].htm" file. 
2007-05-30 14:34   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/bg.jpg" file. 
2007-05-30 14:34   SYSTEM   1828   Sign of "JS:Feebs family" has been found in "http://superfastsservers.com/shc2/bt.jpg" file. 
2007-06-01 09:32   SYSTEM   1828   Sign of "Win32:Adware-gen. [Adw]" has been found in "http://drivecleaner.com/.freeware/installdrivecleanerstart.cab\UDC6_0001_D19M1908NetInstaller.exe" file. 
2007-06-04 13:53   SYSTEM   1996   Sign of "JS:Feebs family" has been found in "http://fast-info.org/?qq=Bang+bros.com" file. 
2007-06-04 13:54   SYSTEM   1996   Sign of "JS:Feebs family" has been found in "C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\K3PZIMZT\fast-info[1].htm" file. 
2007-06-04 13:54   SYSTEM   1996   Sign of "JS:Feebs family" has been found in "http://slil1.info/1.html" file. 
2007-06-17 00:21   SYSTEM   2024   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\C3VJUOTD\wr-1-0000077[1].exe\[UPX]" file. 
2007-06-17 00:27   SYSTEM   2024   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe\[UPX]" file. 
2007-06-17 00:38   SYSTEM   2024   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\poolsv\wr-1-0000077.exe\[UPX]" file. 
2007-06-17 00:39   SYSTEM   2024   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file. 
2007-06-17 00:45   SYSTEM   2024   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1549OinAdmin.exe\[PECompact]" file. 
2007-06-17 00:45   SYSTEM   2024   Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\k11u72[1].exe" file. 
2007-06-17 00:46   SYSTEM   2024   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file. 
2007-06-17 00:46   SYSTEM   2024   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1549OinAdmin.exe\[PECompact]" file. 
2007-06-17 00:46   SYSTEM   2024   Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Program Files\poolsv\k11u72.exe" file. 
2007-06-17 00:46   SYSTEM   2024   Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Program Files\poolsv\k11u72.exe" file. 
2007-06-17 00:53   SYSTEM   2024   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll" file. 
2007-06-17 00:53   SYSTEM   2024   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll" file. 
2007-06-17 00:53   SYSTEM   2024   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file. 
2007-06-17 00:53   SYSTEM   2024   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file. 
2007-06-17 00:58   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\qlqucbnt.exe" file. 
2007-06-17 00:58   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\qlqucbnt.exe" file. 
2007-06-17 00:58   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\qlqucbnt.exe" file. 
2007-06-17 01:00   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\qlqucbnt.exe" file. 
2007-06-17 02:08   Brenda Mayorga   2532   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe\[UPX]" file. 
2007-06-17 02:14   Brenda Mayorga   2532   Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\k11u72[1].exe" file. 
2007-06-17 02:35   Brenda Mayorga   2532   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1549OinAdmin.exe\[PECompact]" file. 
2007-06-17 03:08   Brenda Mayorga   2532   Sign of "Win32:VB-TGS [Trj]" has been found in "C:\Program Files\poolsv\k11u72.exe" file. 
2007-06-17 03:12   Brenda Mayorga   2532   Sign of "Win32:Agent-HDR [Trj]" has been found in "C:\Program Files\svhost\wr-1-0000077.exe\[UPX]" file. 
2007-06-17 05:14   Brenda Mayorga   2532   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\qlqucbnt.exe" file. 
2007-06-17 11:17   Brenda Mayorga   2532   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\WINDOWS\system32\udchqggj.dll" file. 
2007-06-18 00:18   Brenda Mayorga   2532   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\AXMHGBKX\YazzleBundle-1549[1].exe" file. 
2007-06-18 00:55   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\fojtipub.exe" file. 
2007-06-18 00:55   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\fojtipub.exe" file. 
2007-06-18 00:55   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\fojtipub.exe" file. 
2007-06-18 00:56   SYSTEM   2024   Sign of "Win32:Agent-HZS [Trj]" has been found in "C:\WINDOWS\system32\fojtipub.exe" file. 
2007-06-18 00:58   SYSTEM   2024   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dshlbhhh.dll" file. 
2007-06-18 00:58   SYSTEM   2024   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dshlbhhh.dll" file.