Author Topic: System files and a few other little questions  (Read 23936 times)


Stevepac

  • Guest
System files and a few other little questions
« on: July 05, 2007, 03:54:53 PM »
First I have 8 viruses in my chest. The files include:
1) A0119471.dll In System volume Information/_restore (bunch of numbers and letters).
2) A0119472.dll Same location as above.
3) A0119473.dll Same location.
4) A0119474.dll Same location
5) efcbawu(2).dll In WINDOWS\SYSTEM32
6) jkkhfde(2).dll Same location
7) qomnnlm.dll Same location
8) vqnuxutx.dll Same location
Does anyone know what these files do and if it is ok to delete them?

Also, I was running the virus scanner in thorough mode, and after it detected a virus the Current Scanner Status changed to Infected. Does that mean the scanner has been infected, or is it just showing that it found something?

This last part is a little unrelated, but sometimes when I close my Internet Explorer page I get an error that reads: The instruction at "0x7e1f9af3" referenced memory at "0x7dc48950". The memory could not be read. Does anyone know what to do about this?

If you guys know all this stuff I'll love you and give you a chocolate chip cookie :)

DavidR

  • Avast Überevangelist
Re: System files and a few other little questions
« Reply #1 on: July 05, 2007, 06:52:49 PM »
You have done the right thing: 'first do no harm'. Don't delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

The files that were in the System volume Information folder have had their names changed by the system restore function so we are unable to say what they might have been. Files in the System volume Information restore points are usually files that have previously been deleted or moved from the system folders. Often this is as a result of a malware infection putting files in the system folders and system restore not being disabled before action.

Items 5-8 seem like randomly generated file names and you can google the file names to see what they bring. Personally I don't spend much time checking what something was capable of.

The 'Status' is just an indication that infection has been found (and likely dealt with), not that the scanner is infected.

mauserme

  • Guest
Re: System files and a few other little questions
« Reply #2 on: July 05, 2007, 11:43:57 PM »
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #3 on: July 06, 2007, 05:32:51 PM »
This is ComboFix Log, I will do the next one tonight.

"Steven" - 2007-07-06 10:54:26 - ComboFix 07-07-04.4 - Service Pack 2 


(((((((((((((((((((((((((   Files Created from 2007-06-06 to 2007-07-06  )))))))))))))))))))))))))))))))


2007-07-06 10:46   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-04 23:58   <DIR>   d--------   C:\Program Files\iPod
2007-07-04 23:18   <DIR>   d----c---   C:\WINDOWS\SYSTEM32\DRVSTORE
2007-07-04 23:17   <DIR>   d--------   C:\Program Files\Common Files\Apple
2007-07-04 23:17   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-16 18:54   <DIR>   d--------   C:\Program Files\Infogrames Interactive
2007-06-08 00:41   4,194,304   --a------   C:\DOCUME~1\Megan\ntuser.dat
2007-06-08 00:41   3,407,872   --a------   C:\DOCUME~1\Sandy\ntuser.dat


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 03:59:19   --------   d-----w   C:\Program Files\iTunes
2007-07-05 03:52:14   --------   d-----w   C:\Program Files\QuickTime
2007-07-05 03:31:12   --------   d-----w   C:\Program Files\Apple Software Update
2007-06-30 01:55:37   --------   d-----w   C:\Program Files\Verizon
2007-06-16 22:54:36   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-05-17 11:08:42   1,463,536   --sh--w   C:\WINDOWS\system32\hhhkj.bak2
2007-05-17 02:23:21   1,459,929   --sh--w   C:\WINDOWS\system32\hhhkj.bak1
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16   59032   --a------   C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29]
"AIMWDInstallFilename"="C:\PROGRA~1\AIM\AIMWDI~1.EXE" [2004-01-12 16:29]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0IwM]
C:\documents and settings\megan\local settings\temp\0IwM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2LRX2W83X2T3MQ]
C:\WINDOWS\System32\LsxI52.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bakra]
C:\WINDOWS\System32\IEHost34.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dpi]
C:\Program Files\Common Files\Dpi\dpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pcsv]
C:\WINDOWS\system32\pcs\pcsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rundll32_8]
rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWindowsUpdate]
C:\WINDOWS\uptodate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RVP]
"C:\Program Files\RVP\bpc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared.

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #4 on: July 06, 2007, 05:34:13 PM »
tools\msconfig\startupreg\WhenUSearch]
C:\PROGRA~1\WHENUS~1\Search.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2CF0B992-5EEB-4143-99C0-5297EF71F444}]
rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain


Contents of the 'Scheduled Tasks' folder
2007-07-03 16:04:05  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-26 05:16:22  C:\WINDOWS\tasks\dfrg.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 11:09:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g0m??V??g0m??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????g2m??2???????D???<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 11:14:42

   --- E O F ---
(((((((((((((((((((((((((   Files Created from 2007-06-06 to 2007-07-06  )))))))))))))))))))))))))))))))


No new files created in this timespan


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 03:59:19   --------   d-----w   C:\Program Files\iTunes
2007-07-05 03:52:14   --------   d-----w   C:\Program Files\QuickTime
2007-07-05 03:31:12   --------   d-----w   C:\Program Files\Apple Software Update
2007-06-30 01:55:37   --------   d-----w   C:\Program Files\Verizon
2007-06-16 22:54:36   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-05-17 11:08:42   1,463,536   --sh--w   C:\WINDOWS\system32\hhhkj.bak2
2007-05-17 02:23:21   1,459,929   --sh--w   C:\WINDOWS\system32\hhhkj.bak1
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16   59032   --a------   C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29]
"AIMWDInstallFilename"="C:\PROGRA~1\AIM\AIMWDI~1.EXE" [2004-01-12 16:29]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0IwM]
C:\documents and settings\megan\local settings\temp\0IwM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2LRX2W83X2T3MQ]
C:\WINDOWS\System32\LsxI52.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #5 on: July 06, 2007, 05:34:36 PM »
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bakra]
C:\WINDOWS\System32\IEHost34.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dpi]
C:\Program Files\Common Files\Dpi\dpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pcsv]
C:\WINDOWS\system32\pcs\pcsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rundll32_8]
rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWindowsUpdate]
C:\WINDOWS\uptodate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RVP]
"C:\Program Files\RVP\bpc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearch]
C:\PROGRA~1\WHENUS~1\Search.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2CF0B992-5EEB-4143-99C0-5297EF71F444}]
rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-03 16:04:05  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-26 05:16:22  C:\WINDOWS\tasks\dfrg.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 11:16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g0m??V??g0m??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????g2m??2???????D???<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-06 11:20:56

   --- E O F ---

mauserme

  • Guest
Re: System files and a few other little questions
« Reply #6 on: July 06, 2007, 06:26:46 PM »
It looks like a bit of a Vundo infection, possibly with some others as well.  Were the files you listed in your initial post all successfully moved to the chest?  Besides those files there are a couple that need to go.

Please download OTMoveIt  by OldTimer and save it to your desktop.

Next, double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\System32\IEHost34.exe
C:\WINDOWS\System32\LsxI52.exe
C:\documents and settings\megan\local settings\temp\0IwM.exe
C:\WINDOWS\System32\inetp60.dll



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Then upload the following file to Virus Total and post the analysis results


C:\WINDOWS\system32\aswBoot.exe


Don't forget the HJT log too.  There may be a browser hijack that we should fix with that.


EDIT:  Added some files to the list of those to be killed.  There is some adware too but I would like to see HJT before going after it.

Also, open Add/Remove Programs in the Control Panel and, if you find Delfin Media Viewer, uninstall it.  Generate and post the HJT log after this step.
« Last Edit: July 06, 2007, 06:57:48 PM by mauserme »

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #7 on: July 07, 2007, 04:41:38 AM »
Logfile of HijackThis v1.99.1
Scan saved at 10:40, on 2007-07-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Laplink\RemoteAssist\shwSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.49erswebzone.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: winShadow - OmniCom Technologies - C:\Program Files\Laplink\RemoteAssist\shwSrvc.exe


mauserme

  • Guest
Re: System files and a few other little questions
« Reply #8 on: July 07, 2007, 06:37:32 AM »
Thanks for the HJT log.

I would like you to follow through with the instructions I posted just above this log with 2 exceptions.  First, here is a new, slightly longer list of files to kill with OTMoveIT

C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\System32\IEHost34.exe
C:\WINDOWS\System32\LsxI52.exe
C:\documents and settings\megan\local settings\temp\0IwM.exe
C:\WINDOWS\System32\inetp60.dll
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Save\Save.exe
C:\PROGRAM Files\WHENUSEARCH\Search.exe
C:\WINDOWS\System32\stlbdist.DLL



Second, since you've already done the HJT log you don't need to re-do it right now. Instead, after killing the files listed above, download WinPFind3u.exe.
Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
Now click the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.
When it is done, it will show the results of the scan. Right-click in the window and choose Select All. Then right-click again and select Copy, which will copy the contents of the log to your clipboard. Then open a Notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.


Don't forget to uninstall Delfin Media Viewer and to send this file to Virus Total and give me the results

C:\WINDOWS\system32\aswBoot.exe


And a few questions:

> Did you install Win Shadow? It's a remote access program.

>  There are two items listed in your scheduled tasks:

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\dfrg.job

Did you put these there?  I think I know what they are but I don't like to make assumptions.


« Last Edit: July 07, 2007, 06:49:41 AM by mauserme »
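The two replies above single out a handful of patterns in the ComboFix log: an autostart executable sitting in a user's Temp directory, hidden+system files in System32 with a non-code extension, rundll32 loading a DLL nobody recognises from System32, random-looking executable names in System32, and the WhenU/Ebates/updmgr adware names on the OTMoveIt kill list. The script below is an added example (not code from the thread, ComboFix, HijackThis or avast) that applies those same rules to ComboFix-style lines. The sample lines are copied from the posted log; the two allowlists, the severity labels and the line-format regexes are the example's own assumptions, so treat its output as a list of things to look at, not a verdict.

```python
"""Triage of ComboFix-style log lines (added example, not ComboFix code).

Flags the patterns discussed in the thread: Temp-directory autostarts,
hidden+system non-code files in System32, rundll32 loading an unrecognised
System32 DLL, random-looking System32 names, and known adware names from the
OTMoveIt kill list.  Allowlists and severity labels are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
2007-05-17 11:08:42   1,463,536   --sh--w   C:\WINDOWS\system32\hhhkj.bak2
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0IwM]
C:\documents and settings\megan\local settings\temp\0IwM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2LRX2W83X2T3MQ]
C:\WINDOWS\System32\LsxI52.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rundll32_8]
rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe
"""

FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} [\d:]+\s+[\d,-]+\s+(?P<attr>[-a-zA-Z]+)\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[HKEY_.*\\(?P<name>[^\\\]]+)\]$")
RUNVAL_RE = re.compile(r'^"[^"]+"="(?P<cmd>[^"]+)"')          # "Name"="path" [date]
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),", re.I)
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cpl))"?', re.I)

# Assumed allowlists, deliberately tiny; a real one would be far longer.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll"}
KNOWN_SYSTEM32 = {"nvsvc32.exe"}
CODE_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".drv", ".cpl"}
# Lower-cased fragments of the names on the kill list posted in the thread.
ADWARE_MARKERS = ("whenu", "\\save\\save.exe", "updmgr", "websavingsfromebates", "stlbdist")


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def random_looking(stem: str) -> bool:
    """Letters mixed with digits, e.g. LsxI52 or IEHost34 (heuristic only)."""
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def check_file(attr: str, path: str):
    """Find3M lines: hidden+system files in System32 with a non-code extension."""
    if in_system32(path) and "s" in attr and "h" in attr \
            and PureWindowsPath(path).suffix.lower() not in CODE_EXT:
        return ("high", path, "hidden+system non-code file in System32")
    return None


def check_autostart(cmd: str):
    """Reg Loading Points lines: one command line per autostart entry."""
    m = RUNVAL_RE.match(cmd)
    if m:
        cmd = m.group("cmd")
    low = cmd.lower()
    for marker in ADWARE_MARKERS:
        if marker in low:
            return ("adware", cmd, f"matches kill-list name '{marker}'")
    m = RUNDLL_RE.match(cmd)
    if m:
        dll = m.group("dll").strip()
        if in_system32(dll) and PureWindowsPath(dll).name.lower() not in KNOWN_RUNDLL_DLLS:
            return ("review", dll, "rundll32 loads an unrecognised DLL from System32")
        return None
    m = PATH_RE.match(cmd)
    if not m:
        return None
    path = m.group("path")
    p = PureWindowsPath(path)
    if "\\temp\\" in path.lower():
        return ("high", path, "autostart executable under a Temp directory")
    if in_system32(path) and p.name.lower() not in KNOWN_SYSTEM32 and random_looking(p.stem):
        return ("review", path, "random-looking executable name in System32")
    return None


def triage(log_text: str) -> list:
    """Return (severity, path, reason) tuples for every line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or KEY_RE.match(line):
            continue                      # registry key headers carry no command
        m = FILE_RE.match(line)
        if m:
            finding = check_file(m.group("attr"), m.group("path"))
        else:
            finding = check_autostart(line) if "\\" in line else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for sev, path, why in triage(SAMPLE_LOG):
        print(f"{sev:7} {path}  <- {why}")
```

Run against the sample it reports hhhkj.bak2 and 0IwM.exe as high, LsxI52.exe and inetp60.dll for review, and Save.exe as a kill-list hit, while inetcomm.dll, ashDisp.exe, NvCpl.dll and qttask.exe pass. The "random-looking" rule is the weakest of the set (legitimate drivers such as nvsvc32.exe also mix letters and digits, which is why the allowlist exists), so anything it raises should go to VirusTotal rather than straight to OTMoveIt, exactly as the helper did with aswBoot.exe.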

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #9 on: July 07, 2007, 04:48:14 PM »
I'll get on that tonight; I won't be on long now. To answer your question, I don't remember installing anything remote-access. I know my computer fixer man used our computer through his to fix it, so maybe I installed it then. Apple is from iTunes, and yes, we did the automatic defrag.

I have a question as well. After I ran ComboFix my time has been put into military time and I have to keep changing it. How do I make a permanent change?

Lisandro

  • Avast team
Re: System files and a few other little questions
« Reply #10 on: July 07, 2007, 04:59:30 PM »
I have a question as well. After I ran ComboFix my time has been put into military time and I have to keep changing it. How do I make a permanent change?
Control Panel > Regional and Language Support (or something similar).

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #11 on: July 08, 2007, 04:37:06 AM »
After I used MoveIt I got this

C:\WINDOWS\system32\hhhkj.bak2 moved successfully.
C:\WINDOWS\system32\hhhkj.bak1 moved successfully.
File/Folder C:\WINDOWS\System32\IEHost34.exe not found.
File/Folder C:\WINDOWS\System32\LsxI52.exe not found.
File/Folder C:\documents and settings\megan\local settings\temp\0IwM.exe not found.
File/Folder C:\WINDOWS\System32\inetp60.dll not found.
File/Folder C:\Program Files\Common files\updmgr\updmgr.exe not found.
File/Folder C:\Program Files\Save\Save.exe not found.
File/Folder C:\PROGRAM Files\WHENUSEARCH\Search.exe not found.
File/Folder C:\WINDOWS\System32\stlbdist.DLL not found.
 
Created on 07-06-2007 10:36:05


Some not found....


EDIT: I had to send an email to VirusTotal with C:\WINDOWS\system32\aswBoot.exe as the attachment because they were having a lot of entries or something.

EDIT: No Delfin Media Viewer
« Last Edit: July 08, 2007, 05:10:57 AM by Stevepac »

mauserme

  • Guest
Re: System files and a few other little questions
« Reply #12 on: July 08, 2007, 05:09:52 AM »
Some not found....
That's OK - saves us a little work.

Those missing ones were listed in the registry loading points section of ComboFix. The fact that the files are not found means they were previously cleaned by something else that left some remnants of the infection.

Stevepac

  • Guest
Re: System files and a few other little questions
« Reply #13 on: July 08, 2007, 05:11:49 AM »
OK, I just edited and everything is done. The file is uploaded in my previous post for you.

mauserme

  • Guest
Re: System files and a few other little questions
« Reply #14 on: July 08, 2007, 05:16:13 AM »
While we're waiting for Virus Total, go ahead and post the WinPFind log. I just want to make sure nothing else is hiding and clean those registry entries.