Trojan Zonebac


prov1x

I have recently been receiving a Norton Antivirus real-time alert that my system has the trojan Zonebac. Symantec does not remove it. Can someone help me get rid of this? I am including both a Kaspersky and a HijackThis scan result.

I ran Kaspersky. Here are my results

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 09, 2008 7:26:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/02/2008
Kaspersky Anti-Virus database records: 555870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 69262
Number of viruses found: 3
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:55:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A300000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000001.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200001.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200002.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\edgar\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\edgar\Desktop\stng380.exe Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\History\History.IE5\MSHist012008020920080210\index.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temp\1367375516.exe Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe/data0000.bin/file3 Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe/data0000.bin Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe EmbeddedEXE: infected - 2 skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe UPX: infected - 2 skipped
C:\Documents and Settings\edgar\Local Settings\Temp\~DF9F4F.tmp Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temp\~DF9F54.tmp Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\edgar\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\edgar\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\RECYCLER\S-1-5-21-1177238915-2077806209-725345543-1004\Dd554\Favorite.dll Infected: not-a-virus:AdWare.Win32.Favman.a skipped

Scan process completed.
 
Here are the results of a Hijack This scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:29 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\bak\vptray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177874453233
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194822532468
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5433 bytes
 
I tried completing all steps; however, when I get to step 14 (Run Ad-Aware in safe mode) I get the following:

Exception EAccessViolation in the module Ad-Aware2007.exe at 001CA094
Access Violation at address 005CA094 in module 'Ad-Aware2007.exe' read of address 00000414

What should I do to resolve this and continue?
 
I completed the uninstall, downloaded and reinstalled, but received the same results when trying to run in safe mode.
 
Skip step 14 and finish step 15, then post the requested logs as attachments using the paperclip icon above your reply.

It could be the infection preventing you from running it. I had the same happen the other day with AVG.

This thread is for the use of prov1x only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
All steps completed.

The results of the Panda Anti-Rootkit scan:

Items scanned 4020
Rootkits detected 0
known rootkits 0
unknown rootkits 0
Rootkits removed 0
Rootkits sent to Panda 0




ComboFix 08-02.05.3 - edgar 2008-02-10 21:40:24.1 - NTFSx86
Running from: C:\Documents and Settings\edgar\Desktop\Techspot computer repair software\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1201817014.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 19:47 . 2008-02-10 19:47 <DIR> d-------- C:\VundoFix Backups
2008-02-10 18:10 . 2008-02-10 18:25 2,844 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-10 18:05 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-10 18:05 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-10 18:05 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-10 18:05 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-10 18:05 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-10 18:05 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-10 18:05 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-10 18:02 . 2008-02-10 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-10 17:57 . 2008-02-10 17:57 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 17:57 . 2008-02-10 17:59 <DIR> d-------- C:\Program Files\CCleaner
2008-02-10 17:52 . 2008-02-10 17:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 17:52 . 2008-02-10 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 17:51 . 2008-02-10 17:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 17:44 . 2008-02-10 17:44 <DIR> d-------- C:\Documents and Settings\edgar\Application Data\Grisoft
2008-02-10 17:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 14:28 . 2008-02-10 14:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-10 14:26 . 2008-02-10 14:29 <DIR> d-------- C:\Documents and Settings\edgar\.housecall6.6
2008-02-10 13:48 . 2008-02-10 21:45 313,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-10 13:48 . 2008-02-10 20:40 5,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-10 13:43 . 2008-02-10 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-10 13:42 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-10 13:42 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-10 13:42 . 2008-02-10 13:46 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-10 13:41 . 2008-02-10 13:41 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-10 13:39 . 2008-02-10 20:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-10 13:34 . 2008-02-10 13:35 <DIR> d-------- C:\Documents and Settings\edgar\Application Data\AVG7
2008-02-10 13:33 . 2008-02-10 13:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 13:32 . 2008-02-10 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 13:32 . 2008-02-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-09 19:33 . 2008-02-09 19:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 04:02 . 2008-02-03 04:02 13 --a------ C:\WINDOWS\C3EA-41F7-BFAC-EBF8.dat
2008-01-30 20:11 . 2008-01-30 20:11 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-27 14:23 . 2008-02-08 21:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-27 14:23 . 2008-01-27 14:23 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 22:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 22:37 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-02-10 16:37 --------- d-----w C:\Documents and Settings\edgar\Application Data\Lavasoft
2008-02-09 02:08 --------- d-----w C:\Program Files\QuickTime
2008-02-03 04:27 --------- d-----w C:\Documents and Settings\edgar\Application Data\LimeWire
2008-01-24 13:42 --------- d-----w C:\Documents and Settings\edgar\Application Data\U3
2008-01-12 19:29 --------- d-----w C:\Documents and Settings\edgar\Application Data\BitTorrent
2008-01-09 03:00 --------- d-----w C:\Program Files\MP3 Player Utilities 4.15
2007-12-26 00:58 --------- d-----w C:\Program Files\USBToolbox
2007-12-26 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 17:00 1818624 C:\WINDOWS\mixer.exe]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-10-26 16:56 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 14:09 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 13:33 219136]

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 00:31]

*Newly Created Service* - PHOOKS
*Newly Created Service* - PUTGOMFOPCIB
*Newly Created Service* - SDTHOOK
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 21:45:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 21:48:44
ComboFix-quarantined-files.txt 2008-02-11 02:47:53
.
2008-01-10 04:21:59 --- E O F ---

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:45:13 PM 2/12/2008

+ Scan result:



F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc201.txt -> TrackingCookie.Burstbeacon : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc202.txt -> TrackingCookie.Burstnet : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc35.txt -> TrackingCookie.Burstnet : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc56.txt -> TrackingCookie.Dealtime : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc157.txt -> TrackingCookie.Information : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc150.txt -> TrackingCookie.Liveperson : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc155.txt -> TrackingCookie.Msn : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc88.txt -> TrackingCookie.Msn : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc50.txt -> TrackingCookie.Overture : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc171.txt -> TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc26.txt -> TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc27.txt -> TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc106.txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\edgar\Cookies\edgar@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc112.txt -> TrackingCookie.Webtrends : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc14.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:47 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177874453233
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194822532468
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6262 bytes
 
For some reason, when I click on the paperclip icon nothing happens. The other icons with the drop-down menus work fine, but the paperclip icon does not respond. That is why I copied the results into my post. Am I doing this incorrectly? Is there somewhere else, or a setting I have to change?
 
Make sure your browser is allowing popups. When you click it, does a yellow box pop up across the top of the screen?
 
It's odd; there are no yellow pop-up windows. Again, the two other drop-down menus next to the paperclip (emoticon and color selection for letters) work and allow me to select from them. When I click on the paperclip there is absolutely no response. I went to Additional Options below the reply window, clicked "Manage Attachments", and it allowed me to attach the files. Hope that works.
 
OK, HijackThis looks clean. I am not experienced with ComboFix yet, so if you want you can wait for somebody who is, or you can manually delete these:

Show hidden files through Windows Explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Use Windows Explorer to navigate to and delete the following files:
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.

Folders:
C:\Program Files\WinBudget <-This folder only

After deleting the above, go to Start, click Search, click All files and folders, and then click More advanced options. Check the boxes Search system folders and Search hidden files and folders.

In the search box for All or part of the file name please type matrix.dll
If any instances are shown Delete them.

Do the same for matrix.dat

Remove registry entries
  • Click Start, Run, type regedit, click ok.
Navigate to and delete the following entries:

HKEY_CLASSES_ROOT\toolbar.TB\CLSID
HKEY_CLASSES_ROOT\toolbar.TB.1\CLSID
HKEY_CLASSES_ROOT\AppID\toolbar.DLL
HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
Reboot the computer into Normal Mode

Post a fresh Combofix log
 
Download FindAWF:

  1. Download FindAWF
  2. Save the file to the Desktop
  3. Double-click the FindAWF icon.
  4. If a Security Alert shows, allow the program to run.
  5. As instructed, press any key to continue.
  6. Use the following option: Press 1 then Enter to scan for bak folders
     The scan may take a while, please be patient.
  7. When done, a text file, Find AWF report, is produced that I need to look at.
     Please post it in your reply.

Generate Uninstall List

  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.
  5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file.
 
Fix AWF Infection

Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe"
"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach AWF.txt file in your next reply along with a fresh HJT log
 
Almost there

Launch HJT
*Select Do a System Scan Only
*Put a check mark next to the following entry:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime

*Select Fix Checked
*Select Scan and attach another log


Fix AWF Folders
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Canon\MyPrinter\bak
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* You will be presented with a Menu.
* Press 3, then press Enter.
* Press any key to continue.
* A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
* Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
* The program will proceed to remove the bad folders and will perform another scan for bak folders
* It may take a few minutes to complete so be patient.
* When it is complete, it will open a text file in notepad called AWF.txt.
* Please attach the AWF.txt file in your next reply.

Run FindAWF one more time and press 4, then press Enter.
 
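The FindAWF steps above (scan for bak folders, restore the legitimate copies, remove the bak folders) act on one pattern: the infection moves a real auto-start program into a `bak` subfolder and drops its own binary under the original name and path. The script below is an added example written for this page, not FindAWF's own code. It builds a constructed sample tree in a temporary directory (the file names mirror the thread's list, the contents are made up), reports every bak copy together with whether the sibling at the original path still exists and whether its hash differs, then restores the bak copies and quarantines the differing siblings instead of deleting them so the samples survive for analysis. The tree layout, the `quarantine` folder name and the function names are all assumptions of the example.

```python
"""Scan for and undo the AWF "bak" pattern: a legitimate program moved into a
`bak` subfolder and replaced, at its original path, by a dropper of the same
name.  Added example for this page, not the FindAWF tool's own code."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Walk `root` and report every file inside a folder named `bak`.

    For each one, record the sibling path where the original program lived,
    whether that sibling still exists, and whether its content differs from
    the bak copy (a differing sibling is the suspected replacement).
    """
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            bak_file = bak_dir / name
            sibling = bak_dir.parent / name
            exists = sibling.is_file()
            pairs.append({
                "bak": bak_file,
                "original": sibling,
                "sibling_exists": exists,
                "replaced": exists and sha256_of(sibling) != sha256_of(bak_file),
            })
    return sorted(pairs, key=lambda p: str(p["bak"]))


def restore_from_bak(pairs, quarantine):
    """Put the bak copies back in place.

    A sibling whose hash differs is moved into `quarantine` rather than
    deleted, so the sample is kept for analysis; a bak copy with no sibling
    is simply moved back.  Bak folders left empty are removed afterwards.
    Returns the number of files restored.
    """
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    restored = 0
    for i, p in enumerate(pairs):
        if p["replaced"]:
            # prefix with the index so same-named files from different
            # folders do not collide inside the quarantine folder
            shutil.move(str(p["original"]), str(quarantine / f"{i}_{p['original'].name}"))
        if p["replaced"] or not p["sibling_exists"]:
            shutil.move(str(p["bak"]), str(p["original"]))
            restored += 1
    for p in pairs:
        bak_dir = p["bak"].parent
        if bak_dir.is_dir() and not any(bak_dir.iterdir()):
            bak_dir.rmdir()
    return restored


def run_demo():
    """Build a constructed sample tree (assumed layout, not the poster's real
    files), scan it, restore, and return a summary the caller can check."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    layout = {
        # original replaced by a different binary: the classic AWF case
        "Program Files/QuickTime/qttask.exe": b"MZ dropper stub",
        "Program Files/QuickTime/bak/qttask.exe": b"MZ real qttask",
        # identical copy in bak: nothing to restore, bak folder is left alone
        "WINDOWS/system32/ctfmon.exe": b"MZ real ctfmon",
        "WINDOWS/system32/bak/ctfmon.exe": b"MZ real ctfmon",
        # bak copy whose original is gone entirely
        "Program Files/Java/bin/bak/jusched.exe": b"MZ real jusched",
    }
    for rel, content in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

    pairs = find_bak_pairs(root)
    restored = restore_from_bak(pairs, root / "quarantine")
    summary = {
        "pairs": len(pairs),
        "replaced": sum(1 for p in pairs if p["replaced"]),
        "restored": restored,
        "qttask_after": (root / "Program Files/QuickTime/qttask.exe").read_bytes(),
        "quarantined": len(list((root / "quarantine").iterdir())),
        "bak_dirs_left": sum(1 for d, _, _ in os.walk(root) if Path(d).name == "bak"),
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Of the three bak copies in the sample, only qttask.exe has a differing sibling, so that sibling is quarantined and the bak copy restored; jusched.exe has no sibling and is moved back; ctfmon.exe is identical to its sibling, so it is left where it is and its bak folder is the only one that remains. Run it on a real drive root instead of the temporary tree and the report is the same list of pairs FindAWF option 1 would give you, with the hash comparison telling you which siblings actually need to go.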
Looks like we got it. I am going to ask one of the experts to double check my work.

If you have any further virus/spyware problems, please post in this thread.

The instructions in this thread are for the use of prov1x only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thank you for all the work and time! I'll check back to see if there is anything else I need to do.

Thank You
 