TechSpot OpenBoards > OS & Software > Security and the Web
Trojan Zonebac

  #1  
Old 02-09-2008, 11:10 PM
prov1x
Newcomer, in training
 
Member since: Nov 2007, 16 posts
Trojan Zonebac

I have recently been receiving a Norton AntiVirus real-time alert that my system has the trojan Zonebac. Symantec does not remove it. Can someone help me get rid of this? I am including both a Kaspersky and a HijackThis scan result.

I ran Kaspersky. Here are my results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 09, 2008 7:26:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/02/2008
Kaspersky Anti-Virus database records: 555870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 69262
Number of viruses found: 3
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:55:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A300000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000001.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200000.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200001.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200002.VBN Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\edgar\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\edgar\Desktop\stng380.exe Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\History\History.IE5\MSHist012008020920080210\index.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temp\1367375516.exe Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe/data0000.bin/file3 Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe/data0000.bin Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe EmbeddedEXE: infected - 2 skipped
C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe UPX: infected - 2 skipped
C:\Documents and Settings\edgar\Local Settings\Temp\~DF9F4F.tmp Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temp\~DF9F54.tmp Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\edgar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\edgar\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\edgar\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\RECYCLER\S-1-5-21-1177238915-2077806209-725345543-1004\Dd554\Favorite.dll Infected: not-a-virus:AdWare.Win32.Favman.a skipped

Scan process completed.
  #2  
Old 02-09-2008, 11:11 PM
prov1x
Newcomer, in training
 
Member since: Nov 2007, 16 posts
Here are the results of a HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:29 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\bak\vptray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177874453233
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194822532468
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5433 bytes
  #3  
Old 02-09-2008, 11:54 PM
kimsland
TechSpot Guru
 
Member since: Dec 2007, 5,995 posts
Viruses/Spyware/Malware, preliminary removal instructions
http://www.techspot.com/vb/topic58138.html

Must be completed before checking all those files.

You may also want to run Startup and remove any unwanted startups, before posting all your attachments from doing the above.

Sorry, that's just the way we like it; it avoids saying things that are already covered.
  #4  
Old 02-11-2008, 06:01 PM
prov1x
Newcomer, in training
 
Member since: Nov 2007, 16 posts
I tried completing all steps; however, when I get to step 14 (Run Ad-Aware in safe mode) I get the following:

Exception EAccessViolation in the module Ad-Aware2007.exe at 001CA094
Access Violation at address 005CA094 in module 'Ad-Aware2007.exe' read of address 00000414

What should I do to resolve this and continue?
  #5  
Old 02-11-2008, 06:32 PM
kimsland
TechSpot Guru
 
Member since: Dec 2007, 5,995 posts
Ad-Aware looks to be corrupt.

Please uninstall and download Ad-Aware Free again.
  #6  
Old 02-11-2008, 07:33 PM
prov1x
Newcomer, in training
 
Member since: Nov 2007, 16 posts
I completed the uninstall, downloaded and re-installed, but received the same results when trying to run in safe mode.
  #7  
Old 02-11-2008, 08:15 PM
kimsland
TechSpot Guru
 
Member since: Dec 2007, 5,995 posts
Ad-Aware has a forum message on this here: http://www.lavasoftsupport.com/index...5&hl=safe+mode

I'm not aware that the new and improved Ad-Aware does not run in Safe Mode, but I definitely require an answer to this (as yet none).

I think continue on (and run Ad-Aware in Normal mode).
But if you post a message at the Lavasoft forum, I'd like an answer too.

To be resolved

Please continue on.
  #8  
Old 02-12-2008, 11:45 AM
Blind Dragon
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,153 posts
Skip step 14 and finish step 15, then post the requested logs as attachments using the paperclip icon above your reply.

It could be the infection preventing you from running it. I had the same happen the other day with AVG.

This thread is for the use of prov1x only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  #9  
Old 02-12-2008, 07:39 PM
prov1x
Newcomer, in training
 
Member since: Nov 2007, 16 posts
All steps completed.

The results of the Panda Anti-Rootkit scan:

Items scanned 4020
Rootkits detected 0
known rootkits 0
unknown rootkits 0
Rootkits removed 0
Rootkits sent to Panda 0

ComboFix 08-02.05.3 - edgar 2008-02-10 21:40:24.1 - NTFSx86
Running from: C:\Documents and Settings\edgar\Desktop\Techspot computer repair software\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1201817014.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 19:47 . 2008-02-10 19:47 <DIR> d-------- C:\VundoFix Backups
2008-02-10 18:10 . 2008-02-10 18:25 2,844 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-10 18:05 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-10 18:05 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-10 18:05 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-10 18:05 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-10 18:05 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-10 18:05 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-10 18:05 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-10 18:02 . 2008-02-10 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-10 17:57 . 2008-02-10 17:57 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 17:57 . 2008-02-10 17:59 <DIR> d-------- C:\Program Files\CCleaner
2008-02-10 17:52 . 2008-02-10 17:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 17:52 . 2008-02-10 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 17:51 . 2008-02-10 17:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 17:44 . 2008-02-10 17:44 <DIR> d-------- C:\Documents and Settings\edgar\Application Data\Grisoft
2008-02-10 17:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 14:28 . 2008-02-10 14:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-10 14:26 . 2008-02-10 14:29 <DIR> d-------- C:\Documents and Settings\edgar\.housecall6.6
2008-02-10 13:48 . 2008-02-10 21:45 313,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-10 13:48 . 2008-02-10 20:40 5,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-10 13:43 . 2008-02-10 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-10 13:42 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-10 13:42 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-10 13:42 . 2008-02-10 13:46 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-10 13:41 . 2008-02-10 13:41 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-10 13:39 . 2008-02-10 20:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-10 13:34 . 2008-02-10 13:35 <DIR> d-------- C:\Documents and Settings\edgar\Application Data\AVG7
2008-02-10 13:33 . 2008-02-10 13:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 13:32 . 2008-02-10 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 13:32 . 2008-02-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-09 19:33 . 2008-02-09 19:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 04:02 . 2008-02-03 04:02 13 --a------ C:\WINDOWS\C3EA-41F7-BFAC-EBF8.dat
2008-01-30 20:11 . 2008-01-30 20:11 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-27 14:23 . 2008-02-08 21:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-27 14:23 . 2008-01-27 14:23 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 22:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 22:37 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-02-10 16:37 --------- d-----w C:\Documents and Settings\edgar\Application Data\Lavasoft
2008-02-09 02:08 --------- d-----w C:\Program Files\QuickTime
2008-02-03 04:27 --------- d-----w C:\Documents and Settings\edgar\Application Data\LimeWire
2008-01-24 13:42 --------- d-----w C:\Documents and Settings\edgar\Application Data\U3
2008-01-12 19:29 --------- d-----w C:\Documents and Settings\edgar\Application Data\BitTorrent
2008-01-09 03:00 --------- d-----w C:\Program Files\MP3 Player Utilities 4.15
2007-12-26 00:58 --------- d-----w C:\Program Files\USBToolbox
2007-12-26 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 17:00 1818624 C:\WINDOWS\mixer.exe]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-10-26 16:56 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 14:09 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 13:33 219136]

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 00:31]

*Newly Created Service* - PHOOKS
*Newly Created Service* - PUTGOMFOPCIB
*Newly Created Service* - SDTHOOK
.
********************************************************************** ****

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 21:45:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************** ****
.
Completion time: 2008-02-10 21:48:44
ComboFix-quarantined-files.txt 2008-02-11 02:47:53
.
2008-01-10 04:21:59 --- E O F ---

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:45:13 PM 2/12/2008

+ Scan result:



F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc201.txt -> TrackingCookie.Burstbeacon : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc202.txt -> TrackingCookie.Burstnet : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc35.txt -> TrackingCookie.Burstnet : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc56.txt -> TrackingCookie.Dealtime : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc157.txt -> TrackingCookie.Information : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc150.txt -> TrackingCookie.Liveperson : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc155.txt -> TrackingCookie.Msn : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc88.txt -> TrackingCookie.Msn : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc50.txt -> TrackingCookie.Overture : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc171.txt -> TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc26.txt -> TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc27.txt -> TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc106.txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\edgar\Cookies\edgar@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc112.txt -> TrackingCookie.Webtrends : Cleaned.
F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc14.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
  #10  
Old 02-12-2008, 07:40 PM
prov1x
Newcomer, in training
 
Member since: Nov 2007, 16 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:47 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177874453233
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194822532468
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6262 bytes
  #11  
Old 02-12-2008, 09:41 PM
kimsland kimsland is offline
TechSpot Guru
 
Member since: Dec 2007, 5,995 posts
Quote:
Originally Posted by Blind Dragon
then post the requested logs as attachments using the paperclip icon above your reply.

Just quoting Blind Dragon, for your information.
  #12  
Old 02-12-2008, 10:03 PM
prov1x prov1x is offline
Newcomer, in training
 
Member since: Nov 2007, 16 posts
For some reason, when I click on the paperclip icon nothing happens. The other icons with the drop-down menus work fine, but the paperclip icon does not respond. That is why I copied the results into my post. Am I doing this incorrectly? Is there somewhere else, or a setting I have to change?
  #13  
Old 02-12-2008, 10:05 PM
prov1x prov1x is offline
Newcomer, in training
 
Member since: Nov 2007, 16 posts
Let's try this.
Attached Files
File Type: txt ComboFix.txt (7.3 KB, 1 views)
File Type: log hijackthis.log (6.1 KB, 2 views)
File Type: txt AVG Anti-SpyReport-Scan-20080212-174513.txt (3.8 KB, 0 views)
  #14  
Old 02-12-2008, 10:06 PM
Blind Dragon Blind Dragon is offline
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,153 posts
Make sure your browser is allowing popups. When you click it, does a yellow box pop up across the top of the screen?
  #15  
Old 02-12-2008, 10:12 PM
prov1x prov1x is offline
Newcomer, in training
 
Member since: Nov 2007, 16 posts
It's odd, there are no yellow pop-up windows. Again, the two other drop-down menus next to the paperclip (emoticon and color selection for letters) work and allow me to select from them. When I click on the paperclip there is absolutely no response. I went to Additional Options below the reply window, clicked "Manage Attachments", and it allowed me to attach the files. Hope that works.
  #16  
Old 02-12-2008, 10:56 PM
Blind Dragon Blind Dragon is offline
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 3,153 posts
OK, HijackThis looks clean. I am not experienced with ComboFix yet, so if you want you can wait for somebody who is, or you can manually delete these:

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Put a checkmark in the checkbox labeled Display the contents of system folders.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Use Windows Explorer to navigate to and delete the following files:
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.

Folders:
C:\Program Files\WinBudget <- This folder only

After deleting the above, go to Start, click Search, click All files and folders, and then click More advanced options. Check the boxes for Search system folders and Search hidden files and folders.

In the search box for All or part of the file name, please type matrix.dll
If any instances are shown, delete them.

Do the same for matrix.dat

Remove registry entries
  • Click Start, Run, type regedit, click ok.
Navigate to and delete the following entries:

HKEY_CLASSES_ROOT\toolbar.TB\CLSID
HKEY_CLASSES_ROOT\toolbar.TB.1\CLSID
HKEY_CLASSES_ROOT\AppID\toolbar.DLL
HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}

Reboot the computer into Normal Mode

Post a fresh ComboFix log.
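The manual cleanup in the post above, as an added PowerShell example that is not part of the thread or of any tool mentioned in it: it audits the same folder, file names and registry keys Blind Dragon lists, reports what is present, and deletes only when run with -Remove. It assumes an elevated PowerShell prompt (ideally in Safe Mode, as the post recommends) and that the indicators in the post are the complete list.

```powershell
# Added example, not from the thread: dry run by default, deletion only with -Remove.
param([switch]$Remove)

# Indicators copied verbatim from the post above; nothing else is touched.
$folders   = @('C:\Program Files\WinBudget')
$fileNames = @('matrix.dll', 'matrix.dat')
$regKeys   = @(
    'Registry::HKEY_CLASSES_ROOT\toolbar.TB\CLSID',
    'Registry::HKEY_CLASSES_ROOT\toolbar.TB.1\CLSID',
    'Registry::HKEY_CLASSES_ROOT\AppID\toolbar.DLL',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}'
)

$found = @()

# 1. The WinBudget folder (only this folder, as the post says).
$found += @($folders | Where-Object { Test-Path -LiteralPath $_ })

# 2. matrix.dll / matrix.dat anywhere on the system drive. -Force includes hidden
#    and system files, which is what the "Show hidden files" steps enable in Explorer.
$found += @(Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include $fileNames -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

# 3. The registry keys. Registry:: provider paths need no separate HKCR: drive.
$found += @($regKeys | Where-Object { Test-Path -LiteralPath $_ })

if ($found.Count -eq 0) {
    Write-Host 'None of the listed items are present.'
    exit 0
}

foreach ($item in $found) {
    if ($Remove) {
        # -Recurse handles the folder; for files and keys it is harmless.
        Remove-Item -LiteralPath $item -Recurse -Force -ErrorAction Continue
        Write-Host "Removed: $item"
    } else {
        Write-Host "Present: $item"
    }
}
```

Run it once without -Remove and compare the "Present:" lines against the post before running it again with -Remove; the full-drive search is the slow step.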
  #17  
Old 02-13-2008, 07:12 AM
prov1x prov1x is offline
Newcomer, in training
 
Member since: Nov 2007, 16 posts
Done, here is the new ComboFix log.
Attached Files
File Type: txt ComboFix.txt (8.1 KB, 8 views)