The PC Guide Discussion Forums  
  #1  
05-30-2007, 01:14 AM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
Anything Here? - Moved...

I felt that something was wrong when a program called msnmgr9.exe was trying to access network-rooterz.net, so I blocked the program. Here's a HJT log just to make sure nothing is wrong. PS: I don't have MSN Messenger installed.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:13:55 AM, on 5/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
D:\WINDOWS.000\System32\smss.exe
D:\WINDOWS.000\system32\winlogon.exe
D:\WINDOWS.000\system32\services.exe
D:\WINDOWS.000\system32\lsass.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS.000\system32\svchost.exe
D:\WINDOWS.000\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS.000\system32\svchost.exe
D:\WINDOWS.000\system32\hidserv.exe
D:\WINDOWS.000\system32\regsvc.exe
D:\WINDOWS.000\system32\MSTask.exe
D:\WINDOWS.000\system32\stisvc.exe
D:\WINDOWS.000\System32\WBEM\WinMgmt.exe
D:\WINDOWS.000\system32\svchost.exe
D:\WINDOWS.000\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Lexmark 2300 Series\lxcgmon.exe
D:\Program Files\Lexmark 2300 Series\ezprint.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\lotus\smartctr\suitest.exe
C:\Program Files\lotus\wordpro\ltsstart.exe
C:\Program Files\lotus\register\remind32.exe
D:\Program Files\OpenOffice.org 2.2\program\soffice.exe
D:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
D:\WINDOWS.000\system32\lxcgcoms.exe
D:\WINDOWS.000\msnmgr9.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS.000\system32\ntvdm.exe
D:\WINDOWS.000\system32\wuauclt.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\FrostWire\FrostWire.exe
D:\Documents and Settings\Howard\Desktop\HiJackThis_v2.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - D:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS.000\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 D:\WINDOWS.000\system32\spool\DRIVERS\W32X86\3\LXC Gtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "D:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "D:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MicrsoMsn] msnmgr9.exe
O4 - HKLM\..\RunServices: [MicrsoMsn] msnmgr9.exe
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Wireless Configuration Utility HW.51.lnk = D:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O4 - Startup: Lotus SuiteStart 97.lnk = C:\Program Files\lotus\smartctr\suitest.exe
O4 - Startup: Lotus QuickStart.lnk = C:\Program Files\lotus\wordpro\ltsstart.exe
O4 - Startup: OpenOffice.org 2.2.lnk = D:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: LimeWire On Startup.lnk = D:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\Program Files\lotus\register\remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176624841140
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS.000\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS.000\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINDOWS.000\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - D:\WINDOWS.000\system32\lxcgcoms.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6145 bytes
__________________
Compy
Lappy Ver. 2.0
Pentium IV Celeron @ 2.20GHz
Pentium Dual Core @ 2.16GHz
1.5GB RAM
2GB RAM (soon to be upgraded to 4 gb)
64MB Integrated Intel Graphics (i'm not a gamer, so i just use it for compatibility.)
Intel GMA 4500 256MB
Windows 2000/XP/ME
Windows XP Pro
  #2  
05-30-2007, 02:15 AM
law9933
Aspirant Master Geek
Join Date: Jan 2004
Location: midwest
Posts: 128
Applications & Security is the forum for HJT logs. Someone might move it.
  #3  
05-30-2007, 02:26 AM
Budfred
Amateur Master Geek
Moderator
Join Date: Jul 2002
Location: Minn
Posts: 17,851
Yep, that looks like an infection... Run some other scans:

Download AVG Anti-Spyware from HERE
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware

  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and Reboot in Normal Mode.

Then:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

and finally:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • Just before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Then post all the logs...
__________________
Budfred ..... Caveat Emptor....

Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

Post a complaint about malware here!!
So how did I get infected in the first place??

MS MVP 2006 and ASAP member since 2004...

If you PM me for help, expect an irritated response... Post in the forum...
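
The cross-check that makes the msnmgr9.exe entry in the first log stand out can be scripted. The following is an added example, not part of the original thread or any poster's tooling: it parses a HijackThis log and ranks O4 registry autoruns by three triage heuristics that are assumptions made here (no directory in the command, the same entry under more than one autostart key, and a matching process running from the Windows directory itself). The sample lines are copied from the Windows 2000 log in post #1.

```python
import ntpath  # Windows path handling that works on any OS
import re

# Subset of lines copied from the Windows 2000 HijackThis log in post #1.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS.000\system32\services.exe
D:\WINDOWS.000\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS.000\msnmgr9.exe
D:\Program Files\AIM\aim.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MicrsoMsn] msnmgr9.exe
O4 - HKLM\..\RunServices: [MicrsoMsn] msnmgr9.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
"""

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\.*?\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable part of the command, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<image>[^"]+?\.(?:exe|com|bat|scr|pif))', re.I)


def parse(log):
    """Return (running process paths, O4 registry autorun entries)."""
    processes, autoruns, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                img = IMAGE_RE.match(m["cmd"])
                # Fall back to the whole command if no executable is recognised.
                autoruns.append({"hive": m["hive"], "key": m["key"],
                                 "name": m["name"],
                                 "image": img["image"] if img else m["cmd"]})
    return processes, autoruns


def windows_dir(processes):
    """Infer the Windows directory from any process living in system32."""
    for path in processes:
        m = re.match(r"^(.*)\\system32\\[^\\]+$", path, re.I)
        if m:
            return m.group(1).lower()
    return None


def triage(log):
    """Rank autoruns by how many heuristics they hit (hints, not verdicts)."""
    processes, autoruns = parse(log)
    windir = windows_dir(processes)
    merged = {}
    for a in autoruns:
        entry = merged.setdefault(
            (a["name"], a["image"].lower()),
            {"name": a["name"], "image": a["image"], "keys": set()})
        entry["keys"].add(a["hive"] + "\\" + a["key"])

    results = []
    for entry in merged.values():
        image, reasons = entry["image"], []
        base = ntpath.basename(image).lower()
        # Heuristic 1: legitimate entries such as SysTray.Exe hit this too.
        if not ntpath.dirname(image):
            reasons.append("command has no directory")
        # Heuristic 2: identical entry registered under several autostart keys.
        if len(entry["keys"]) > 1:
            reasons.append("same entry under " + " and ".join(sorted(entry["keys"])))
        # Heuristic 3: a process of that name runs from the Windows directory.
        if windir and any(ntpath.basename(p).lower() == base
                          and ntpath.dirname(p).lower() == windir
                          for p in processes):
            reasons.append("running from the Windows directory itself")
        results.append({"name": entry["name"], "image": image, "reasons": reasons})
    results.sort(key=lambda r: len(r["reasons"]), reverse=True)
    return results


def flagged(log, min_reasons=2):
    """Names of autoruns that hit at least min_reasons heuristics."""
    return [r["name"] for r in triage(log) if len(r["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(len(r["reasons"]), r["name"], r["image"], "; ".join(r["reasons"]))
```

Each heuristic alone also matches legitimate Windows entries, so the ranking only tells an analyst which lines to look up first.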
  #4  
05-30-2007, 02:46 PM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
Okay. I'm finishing up on my 2000 installation.

Since Me and 2000 have different kernels I'm thinking that Me isn't infected with what 2000's got. But wouldn't hurt to be sure.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:45:35 PM, on 5/30/2007
Platform: Windows ME (Win9x 4.90.3000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\802.11 WIRELESS LAN\802.11G WIRELESS CARDBUS & PCI ADAPTER HW.51 V1.00\WLANCU.EXE
C:\PROGRAM FILES\FIREFOXPRELOADER\FIREFOXPRELOADER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS_V2.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/subsequentfury
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl (User 'Default user')
O4 - .DEFAULT Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe (User 'Default user')
O4 - .DEFAULT Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe (User 'Default user')
O4 - Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O4 - Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL

--
End of file - 5988 bytes
  #5  
05-30-2007, 09:14 PM
Budfred
Amateur Master Geek
Moderator
Join Date: Jul 2002
Location: Minn
Posts: 17,851
That one looks okay, but I wouldn't rely on that until we see how the other scans go and try a couple on WinME as well...
  #6  
05-31-2007, 01:05 PM
toadyy
New Member - Welcome!
Join Date: May 2007
Posts: 1
Could someone please send me the combofix.exe in a zip file? My firewall will not let me dl it. Thanks

tskelton69 AT gmail.com

Last edited by Budfred : 05-31-2007 at 02:35 PM. Reason: Munge email address...
  #7  
05-31-2007, 02:39 PM
Budfred
Amateur Master Geek
Moderator
Join Date: Jul 2002
Location: Minn
Posts: 17,851
Quote:
Originally Posted by toadyy
Could someone please send me the combofix.exe in a zip file? My firewall will not let me dl it. Thanks

tskelton69 AT gmail.com

1st - Jumping into someone else's thread with your question is considered rude around here...

2nd - Using ComboFix or any number of other tools without knowing what you are doing is ill-advised and may cause more problems than it resolves...

3rd - Posting an email address in a public forum is an invitation to SPAMmers to overwhelm your mailbox with SPAM...

4th - Sending an email to someone who posts in a forum a request for emails in the first post is ill-advised and may lead to being added to a large number of SPAM lists...

5th - If you can't download the program, it is probably a problem with your firewall that needs to be fixed rather than just getting the program through an email...

If you wish to respond, please start your own thread...
  #8  
06-02-2007, 04:57 PM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
ComboFix is saying that it's only for 2000/XP and I'm in 2000. Why won't it work?
  #9  
06-02-2007, 06:49 PM
Budfred
Amateur Master Geek
Moderator
Join Date: Jul 2002
Location: Minn
Posts: 17,851
I don't know... Are you giving it time to unzip and then running it from the unzipped folder?? If so, are you giving it time to run, it can take a while to get going... If you start clicking things, it will abort...
  #10  
06-05-2007, 12:21 AM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
Sorry. ComboFix wouldn't work for some reason or other.

I booted into Safe Mode and ran SDFix (catchme.exe, RunThis.bat just made a command prompt say Bad Command or File Name)

Catchme.exe gave me the following report.

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 D:\WINDOWS.000\system32\spool\DRIVERS\W32X86\3\LXC Gtime.dll,_RunDLLEntry@16????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ??????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
  #11  
06-05-2007, 12:37 AM
Budfred
Amateur Master Geek
Moderator
Join Date: Jul 2002
Location: Minn
Posts: 17,851
Is D: your WinME or Win2K drive?? Please answer my questions about how you ran ComboFix so that I know if that was the problem... If you ran it properly, download a fresh copy and try it again... If none of those options work, we will try other tools... What happened with the AVG AS scan??
  #12  
06-05-2007, 12:49 AM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
I just clicked on the icon for ComboFix.
AVG AS keeps coming back with more. I tried GMER to find rootkits... It came back with a lot of results...
D:\ is my Win 2k drive

---- System - GMER 1.0.12 ----

SSDT \??\D:\WINDOWS.000\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\D:\WINDOWS.000\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\D:\WINDOWS.000\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\D:\WINDOWS.000\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\D:\WINDOWS.000\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\D:\WINDOWS.000\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!IPTransmit + 43D7 BED31D0C 6 Bytes CALL BFF15E50 Teefer.sys
.text tcpip.sys!IPGetAddrType + 765 BED3668D 6 Bytes CALL BFF15E50 Teefer.sys
.text tcpip.sys!IPGetAddrType + 227A BED381A2 6 Bytes CALL BFF15E50 Teefer.sys
.text wanarp.sys EB7ECDFE 7 Bytes CALL BFF15FA0 Teefer.sys

---- User code sections - GMER 1.0.12 ----
  #13  
06-05-2007, 12:51 AM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetProfilesDirectoryW + FFFB13A6 7C0F13AD 36 Bytes [ 33, FF, 3B, F7, 0F, 8C, F9, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetProfilesDirectoryW + FFFB13CB 7C0F13D2 12 Bytes CALL 7C05B7E1
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetProfilesDirectoryW + FFFB13D8 7C0F13DF 3 Bytes [ AA, 00, 01 ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetProfilesDirectoryW + FFFB13DC 7C0F13E3 8 Bytes [ 8B, F0, 3B, F7, 0F, 8C, C3, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetProfilesDirectoryW + FFFB13E6 7C0F13ED 5 Bytes [ FF, 75, FC, 6A, 64 ]
.text ...
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetUserProfileDirectoryW + 2 7C0F49F1 21 Bytes [ 75, 07, B8, 1E, 00, 03, 80, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetUserProfileDirectoryW + 18 7C0F4A07 28 Bytes [ F3, A5, 8B, C8, 83, E1, 03, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetUserProfileDirectoryW + 35 7C0F4A24 114 Bytes [ 45, 18, 89, 07, 33, C0, 5F, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetUserProfileDirectoryW + A8 7C0F4A97 3 Bytes [ 54, 1B, E3 ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetUserProfileDirectoryW + AC 7C0F4A9B 33 Bytes CALL 7C0DA180
.text ...
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetAllUsersProfileDirectoryW + C 7C0F4FA9 143 Bytes [ FF, 51, 08, 8B, CF, E8, 2F, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetAllUsersProfileDirectoryW + 9C 7C0F5039 24 Bytes [ 15, D4, 13, E2, 7C, 85, C0, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetAllUsersProfileDirectoryW + B5 7C0F5052 147 Bytes [ 89, 38, 33, C0, 5F, 5E, C2, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetDefaultUserProfileDirectoryW + D 7C0F50E6 58 Bytes [ 75, 17, 8B, 43, 10, 85, C0, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetDefaultUserProfileDirectoryW + 48 7C0F5121 54 Bytes [ 7D, F4, 6A, 08, AB, AB, 33, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetDefaultUserProfileDirectoryW + 7F 7C0F5158 15 Bytes [ 00, 8B, 75, 08, 8D, 4D, F4, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetDefaultUserProfileDirectoryW + 8F 7C0F5168 48 Bytes [ 50, 10, 8B, F8, 3B, FB, 74, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!GetDefaultUserProfileDirectoryW + C0 7C0F5199 12 Bytes [ 51, 1C, 8B, F8, 8D, 45, E8, ... ]
.text ...
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!DestroyEnvironmentBlock + 63 7C0F53C8 34 Bytes [ C0, 74, 13, 21, 70, 0C, 21, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!DestroyEnvironmentBlock + 86 7C0F53EB 14 Bytes [ 89, 5E, 0C, 89, 7E, 10, FF, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!DestroyEnvironmentBlock + 95 7C0F53FA 17 Bytes [ 00, EB, 07, 53, FF, 15, 64, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!DestroyEnvironmentBlock + A7 7C0F540C 83 Bytes [ 55, 8B, EC, 83, EC, 54, 66, ... ]
.text D:\WINDOWS.000\system32\lxcgcoms.exe[1716] USERENV.DLL!DestroyEnvironmentBlock + FB 7C0F5460 1 Byte [ 00 ]
.text ...

It says stuff like that over 20000 times.. I don't want to waste your time
  #14  
06-05-2007, 12:54 AM
SufferWell1396
Music Geek
Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EB651220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EB651480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EB6515A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EB94C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EB651220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EB651480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EB6515A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB94C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EB651220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EB651480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EB6515A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB94C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EB651220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EB651480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EB6515A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB94C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EB651220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EB651480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EB6515A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EB94C85A] avgtdi.sys

---- EOF - GMER 1.0.12 ----
  #15  
06-05-2007, 01:18 AM
Budfred
Amateur Master Geek
Moderator
Join Date: Jul 2002
Location: Minn
Posts: 17,851
Please answer all of my questions in as much detail as possible... I don't know how to interpret what you are telling me and the scans without knowing where your installs are and whether you followed all of the instructions...
__________________
Budfred ..... Caveat Emptor....

Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

Post a complaint about malware here!!
So how did I get infected in the first place??

MS MVP 2006 and ASAP member since 2004...

If you PM me for help, expect an irritated response... Post in the forum...
Reply With Quote
  #16  
Old 06-05-2007, 09:14 PM
SufferWell1396
Music Geek

Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
D:\WINDOWS.000 is my Windows 2000 directory.

Otherwise C:\ is dedicated to Windows Millennium (Win ME installed at C:\WINDOWS).

I ran ComboFix like normal. Was in NORMAL mode and just double-clicked on the icon, and it said that. The End.

I deleted the D:\WINDOWS.000\system32\lxcgcoms.exe because it was clearly just a virus. You have told me to do the same in the past, though I cannot remember the exact post.

I don't really know what else there is to say.
  #17  
Old 06-05-2007, 11:56 PM
Budfred
Amateur Master Geek
Moderator
 
Join Date: Jul 2002
Location: Minn
Posts: 17,851
I am not sure what icon you are talking about that you clicked on... The instructions are to double click on combofix.exe and then follow the prompts... When you click on it, it will open a folder and it will include all the combofix files... Give it a while to finish opening those files... If it doesn't give you a prompt, click on the combofix.bat file in that folder and wait for it to work... However, if you wait long enough, it will probably open and proceed with the scan... If it still doesn't work, try it in Safe Mode... If you don't give it time to finish decompressing the tool, it will probably fail... Don't do anything else while it is running unless it asks you to respond to something...

Simply deleting an infected file is unlikely to solve the general problems...
  #18  
Old 06-06-2007, 05:04 PM
SufferWell1396
Music Geek

Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
Okay then. I'll include pictures.

The ComboFix icon I click on.

The prompt I get when I run Combofix.exe

  #19  
Old 06-06-2007, 10:12 PM
Budfred
Amateur Master Geek
Moderator
 
Join Date: Jul 2002
Location: Minn
Posts: 17,851
I have asked the author of the tool to look in on this thread and we can see what he says... Meanwhile, try this:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
  #20  
Old 06-06-2007, 10:27 PM
Budfred
Amateur Master Geek
Moderator
 
Join Date: Jul 2002
Location: Minn
Posts: 17,851
sUBs, the author, came through with an answer already... He said:
Quote:
I would say the machine may not have cmd.exe in the correct location.
Look in D:\WINDOWS\system32 to see if it is there...
  #21  
Old 06-07-2007, 12:17 AM
SufferWell1396
Music Geek

Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
It's there.

  #22  
Old 06-07-2007, 12:26 AM
sUBs
sUBs
 
Join Date: Nov 2006
Posts: 26
Please click on Start > Run and type - cmd to bring up the command prompt

Then type ver

Does it say ... Microsoft Windows 2000 [Version 5.00.2195] ?
  #23  
Old 06-07-2007, 12:50 AM
SufferWell1396
Music Geek

Join Date: Apr 2006
Location: In the land of far far away
Posts: 1,508
Yeah.

  #24  
Old 06-07-2007, 12:58 AM
sUBs
sUBs
 
Join Date: Nov 2006
Posts: 26
There doesn't appear to be anything that could be hampering ComboFix. Let's see if an updated copy runs better. Please download it from here:

http://download.bleepingcomputer.com...a/ComboFix.exe

Place it at the root of drive D. - D:\ComboFix.exe
Then doubleclick on it
  #25  
Old 06-07-2007, 01:02 AM
sUBs
sUBs
 
Join Date: Nov 2006
Posts: 26
If that fails, please download & run this analysis tool :

http://deckard.geekstogo.com/dss.exe

It's simple to use. Just doubleclick to run.