  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1230

CAMP.EXE

I have a strange virus. It creates an executable called camp.exe; these files are hidden in C:, along with autorun.inf. It stops access to any hard drive via right click, and I cannot access the Folder Options in the toolbar. It also disables System Restore, and any attempt to reactivate it displays a group policy restriction. It displays a flash screen with the following message: 'KIBAKI TOSHA'. I have tried Symantec Corporate Edition but it cannot recognise it. I have tried a number of adware software without success.
Asked by tombutu
3 Solutions
 
rpggamergirl commented:
Sounds similar to a flash drive infection, or it could be a new variant of it.
Run this tool, Flash_Disinfector:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


And then download and run Combofix, and show us the log so we can check what bad files are there.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
tombutu (Author) commented:
ComboFix runs but does not generate any log; the programme exits when I key in Choice 1. Below is the HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 16:39, on 2007-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\oracle\ora81\bin\dbsnmp.exe
D:\oracle\ora81\bin\vppdc.exe
D:\oracle\ora81\BIN\TNSLSNR.exe
D:\DEV\bin\rwmts60.exe
d:\oracle\ora81\bin\ORACLE.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\csrss.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\csrss.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3E99AEFA-B519-4644-B48A-49422793C736} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {D8F76A81-1346-4DC5-A342-91CEA9CBB5Cd} - C:\WINDOWS\system32\jwgkpmcy.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [j8241431] rundll32 C:\WINDOWS\system32\j8241431.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Shortcut to WetEnd_E.lnk = C:\DPLcpmsbackup\wetend_db\WetEnd_E.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DPLKENYA.COM
O17 - HKLM\Software\..\Telephony: DomainName = DPLKENYA.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D94C9A1-F792-4D49-B7AF-FDC62AB2F4F7}: NameServer = 195.202.64.1,195.202.64.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DPLKENYA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DPLKENYA.COM
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O20 - Winlogon Notify: wvusqro - wvusqro.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleDEVClientCache80 - Unknown owner - D:\DEV\BIN\ONRSD80.EXE
O23 - Service: OracleOraHome81Agent - Oracle Corporation - D:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - D:\oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81HTTPServer - Unknown owner - D:\oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - D:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - D:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: Oracle Reports Server [Rep60_SERVER3-DEV] (OracleReportServer-Rep60_SERVER3-DEV) - Oracle Corp - D:\DEV\bin\rwmts60.exe
O23 - Service: OracleServiceTEST - Oracle Corporation - d:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

 
rpggamergirl commented:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\csrss.exe"
O4 - HKLM\..\Run: [j8241431] rundll32 C:\WINDOWS\system32\j8241431.dll sook
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll (file missing)
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O20 - Winlogon Notify: wvusqro - wvusqro.dll (file missing)


I'm not sure what happened with ComboFix there; can you check in your C:\ whether ComboFix has left a text report somewhere?

I also wonder why VundoFix didn't remove the bad registry entries... we'll take care of that afterwards.
C:\WINDOWS\system32\j8241431.dll <-- can you also check if this file is still there?


Your log is also showing an active variant of SDBot.
Download SDFix and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back here.
 
tombutu (Author) commented:
OK, found the ComboFix log, though it was in the C drive and not in the ComboFix folder. I am posting it to you while I proceed with your recommendations.

"John" - 2007-07-20 17:34:08 - ComboFix 07-07-17.8 - Service Pack 2  NTFS  [SAFE MODE]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\John\APPLIC~1.\macromedia\Flash Player\#SharedObjects\KU7GXTJ5\www.broadcaster.com
C:\DOCUME~1\John\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\John\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\John\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\John\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\John\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\DOCUME~1\John\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\Documents and Settings\John.\err.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\csrss.exe


(((((((((((((((((((((((((   Files Created from 2007-06-20 to 2007-07-20  )))))))))))))))))))))))))))))))


2007-07-20 17:01      26,112      --a------      C:\WINDOWS\system32\nircmd.exe
2007-07-20 15:55      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-07-20 15:16      286,720      -r-hs----      C:\camp.exe
2007-07-20 11:47      <DIR>      d--------      C:\KAV
2007-07-20 00:19      <DIR>      d--------      C:\.Trash-1000
2007-07-19 16:21      77,312      --a------      C:\WINDOWS\ua2.dll
2007-07-19 15:27      286,720      -r-hs----      C:\WINDOWS\system32\drivers\intel.exe
2007-07-16 15:04      <DIR>      d--------      C:\Program Files\MobiFX
2007-07-16 15:04      <DIR>      d--------      C:\Program Files\Common Files\LogoManager
2007-07-04 13:16      54,784      --a------      C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-07-04 13:16      12,464      --a------      C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-07-04 13:16      <DIR>      d--------      C:\Program Files\Common Files\Macrovision Shared
2007-07-04 13:16      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-07-04 13:15      <DIR>      d--------      C:\Program Files\AnswerWorks 4.0
2007-07-04 13:14      <DIR>      d--------      C:\Program Files\Common Files\Autodesk Shared
2007-07-04 13:14      <DIR>      d--------      C:\Program Files\AutoCAD 2004
2007-07-04 13:14      <DIR>      d--------      C:\DOCUME~1\John\APPLIC~1\Autodesk
2007-07-04 13:14      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-06-20 09:58      <DIR>      d--------      C:\Downloads
2007-06-20 09:55      <DIR>      d--------      C:\Program Files\Free Download Manager
2007-06-20 09:55      <DIR>      d--------      C:\DOCUME~1\John\APPLIC~1\Free Download Manager


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 19:12:02      --------      d-----w      C:\Program Files\Winamp
2007-07-20 19:11:57      --------      d-----w      C:\Program Files\Movie Maker
2007-07-20 19:11:55      --------      d-----w      C:\Program Files\Oracle
2007-07-20 19:11:51      --------      d-----w      C:\Program Files\Common Files\PCSuite
2007-07-20 19:11:50      --------      d-----w      C:\Program Files\Common Files\InstallShield
2007-07-20 19:11:50      --------      d-----w      C:\Program Files\Ahead
2007-07-20 19:11:22      --------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-07-20 19:11:22      --------      d-----w      C:\Program Files\Yahoo!
2007-07-20 19:11:22      --------      d-----w      C:\Program Files\MathType
2007-07-20 19:11:22      --------      d-----w      C:\Program Files\Google
2007-07-20 19:11:21      --------      d-----w      C:\Program Files\Windows NT
2007-07-20 19:11:20      --------      d-----w      C:\Program Files\MP3 Workshop
2007-07-20 19:11:18      --------      d-----w      C:\Program Files\Symantec
2007-07-20 19:11:17      --------      d-----w      C:\Program Files\nLite
2007-07-20 19:11:14      --------      d-----w      C:\Program Files\BitLord
2007-07-20 19:10:48      --------      d-----w      C:\Program Files\Messenger
2007-07-20 19:10:48      --------      d-----w      C:\Program Files\MagicDisc
2007-07-20 19:10:46      --------      d-----w      C:\Program Files\Advanced Spyware Remover
2007-07-20 05:53:54      --------      d-----w      C:\Program Files\No-IP
2007-07-17 13:35:51      --------      d-----w      C:\DOCUME~1\John\APPLIC~1\Nokia
2007-06-21 07:11:13      848      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-20 12:29:41      --------      d-----w      C:\Program Files\Companion Suite IH West Setup Files V1_1_2
2007-06-20 06:19:57      --------      d-----w      C:\Program Files\Toolbar
2007-06-18 11:03:59      875,432      --sha-w      C:\WINDOWS\system32\qqtwa.bak2
2007-06-16 09:07:31      24,576      ----a-w      C:\WINDOWS\system32\VundoFixSVC.exe
2007-06-08 14:58:27      --------      d-----w      C:\Program Files\Common Files\Corel
2007-06-08 14:58:24      --------      d-----w      C:\Program Files\Corel
2007-05-30 07:00:52      --------      d-----w      C:\DOCUME~1\John\APPLIC~1\Design Science
2007-05-16 15:12:02      683,520      ----a-w      C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15      144,896      ----a-w      C:\WINDOWS\system32\schannel.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28      440384      --a------      C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02      37808      ---------      C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E99AEFA-B519-4644-B48A-49422793C736}]
                  C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29      198136      --a------      C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
2006-08-20 19:55      81920      --a------      C:\Program Files\Free Download Manager\iefdmcks.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8F76A81-1346-4DC5-A342-91CEA9CBB5Cd}]
                  C:\WINDOWS\system32\jwgkpmcy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
"NWEReboot"="" []
"LClock"="C:\Program Files\LClock\LClock.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 00:24]

C:\DOCUME~1\John\STARTM~1\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-03-19 11:46:30]
Shortcut to WetEnd_E.lnk - C:\DPLcpmsbackup\wetend_db\WetEnd_E.exe [2007-03-12 12:14:57]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 13:21:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqq]
C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmmt32]
winmmt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusqro]
wvusqro.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Dinesh#C_d]
AutoRun\command- X:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\
explore\Command- C:\camp.exe
open\Command- C:\camp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\
explore\Command- D:\camp.exe
open\Command- D:\camp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\
explore\Command- E:\camp.exe
open\Command- E:\camp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\
explore\Command- H:\camp.exe
open\Command- H:\camp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dfd0257-af6b-11db-9e4b-00188b1d4c75}]
Auto\command- I:\AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c768a308-ddc9-11db-9ea8-00188b1d4c75}]
Auto\command- AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f71192f8-249e-11dc-9b70-00188b1d4c75}]
Auto\command- H:\AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

*Newly Created Service* - PXHELP20

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 17:37:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-20 17:38:44
C:\ComboFix-quarantined-files.txt ... 2007-07-20 17:37

      --- E O F ---
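An added example, not code from this thread or from ComboFix: a small Python parser for the `mountpoints2` part of a ComboFix "Reg Loading Points" listing like the one posted above. It shows what the later advice to delete that key is about. Explorer keeps per-drive shell verbs under MountPoints2, and in this log the `open` and `explore` verbs for C:, D:, E: and H: point at camp.exe instead of the drive root, which is exactly why right-clicking a drive no longer opens it. The sample text is constructed from the key layout in the log above (the F: entry is a made-up clean control), and the "runs a program" pattern is this example's own heuristic, not anything ComboFix itself applies.

```python
import re

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points" section.
# The C, ##Dinesh#C_d and {7dfd0257-...} keys mirror entries in the log posted above;
# the F key is a made-up clean entry added for contrast.
SAMPLE_MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\
explore\Command- C:\camp.exe
open\Command- C:\camp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Dinesh#C_d]
AutoRun\command- X:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dfd0257-af6b-11db-9e4b-00188b1d4c75}]
Auto\command- I:\AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
"""

# "[HKEY_...\mountpoints2\<drive or volume id>]" opens a block of shell verbs.
KEY_RE = re.compile(r"^\[(.+)\]$")
# Each verb line looks like "open\Command- <what Explorer runs for that verb>".
VERB_RE = re.compile(r"^(\w+)\\command-\s*(.*)$", re.IGNORECASE)
# A shell verb on a drive root should resolve to the root itself (e.g. "C:\"), never to
# a program or a script host. This pattern is the example's own heuristic.
SUSPICIOUS_RE = re.compile(
    r"\.(exe|vbs|bat|cmd|scr|pif)\b|rundll32|wscript|cscript", re.IGNORECASE
)


def find_hijacked_mountpoints(text):
    """Return {mountpoint: [(verb, command), ...]} for verbs that run a program."""
    findings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Keep only the last path component: the drive letter or volume GUID.
            current = key.group(1).rsplit("\\", 1)[-1]
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            name, command = verb.groups()
            if SUSPICIOUS_RE.search(command):
                findings.setdefault(current, []).append((name, command))
    return findings


if __name__ == "__main__":
    for mountpoint, verbs in find_hijacked_mountpoints(SAMPLE_MOUNTPOINTS).items():
        print(mountpoint)
        for name, command in verbs:
            print(f"   {name}: {command}")
```

Run against the sample, the C: entry and the network-share entry come back with their `explore` and `open` verbs, the volume-GUID entry with its `Auto` and `AutoRun` verbs, and the clean F: entry is not reported. On a live machine the same keys can be read with `reg query` and compared the same way; cleaning them (as advised later in the thread) restores the default drive-root behaviour.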
 
tombutu (Author) commented:


SDFix: Version 1.92

Run by John on 2007-07-21 at 10:03

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\csrss.exe  - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\DPLcpmsbackup\\wetend_db\\WetEnd_E.exe"="C:\\DPLcpmsbackup\\wetend_db\\WetEnd_E.exe:*:Enabled:WetEnd_E"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\camp.exe
C:\.Trash-1000\files\camp.exe
C:\GH\GALACTA.EXE
C:\WINDOWS\system32\drivers\intel.exe
C:\WINDOWS\system32\KGyGaAvL.sys
C:\.Trash-1000\files\Free Download Manager\tic5FE8.tmp
C:\Documents and Settings\John\Desktop\~WRL2948.tmp
C:\Key\APPLICATIONS\~WRL0004.tmp
C:\SPECIAL\DHRM I&II\B. RESEARCH\~WRL0004.tmp
C:\SPECIAL\DHRM I&II\B. RESEARCH\~WRL1488.tmp
C:\SPECIAL\DHRM I&II\B. RESEARCH\~WRL2055.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\COUNSELLING\~WRL0321.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\COUNSELLING\~WRL3093.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL0633.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL0778.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL2391.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL2490.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL2601.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL2647.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\FINANCIAL MAGT\~WRL3709.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\RE PROPOSAL FINAL\~WRL2906.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\RE PROPOSAL FINAL\~WRL4061.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL0370.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL0933.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL1669.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL1737.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL2782.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL2911.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL3235.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL3496.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\STRATEGIC HRM\~WRL3850.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\strategic management\~WRL0897.tmp
C:\SPECIAL\DHRM I&II\KEN - KIM\strategic management\~WRL1657.tmp
C:\SPECIAL\Human Resources\Account Opening\~WRL0001.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL1233.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL1429.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL1862.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL1927.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL2328.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL2357.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL2534.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL2694.tmp
C:\SPECIAL\Human Resources\ATTACHMENT\~WRL3469.tmp
C:\SPECIAL\Human Resources\Confirmation of Appointment\~WRL0514.tmp
C:\SPECIAL\Human Resources\Confirmation of Appointment\~WRL3048.tmp
C:\SPECIAL\Human Resources\House Keeping & Safety\~WRL0001.tmp
C:\SPECIAL\Human Resources\Memorandums and Agreements\~WRL0001.tmp
C:\SPECIAL\Human Resources\NHIF\~WRL0164.tmp
C:\SPECIAL\Human Resources\Training & Trainers\~WRL0001.tmp
C:\SPECIAL\Human Resources\VEHICLES\~WRL0001.tmp
C:\SPECIAL\Human Resources\Warning 2nd\Warning 1st\~WRL0324.tmp
C:\SPECIAL\Human Resources\Warning Explanation Request\~WRL2075.tmp
C:\SPECIAL\Immigration\~WRL0003.tmp
C:\SPECIAL\Immigration\~WRL0705.tmp
C:\SPECIAL\Immigration\~WRL1265.tmp
C:\SPECIAL\Immigration\~WRL1747.tmp
C:\SPECIAL\Immigration\~WRL2576.tmp
C:\SPECIAL\Immigration\~WRL2695.tmp
C:\SPECIAL\Immigration\~WRL2784.tmp
C:\SPECIAL\LABOUR LAWS\KEN HRM F\IRUNGU\Personal\~WRL0001.tmp
C:\SPECIAL\LABOUR LAWS\KEN HRM F\Personal\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\ACTING ALLOWANCE - CASUALS\~WRL0956.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Account Opening\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL1233.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL1429.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL1862.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL1927.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL2328.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL2357.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL2534.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL2694.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\ATTACHMENT\~WRL3469.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Confirmation of Appointment\~WRL3048.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\House Keeping & Safety\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL0003.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL0705.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL1265.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL1747.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL2576.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL2695.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Immigration\~WRL2784.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Induction Schedules\~WRL0589.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Induction Schedules\~WRL2287.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Induction Schedules\~WRL3834.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Memorandums and Agreements\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Training & Trainers\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\VEHICLES\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Human Resources\Warning 2nd\Warning 1st\~WRL0324.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\RE PROPOSAL FINAL\~WRL2906.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\RE PROPOSAL FINAL\~WRL4061.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL0370.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL0933.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL1669.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL1737.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL2782.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL2911.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL3235.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL3496.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\STRATEGIC HRM\~WRL3850.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\strategic management\~WRL0897.tmp
C:\SPECIAL\Raymond\Kennedy\KEN - KIM\strategic management\~WRL1657.tmp
C:\SPECIAL\Raymond\Kennedy\KEN HRM F\IRUNGU\Personal\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\KEN HRM F\Personal\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\KENNEDY H-RESOURCES STUDY\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\KENNEDY H-RESOURCES STUDY\~WRL0003.tmp
C:\SPECIAL\Raymond\Kennedy\KENNEDY H-RESOURCES STUDY\~WRL0464.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\My Documents\OTHER CORRESPONDENCES\~WRL1374.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Account Opening\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\FULL AND FINALS\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\FULL AND FINALS\~WRL0005.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\House Keeping & Safety\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Memorandums and Agreements\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Regrets applications\~WRL0351.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\Margaret\LETTERS\~WRL0350.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\Margaret\LETTERS\~WRL2410.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\Margaret\LETTERS\~WRL3407.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\Margaret\LETTERS\~WRL3547.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL1101.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL1235.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL1249.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL2679.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL2893.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL3179.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Shared Folder\operations\My Documents\~WRL3422.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Training & Trainers\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\VEHICLES\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\Mutua\PERSONNEL\Human Resources\Warning 2nd\Warning 1st\~WRL0324.tmp
C:\SPECIAL\Raymond\Kennedy\Salary Increment - MGT\~WRL0001.tmp
C:\SPECIAL\Raymond\Kennedy\TIME CLOCK\~WRL0003.tmp
C:\SPECIAL\Raymond\letters\~WRL0894.tmp
C:\SPECIAL\Raymond\letters\~WRL1989.tmp
C:\SPECIAL\Raymond\letters\~WRL2659.tmp
C:\SPECIAL\Salary Increment - MGT\~WRL0001.tmp

                                 Finished
 
rpggamergirl commented:
Please run Hijackthis and fix these entries while all browsers and other windows are closed:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\csrss.exe"
O2 - BHO: (no name) - {3E99AEFA-B519-4644-B48A-49422793C736} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8F76A81-1346-4DC5-A342-91CEA9CBB5Cd} - C:\WINDOWS\system32\jwgkpmcy.dll (file missing)
O4 - HKLM\..\Run: [j8241431] rundll32 C:\WINDOWS\system32\j8241431.dll sook
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll (file missing)
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O20 - Winlogon Notify: wvusqro - wvusqro.dll (file missing)


C:\WINDOWS\system32\qqtwa.bak2 <-- this is a Vundo file (though harmless); delete it if still present.

Did you run Flash_Disinfector?
If you didn't yet, please run it.

C:\camp.exe <-- delete this one on reboot with Killbox, or in Safe Mode.

Also delete this registry key if still present:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
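An added example, not code from this thread, from HijackThis or from any of the posters: a short Python triage script that applies the reasoning rpggamergirl used in this reply and in her earlier one. It reads lines in HijackThis v1.99 format and flags the F2 entry whose Shell= value is no longer just Explorer.exe, load points whose file is reported missing, Run entries launched through rundll32, and Winlogon Notify DLLs listed without a path. The sample log is a constructed excerpt modelled on the log posted above; the heuristics are this example's own and are meant to surface entries for a person to verify, not to decide on their own.

```python
import re

# Constructed sample: a few lines in HijackThis v1.99 format, modelled on the log
# posted above (the entries the expert flagged plus three benign ones for contrast).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\csrss.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3E99AEFA-B519-4644-B48A-49422793C736} - C:\WINDOWS\system32\awtqq.dll (file missing)
O4 - HKLM\..\Run: [j8241431] rundll32 C:\WINDOWS\system32\j8241431.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
"""

# Every HijackThis entry starts with a section tag (R0, F2, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def triage(log_text):
    """Return [(entry_line, [reason, ...]), ...] for entries worth a closer look.

    The heuristics are deliberately simple and are an assumption of this example,
    not HijackThis's own logic: they surface entries for a human to verify.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # headers, the process list and blank lines are not entries
        section, body = match.groups()
        reasons = []

        # A load point whose file is gone is left-over persistence; a vendor
        # does not register a BHO or Notify DLL and then delete the file.
        if body.endswith("(file missing)"):
            reasons.append("registry still references a file that no longer exists")

        # F2: the system.ini Shell= value should be exactly Explorer.exe. Anything
        # appended to it is started alongside the desktop at every logon.
        if section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                reasons.append(f"Winlogon shell is {shell!r} instead of Explorer.exe")

        # O4: a Run value that goes through rundll32 keeps the real payload in a
        # DLL; check that DLL's publisher and creation date before trusting it.
        if section == "O4" and "rundll32" in body.lower():
            reasons.append("Run entry launches a DLL through rundll32")

        # O20: Winlogon Notify DLLs are loaded by winlogon.exe with SYSTEM rights;
        # a bare filename with no directory is unusual for a vendor-installed one.
        if section == "O20":
            target = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if "\\" not in target:
                reasons.append("Winlogon Notify DLL listed without a full path")

        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

On the sample, the four entries that come back are the F2 shell override, the orphaned awtqq BHO, the rundll32 Run value and the winmmt32 Notify entry (that last one for two reasons at once), while the Yahoo toolbar, ctfmon.exe and WgaLogon lines pass. The same rules applied to the full log above reproduce the fix list in this reply, which is the point: the entries are suspicious for structural reasons that a script can check, not only because of their names.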