BleepingComputer.com: Help removing Kryptik.VP Trojan

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

Help removing Kryptik.VP Trojan

#1 User is offline   Cryogen476 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 16
  • Joined: 17-February 09

Posted 30 June 2009 - 02:12 PM

Hello,

I was recently infected with a Trojan a couple days ago (from a random website I visited). I ran a Virus scan using NOD32 and it seemed to clean out most of the problems I was having, yet I know the entire Trojan has not been removed yet. Any program that I use minimizes every once in a while and a get a pop-up saying I am infected (not from my anti virus program) while also starting up IExplorer in the background (i can only see it in the Task Manager).

I have attached my NOD32 scan log and HJT scan

NOD32

Scan performed at: 6/29/2009 14:43:03 PM
Scanning Log
NOD32 version 4197 (20090629) NT
Command line: c:\documents and settings\all users\application data\11834214\11834214.exe c:\documents and settings\all users\application data\91844206\91844206.exe C:\WINDOWS\msa.exe C:\Documents and Settings\Rohin\Rohin.exe
Operating memory - a variant of Win32/Kryptik.VP trojan

Date: 29.6.2009 Time: 14:43:39
Scanned disks, folders and files: c:\documents and settings\all users\application data\11834214\11834214.exe; c:\documents and settings\all users\application data\91844206\91844206.exe; C:\WINDOWS\msa.exe; C:\Documents and Settings\Rohin\Rohin.exe
c:\documents and settings\all users\application data\11834214\11834214.exe - Win32/Adware.SystemSecurity application - deleted
c:\documents and settings\all users\application data\91844206\91844206.exe - Win32/Adware.SystemSecurity application - deleted
C:\WINDOWS\msa.exe - a variant of Win32/Kryptik.VP trojan
C:\Documents and Settings\Rohin\Rohin.exe - a variant of Win32/Wigon.KT trojan
Number of scanned files: 4
Number of threats found: 4
Number of files cleaned: 4
Time of completion: 14:43:53 Total scanning time: 14 sec (00:00:14)

Notes:
[2] File is being used (open or running). System restart is required for the cleaning to complete.


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:33 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\jcqltjy64c.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\uyosbl5n8b.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\uyosbl5n8b.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GrabIt\GrabIt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\system.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\win.exe
C:\DOCUME~1\Rohin\LOCALS~1\Temp\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/en/index.php?rvs=hompag&d=79919289
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Decal] "C:\Program Files\Decal 3.0\DenAgent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [b0311a3c] rundll32.exe "C:\WINDOWS\system32\skjgwkkj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Rohin\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [Rohin] C:\Documents and Settings\Rohin\Rohin.exe /i
O4 - HKCU\..\Run: [] C:\DOCUME~1\Rohin\LOCALS~1\Temp\uyosbl5n8b.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Rohin\LOCALS~1\Temp\uyosbl5n8b.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Rohin\LOCALS~1\Temp\lsass.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149125133703
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\citrix\system32\mfaphook.dll
O20 - Winlogon Notify: eFWqonKb - eFWqonKb.dll (file missing)
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\sdjee3inf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8347 bytes


Any help would be appreciated.

Thanks,
-Cryo

#2 User is offline   schrauber 

  • Mr.Mechanic
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 21,111
  • Joined: 03-May 08
  • Gender:Male
  • Location:Saarland,Germany

Posted 04 July 2009 - 02:48 AM

Hello Cryogen476 and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 09 July 2009 - 06:00 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 12 July 2009 - 12:27 PM

Thread reopened at request of topic starter. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 User is offline   Cryogen476 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 16
  • Joined: 17-February 09

Posted 12 July 2009 - 01:07 PM

Hello,

Thanks for reopening!

DDS (Ver_09-06-26.01) - NTFSx86
Run by Rohin at 13:58:50.17 on Sun 07/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.510 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rohin\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toggle.com/en/index.php?rvs=hompag&d=79919289
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: c:\windows\system32\sdjee3inf.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\sdjee3inf.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gaim] c:\program files\gaim\gaim.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Cognac] c:\docume~1\rohin\locals~1\temp\b.exe
uRun: [Rohin] c:\documents and settings\rohin\Rohin.exe /i
uRun: [<NO NAME>] c:\docume~1\rohin\locals~1\temp\jqrzc.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\rohin\locals~1\temp\uzwycu.exe
uRun: [Windows System Recover!] c:\docume~1\rohin\locals~1\temp\notepad.exe
uRun: [bw1bakg4d1w5kdt75l9i6xi] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [pp5a7xoc09vkhhwotcm2s0vw1u] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [xc4e5nhfw1bg8pcg7wth] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [qri4ttrijipochlnnt7vw3u] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [j1g6pna5j7whfst43ox0z7t2avty3] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [vcry1o13pn3vlurx36] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [io683ah3qodyzav8f] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [vsrdp8hvkzul26yeldalztsnb42ku] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [dmkpae21eeb] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [scnmbf6efnekko8usjt5qv8kua9a] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [y9t8l5tvnbsbg4k4pots2div2tpa4g] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [fdjq8hz1qdwr0] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [p3omspmfmx3pltfzksj6dgm5dydz] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [mscxiguwxa40l03c4tdrv] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [tqidz8ak06b6od4bluw339nhh] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [dwgveiw9sw01dil4r] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [povmofcl0tpwu2g1tkcz] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [e93wn74182yoy] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [lpjb1gaozizzixjde] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [luno5v8z836qif] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [xtwlgnoq4a8dr] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [tx4rlnyf6w8nrn2v19789drngvb] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [klp02j1p1431u2] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [jlx0qfw95olusuhq0ohevg0o83sa54] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [i8qof00iovbfizo4n] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [mt2qhaw3x96h4juhakvwatv4h9u2] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [etrp8k8vrfms2] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [ntl7o1knxihtjqrr0amuj] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [qfvkbc3o3ea0030ofim7] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [uiq5p7w4c1iqfu] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [v9nz449tkw7osntj] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [a6981zxp62iuuyarv6bee9v] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [t093osj7e2pppjzsdw] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [syx6xjd3tnb3fv58nwgx] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [r8ezjnlc3b47t] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [eb8a4nf8oq2jgnpky93jjibg9x4xpq] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [lfb2ap2opau24m75uiwhmk45hsi0rd] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [u58lsh0esr1hkn7r5g36] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [pgdqze7nb4c2car2f1xbxamb4z4c] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [g88v2zzfyypr2gj6vc5q0wcqt8g] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [o7ip46r9ex3rf5bespffheff2fn] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [lkczfwdloa9qch] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [rj1ojmfc7hkb28i87nvjriungjw] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [su788205zlwftc3l6c] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [ninui6bkrxxnpdwlq293hgz] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [cggefa476a16qh1buyj5rmn7q6r] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [tz32bxgd4oy3axn] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [d4yuvj708mumczqdkj] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [d3fyqm5p42ky] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [tsaoaghw6l22lbhan3tt87ruoingd8] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [f6kbhsuiov7u9dda] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [fmil67w3wwjpnvc] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [pf36g0wqnfbo] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [r0vxetzpi6y3pbntk2474hhe5sdg7] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [dvfcohvhatg31g8br71f] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [kfacz0fapb0enbb85v] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [eb66d00ajrbq5pfm75mouw] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [q3w5f7eu30m9fx] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [wmmozf9n9qtl6phn02xzge45go2] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [sgo1vmhgtnqmqhfiwfqk9kkz5o8jp] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
uRun: [ho33ymqcbpbcscdo5xe] c:\docume~1\rohin\locals~1\temp\asa7hridf.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [POINTER] point32.exe
mRun: [nwiz] nwiz.exe /install
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Decal] "c:\program files\decal 3.0\DenAgent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [b0311a3c] rundll32.exe "c:\windows\system32\skjgwkkj.dll",b
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rohin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Save with Download Manager... - c:\program files\j river\media jukebox\DMDownload.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
LSP: c:\windows\system32\imon.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149125133703
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: eFWqonKb - eFWqonKb.dll
AppInit_DLLs: c:\progra~1\citrix\system32\mfaphook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\sdjee3inf.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\sdjee3inf.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvuVmMca

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rohin\applic~1\mozilla\firefox\profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2007-5-24 22968]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-7-5 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-7-5 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1005904]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-9-6 507904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2007-7-5 237568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-14 24652]
S1 hyittokh;hyittokh;\??\c:\windows\system32\drivers\hyittokh.sys --> c:\windows\system32\drivers\hyittokh.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-02 14:17 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-02 14:17 1,409 a------- c:\windows\QTFont.for
2009-06-29 02:00 93 a------- c:\windows\system32\hjgruimtlrnogs.dat
2009-06-29 01:59 44 a------- c:\windows\system32\p2hhr.bat
2009-06-29 01:59 15,000 a------- c:\windows\system32\sdjee3inf.dll
2009-06-29 01:59 10 a------- c:\windows\system32\kr_done1
2009-06-29 01:59 155,648 a------- c:\windows\system32\tpsaxyd.exe
2009-06-29 01:59 8 a------- c:\windows\system32\comsa32.sys
2009-06-29 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\91844206
2009-06-29 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11834214
2009-06-29 01:59 18,944 a------- c:\windows\system32\hjgruilqyomqhb.dll
2009-06-29 01:58 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-29 01:58 68,096 a------- c:\windows\system32\drivers\hjgruirelngfvp.sys
2009-06-29 01:58 43,520 a------- c:\windows\system32\hjgruiiqvdksru.dll
2009-06-29 01:58 1,385 a------- c:\windows\system32\hjgruimowylyfu.dat
2009-06-29 01:51 871,327 a------- c:\windows\system32\rn.tmp
2009-06-22 00:44 14,572,784 a------- c:\program files\ghost_w32.exe
2009-06-22 00:07 <DIR> --d----- c:\program files\Atari

==================== Find3M ====================

2009-06-01 11:37 317,436 a------- c:\windows\system32\taskmgrþ.exe
2009-06-01 02:16 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2006-09-05 22:47 835 a------- c:\program files\Shortcut to white.lnk
2009-02-18 00:06 15,289 a--sh--- c:\windows\system32\acMmVuvw.ini2
2009-02-17 23:10 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-02-17 23:10 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-02-17 23:10 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:59:27.09 ===============

-Cryo

Attached File(s)


#6 User is offline   htv8 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,694
  • Joined: 08-October 05
  • Gender:Male
  • Location:The Netherlands

Posted 13 July 2009 - 03:23 AM

Hello, Cryogen476.

Welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up.

Please take note of the following:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • Please don't run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
  • If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
  • Please reply to this thread. Do not start a new topic.
Reviewing your log(s) requires an amount of research, so please be patient. Thanks.

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#7 User is offline   htv8 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,694
  • Joined: 08-October 05
  • Gender:Male
  • Location:The Netherlands

Posted 13 July 2009 - 07:43 AM

Hello, Cryogen476.


Posted Image One or more of the identified infections is a backdoor trojan. Posted Image Such a piece of malware allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the Internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. It would be wise to contact those same financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?.

Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read this reference very carefully: When should I re-format? How should I reinstall?.
If you choose to format and reinstall, see this link for instructions: Reformat Hard Drive FAQ for Windows 95/98/Me/XP.

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you disinfect your PC, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
Below are some more links that could help you decide what to do.
Security Management - May 2004:
Help: I Got Hacked. Now What Do I Do?

Security Management - July 2004:
Help: I Got Hacked. Now What Do I Do? Part II


If you do still want to continue in an attempt to clean the machine, then follow the instructions below.

Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Posted Image Peer-to-peer (P2P) program WARNING Posted Image
Your log shows that you are using a so called peer-to-peer or file sharing program (in your case BitTornado 0.3.15). Programs like this one allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file sharing tools as a tremendous amount of prospective victims can be reached through it. It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File Sharing, otherwise known as Peer To Peer. (P2P) and Risks of File-Sharing Technology.

Avoid gaming sites, pirated software, cracking tools, keygens, and P2P file sharing programs:
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious flash ads that install viruses, trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. It is pretty much certain that if you continue to use P2P programs, you will get infected again.

Due to the reasons mentioned above, I would strongly recommend that you uninstall BitTornado. The choice to remove it is entirely up to you, however, but I would strongly recommend that you get rid of it. If you agree, go to Start > Control Panel > Add or Remove Programs and remove BitTornado 0.3.15. If you do not agree, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #1: Viewpoint removal
Viewpoint is considered foistware instead of malware because it is installed without users approval, but doesn't spy or do anything "bad". This changed from what we know in 2006. You may like to read this article about the potential of this Viewpoint software here: Viewpoint to Plunge Into Adware - ClickZ.

I suggest you remove the program now. Click on Start > Run... and then paste the following into the "Open:" field: appwiz.cpl. Then press OK. From within Add or Remove Programs uninstall the following if they exist:
  • Viewpoint Manager (Remove Only)
  • Viewpoint Media Player
  • Viewpoint Toolbar
Step #2: ComboFix
We need to run sUBs' ComboFix:
  • Please download ComboFix from any of the links below and save it to your Desktop.
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double-click ComboFix.exe and follow the prompts.

    As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed." Please continue as follows:
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt); post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

Quote

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again. Please read ComboFix's Disclaimer.

Step #3: DDS scan
Please scan with DDS again and provide a new DDS log in your next reply.

So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • a new DDS log
NOTE: Use several posts if necessary to include everything in the requested logs.

Also please answer this question: Have you installed the Wootalyzer! application (a deal-a-day tracker?) yourself, and do you use it?
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#8 User is offline   Cryogen476 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 16
  • Joined: 17-February 09

Posted 13 July 2009 - 05:11 PM

Hello htv8,

Here are the two logs

ComboFix 09-07-13.01 - Rohin 07/13/2009 17:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.573 [GMT -4:00]
Running from: c:\documents and settings\Rohin\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Rohin\LOCALS~1\Temp\csrss.exe
c:\docume~1\Rohin\LOCALS~1\Temp\services.exe
c:\docume~1\Rohin\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Rohin\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\91844206.ini
c:\documents and settings\Ctx_StreamingSvc\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\NetworkService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Rohin\Application Data\wiaserva.log
c:\documents and settings\Rohin\Desktop\Download programs.url
c:\documents and settings\Rohin\Desktop\Translator.url
c:\documents and settings\Rohin\Desktop\Videos.url
c:\documents and settings\Rohin\Favorites\Download programs.url
c:\documents and settings\Rohin\Favorites\Games.url
c:\documents and settings\Rohin\Favorites\Translator.url
c:\documents and settings\Rohin\Favorites\Videos.url
c:\documents and settings\Rohin\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Rohin\Start Menu\Programs\Download programs.url
c:\documents and settings\Rohin\Start Menu\Programs\Games.url
c:\documents and settings\Rohin\Start Menu\Programs\Translator.url
c:\documents and settings\Rohin\Start Menu\Programs\Videos.url
c:\windows\Install.txt
c:\windows\system32\acMmVuvw.ini
c:\windows\system32\acMmVuvw.ini2
c:\windows\system32\bteivsvy.ini
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\hjgruirelngfvp.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\hjgruiiqvdksru.dll
c:\windows\system32\hjgruilqyomqhb.dll
c:\windows\system32\hjgruimowylyfu.dat
c:\windows\system32\hjgruimtlrnogs.dat
c:\windows\system32\Install.txt
c:\windows\system32\jkkwgjks.ini
c:\windows\system32\kirudgxm.ini
c:\windows\system32\kr_done1
c:\windows\system32\msncache.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\sdjee3inf.dll
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

c:\windows\system32\grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-06-29 05:59 . 2009-06-29 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\91844206
2009-06-29 05:59 . 2009-06-29 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\11834214
2009-06-22 04:51 . 2009-06-22 04:51 -------- d-----w- c:\documents and settings\Rohin\Local Settings\Application Data\GHOSTBUSTERS ™
2009-06-22 04:44 . 2009-05-26 16:24 14572784 ----a-w- c:\program files\ghost_w32.exe
2009-06-22 04:42 . 2009-06-22 04:42 -------- d--h--r- c:\documents and settings\Rohin\Application Data\SecuROM
2009-06-22 04:07 . 2009-06-22 15:34 -------- d-----w- c:\program files\Atari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 21:57 . 2007-01-22 08:03 -------- d-----w- c:\documents and settings\Rohin\Application Data\.gaim
2009-07-13 20:50 . 2008-07-16 22:29 -------- d-----w- c:\documents and settings\Rohin\Application Data\Skype
2009-07-13 20:01 . 2008-07-16 22:30 -------- d-----w- c:\documents and settings\Rohin\Application Data\skypePM
2009-07-13 18:41 . 2006-06-01 02:01 -------- d-----w- c:\program files\Viewpoint
2009-07-13 18:41 . 2006-06-01 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-13 18:40 . 2007-01-25 21:04 -------- d-----w- c:\documents and settings\Rohin\Application Data\uTorrent
2009-07-13 05:51 . 2006-09-03 22:58 -------- d-----w- c:\program files\Warcraft III
2009-07-02 18:47 . 2008-11-22 21:07 -------- d-----w- c:\program files\VideoLAN
2009-06-29 05:52 . 2009-06-29 05:51 871327 ----a-w- c:\windows\system32\rn.tmp
2009-06-22 04:31 . 2006-06-01 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 22:38 . 2008-12-20 03:29 -------- d-----w- c:\documents and settings\Rohin\Application Data\dvdcss
2009-06-18 17:26 . 2008-08-23 19:57 -------- d-----w- c:\documents and settings\Rohin\Application Data\GrabIt
2009-06-01 15:37 . 2008-12-03 01:42 317436 ----a-w- c:\windows\system32\taskmgrþ.exe
2009-06-01 06:16 . 2009-06-01 06:16 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-01 06:16 . 2009-06-01 06:16 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-01 06:16 . 2009-06-01 06:16 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-01 06:16 . 2009-02-18 02:35 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 06:16 . 2009-06-01 06:16 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-01 06:16 . 2009-06-01 06:16 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-01 06:16 . 2009-06-01 06:16 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-01 06:16 . 2009-06-01 06:16 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-01 06:15 . 2009-06-01 06:15 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-01 06:15 . 2009-06-01 06:15 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-01 06:15 . 2009-06-01 06:15 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-01 06:15 . 2009-06-01 06:15 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-01 06:15 . 2009-06-01 06:15 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-01 06:15 . 2009-06-01 06:15 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-01 06:15 . 2009-06-01 06:15 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-01 06:15 . 2009-06-01 06:15 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-01 06:15 . 2009-06-01 06:15 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-01 06:15 . 2009-06-01 06:15 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-07 15:44 . 2004-08-04 05:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-02-09 00:34 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 05:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 06:15 . 2009-04-27 06:15 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-27 06:15 . 2009-02-17 07:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 09:58 . 2005-02-01 00:49 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-08-04 05:56 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2006-09-06 02:47 . 2006-09-06 02:47 835 ----a-w- c:\program files\Shortcut to white.lnk
2008-12-19 04:22 . 2006-06-01 01:37 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 04:22 . 2006-06-01 01:37 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 04:22 . 2007-08-06 14:27 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 04:22 . 2007-08-06 14:27 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 04:22 . 2006-06-01 01:37 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Gaim"="c:\program files\Gaim\gaim.exe" [2005-08-12 69793]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 69632]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-09-07 921600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-01 518488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Rohin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rohin^Start Menu^Programs^Startup^realshed.exe]
path=c:\documents and settings\Rohin\Start Menu\Programs\Startup\realshed.exe
backup=c:\windows\pss\realshed.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Documents and Settings\\Rohin\\My Documents\\DL\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\Warcraft III\\lancraft.exe"=
"c:\\Documents and Settings\\Rohin\\Desktop\\Versus\\System\\SCCT_Versus.exe"=
"c:\\Documents and Settings\\Rohin\\Desktop\\listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe"=
"c:\\Program Files\\ESET\\nod32kui.exe"=
"c:\\Program Files\\Comcast\\Desktop Doctor\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=
"c:\\Program Files\\Gaim\\gaim.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Comcast\\Desktop Doctor\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\ESET\\nod32.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/17/2009 3:15 AM 64160]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [5/24/2007 3:40 PM 22968]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [7/5/2007 3:45 PM 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [7/5/2007 4:50 PM 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1005904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [7/5/2007 3:56 PM 237568]
S1 hyittokh;hyittokh;\??\c:\windows\system32\drivers\hyittokh.sys --> c:\windows\system32\drivers\hyittokh.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 06:15]

2009-07-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Decal - c:\program files\Decal 3.0\DenAgent.exe
HKLM-Run-b0311a3c - c:\windows\system32\skjgwkkj.dll
HKLM-Run-POINTER - point32.exe
Notify-eFWqonKb - eFWqonKb.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toggle.com/en/index.php?rvs=hompag&d=79919289
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Save with Download Manager... - c:\program files\J River\Media Jukebox\DMDownload.htm
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Rohin\Application Data\Mozilla\Firefox\Profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 17:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-1844823847-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:c1,0b,7b,69,c9,d9,18,36,4a,2a,dc,24,c1,10,20,07,17,90,13,85,54,
80,14,bd,64,06,8a,22,0c,ac,98,ac,7c,06,8e,b4,94,0f,58,69,63,97,dd,06,ed,1e,\
"rkeysecu"=hex:7d,3a,62,81,50,91,31,d6,46,09,f7,3f,25,67,34,c5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\nview.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Citrix\System32\CdfSvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-07-13 18:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 22:01

Pre-Run: 33,692,987,392 bytes free
Post-Run: 33,853,247,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

294 --- E O F --- 2009-06-11 15:22


DDS LOG

DDS (Ver_09-06-26.01) - NTFSx86
Run by Rohin at 18:06:18.21 on Mon 07/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.485 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Rohin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toggle.com/en/index.php?rvs=hompag&d=79919289
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gaim] c:\program files\gaim\gaim.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rohin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Save with Download Manager... - c:\program files\j river\media jukebox\DMDownload.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
LSP: c:\windows\system32\imon.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149125133703
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rohin\applic~1\mozilla\firefox\profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2007-5-24 22968]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-7-5 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-7-5 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1005904]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-9-6 507904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2007-7-5 237568]
S1 hyittokh;hyittokh;\??\c:\windows\system32\drivers\hyittokh.sys --> c:\windows\system32\drivers\hyittokh.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-13 18:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-13 16:53 <DIR> a-dshr-- C:\cmdcons
2009-07-13 16:52 219,648 a------- c:\windows\PEV.exe
2009-07-13 16:52 161,792 a------- c:\windows\SWREG.exe
2009-07-13 16:52 98,816 a------- c:\windows\sed.exe
2009-07-02 14:17 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-02 14:17 1,409 a------- c:\windows\QTFont.for
2009-06-29 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\91844206
2009-06-29 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11834214
2009-06-29 01:51 871,327 a------- c:\windows\system32\rn.tmp
2009-06-22 00:44 14,572,784 a------- c:\program files\ghost_w32.exe
2009-06-22 00:07 <DIR> --d----- c:\program files\Atari

==================== Find3M ====================

2009-06-01 11:37 317,436 a------- c:\windows\system32\taskmgrþ.exe
2009-06-01 02:16 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2006-09-05 22:47 835 a------- c:\program files\Shortcut to white.lnk

============= FINISH: 18:06:35.14 ===============

I did install Wootalyzer myself, I have not used it for 3 months.

-Cryo

Attached File(s)


#9 User is offline   htv8 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,694
  • Joined: 08-October 05
  • Gender:Male
  • Location:The Netherlands

Posted 14 July 2009 - 11:26 AM

Hello again, Cryogen476! :thumbup2:

Based on what I see, you skipped step #1 of my previous post as you did not uninstall Viewpoint. I strongly recommend performing the Viewpoint removal step of my previous post prior to continuing with the instructions below.

View PostCryogen476, on Jul 14 2009, 12:11 AM, said:

[..] I did install Wootalyzer myself, I have not used it for 3 months. [..]
If you don't use Wootalyzer!, I would recommend uninstalling it by going to Start > Control Panel > Add or Remove Programs.


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Step #1: SystemLook
We need to create a log with jpshortstuff's SystemLook:
  • Please download SystemLook from one of the links below and save it to your Desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click SystemLook.exe to run SystemLook.
  • Copy the entire contents inside the CODE box below into the box provided:
    :dir
c:\documents and settings\All Users\Application Data\91844206 /s
c:\documents and settings\All Users\Application Data\11834214 /s

:filefind
grpconv.exe

  • Click the Look button to start the scan.
      When finished, a Notepad window will open with the results of the scan.

  • Please post the entire contents of the created log in your next reply.
    NOTE: The log can be found on your Desktop entitled SystemLook.txt.
Step #2: CFScript
We need to re-run ComboFix with some additional directives:
  • Close any open browsers/windows.
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Click Start > Run and in the box that opens type Notepad and press Enter.
  • Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
    DDS::
uStart Page = hxxp://www.toggle.com/en/index.php?rvs=hompag&d=79919289

Driver::
hyittokh

Folder::
c:\documents and settings\Rohin\Application Data\uTorrent

File::
c:\windows\system32\rn.tmp
c:\windows\system32\taskmgrþ.exe
c:\windows\system32\drivers\hyittokh.sys

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=-
"c:\\Documents and Settings\\Rohin\\My Documents\\DL\\utorrent.exe"=-
"c:\\WINDOWS\\system32\\cmd.exe"=-
"c:\\WINDOWS\\system32\\wuauclt.exe"=-
"c:\\WINDOWS\\system32\\taskmgr.exe"=-
"c:\\WINDOWS\\system32\\drwtsn32.exe"=-
"c:\\WINDOWS\\system32\\dwwin.exe"=-
"c:\\WINDOWS\\system32\\netsh.exe"=-
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Posted Image
    Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.
Step #3: DDS scan
Rescan with DDS and post their resultant fresh logs please.


So in your next reply, please post the entire contents of:
  • the SystemLook.txt log file (located on the Desktop)
  • C:\ComboFix.txt
  • the DDS.txt and Attach.txt log files
NOTE: Use several posts if necessary to include everything in the requested logs.

Can you please also answer these questions for me?
  • Have you installed the Serv-U FTP Server program yourself and do you use it?
  • Do you know to what this shortcut points: c:\program files\Shortcut to white.lnk. Please navigate to C:\Program Files and right-click the Schortcut to white.lnk file. Please tell me what's listed there.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#10 User is offline   Cryogen476 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 16
  • Joined: 17-February 09

Posted 14 July 2009 - 08:22 PM

Hi htv8!

I removed Viewpoint before but it is back on the list again :thumbup2:

When I hit the uninstall button I get this message.

" An error occurred while trying to remove Viewpoint Media Player. It may have already been uninstalled.
Would you like to remove Viewpoint Media Player from the add or remove programs list?"

Is this something to worry about? I don't know if it will come back later if I choose to remove it from the list. Should I just hit yes and continue? or do I need to do something else?

Thanks,
-Cryo

#11 User is offline   htv8 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,694
  • Joined: 08-October 05
  • Gender:Male
  • Location:The Netherlands

Posted 15 July 2009 - 04:53 AM

View PostCryogen476, on Jul 15 2009, 03:22 AM, said:

[..]

I removed Viewpoint before but it is back on the list again :thumbup2:

When I hit the uninstall button I get this message.

" An error occurred while trying to remove Viewpoint Media Player. It may have already been uninstalled.
Would you like to remove Viewpoint Media Player from the add or remove programs list?"

[..]
Choose "Yes" to remove Viewpoint's entries from the Add or Remove Programs list if you are not able to uninstall them, then just continue with the rest. Because you say that you removed Viewpoint before, those entries have probably already been uninstalled. We will remove Viewpoint's left-overs later on. :)
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#12 User is offline   Cryogen476 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 16
  • Joined: 17-February 09

Posted 15 July 2009 - 12:16 PM

Hi htv8,

All three logs

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:23 on 15/07/2009 by Rohin (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\All Users\Application Data\91844206 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\11834214 - Parameters: "/s"

---Files---
11834214.glu --a--- 64784 bytes [05:59 29/06/2009] [05:59 29/06/2009]
pc11834214cnf --a--- 56 bytes [15:28 29/06/2009] [15:28 29/06/2009]
pc11834214ins --a--- 0 bytes [15:28 29/06/2009] [15:31 29/06/2009]

No folders found.

========== filefind ==========

Searching for "grpconv.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\grpconv.exe --a--- 39424 bytes [01:22 18/09/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0

-=End Of File=-

Combofix

ComboFix 09-07-13.01 - Rohin 07/15/2009 12:30.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.621 [GMT -4:00]
Running from: c:\documents and settings\Rohin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rohin\Desktop\CFScript.txt
AV: Eset NOD32 antivirus system 2.51 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\drivers\hyittokh.sys"
"c:\windows\system32\rn.tmp"
"c:\windows\system32\taskmgrþ.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rohin\Application Data\uTorrent
c:\documents and settings\Rohin\Application Data\uTorrent\Guitar Hero III Legends of Rock Soundtrack.torrent
c:\documents and settings\Rohin\Application Data\uTorrent\Powderfinger - Odyssey Number Five.1.torrent
c:\documents and settings\Rohin\Application Data\uTorrent\Top 500 rock - cd 5 (401-500).torrent
c:\documents and settings\Rohin\Application Data\uTorrent\Tyler_Bates-300-(OST)-2007-KzT.torrent
c:\windows\system32\rn.tmp
c:\windows\system32\taskmgrþ.exe

c:\windows\system32\grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hyittokh


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-06-29 05:59 . 2009-06-29 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\91844206
2009-06-29 05:59 . 2009-06-29 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\11834214
2009-06-22 04:51 . 2009-06-22 04:51 -------- d-----w- c:\documents and settings\Rohin\Local Settings\Application Data\GHOSTBUSTERS ™
2009-06-22 04:44 . 2009-05-26 16:24 14572784 ----a-w- c:\program files\ghost_w32.exe
2009-06-22 04:42 . 2009-06-22 04:42 -------- d--h--r- c:\documents and settings\Rohin\Application Data\SecuROM
2009-06-22 04:07 . 2009-06-22 15:34 -------- d-----w- c:\program files\Atari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 16:37 . 2007-01-22 08:03 -------- d-----w- c:\documents and settings\Rohin\Application Data\.gaim
2009-07-15 16:37 . 2008-07-16 22:29 -------- d-----w- c:\documents and settings\Rohin\Application Data\Skype
2009-07-15 15:34 . 2008-07-16 22:30 -------- d-----w- c:\documents and settings\Rohin\Application Data\skypePM
2009-07-15 05:19 . 2008-08-23 19:57 -------- d-----w- c:\documents and settings\Rohin\Application Data\GrabIt
2009-07-15 04:27 . 2006-09-03 22:58 -------- d-----w- c:\program files\Warcraft III
2009-07-15 01:26 . 2007-01-17 01:46 -------- d-----w- c:\program files\KODAK
2009-07-13 18:41 . 2006-06-01 02:01 -------- d-----w- c:\program files\Viewpoint
2009-07-13 18:41 . 2006-06-01 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-02 18:47 . 2008-11-22 21:07 -------- d-----w- c:\program files\VideoLAN
2009-06-22 04:31 . 2006-06-01 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 22:38 . 2008-12-20 03:29 -------- d-----w- c:\documents and settings\Rohin\Application Data\dvdcss
2009-06-01 06:16 . 2009-06-01 06:16 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-01 06:16 . 2009-06-01 06:16 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-01 06:16 . 2009-06-01 06:16 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-01 06:16 . 2009-02-18 02:35 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 06:16 . 2009-06-01 06:16 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-01 06:16 . 2009-06-01 06:16 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-01 06:16 . 2009-06-01 06:16 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-01 06:16 . 2009-06-01 06:16 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-01 06:15 . 2009-06-01 06:15 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-01 06:15 . 2009-06-01 06:15 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-01 06:15 . 2009-06-01 06:15 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-01 06:15 . 2009-06-01 06:15 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-01 06:15 . 2009-06-01 06:15 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-01 06:15 . 2009-06-01 06:15 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-01 06:15 . 2009-06-01 06:15 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-01 06:15 . 2009-06-01 06:15 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-01 06:15 . 2009-06-01 06:15 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-01 06:15 . 2009-06-01 06:15 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-07 15:44 . 2004-08-04 05:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-02-09 00:34 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 05:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 06:15 . 2009-04-27 06:15 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-27 06:15 . 2009-02-17 07:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 09:58 . 2005-02-01 00:49 1846656 ----a-w- c:\windows\system32\win32k.sys
2006-09-06 02:47 . 2006-09-06 02:47 835 ----a-w- c:\program files\Shortcut to white.lnk
2008-12-19 04:22 . 2006-06-01 01:37 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 04:22 . 2006-06-01 01:37 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 04:22 . 2007-08-06 14:27 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 04:22 . 2007-08-06 14:27 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 04:22 . 2006-06-01 01:37 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-13_21.57.01 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Gaim"="c:\program files\Gaim\gaim.exe" [2005-08-12 69793]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 69632]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-09-07 921600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-01 518488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Rohin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rohin^Start Menu^Programs^Startup^realshed.exe]
path=c:\documents and settings\Rohin\Start Menu\Programs\Startup\realshed.exe
backup=c:\windows\pss\realshed.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\Warcraft III\\lancraft.exe"=
"c:\\Documents and Settings\\Rohin\\Desktop\\Versus\\System\\SCCT_Versus.exe"=
"c:\\Documents and Settings\\Rohin\\Desktop\\listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe"=
"c:\\Program Files\\ESET\\nod32kui.exe"=
"c:\\Program Files\\Comcast\\Desktop Doctor\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=
"c:\\Program Files\\Gaim\\gaim.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Comcast\\Desktop Doctor\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\ESET\\nod32.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/17/2009 3:15 AM 64160]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [5/24/2007 3:40 PM 22968]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [7/5/2007 3:45 PM 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [7/5/2007 4:50 PM 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1005904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [7/5/2007 3:56 PM 237568]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 06:15]

2009-07-15 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Rohin\Application Data\Mozilla\Firefox\Profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 12:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-1844823847-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:c1,0b,7b,69,c9,d9,18,36,4a,2a,dc,24,c1,10,20,07,17,90,13,85,54,
80,14,bd,64,06,8a,22,0c,ac,98,ac,7c,06,8e,b4,94,0f,58,69,63,97,dd,06,ed,1e,\
"rkeysecu"=hex:7d,3a,62,81,50,91,31,d6,46,09,f7,3f,25,67,34,c5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\nview.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Citrix\System32\CdfSvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-07-15 12:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 16:44
ComboFix2.txt 2009-07-13 22:02

Pre-Run: 32,402,571,264 bytes free
Post-Run: 32,364,605,440 bytes free

630 --- E O F --- 2009-06-11 15:22




DDS

DDS (Ver_09-06-26.01) - NTFSx86
Run by Rohin at 12:58:37.95 on Wed 07/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.404 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rohin\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gaim] c:\program files\gaim\gaim.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rohin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
LSP: c:\windows\system32\imon.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149125133703
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rohin\applic~1\mozilla\firefox\profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2007-5-24 22968]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-7-5 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-7-5 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1005904]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-9-6 507904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2007-7-5 237568]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-13 18:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-13 16:53 <DIR> a-dshr-- C:\cmdcons
2009-07-13 16:52 219,648 a------- c:\windows\PEV.exe
2009-07-13 16:52 161,792 a------- c:\windows\SWREG.exe
2009-07-13 16:52 98,816 a------- c:\windows\sed.exe
2009-07-02 14:17 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-02 14:17 1,409 a------- c:\windows\QTFont.for
2009-06-29 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\91844206
2009-06-29 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11834214
2009-06-22 00:44 14,572,784 a------- c:\program files\ghost_w32.exe
2009-06-22 00:07 <DIR> --d----- c:\program files\Atari

==================== Find3M ====================

2009-06-01 02:16 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2006-09-05 22:47 835 a------- c:\program files\Shortcut to white.lnk

============= FINISH: 12:58:54.90 ===============


I installed Serv U a long time ago and I just never uninstalled it.
The Shortcut to White.lnk is a shortcut to the game Black and White 2.

Thanks,
-Cryo

Attached File(s)


#13 User is offline   htv8 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,694
  • Joined: 08-October 05
  • Gender:Male
  • Location:The Netherlands

Posted 15 July 2009 - 08:04 PM

Hello again, Cryogen476. Good job so far! :thumbup2: We are making progress.

View PostCryogen476, on Jul 15 2009, 07:16 PM, said:

[..] I installed Serv U a long time ago and I just never uninstalled it. [..]
As the Serv-U FTP Server program is a legitimate program that is bundled with the Troj/Bdoor-ABW backdoor Trojan, it is sometimes categorized as "undesirable". Also see this reference: Serv-U FTP Server - ServUDaemon.exe - Program Information. I wanted to know if you installed it yourself, because if it was not, it should be removed. But if you don't use it, why not uninstall it? Uninstalling also frees up disk space and it may also speed up your system a bit.


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Posted Image WARNING Posted Image

Quote

NOD32 FiX v2.1
What's this? It looks to me that you are using a cracked ESET NOD32. The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk:

    Trend Micro said:

    Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.
    REFERENCE: Trend Micro - CRCK_KEYGEN.BB

    Trend Micro said:

    ...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
    REFERENCE: Crack Sites Distribute VIRUX and FakeAV | Malware Blog | Trend Micro.
When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a lot of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the Operating System.

Please remove all cracks and cracked software from your system. If you only use ESET NOD32 Antivirus for illegal purposes, please remove it (including the crack program) from your system using Add or Remove Programs (under Start > Control Panel), then install one good free antivirus as an alternative as it is very important that your computer has an antivirus software running on your machine. New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software. Also make sure you keep your antivirus program updated.
Two good antivirus programs free for non-commercial home use are avast! antivirus and Avira AntiVir.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Step #1: Update Java
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your Desktop:
    • Go to http://java.sun.com/javase/downloads/index.jsp.
    • Scroll down to where it says "Java SE Runtime Environment (JRE) JRE 6 Update 14".
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Review the License Agreement, and if you agree check the box that says: "I agree to the Java SE Runtime Environment 6u14 with JavaFX1 License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download the Windows Offline Installation and save the file to your Desktop.

  • Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
  • Go to Start > Control Panel, double-click Add or Remove Programs and uninstall all older versions of Java (by clicking the Remove or Change/Remove button next to each item and following the on-screen instructions for the Java uninstaller):
      J2SE Runtime Environment 5.0 Update 10
      J2SE Runtime Environment 5.0 Update 6
      J2SE Runtime Environment 5.0 Update 9
      Java™ 6 Update 2
      Java™ 6 Update 3
      Java™ SE Runtime Environment 6 Update 1

  • Reboot your computer once all Java components are removed.
  • From your Desktop, double-click the jre-6u14-windows-i586-p.exe file.
  • Follow the on-screen instructions to install the latest Java version.
Step #2: ComboFix CFScript (2nd time)
We need to re-run ComboFix with some additional directives:
  • Close any open browsers/windows.
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Click Start > Run and in the box that opens type Notepad and press Enter.
  • Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
    DDS::
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll

Driver::
Viewpoint Manager Service

Folder::
c:\documents and settings\All Users\Application Data\91844206
c:\documents and settings\All Users\Application Data\11834214
c:\program files\viewpoint
c:\program files\common files\viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\WINDOWS\\system32\\dpvsetup.exe"=-

FCopy::
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\grpconv.exe | c:\windows\system32\grpconv.exe
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Posted Image
    Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.
Step #3: VirSCAN.org online file scan
We need to determine if a file is malware or not.
  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows.
  • Please go to VirSCAN.org: http://virscan.org/.
  • When the VirSCAN.org page has finished loading, click the Browse... button at the top and navigate to the following file if it is present and click Submit:
    c:\windows\system32\grpconv.exe
  • Please be patient as the file will be scanned.
  • Please post back the results of the scan in your next post.

    NOTE: In case VirSCAN.org is busy, try the same at Jotti's malware scan (http://virusscan.jotti.org/) or VirusTotal.com (http://www.virustotal.com/).
Step #4: Cleanup with ATF Cleaner
We need to clean out some temporary data.
Please download ATF Cleaner by Atribune and save it to your Desktop.
Download ATF Cleaner (ATF-Cleaner.exe)

Perform a cleanup as follows:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.
If you use the Mozilla Firefox browser:
  • Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click the Exit button on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.
Step #5: Kaspersky WebScanner scan
Please do an online scan with the Kaspersky Online Scanner:
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
      The program will install and then begin downloading the latest definition files. NOTE: It takes a while, so please be patient and let it finish.

  • After the files have been downloaded, on the left side of the page click the Settings button and make sure all checkboxes are checked.
  • On the left side of the page under the "Scan" section select My Computer.
      The program will start and scan your system. NOTE: The scan will take a while, so be patient and let it run.

  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Change the "Files of Type" dropdown box to "Text Files" in order to save the scan results as a text file.
  • Enter a memorable filename.
  • Save the file to your Desktop.
  • Copy and paste that information in your next post.
Step #6: DDS scan
Rescan with DDS and post its resultant DDS.txt log file please.


So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • the VirSCAN scan results
  • the Kaspersky Online Scanner report
  • a fresh DDS.txt log file
NOTE: Use several posts if necessary to include everything in the requested logs.

Please also let me know how your computer is running. :)
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#14 User is offline   Cryogen476 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 16
  • Joined: 17-February 09

Posted 18 July 2009 - 01:22 AM

Hello htv8,

The results from the logs

Combofix
ComboFix 09-07-13.01 - Rohin 07/17/2009 17:27.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.604 [GMT -4:00]
Running from: c:\documents and settings\Rohin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rohin\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090717-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\11834214
c:\documents and settings\All Users\Application Data\11834214\11834214.glu
c:\documents and settings\All Users\Application Data\11834214\pc11834214cnf
c:\documents and settings\All Users\Application Data\11834214\pc11834214ins
c:\documents and settings\All Users\Application Data\91844206
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\common files\viewpoint
c:\program files\viewpoint
c:\program files\viewpoint\Viewpoint Toolbar\del431.tmp\del432.tmp
c:\program files\viewpoint\Viewpoint Toolbar\del431.tmp\del433.tmp

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\grpconv.exe --> c:\windows\system32\grpconv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-17 21:27 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-17 20:44 . 2009-07-17 20:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 20:44 . 2009-07-17 20:44 -------- d-----w- c:\program files\Java
2009-07-17 17:32 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-17 17:32 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-17 17:32 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-17 17:32 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-17 17:32 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-17 17:32 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-17 17:32 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-17 17:32 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-17 17:31 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-17 17:31 . 2009-07-17 17:31 -------- d-----w- c:\program files\Alwil Software
2009-06-22 04:51 . 2009-06-22 04:51 -------- d-----w- c:\documents and settings\Rohin\Local Settings\Application Data\GHOSTBUSTERS ™
2009-06-22 04:44 . 2009-05-26 16:24 14572784 ----a-w- c:\program files\ghost_w32.exe
2009-06-22 04:42 . 2009-06-22 04:42 -------- d-----r- c:\documents and settings\Rohin\Application Data\SecuROM
2009-06-22 04:07 . 2009-06-22 15:34 -------- d-----w- c:\program files\Atari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 21:37 . 2008-07-16 22:30 -------- d-----w- c:\documents and settings\Rohin\Application Data\skypePM
2009-07-17 21:37 . 2007-01-22 08:03 -------- d-----w- c:\documents and settings\Rohin\Application Data\.gaim
2009-07-17 21:13 . 2008-07-16 22:29 -------- d-----w- c:\documents and settings\Rohin\Application Data\Skype
2009-07-17 17:41 . 2006-09-07 01:08 -------- d-----w- c:\program files\ESET
2009-07-17 05:43 . 2006-09-03 22:58 -------- d-----w- c:\program files\Warcraft III
2009-07-15 20:17 . 2008-08-23 19:57 -------- d-----w- c:\documents and settings\Rohin\Application Data\GrabIt
2009-07-15 01:26 . 2007-01-17 01:46 -------- d-----w- c:\program files\KODAK
2009-07-02 18:47 . 2008-11-22 21:07 -------- d-----w- c:\program files\VideoLAN
2009-06-22 04:31 . 2006-06-01 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 22:38 . 2008-12-20 03:29 -------- d-----w- c:\documents and settings\Rohin\Application Data\dvdcss
2009-06-16 14:55 . 2004-08-04 05:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:27 . 2005-02-17 03:07 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 06:16 . 2009-06-01 06:16 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-01 06:16 . 2009-06-01 06:16 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-01 06:16 . 2009-06-01 06:16 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-01 06:16 . 2009-02-18 02:35 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 06:16 . 2009-06-01 06:16 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-01 06:16 . 2009-06-01 06:16 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-01 06:16 . 2009-06-01 06:16 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-01 06:16 . 2009-06-01 06:16 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-01 06:15 . 2009-06-01 06:15 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-01 06:15 . 2009-06-01 06:15 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-01 06:15 . 2009-06-01 06:15 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-01 06:15 . 2009-06-01 06:15 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-01 06:15 . 2009-06-01 06:15 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-01 06:15 . 2009-06-01 06:15 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-01 06:15 . 2009-06-01 06:15 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-01 06:15 . 2009-06-01 06:15 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-01 06:15 . 2009-06-01 06:15 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-01 06:15 . 2009-06-01 06:15 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-07 15:44 . 2004-08-04 05:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-02-09 00:34 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 05:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 06:15 . 2009-04-27 06:15 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-27 06:15 . 2009-02-17 07:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2006-09-06 02:47 . 2006-09-06 02:47 835 ----a-w- c:\program files\Shortcut to white.lnk
2008-12-19 04:22 . 2006-06-01 01:37 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 04:22 . 2006-06-01 01:37 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 04:22 . 2007-08-06 14:27 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 04:22 . 2007-08-06 14:27 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 04:22 . 2006-06-01 01:37 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-13_21.57.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-17 21:35 . 2009-07-17 21:35 16384 c:\windows\temp\Perflib_Perfdata_7c4.dat
+ 2009-07-17 21:35 . 2009-07-17 21:35 16384 c:\windows\temp\Perflib_Perfdata_56c.dat
+ 2007-01-16 19:25 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-01-16 19:25 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-06-16 14:55 . 2009-06-16 14:55 82432 c:\windows\system32\dllcache\fontsub.dll
+ 2009-07-17 20:44 . 2009-07-17 20:44 148888 c:\windows\system32\javaws.exe
+ 2009-07-17 20:44 . 2009-07-17 20:44 144792 c:\windows\system32\javaw.exe
+ 2009-07-17 20:44 . 2009-07-17 20:44 144792 c:\windows\system32\java.exe
+ 2009-06-16 14:55 . 2009-06-16 14:55 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2007-10-29 22:43 . 2009-06-03 19:27 1290752 c:\windows\system32\dllcache\quartz.dll
+ 2009-07-17 20:44 . 2009-07-17 20:44 1563648 c:\windows\Installer\1ce4fc.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Gaim"="c:\program files\Gaim\gaim.exe" [2005-08-12 69793]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-01 518488]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Rohin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rohin^Start Menu^Programs^Startup^realshed.exe]
path=c:\documents and settings\Rohin\Start Menu\Programs\Startup\realshed.exe
backup=c:\windows\pss\realshed.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"c:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\Warcraft III\\lancraft.exe"=
"c:\\Documents and Settings\\Rohin\\Desktop\\Versus\\System\\SCCT_Versus.exe"=
"c:\\Documents and Settings\\Rohin\\Desktop\\listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe"=
"c:\\Program Files\\Comcast\\Desktop Doctor\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=
"c:\\Program Files\\Gaim\\gaim.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Comcast\\Desktop Doctor\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/17/2009 3:15 AM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/17/2009 1:32 PM 114768]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [5/24/2007 3:40 PM 22968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/17/2009 1:32 PM 20560]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [7/5/2007 3:45 PM 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [7/5/2007 4:50 PM 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1005904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [7/5/2007 3:56 PM 237568]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 06:15]

2009-07-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\documents and settings\Rohin\Application Data\Mozilla\Firefox\Profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 17:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-1844823847-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:c1,0b,7b,69,c9,d9,18,36,4a,2a,dc,24,c1,10,20,07,17,90,13,85,54,
80,14,bd,64,06,8a,22,0c,ac,98,ac,7c,06,8e,b4,94,0f,58,69,63,97,dd,06,ed,1e,\
"rkeysecu"=hex:7d,3a,62,81,50,91,31,d6,46,09,f7,3f,25,67,34,c5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\nview.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Citrix\System32\CdfSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-07-17 17:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-17 21:42
ComboFix2.txt 2009-07-15 16:44
ComboFix3.txt 2009-07-13 22:02

Pre-Run: 29,315,563,520 bytes free
Post-Run: 29,314,588,672 bytes free

266 --- E O F --- 2009-07-16 14:04



VirSCAN
VirSCAN.org Scanned Report :
Scanned time : 2009/07/17 17:57:43 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : grpconv.exe
File Size : 39424 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6dd28a6d99cf7b14b2d1786d143624e0
SHA1 : 8b1a859dd2234272fadf9a20f59e56c5a8847a02
Online report : http://virscan.org/report/e7ea0e0e6f6d8f01...b95326429d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.3 20090718010457 2009-07-18 0.36 -
AhnLab V3 2009.07.17.05 2009.07.17 2009-07-17 0.84 -
AntiVir 8.2.0.222 7.1.4.252 2009-07-17 0.07 -
Antiy 2.0.18 20090716.2619098 2009-07-16 0.02 -
Arcavir 2009 200907171251 2009-07-17 0.04 -
Authentium 5.1.1 200907171458 2009-07-17 1.12 -
AVAST! 4.7.4 090717-0 2009-07-17 0.01 -
AVG 8.5.288 270.13.19/2244 2009-07-18 0.38 -
BitDefender 7.81008.3746565 7.26651 2009-07-18 3.29 -
CA (VET) 9.0.0.143 31.6.6621 2009-07-17 6.54 -
ClamAV 0.95.2 9584 2009-07-18 0.01 -
Comodo 3.10 1683 2009-07-17 0.69 -
CP Secure 1.1.0.715 2009.07.18 2009-07-18 11.08 -
Dr.Web 4.44.0.9170 2009.07.17 2009-07-17 4.88 -
F-Prot 4.4.4.56 20090717 2009-07-17 1.12 -
F-Secure 5.51.6100 2009.07.17.10 2009-07-17 0.10 -
Fortinet 2.81-3.120 10.616 2009-07-17 0.20 -
GData 19.6526/19.400 20090717 2009-07-17 4.42 -
ViRobot 20090716 2009.07.16 2009-07-16 0.41 -
Ikarus T3.1.01.64 2009.07.17.73054 2009-07-17 3.33 -
JiangMin 11.0.800 2009.07.17 2009-07-17 3.30 -
Kaspersky 5.5.10 2009.07.17 2009-07-17 0.08 -
KingSoft 2009.2.5.15 2009.7.17.21 2009-07-17 0.46 -
McAfee 5.3.00 5679 2009-07-17 2.92 -
Microsoft 1.4803 2009.07.17 2009-07-17 5.15 -
mks_vir 2.01 2009.07.15 2009-07-15 3.18 -
Norman 6.01.09 6.01.00 2009-07-16 4.01 -
Panda 9.05.01 2009.07.17 2009-07-17 2.20 -
Trend Micro 8.700-1004 6.288.03 2009-07-17 0.00 -
Quick Heal 10.00 2009.07.17 2009-07-17 1.01 -
Rising 20.0 21.38.44.00 2009-07-17 0.82 -
Sophos 2.88.0 4.43 2009-07-18 2.86 -
Sunbelt 5261 5261 2009-07-16 0.91 -
Symantec 1.3.0.24 20090717.006 2009-07-17 0.05 -
nProtect 20090717.02 4780438 2009-07-17 5.85 -
The Hacker 6.3.4.3 v00370 2009-07-17 0.64 -
VBA32 3.12.10.8 20090717.0839 2009-07-17 1.75 -
VirusBuster 4.5.11.10 10.109.1/1838041 2009-07-17 2.23 -


Kaspersky scan


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 18, 2009 04:59:45
Records in database: 2485649
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 109685
Threat name: 10
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 03:04:45


File name / Threat name / Threats count
C:\Install files\mirc617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Install files\Serv-U FTP Server v6.3.0.0.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6200 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruilqyomqhb.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msncache.dll.vir Infected: Trojan.Win32.Koblu.lo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Infected: Trojan.Win32.FraudPack.pbg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdjee3inf.dll.vir Infected: Trojan-Downloader.Win32.Small.jyt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sopidkc.exe.vir Infected: Trojan.Win32.Koblu.lb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpsaxyd.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.cf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir Infected: Trojan-Downloader.Win32.DlfBfkg.cf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir Infected: Trojan.Win32.Inject.aerj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.cf 1
C:\WINDOWS\pss\realshed.exeStartup Infected: Trojan.Win32.StartPage.del 1

The selected area was scanned.


DDS log
DDS (Ver_09-06-26.01) - NTFSx86
Run by Rohin at 2:17:44.40 on Sat 07/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.546 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090717-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rohin\Local Settings\temp\jkos-Rohin\binaries\ScanningProcess.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Documents and Settings\Rohin\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gaim] c:\program files\gaim\gaim.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rohin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149125133703
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rohin\applic~1\mozilla\firefox\profiles\3tel06dh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-17 114768]
R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2007-5-24 22968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-17 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-17 138680]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-7-5 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-7-5 161352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1005904]
R2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2007-7-5 237568]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-17 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-17 352920]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-17 17:27 39,424 a------- c:\windows\system32\grpconv.exe
2009-07-17 16:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-17 16:44 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-13 18:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-13 16:53 <DIR> a-dshr-- C:\cmdcons
2009-07-13 16:52 219,648 a------- c:\windows\PEV.exe
2009-07-13 16:52 161,792 a------- c:\windows\SWREG.exe
2009-07-13 16:52 98,816 a------- c:\windows\sed.exe
2009-07-02 14:17 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-02 14:17 1,409 a------- c:\windows\QTFont.for
2009-06-22 00:44 14,572,784 a------- c:\program files\ghost_w32.exe
2009-06-22 00:07 <DIR> --d----- c:\program files\Atari

==================== Find3M ====================

2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-01 02:16 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2006-09-05 22:47 835 a------- c:\program files\Shortcut to white.lnk

============= FINISH: 2:18:34.48 ===============


I no longer have the problems from before. Overall it runs like it used to.

Thanks,
-Cryo

#15 User is offline   htv8 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,694
  • Joined: 08-October 05
  • Gender:Male
  • Location:The Netherlands

Posted 18 July 2009 - 07:17 PM

Hello again, Cryogen476. Good job! :thumbup2: Kaspersky found a baddie, and after some additional research, I found that it is indeed a file that should be removed (together with another related file and its relating registry entry).


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

:cool: Re-run ComboFix with some additonal directives:
  • Close any open browsers/windows so that you have nothing open and are at your Desktop.
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Go to Start -> Run... and in the "Open:" box that opens type Notepad and press Enter.
  • Copy the entire contents inside the CODE box below into Notepad (do NOT copy the word "CODE"!) - don't use any other text editor than Notepad or the script will fail. 
      http://www.bleepingcomputer.com/forums/topic237845.html

Collect::[25]
C:\WINDOWS\pss\realshed.exeStartup

File::
c:\documents and settings\Rohin\Start Menu\Programs\Startup\realshed.exe

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Rohin^Start Menu^Programs^Startup^realshed.exe]
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Go to File -> Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Referring to the picture below, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
      Posted Image
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt. Please post the entire contents of that report in your next reply for further review.
  • The ComboFix log will open along with a message box - do NOT be alarmed: with the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the Internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

:) Run a scan with Malwarebytes' Anti-Malware (MbAM):
  • Download Malwarebytes' Anti-Malware (MbAM) from one of the download links below and save it to your Desktop.IMPORTANT: MbAM may "make changes to the registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    NOTE: If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the "Perform quick scan" option is selected; then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      The scan will begin and "Scan in progress (Scan type: Quick Scan)" will show at the top. It may take some time to complete, so please be patient.

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found."; click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
      When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MbAM.

  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MbAM when done.

    NOTE: If MbAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MbAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MbAM from removing all the malware.

:) Rescan with DDS and post its resultant DDS.txt log file here for review.


So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • the MbAM report
  • a new DDS.txt log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users