Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Desire Help In Removing Malware - Virtumondo (awtrsrp.dll?)


  • Please log in to reply
15 replies to this topic

#1 rickschu

rickschu

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 26 October 2007 - 06:50 AM

Hi All:

The other day the computer that my kids have been using for schoolwork was attacked by an apparent Malware program. I am receiving messages that I have Virtumondo. I also have reason to believe, after running some spyware applications, that I have Vundo, PrcViewer and Trojan-Downloader-Gen/MobRules.

I have followed the instructions for preparing HijackThis (as best as my computer will let me) and have attached the log file below. If anyone can help me resolve this problem(s), it would be greatly appreciated.

Thanks in advance --

rickschu

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:04 AM, on 10/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\componentlauncher.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935} - C:\WINDOWS\system32\awtrsrp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\System32\wbem\csrss.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\System32\newmaxxsv234.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win2E.tmp.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/public/sv...all_a_green.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsrp - C:\WINDOWS\SYSTEM32\awtrsrp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10636 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 26 October 2007 - 09:23 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum rickschu :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help,follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 26 October 2007 - 11:22 AM

RichieUK:

Thanks for the quick reply. I will perform all of the steps you mentioned this evening when I return home. Since I am now unable to get the computer to connect to the internet, can I just remove Java now and reinstall the latest version once the Malware is removed? Or, do I need Java for any of the removal procedures?

Rickschu

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 26 October 2007 - 03:17 PM

Follow the above steps in the order they're posted if you would please :thumbsup:
Posted Image
Posted Image

#5 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 26 October 2007 - 08:27 PM

Ok. I followed your directions and the log files are listed below (thank's, again, for your help):


SDFix: Version 1.112

Run by Administrator on Fri 10/26/2007 at 09:07 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 21:11:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden files ...



Files with Hidden Attributes:

Thu 25 Oct 2007 16,311 A.SH. --- "C:\WINDOWS\system32\efhkj.tmp"
Wed 24 Oct 2007 6,470 A.SH. --- "C:\WINDOWS\system32\efhkj.bak1"
Wed 24 Oct 2007 14,973 A.SH. --- "C:\WINDOWS\system32\prutv.tmp"
Wed 24 Oct 2007 6,470 A.SH. --- "C:\WINDOWS\system32\prutv.bak2"
Tue 24 Jan 2006 27,136 A..H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2273.tmp"
Wed 24 Oct 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Wed 24 Oct 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Finished!

********************************************************************************************************************************
ComboFix 07-10-26.5 - Administrator 2007-10-26 21:15:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.138 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-26 20:54 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-26 19:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 19:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 19:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-10-26 19:34 <DIR> d-------- C:\HJT
2007-10-25 22:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-25 22:09 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-10-25 22:09 374,752 --a------ C:\WINDOWS\system32\WUSBGXP.sys
2007-10-25 22:09 339,488 --a------ C:\WINDOWS\system32\WUSB20XP.sys
2007-10-25 22:09 245,376 --a------ C:\WINDOWS\system32\rt2500usb.sys
2007-10-25 22:09 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-25 22:09 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2007-10-25 22:09 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-10-25 21:07 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-25 21:07 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-25 21:07 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-25 21:07 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-25 21:07 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-25 20:53 16,464 --ahs---- C:\WINDOWS\system32\efhkj.ini2
2007-10-24 23:22 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-10-24 23:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-24 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-24 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-10-24 23:21 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-24 23:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-24 23:21 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-24 23:21 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-24 23:21 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-24 23:21 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-24 23:21 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-24 23:21 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-24 23:20 <DIR> d-------- C:\Program Files\McAfee
2007-10-24 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-24 23:14 <DIR> d-------- C:\Program Files\Ntsfjxyw
2007-10-24 23:14 <DIR> d-------- C:\Program Files\Laoxhiid
2007-10-24 22:52 6,470 --ahs---- C:\WINDOWS\system32\efhkj.bak1
2007-10-24 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-24 22:39 15,585 --ahs---- C:\WINDOWS\system32\prutv.ini2
2007-10-24 22:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-24 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-24 22:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-24 22:17 202,366 --a------ C:\Pass2.cmd
2007-10-24 22:17 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-24 21:58 <DIR> d-------- C:\WINDOWS\pss
2007-10-24 21:29 6,470 --ahs---- C:\WINDOWS\system32\prutv.bak2
2007-10-24 21:05 <DIR> d-------- C:\Program Files\E404 Helper
2007-10-24 21:05 14,848 --a------ C:\Program Files\msc.exe
2007-10-24 21:04 <DIR> d-------- C:\Program Files\nszstolo
2007-10-24 21:04 36,352 --a------ C:\WINDOWS\system32\awtrsrp.dll
2007-10-24 20:25 16,384 --a------ C:\WINDOWS\xlavba6.exe
2007-10-22 10:54 126 --a------ C:\Documents and Settings\Administrator\c200.bat
2007-10-22 10:53 <DIR> d--hs---- C:\WINDOWS\UmljayBTY2h1c3Rlcg
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\xirdrvr
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\temp2
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\ozde
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\fixtmp
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\ehgvjcfi
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\bit2
2007-10-22 10:53 <DIR> d-------- C:\Program Files\qvcdyzgh
2007-10-22 10:53 <DIR> d-------- C:\Program Files\Ldgfeusn
2007-10-22 10:53 <DIR> d-------- C:\Program Files\Hjshznio
2007-10-22 10:53 113,152 --a------ C:\WINDOWS\dravis.exe
2007-10-22 10:53 34,304 --a------ C:\WINDOWS\klonos.exe
2007-10-16 08:11 94,384 --a------ C:\WINDOWS\system32\msxml9r.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 00:55 --------- d-----w C:\Program Files\Java
2007-10-26 23:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-09-12 19:00 --------- d-----w C:\Program Files\Google
2007-08-29 23:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Smith Micro
2007-08-29 23:40 --------- d-----w C:\Program Files\Verizon Wireless
2007-08-29 23:40 --------- d-----w C:\Program Files\Novatel Wireless
2007-08-29 23:40 --------- d-----w C:\Program Files\Common Files\Research in Motion
2007-08-01 19:39 97,972 ----a-w C:\WINDOWS\Publix Preschool Pals Uninstaller.exe
2007-06-22 21:17 722,176 ----a-w C:\Documents and Settings\Administrator\gotomypc_428.exe
2006-06-12 20:52 0 ----a-w C:\Program Files\error.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-26_20.10.27.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-26 23:48:39 4,767,744 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-27 01:06:47 4,767,744 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-10-26 23:48:39 192,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-27 01:06:47 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-10-27 00:00:19 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-27 01:15:16 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}]
2007-10-24 21:04 36352 --a------ C:\WINDOWS\system32\awtrsrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 C:\WINDOWS\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 17:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 08:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-04-29 20:38]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 21:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-15 15:47:26]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk - C:\Program Files\CreataCard\Plus\FMRemind.exe [2007-04-30 12:58:59]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-07 21:08:51]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-29 20:38:01]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-05-22 16:41:13]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}"= C:\WINDOWS\system32\awtrsrp.dll [2007-10-24 21:04 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsrp]
awtrsrp.dll 2007-10-24 21:04 36352 C:\WINDOWS\system32\awtrsrp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe"
S3 apmbatt;Microsoft APM Legacy Battery Driver;C:\WINDOWS\System32\DRIVERS\apmbatt.sys
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\System32\drivers\PCASp50.sys
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
S3 viafilter;VIA USB Filter;C:\WINDOWS\System32\Drivers\viausb1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 03:21:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-25 03:21:20 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 21:16:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 21:16:42
C:\ComboFix2.txt ... 2007-10-26 20:22
C:\ComboFix3.txt ... 2007-10-26 20:10
.
--- E O F ---
**********************************************************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:08 PM, on 10/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935} - C:\WINDOWS\system32\awtrsrp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/public/sv...all_a_green.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O20 - Winlogon Notify: awtrsrp - C:\WINDOWS\SYSTEM32\awtrsrp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10190 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 27 October 2007 - 04:41 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\prutv.ini2
C:\WINDOWS\system32\prutv.bak2
C:\Program Files\msc.exe
C:\WINDOWS\system32\awtrsrp.dll
C:\WINDOWS\xlavba6.exe
C:\WINDOWS\dravis.exe
C:\WINDOWS\klonos.exe
C:\WINDOWS\system32\msxml9r.dll
Folder::
C:\Program Files\Ntsfjxyw
C:\Program Files\Laoxhiid
C:\Program Files\nszstolo
C:\WINDOWS\UmljayBTY2h1c3Rlcg
C:\WINDOWS\system32\ehgvjcfi
C:\Program Files\qvcdyzgh
C:\Program Files\Ldgfeusn
C:\Program Files\Hjshznio
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsrp]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#7 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 27 October 2007 - 10:40 AM

I followed your directions and have posted the latest CombFix and HijackThis logs below...

ComboFix 07-10-26.5 - Administrator 2007-10-27 11:27:13.4 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\msc.exe
C:\WINDOWS\dravis.exe
C:\WINDOWS\klonos.exe
C:\WINDOWS\system32\awtrsrp.dll
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\msxml9r.dll
C:\WINDOWS\system32\prutv.bak2
C:\WINDOWS\system32\prutv.ini2
C:\WINDOWS\xlavba6.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hjshznio
C:\Program Files\Hjshznio\gceinzem.exe
C:\Program Files\Laoxhiid
C:\Program Files\Ldgfeusn
C:\Program Files\Ldgfeusn\thcijlqo.dll
C:\Program Files\msc.exe
C:\Program Files\nszstolo
C:\Program Files\nszstolo\xgpkradw.dll
C:\Program Files\Ntsfjxyw
C:\Program Files\Ntsfjxyw\ziktkhyh.exe
C:\Program Files\qvcdyzgh
C:\Program Files\qvcdyzgh\ifkxyzit.dll
C:\WINDOWS\dravis.exe
C:\WINDOWS\klonos.exe
C:\WINDOWS\system32\awtrsrp.dll
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\ehgvjcfi
C:\WINDOWS\system32\ehgvjcfi\bg1.gif
C:\WINDOWS\system32\ehgvjcfi\bgtop.gif
C:\WINDOWS\system32\ehgvjcfi\bottom1.gif
C:\WINDOWS\system32\ehgvjcfi\essentials.gif
C:\WINDOWS\system32\ehgvjcfi\icon1.ico
C:\WINDOWS\system32\ehgvjcfi\install1.gif
C:\WINDOWS\system32\ehgvjcfi\left1.gif
C:\WINDOWS\system32\ehgvjcfi\li.gif
C:\WINDOWS\system32\ehgvjcfi\logo.gif
C:\WINDOWS\system32\ehgvjcfi\main.htm
C:\WINDOWS\system32\ehgvjcfi\mainframe.htm
C:\WINDOWS\system32\ehgvjcfi\reinstall1.gif
C:\WINDOWS\system32\ehgvjcfi\right1.gif
C:\WINDOWS\system32\ehgvjcfi\s1.htm
C:\WINDOWS\system32\ehgvjcfi\s2.htm
C:\WINDOWS\system32\ehgvjcfi\s3.htm
C:\WINDOWS\system32\ehgvjcfi\SMTop1.gif
C:\WINDOWS\system32\ehgvjcfi\SMTop2.gif
C:\WINDOWS\system32\ehgvjcfi\SMTop3.gif
C:\WINDOWS\system32\ehgvjcfi\SMTop4.gif
C:\WINDOWS\system32\ehgvjcfi\soft1_off.gif
C:\WINDOWS\system32\ehgvjcfi\soft1_off_ext.gif
C:\WINDOWS\system32\ehgvjcfi\soft1_on.gif
C:\WINDOWS\system32\ehgvjcfi\soft1_on_ext.gif
C:\WINDOWS\system32\ehgvjcfi\soft2_off.gif
C:\WINDOWS\system32\ehgvjcfi\soft2_off_ext.gif
C:\WINDOWS\system32\ehgvjcfi\soft2_on.gif
C:\WINDOWS\system32\ehgvjcfi\soft2_on_ext.gif
C:\WINDOWS\system32\ehgvjcfi\soft3_off.gif
C:\WINDOWS\system32\ehgvjcfi\soft3_off_ext.gif
C:\WINDOWS\system32\ehgvjcfi\soft3_on.gif
C:\WINDOWS\system32\ehgvjcfi\soft3_on_ext.gif
C:\WINDOWS\system32\ehgvjcfi\softbottom_off.gif
C:\WINDOWS\system32\ehgvjcfi\softbottom_on.gif
C:\WINDOWS\system32\ehgvjcfi\softleft_off.gif
C:\WINDOWS\system32\ehgvjcfi\softleft_on.gif
C:\WINDOWS\system32\ehgvjcfi\top1.gif
C:\WINDOWS\system32\ehgvjcfi\top2.gif
C:\WINDOWS\system32\ehgvjcfi\turnoff1.gif
C:\WINDOWS\system32\ehgvjcfi\turnon1.gif
C:\WINDOWS\system32\msxml9r.dll
C:\WINDOWS\system32\prutv.bak2
C:\WINDOWS\system32\prutv.ini2
C:\WINDOWS\UmljayBTY2h1c3Rlcg
C:\WINDOWS\xlavba6.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-26 20:54 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-26 19:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 19:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 19:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-10-26 19:34 <DIR> d-------- C:\HJT
2007-10-25 22:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-25 22:09 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-10-25 22:09 374,752 --a------ C:\WINDOWS\system32\WUSBGXP.sys
2007-10-25 22:09 339,488 --a------ C:\WINDOWS\system32\WUSB20XP.sys
2007-10-25 22:09 245,376 --a------ C:\WINDOWS\system32\rt2500usb.sys
2007-10-25 22:09 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-25 22:09 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2007-10-25 22:09 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-10-25 21:07 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-25 21:07 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-25 21:07 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-25 21:07 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-25 21:07 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-24 23:22 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-10-24 23:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-24 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-24 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-10-24 23:21 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-24 23:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-24 23:21 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-24 23:21 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-24 23:21 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-24 23:21 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-24 23:21 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-24 23:21 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-24 23:20 <DIR> d-------- C:\Program Files\McAfee
2007-10-24 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-24 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-24 22:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-24 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-24 22:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-24 22:17 202,366 --a------ C:\Pass2.cmd
2007-10-24 22:17 4,298 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-24 21:58 <DIR> d-------- C:\WINDOWS\pss
2007-10-24 21:05 <DIR> d-------- C:\Program Files\E404 Helper
2007-10-22 10:54 126 --a------ C:\Documents and Settings\Administrator\c200.bat
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\xirdrvr
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\temp2
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\ozde
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\fixtmp
2007-10-22 10:53 <DIR> d-------- C:\WINDOWS\system32\bit2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 15:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-27 00:55 --------- d-----w C:\Program Files\Java
2007-10-26 23:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-12 19:00 --------- d-----w C:\Program Files\Google
2007-08-29 23:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Smith Micro
2007-08-29 23:40 --------- d-----w C:\Program Files\Verizon Wireless
2007-08-29 23:40 --------- d-----w C:\Program Files\Novatel Wireless
2007-08-29 23:40 --------- d-----w C:\Program Files\Common Files\Research in Motion
2007-08-01 19:39 97,972 ----a-w C:\WINDOWS\Publix Preschool Pals Uninstaller.exe
2007-06-22 21:17 722,176 ----a-w C:\Documents and Settings\Administrator\gotomypc_428.exe
2006-06-12 20:52 0 ----a-w C:\Program Files\error.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-26_20.10.27.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-26 23:48:39 4,767,744 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-27 01:06:47 4,767,744 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-10-26 23:48:39 192,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-27 01:06:47 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-10-27 00:00:19 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-27 15:27:08 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"VTTimer"="VTTimer.exe" [2004-10-22 11:53 C:\WINDOWS\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 C:\WINDOWS\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 17:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 08:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-04-29 20:38]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 21:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-15 15:47:26]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk - C:\Program Files\CreataCard\Plus\FMRemind.exe [2007-04-30 12:58:59]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-07 21:08:51]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-29 20:38:01]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-05-22 16:41:13]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 03:21:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-25 03:21:20 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 11:31:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 11:32:08 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-26 21:16
C:\ComboFix3.txt ... 2007-10-26 20:22
.
--- E O F ---

**************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:18 AM, on 10/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/public/sv...all_a_green.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10074 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 27 October 2007 - 11:36 AM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs,Click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#9 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 27 October 2007 - 04:44 PM

Below is the log for the SuperAntiSpyware. It indicates that nothing was found, but my McAfee is still picking up the Malware. I am unable to log onto the internet with the infected computer because the Malware disabled my ability to do so. I, therefore, am unable to log onto F-Secure. Also below is my latest HijackThis Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:13 PM, on 10/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\componentlauncher.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?5908c7768b02410fb7e130de2724257
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/public/sv...all_a_green.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10287 bytes


**************************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/27/2007 at 02:43 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Custom Scan
Total Scan Time : 00:27:53

Memory items scanned : 479
Memory threats detected : 0
Registry items scanned : 5787
Registry threats detected : 0
File items scanned : 23424
File threats detected : 0

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 27 October 2007 - 05:37 PM

but my McAfee is still picking up the Malware.

What exactly is McAfee detecting,file names and their exact locations.

I am unable to log onto the internet with the infected computer because the Malware disabled my ability to do so.

Click on Start/Run,type CMD then press Ok.
At the Command Prompt copy and paste ipconfig /flushdns then press Enter.
Then copy and paste NETSH WINSOCK RESET then press Enter.
Type EXIT press Enter.
Restart your pc.

Try temporarily disabling McAfee Personal Firewall,see if that makes any difference.
Posted Image
Posted Image

#11 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 27 October 2007 - 09:00 PM

The ipconfig/flushdns command did not work. It produced the following error message:

"An internal error occured: the request is not supported. Please contact Microsoft Product Support Services for further help. Additional Information: Unable to query host name."

I tried to execute the command in both a "normal" boot as well as safe mode.
***********************************
The virus messages I am receiving from McAfee are 4-Fold:

1. Virtumondo
2. PRC Viewer
3. Adware-SrchExplorer
4. Generic Pup.g

Locations are as follows:

1. Virtumondo

C:\qoobox\Quarantine\catchme2007-10-27_113124.00.zip

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP9\A0005480.DLL

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP6\A0004244.DLL

2. PRC Viewer

C:\windows\system32\Process.exe

C:\Documents and Settings\Administrator\Desktop\SDFix.exe

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP2\A0001027.exe

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP2\A0001025.exe

C:\SDFix\Apps\Process.exe

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

3. Adware-SrchExplorer

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP6\A0004296.dll

C:\qoobox\Quarantine\Program Files\Windows NT\QUFAPY.DLL.VIR

4. Generic Pup.g

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP2\A0001026.exe

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 28 October 2007 - 04:26 AM

The virus messages I am receiving from McAfee are 4-Fold:

1. Virtumondo
2. PRC Viewer
3. Adware-SrchExplorer
4. Generic Pup.g

Locations are as follows:

1. Virtumondo

C:\qoobox\Quarantine\catchme2007-10-27_113124.00.zip

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP9\A0005480.DLL

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP6\A0004244.DLL

2. PRC Viewer

C:\windows\system32\Process.exe

C:\Documents and Settings\Administrator\Desktop\SDFix.exe

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP2\A0001027.exe

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP2\A0001025.exe

C:\SDFix\Apps\Process.exe

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

3. Adware-SrchExplorer

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP6\A0004296.dll

C:\qoobox\Quarantine\Program Files\Windows NT\QUFAPY.DLL.VIR

4. Generic Pup.g

C:\System Volume Information\_Restore{F12B7D6E-FFAD-408F-84EF-F570C0B8A898}\RP2\A0001026.exe

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe


The following steps will remove all the above:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.

Posted Image

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Restart your pc.
Post a new Hijackthis log.
Let me know exactly whats happening now please.
Posted Image
Posted Image

#13 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 28 October 2007 - 03:41 PM

I ran combofix /u and it uninstalled combo fix. I am still unable to connect to the internet so I can not run OTMoveIt.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:48 PM

Posted 28 October 2007 - 07:41 PM

I suggest you start a new topic here giving as much detail as possible regarding your connection issue.
Networking:
http://www.bleepingcomputer.com/forums/f/21/networking/

If you do happen to get the issue resolved,please carry on with the instructions above.
Posted Image
Posted Image

#15 rickschu

rickschu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 29 October 2007 - 07:05 AM

Thanks for all of your time and efforts. I will attempt to regain my Internet connection (which was lost once the Malware was found) and then proceed with your instructions.

Rickschu :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users