
Virus And Malware Reports In System Tray


5 replies to this topic

#1 marklafan

marklafan

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 12 November 2007 - 12:52 AM

I am getting virus reports and malware/spyware reports popping up in my system tray with the yellow triangle sign. I also have the Security 7.1 toolbar in my Explorer windows and popups to download spyware removers. I have run my spyware and malware removers with no luck. Following are my HijackThis and ComboFix logs. Please help.

HIJACK-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:29 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\vmxzdqei.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: Sprint PCS Connection Manager (3).lnk = C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/...erInstaller.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UkVHU1VQUE9SVA\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6630 bytes






COMBO

ComboFix 07-11-08.3 - mglogowski 2007-11-11 21:16:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT -8:00]
Running from: C:\Documents and Settings\mglogowski\My Documents\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mglogowski\Desktop\Live Safety Center.lnk
C:\Documents and Settings\mglogowski\Desktop\Online Security Guide.lnk
C:\Documents and Settings\mglogowski\Favorites\Online Security Guide.lnk
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\vmxzdqei.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 21:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 20:20 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-11 20:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-11 20:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-11 20:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-11 20:20 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-11 20:20 3,416 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 16:42 79,936 --a------ C:\WINDOWS\system32\tgknmfiy.dll
2007-11-11 14:24 145,984 --a------ C:\WINDOWS\system32\yukfkoac.dll
2007-11-11 14:24 145,984 --a------ C:\WINDOWS\system32\vmxzdqei.dll
2007-11-11 13:38 <DIR> d--hs---- C:\WINDOWS\UkVHU1VQUE9SVA
2007-11-10 08:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 08:09 <DIR> d-------- C:\Program Files\LimeWire
2007-11-10 08:08 36,352 --a------ C:\WINDOWS\system32\ssqomkl.dll
2007-11-10 08:08 134 --a------ C:\n.bat
2007-11-10 08:08 0 --a------ C:\x.dat
2007-11-10 08:07 172,032 --a------ C:\winlogon.exe
2007-11-10 08:07 850 --a------ C:\Documents and Settings\mglogowski\z.dat
2007-11-10 08:07 0 --a------ C:\z.dat
2007-11-10 08:07 0 --a------ C:\Documents and Settings\mglogowski\x.dat
2007-11-05 11:54 <DIR> d-------- C:\WAR2
2007-10-29 19:08 <DIR> d-------- C:\Program Files\Stardock
2007-10-29 19:08 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-10-29 19:08 163,584 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-10-26 20:09 2,360 --a------ C:\cc_20071026_2109.reg
2007-10-24 06:09 <DIR> d-------- C:\Program Files\USL
2007-10-22 04:27 <DIR> d-------- C:\Program Files\Socket Communications, Inc
2007-10-19 17:54 <DIR> d-------- C:\Documents and Settings\mglogowski\Application Data\Atari
2007-10-19 17:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-19 17:52 <DIR> d-------- C:\Documents and Settings\mglogowski\Application Data\Leadertech
2007-10-18 18:31 <DIR> d-------- C:\Program Files\Google
2007-10-17 09:23 10,752 --a------ C:\WINDOWS\system32\WhoisCL.exe
2007-10-17 06:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2007-10-17 06:36 299,464 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-10-13 23:06 35,641 --a------ C:\cc_20071014_0006.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 04:53 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\LimeWire
2007-11-12 04:48 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-10 16:11 278,548 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-11-10 16:06 278,547 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-11-10 03:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-08 22:57 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 14:36 --------- d-----w C:\Program Files\Dolby Laboratories Inc
2007-10-17 14:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-11 18:51 --------- d-----w C:\Program Files\Projector User Supportware
2007-09-20 19:21 381 ----a-w C:\cc_20070920_1221.reg
2007-09-15 12:28 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\Kensington
2007-09-14 19:56 --------- d-----w C:\Program Files\Kensington
2007-09-14 18:16 33,423 ----a-w C:\cc_20070914_1116.reg
2007-09-13 14:23 --------- d-----w C:\Program Files\SensorsViewPro31
2007-09-13 02:19 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\BinarySense
2007-09-12 22:29 --------- d-----w C:\Program Files\Sprint(2)
2007-09-12 22:29 --------- d-----w C:\Program Files\Sprint
2007-09-12 22:29 --------- d-----w C:\Program Files\Security Task Manager
2007-09-12 22:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan
2007-09-12 21:17 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Sprint Mobile Broadband (Pantech)
2007-08-30 23:09 2,273 ----a-w C:\cc_20070830_1609.reg
2007-08-24 15:23 312 ----a-w C:\cc_20070824_0823.reg
2007-08-19 12:30 36,104 ----a-w C:\cc_20070813_0614.reg
2007-08-12 16:42 98,306 ----a-w C:\cc_20070430_0753.reg
2007-05-10 04:30 673,370 -c--a-w C:\Program Files\DelayedShutdownSetup.exe
2006-02-19 10:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-09-17 06:51 879,616 -c--a-w C:\Program Files\Ad-Aware.exe
2005-07-30 00:24:26 472 --sha-r C:\WINDOWS\UkVHU1VQUE9SVA\o4pJoYpkoH6mpE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
2007-11-10 08:08 36352 --a------ C:\WINDOWS\system32\ssqomkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-11 14:24 145984 --a------ C:\WINDOWS\system32\vmxzdqei.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d7229d9c-5b63-439b-aafb-2d58526bb000}]
2007-11-11 16:42 79936 --a------ C:\WINDOWS\system32\tgknmfiy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\vmxzdqei.dll [2007-11-11 14:24 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-20 03:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 03:50]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 02:32]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 10:19]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 06:12 C:\WINDOWS\AGRSMMSG.exe]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 02:32]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 09:43 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:58]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 15:21]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 13:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 13:30]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-10 08:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 12:39]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-09-10 06:03]

C:\Documents and Settings\mglogowski\Start Menu\Programs\Startup\
Sprint PCS Connection Manager (3).lnk - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe [2006-10-18 12:12:15]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 11:39:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\WINDOWS\system32\ssqomkl.dll [2007-11-10 08:08 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-13 18:14 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqomkl]
ssqomkl.dll 2007-11-10 08:08 36352 C:\WINDOWS\system32\ssqomkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmxzdqei]
vmxzdqei.dll 2007-11-11 14:24 145984 C:\WINDOWS\system32\vmxzdqei.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqn.dll

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 sensorsview;sensorsview;\??\C:\WINDOWS\system32\drivers\sensorsview.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
S3 pxfhbus;PANTECH PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pxfhbus.sys
S3 pxfhmdfl;PANTECH PC Card Filter;C:\WINDOWS\system32\DRIVERS\pxfhmdfl.sys
S3 pxfhmdm;PANTECH PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pxfhmdm.sys
S3 pxfhserd;PANTECH PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pxfhserd.sys
S3 U2SP;USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b566993-f298-11db-a490-00166f77d1b7}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 22:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-12 05:30:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A99B1664-4275-4E48-99D9-43B654D6D7C0}.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 21:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 21:32:07 - machine was rebooted
.
--- E O F ---

Edited by marklafan, 12 November 2007 - 07:16 AM.
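As an added example (not code from this thread, from HijackThis or from ComboFix), a small Python triage script that applies the checks a log helper makes by eye to O3/O4/O23 lines copied from the first log above: a core system binary name outside system32, eight-character random names, an opaque hex argument, a service with no publisher or a missing file, and a directory name that is base64 for a word. The names SAMPLE_LOG, triage and the heuristics are my own; they flag lines for human review and do not replace it.

```python
import base64
import re

# Constructed sample: HijackThis lines copied from the first log in this thread,
# with two known-good entries (SynTPLpr, ctfmon) kept for contrast.
SAMPLE_LOG = r"""
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\vmxzdqei.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [6bb5243c] rundll32.exe "C:\WINDOWS\system32\pvadxrkp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UkVHU1VQUE9SVA\command.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Core Windows binaries that belong in %SystemRoot%\system32. A file with one of
# these names anywhere else (the thread's C:\WINDOWS\Fonts\svchost.exe) is a
# classic masquerading trick.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe"}

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|bat|vbs|scr|cmd)", re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")

def looks_random(token: str) -> bool:
    """Eight lowercase letters or eight hex digits: the shape of the generated
    names in this log (vmxzdqei, pvadxrkp, 6bb5243c). Heuristic only."""
    return re.fullmatch(r"[a-z]{8}|[0-9a-f]{8}", token) is not None

def base64_word(segment: str):
    """Decoded word if a directory name is base64 for ASCII letters
    (UkVHU1VQUE9SVA decodes to REGSUPPORT), otherwise None."""
    if len(segment) < 8 or len(segment) % 4 == 1:
        return None
    try:
        raw = base64.b64decode(segment + "=" * (-len(segment) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("ascii") if raw.isalpha() else None

def first_path(cmd: str) -> str:
    """Pull the executable or DLL path out of a Run command line."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else cmd.split()[0]

def check_path(path: str) -> list:
    """Reasons a file path deserves a closer look; [] if none."""
    reasons = []
    parts = path.split("\\")
    name = parts[-1]
    stem = name.rsplit(".", 1)[0]
    parent = "\\".join(parts[:-1]).lower()
    if name.lower() in SYSTEM_BINARIES and not parent.endswith("\\system32"):
        reasons.append(f"system binary name '{name}' outside system32")
    if looks_random(stem):
        reasons.append(f"random-looking file name '{name}'")
    for seg in parts[1:-1]:
        word = base64_word(seg)
        if word:
            reasons.append(f"directory '{seg}' is base64 for '{word}'")
    return reasons

def analyze_line(line: str) -> list:
    """Heuristic reasons for one O3/O4/O23 line; [] for other lines or clean ones."""
    reasons = []
    if m := O4_RE.match(line):
        if looks_random(m["name"]):
            reasons.append(f"random-looking Run value name '{m['name']}'")
        if HEX_BLOB_RE.search(m["cmd"]):
            reasons.append("opaque hex blob passed as an argument")
        reasons += check_path(first_path(m["cmd"]))
    elif m := O3_RE.match(line):
        reasons += check_path(m["path"])
    elif m := O23_RE.match(line):
        if m["missing"]:
            reasons.append("service binary missing on disk")
        if m["owner"].lower() == "unknown owner":
            reasons.append("service has no publisher")
        reasons += check_path(m["path"])
    return reasons

def triage(log_text: str) -> dict:
    """Map every log line that trips at least one heuristic to its reasons."""
    findings = {}
    for line in log_text.splitlines():
        if reasons := analyze_line(line.strip()):
            findings[line.strip()] = reasons
    return findings
```

Running triage(SAMPLE_LOG) flags five of the eight sample lines and leaves the Synaptics, ctfmon and Symantec entries alone.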



#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:09:24 PM

Posted 12 November 2007 - 08:44 AM

Hello!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:09:24 PM

Posted 13 November 2007 - 07:29 AM

Hello,

1. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

2. Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.
  • C:\WINDOWS\Fonts\Setup.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

3. Please right click on the attachment CFScript.txt (see the end of my post), and from the menu choose Save Target As; save it to your desktop with the name CFScript.txt.
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.

4. In your next reply, please post:
  • New HijackThis log.
  • Combofix log.
  • Result from jotti malware scan.
  • SDFix results.

Attached Files


Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 marklafan

marklafan
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 13 November 2007 - 10:13 AM

Here are the requested files. FYI, all symptoms are still occurring.




a. Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:06, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wentxp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\vmxzdqei.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [6bb5243c] rundll32.exe "C:\WINDOWS\system32\pvadxrkp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: Sprint PCS Connection Manager (3).lnk = C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/...erInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA38999A-B274-457D-BA04-360736A90081}: NameServer = 68.28.58.92 68.28.50.91
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe

--
End of file - 6700 bytes




b. COMBO

ComboFix 07-11-08.3 - mglogowski 2007-11-13 6:50:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.565 [GMT -8:00]
Running from: C:\Documents and Settings\mglogowski\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\mglogowski\Desktop\CFScript.txt
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mglogowski\Desktop\Live Safety Center.lnk
C:\Documents and Settings\mglogowski\Desktop\Online Security Guide.lnk
C:\Documents and Settings\mglogowski\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\vmxzdqei.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 06:09 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-12 20:33 114,944 --a------ C:\WINDOWS\system32\drivers\WENCRNT4.sys
2007-11-12 20:33 75,776 --a------ C:\WINDOWS\system32\wentxp.exe
2007-11-12 09:49 89,664 --a------ C:\WINDOWS\system32\pvadxrkp.dll
2007-11-12 09:49 81,472 --a------ C:\WINDOWS\system32\aprwonof.dll
2007-11-12 09:49 71,232 --a------ C:\WINDOWS\system32\rcpmtmjg.exe
2007-11-12 06:20 36,352 --a------ C:\WINDOWS\system32\khffdbx.dll
2007-11-11 21:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 20:20 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-11 20:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-11 20:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-11 20:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-11 20:20 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-11 20:20 3,416 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 16:42 79,936 --a------ C:\WINDOWS\system32\tgknmfiy.dll
2007-11-11 14:24 145,984 --a------ C:\WINDOWS\system32\yukfkoac.dll
2007-11-11 14:24 145,984 --a------ C:\WINDOWS\system32\vmxzdqei.dll
2007-11-11 13:38 <DIR> d--hs---- C:\WINDOWS\UkVHU1VQUE9SVA
2007-11-10 08:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 08:08 36,352 --a------ C:\WINDOWS\system32\ssqomkl.dll
2007-11-10 08:07 850 --a------ C:\Documents and Settings\mglogowski\z.dat
2007-11-10 08:07 0 --a------ C:\Documents and Settings\mglogowski\x.dat
2007-11-05 11:54 <DIR> d-------- C:\WAR2
2007-10-29 19:08 <DIR> d-------- C:\Program Files\Stardock
2007-10-29 19:08 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-10-29 19:08 163,584 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-10-26 20:09 2,360 --a------ C:\cc_20071026_2109.reg
2007-10-24 06:09 <DIR> d-------- C:\Program Files\USL
2007-10-22 04:27 <DIR> d-------- C:\Program Files\Socket Communications, Inc
2007-10-19 17:54 <DIR> d-------- C:\Documents and Settings\mglogowski\Application Data\Atari
2007-10-19 17:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-19 17:52 <DIR> d-------- C:\Documents and Settings\mglogowski\Application Data\Leadertech
2007-10-18 18:31 <DIR> d-------- C:\Program Files\Google
2007-10-17 09:23 10,752 --a------ C:\WINDOWS\system32\WhoisCL.exe
2007-10-17 06:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2007-10-17 06:36 299,464 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-10-13 23:06 35,641 --a------ C:\cc_20071014_0006.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 04:48 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-10 16:11 278,548 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-11-10 03:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-08 22:57 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 14:36 --------- d-----w C:\Program Files\Dolby Laboratories Inc
2007-10-17 14:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-11 18:51 --------- d-----w C:\Program Files\Projector User Supportware
2007-09-20 19:21 381 ----a-w C:\cc_20070920_1221.reg
2007-09-15 12:28 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\Kensington
2007-09-14 19:56 --------- d-----w C:\Program Files\Kensington
2007-09-14 18:16 33,423 ----a-w C:\cc_20070914_1116.reg
2007-09-13 14:23 --------- d-----w C:\Program Files\SensorsViewPro31
2007-09-13 02:19 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\BinarySense
2007-08-30 23:09 2,273 ----a-w C:\cc_20070830_1609.reg
2007-08-24 15:23 312 ----a-w C:\cc_20070824_0823.reg
2007-08-21 06:15 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-19 12:30 36,104 ----a-w C:\cc_20070813_0614.reg
2007-05-10 04:30 673,370 -c--a-w C:\Program Files\DelayedShutdownSetup.exe
2006-02-19 10:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-09-17 06:51 879,616 -c--a-w C:\Program Files\Ad-Aware.exe
2005-07-30 00:24:26 472 --sha-r C:\WINDOWS\UkVHU1VQUE9SVA\o4pJoYpkoH6mpE.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_21.30.44.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-13 18:21:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-13 14:10:15 5,808,128 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-13 14:10:15 69,632 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-13 18:21:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-13 14:09:49 5,808,128 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-11-13 14:09:50 69,632 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-11-12 04:40:56 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-13 14:28:39 63,590 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-12 04:40:56 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-13 14:28:39 404,536 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
2007-11-10 08:08 36352 --a------ C:\WINDOWS\system32\ssqomkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-11 14:24 145984 --a------ C:\WINDOWS\system32\vmxzdqei.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a9c62195-8e02-4e7a-b608-d4599039aab0}]
2007-11-12 09:49 81472 --a------ C:\WINDOWS\system32\aprwonof.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\vmxzdqei.dll [2007-11-11 14:24 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-20 03:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 03:50]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 02:32]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 10:19]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 06:12 C:\WINDOWS\AGRSMMSG.exe]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 02:32]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 09:43 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:58]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 15:21]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 13:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 13:30]
"6bb5243c"="C:\WINDOWS\system32\pvadxrkp.dll" [2007-11-12 09:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 12:39]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-09-10 06:03]

C:\Documents and Settings\mglogowski\Start Menu\Programs\Startup\
Sprint PCS Connection Manager (3).lnk - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe [2006-10-18 12:12:15]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 11:39:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\WINDOWS\system32\ssqomkl.dll [2007-11-10 08:08 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-13 18:14 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqomkl]
ssqomkl.dll 2007-11-10 08:08 36352 C:\WINDOWS\system32\ssqomkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmxzdqei]
vmxzdqei.dll 2007-11-11 14:24 145984 C:\WINDOWS\system32\vmxzdqei.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqpq.dll

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 sensorsview;sensorsview;\??\C:\WINDOWS\system32\drivers\sensorsview.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R2 WENCRNT4;WENCRNT4;\??\C:\WINDOWS\system32\Drivers\WENCRNT4.SYS
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 pxfhbus;PANTECH PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pxfhbus.sys
R3 pxfhmdfl;PANTECH PC Card Filter;C:\WINDOWS\system32\DRIVERS\pxfhmdfl.sys
R3 pxfhmdm;PANTECH PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pxfhmdm.sys
R3 pxfhserd;PANTECH PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pxfhserd.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
S3 U2SP;USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b566993-f298-11db-a490-00166f77d1b7}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 23:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-13 15:00:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A99B1664-4275-4E48-99D9-43B654D6D7C0}.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 07:00:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 7:03:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 21:32
.
--- E O F ---


C. JOTTI

Scanner                 Malware name
A-Squared               X
AntiVir                 TR/Drop.Delf.agn
ArcaVir                 X
Avast                   Win32:Trojan-gen {Delphi}
AVG Antivirus           Dropper.Generic.QFK
BitDefender             X
ClamAV                  X
CPsecure                X
Dr.Web                  X
F-Prot Antivirus        X
F-Secure Anti-Virus     Trojan-Dropper.Win32.Delf.agn
Fortinet                X
Kaspersky Anti-Virus    Trojan-Dropper.Win32.Delf.agn
NOD32                   X
Norman Virus Control    X
Panda Antivirus         X
Rising Antivirus        Dropper.Win32.Delf.agn
Sophos Antivirus        X
VirusBuster             X
VBA32                   Backdoor.Win32.Netbus.170

D. SDFIX

SDFix: Version 1.114

Run by mglogowski on Tue 11/13/2007 at 06:13

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\X.DAT - Deleted
C:\Z.DAT - Deleted
C:\Program Files\Insider\Insider.exe - Deleted
C:\Program Files\Insider\UnInstall.exe - Deleted
C:\n.bat - Deleted
C:\winlogon.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b147.exe - Deleted
C:\WINDOWS\Fonts\svchost.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted


Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Insider - Removed
Folder C:\WINDOWS\Fonts\' - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 06:28:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Counter"=dword:000013bc
"Last Help"=dword:000013bd

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Disabled:ActiveSync RAPI Manager"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\WINDOWS\\system32\\rcpmtmjg.exe"="C:\\WINDOWS\\system32\\rcp"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe:*:Enabled:SecureClient Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 1 Aug 2005 211 A.SH. --- "C:\BOOT.BAK"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 11 Nov 2007 6,465 ..SH. --- "C:\WINDOWS\system32\qpqss.bak1"
Mon 12 Nov 2007 443,830 ..SH. --- "C:\WINDOWS\system32\qpqss.bak2"
Tue 13 Nov 2007 20,640 ..SH. --- "C:\WINDOWS\system32\vmxzdqei.dllbox"
Wed 16 May 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Wed 6 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Tue 10 Jul 2007 25,600 ...H. --- "C:\Documents and Settings\mglogowski\My Documents\Personal\~WRL2114.tmp"
Mon 20 Aug 2007 104,090 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BITB.tmp"
Tue 10 Jul 2007 641,496 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\11d2e2b10d233f27e905f3b1affc289a\BIT9.tmp"
Sun 7 Oct 2007 118,587 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1ba295bef2d06eaaa6232f30382de26b\BIT54.tmp"
Thu 9 Aug 2007 15,394,248 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\22c3bb229d81eea2958e2b928ed5b9f9\BIT3F.tmp"
Sun 7 Oct 2007 3,555,389 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2f4f0263deb56b2d77b536cc60a04791\BIT63.tmp"
Thu 9 Aug 2007 101,807 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\BITA.tmp"
Thu 9 Aug 2007 173,464 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4bff3a39d84c79b75274c24d8341568c\BIT9.tmp"
Sun 7 Oct 2007 8,348,280 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\64c20f9a5af9cc7aa7cf70a2374b2ab7\BIT41.tmp"
Thu 9 Aug 2007 102,501 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\BIT41.tmp"
Wed 19 Sep 2007 5,193,850 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\723d12ccbc22f288fb53cd47a25782f9\BIT5C.tmp"
Wed 19 Sep 2007 3,307,342 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a0fe7704776ce2219611aa89e7b4dfca\BIT5B.tmp"
Wed 12 Sep 2007 957,912 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ae9bc65d0f581db8e80ca74b7951e935\BIT55.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"
Thu 9 Aug 2007 7,649,240 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT42.tmp"
Wed 19 Sep 2007 1,066,425 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e7e98304794d11e8128641bb5cbd922c\BIT58.tmp"
Thu 9 Aug 2007 154,945 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\BIT8.tmp"

Finished!

#5 marklafan

marklafan
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 14 November 2007 - 08:07 AM

The problem has gotten so bad that I can't use my computer, and this is the computer I make my living off of!!!!!!!

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:09:24 PM

Posted 14 November 2007 - 02:09 PM

Hello

1. Please right click on the attachment CFScript.txt (see at end of my post), and from the menu choose Save Target As, then save it to your desktop with the name: CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file, along with a new HijackThis log.
2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Regards :thumbsup:

Attached Files
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!


