Unknown Virus And Malware W/ Security Toolbar


2 replies to this topic

#1 matt2491

  • Members
  • 1 posts

Posted 13 November 2007 - 07:26 AM

I am receiving popups at the bottom of my screen with a little yellow triangle stating that I have been infected with numerous viruses and malware. There are internet popups all over the place also and a new security toolbar in my browser. I have run Ad-Aware and Spybot and a virus detector but none have worked. I need my computer for office work and am really screwed at this point. Any help would be sooo appreciated. Attached are my HijackThis and ComboFix logs. Thank you.

HIJACK-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:29 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\vmxzdqei.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: Sprint PCS Connection Manager (3).lnk = C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/...erInstaller.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UkVHU1VQUE9SVA\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6630 bytes






COMBO

ComboFix 07-11-08.3 - mglogowski 2007-11-11 21:16:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT -8:00]
Running from: C:\Documents and Settings\mglogowski\My Documents\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mglogowski\Desktop\Live Safety Center.lnk
C:\Documents and Settings\mglogowski\Desktop\Online Security Guide.lnk
C:\Documents and Settings\mglogowski\Favorites\Online Security Guide.lnk
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\vmxzdqei.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 21:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 20:20 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-11 20:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-11 20:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-11 20:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-11 20:20 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-11 20:20 3,416 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 16:42 79,936 --a------ C:\WINDOWS\system32\tgknmfiy.dll
2007-11-11 14:24 145,984 --a------ C:\WINDOWS\system32\yukfkoac.dll
2007-11-11 14:24 145,984 --a------ C:\WINDOWS\system32\vmxzdqei.dll
2007-11-11 13:38 <DIR> d--hs---- C:\WINDOWS\UkVHU1VQUE9SVA
2007-11-10 08:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 08:09 <DIR> d-------- C:\Program Files\LimeWire
2007-11-10 08:08 36,352 --a------ C:\WINDOWS\system32\ssqomkl.dll
2007-11-10 08:08 134 --a------ C:\n.bat
2007-11-10 08:08 0 --a------ C:\x.dat
2007-11-10 08:07 172,032 --a------ C:\winlogon.exe
2007-11-10 08:07 850 --a------ C:\Documents and Settings\mglogowski\z.dat
2007-11-10 08:07 0 --a------ C:\z.dat
2007-11-10 08:07 0 --a------ C:\Documents and Settings\mglogowski\x.dat
2007-11-05 11:54 <DIR> d-------- C:\WAR2
2007-10-29 19:08 <DIR> d-------- C:\Program Files\Stardock
2007-10-29 19:08 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-10-29 19:08 163,584 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-10-26 20:09 2,360 --a------ C:\cc_20071026_2109.reg
2007-10-24 06:09 <DIR> d-------- C:\Program Files\USL
2007-10-22 04:27 <DIR> d-------- C:\Program Files\Socket Communications, Inc
2007-10-19 17:54 <DIR> d-------- C:\Documents and Settings\mglogowski\Application Data\Atari
2007-10-19 17:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-19 17:52 <DIR> d-------- C:\Documents and Settings\mglogowski\Application Data\Leadertech
2007-10-18 18:31 <DIR> d-------- C:\Program Files\Google
2007-10-17 09:23 10,752 --a------ C:\WINDOWS\system32\WhoisCL.exe
2007-10-17 06:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2007-10-17 06:36 299,464 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-10-13 23:06 35,641 --a------ C:\cc_20071014_0006.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 04:53 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\LimeWire
2007-11-12 04:48 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-10 16:11 278,548 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-11-10 16:06 278,547 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-11-10 03:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-08 22:57 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 14:36 --------- d-----w C:\Program Files\Dolby Laboratories Inc
2007-10-17 14:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-11 18:51 --------- d-----w C:\Program Files\Projector User Supportware
2007-09-20 19:21 381 ----a-w C:\cc_20070920_1221.reg
2007-09-15 12:28 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\Kensington
2007-09-14 19:56 --------- d-----w C:\Program Files\Kensington
2007-09-14 18:16 33,423 ----a-w C:\cc_20070914_1116.reg
2007-09-13 14:23 --------- d-----w C:\Program Files\SensorsViewPro31
2007-09-13 02:19 --------- d-----w C:\Documents and Settings\mglogowski\Application Data\BinarySense
2007-09-12 22:29 --------- d-----w C:\Program Files\Sprint(2)
2007-09-12 22:29 --------- d-----w C:\Program Files\Sprint
2007-09-12 22:29 --------- d-----w C:\Program Files\Security Task Manager
2007-09-12 22:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan
2007-09-12 21:17 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Sprint Mobile Broadband (Pantech)
2007-08-30 23:09 2,273 ----a-w C:\cc_20070830_1609.reg
2007-08-24 15:23 312 ----a-w C:\cc_20070824_0823.reg
2007-08-19 12:30 36,104 ----a-w C:\cc_20070813_0614.reg
2007-08-12 16:42 98,306 ----a-w C:\cc_20070430_0753.reg
2007-05-10 04:30 673,370 -c--a-w C:\Program Files\DelayedShutdownSetup.exe
2006-02-19 10:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-09-17 06:51 879,616 -c--a-w C:\Program Files\Ad-Aware.exe
2005-07-30 00:24:26 472 --sha-r C:\WINDOWS\UkVHU1VQUE9SVA\o4pJoYpkoH6mpE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
2007-11-10 08:08 36352 --a------ C:\WINDOWS\system32\ssqomkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-11 14:24 145984 --a------ C:\WINDOWS\system32\vmxzdqei.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d7229d9c-5b63-439b-aafb-2d58526bb000}]
2007-11-11 16:42 79936 --a------ C:\WINDOWS\system32\tgknmfiy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\vmxzdqei.dll [2007-11-11 14:24 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-20 03:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 03:50]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 02:32]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 10:19]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 06:12 C:\WINDOWS\AGRSMMSG.exe]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 02:32]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 09:43 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:58]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 15:21]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 13:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 13:30]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-10 08:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 12:39]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-09-10 06:03]

C:\Documents and Settings\mglogowski\Start Menu\Programs\Startup\
Sprint PCS Connection Manager (3).lnk - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe [2006-10-18 12:12:15]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 11:39:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"= C:\WINDOWS\system32\ssqomkl.dll [2007-11-10 08:08 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-13 18:14 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqomkl]
ssqomkl.dll 2007-11-10 08:08 36352 C:\WINDOWS\system32\ssqomkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmxzdqei]
vmxzdqei.dll 2007-11-11 14:24 145984 C:\WINDOWS\system32\vmxzdqei.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqn.dll

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 sensorsview;sensorsview;\??\C:\WINDOWS\system32\drivers\sensorsview.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
S3 pxfhbus;PANTECH PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pxfhbus.sys
S3 pxfhmdfl;PANTECH PC Card Filter;C:\WINDOWS\system32\DRIVERS\pxfhmdfl.sys
S3 pxfhmdm;PANTECH PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pxfhmdm.sys
S3 pxfhserd;PANTECH PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pxfhserd.sys
S3 U2SP;USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b566993-f298-11db-a490-00166f77d1b7}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 22:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-12 05:30:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A99B1664-4275-4E48-99D9-43B654D6D7C0}.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 21:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 21:32:07 - machine was rebooted
.
--- E O F ---
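The two logs above can be triaged mechanically before a responder reads them line by line. The following Python script is an added example, not part of this thread and not code from HijackThis or ComboFix. It takes a handful of lines copied from matt2491's logs (constructed here as inline sample input) and flags the indicators a malware responder looks for first: a Windows system binary name such as svchost.exe or winlogon.exe running from outside system32, an O23 service whose file is missing and whose owner is unknown, a Run entry that passes a long hex blob as its argument, and a directory whose name decodes as base64 text (the hidden UkVHU1VQUE9SVA folder in the ComboFix log decodes to REGSUPPORT). The reason strings, the length thresholds and the list of system binaries are my own choices, not anything the tools define.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example, not from the thread)."""
import base64
import binascii
import re
import string
from typing import Dict, List

# Core Windows binaries that only belong in %SystemRoot%\system32 on XP.
# Any process or autorun with one of these names elsewhere deserves a look.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"  # assumption: default XP install drive and directory

# First drive-letter path ending in an executable-ish extension on the line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|vbs|bat)\b", re.IGNORECASE)
# A trailing run of 40+ hex characters after the command (seen on the runner1 entry above).
HEX_BLOB_RE = re.compile(r"\s[0-9A-Fa-f]{40,}\s*$")

REASON_WRONG_DIR = "system binary name outside system32"
REASON_MISSING_UNKNOWN = "service binary missing and owner unknown"
REASON_B64_DIR = "directory name decodes as base64 text"
REASON_HEX_ARG = "Run entry passes a long hex blob as argument"

# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Fonts\svchost.exe",
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r"O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe "
    r"61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - "
    r"C:\WINDOWS\UkVHU1VQUE9SVA\command.exe (file missing)",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    r"2007-11-10 08:07 172,032 --a------ C:\winlogon.exe",
]


def _base64_text(component: str) -> str:
    """Return the decoded text if `component` is a long base64 string that decodes to ASCII letters, else ''."""
    # Valid base64 never has length 1 mod 4; short or non-alphabet names are skipped outright.
    if len(component) < 12 or len(component) % 4 == 1 or not re.fullmatch(r"[A-Za-z0-9+/]+", component):
        return ""
    padded = component + "=" * (-len(component) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return ""
    text = raw.decode("ascii", errors="replace")
    return text if text and all(ch in string.ascii_letters for ch in text) else ""


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one {'line', 'path', 'reason'} finding per indicator hit."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        match = PATH_RE.search(line)
        path = match.group(0) if match else ""
        if path:
            directory, _, filename = path.rpartition("\\")
            if filename.lower() in SYSTEM_BINARIES and directory.lower() != SYSTEM32_DIR:
                findings.append({"line": line, "path": path, "reason": REASON_WRONG_DIR})
            for component in directory.split("\\")[1:]:  # [1:] skips the drive letter
                decoded = _base64_text(component)
                if decoded:
                    findings.append({"line": line, "path": path,
                                     "reason": f"{REASON_B64_DIR} ({component!r} -> {decoded!r})"})
        if line.startswith("O23") and "(file missing)" in line and "Unknown owner" in line:
            findings.append({"line": line, "path": path, "reason": REASON_MISSING_UNKNOWN})
        if line.startswith("O4") and HEX_BLOB_RE.search(line):
            findings.append({"line": line, "path": path, "reason": REASON_HEX_ARG})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding['reason']:45s} {finding['path']}")
```

Each check is a heuristic, not a verdict: a vendor tool that stores a renamed svchost.exe in its own folder would trip the first rule, and the base64 check only fires on names at least 12 characters long that decode to nothing but letters. The point is to surface the lines a human should read first, which on this log are exactly the ones the responder's ComboFix script later collects and removes.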


#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 13 November 2007 - 01:58 PM

Hello matt2491 and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 13 November 2007 - 04:21 PM

Hey matt2491,

Step #1

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:

If you want to have a look at the user manuals for the above suggested programs, have a look at the following:

Step #2

The most current version of LimeWire is reported to include spyware. LimeWire 4.9.28 is clean (older and newer versions may not be). Chances are junk was bundled with this product even if you paid for it. If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this:
http://pcpitstop.com/spycheck/badtorrent.asp

Step #3
  • Open notepad and copy/paste the text in the codebox below into it:

    http://www.bleepingcomputer.com/forums/t/116295/unknown-virus-and-malware-w-security-toolbar/?p=660725
    
    Collect::
    C:\WINDOWS\system32\tgknmfiy.dll
    C:\WINDOWS\system32\yukfkoac.dll
    C:\WINDOWS\system32\vmxzdqei.dll
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\ssqomkl.dll
    C:\n.bat
    C:\x.dat
    C:\winlogon.exe
    C:\WINDOWS\system32\ssqomkl.dll
    C:\Documents and Settings\mglogowski\z.dat
    C:\z.dat
    C:\Documents and Settings\mglogowski\x.dat
    C:\WINDOWS\Fonts\Setup.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\UkVHU1VQUE9SVA\o4pJoYpkoH6mpE.vbs
    C:\WINDOWS\system32\ssqomkl.dll
    C:\WINDOWS\system32\vmxzdqei.dll
    C:\WINDOWS\system32\tgknmfiy.dll
    C:\WINDOWS\system32\vmxzdqei.dll
    C:\WINDOWS\system32\sstqn.dll
    
    DirLook::
    C:\WINDOWS\UkVHU1VQUE9SVA
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d7229d9c-5b63-439b-aafb-2d58526bb000}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Host Process"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{01CD0B31-9154-45F2-9414-F5D64B74EAF6}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqomkl]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmxzdqei]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_CLASSES_ROOT\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
    [-HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_CLASSES_ROOT\CLSID\{d7229d9c-5b63-439b-aafb-2d58526bb000}]
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [-HKEY_CLASSES_ROOT\CLSID\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file to:

    http://www.bleepingcomputer.com/submit-malware.php?channel=4

    Please include a link to this topic in the message.
Step #4

Before we continue with cleaning your PC, please post a fresh HijackThis log and the log from ComboFix.

Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
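The least obvious line in the CFScript above is the `"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00` entry. ComboFix reported that value as `msv1_0 C:\WINDOWS\system32\sstqn.dll`, and the script rewrites it so that only msv1_0 remains, which is what removes the injected DLL from the LSA authentication chain. The Python below is an added example, not from the thread and not ComboFix code, that decodes a `.reg`-style `hex(7)` (REG_MULTI_SZ) value, re-encodes a list of strings into that form, and lists which packages in the observed value are not in the intended list. The bytes on this page are one byte per character, as in REGEDIT4-format scripts; Unicode `.reg` files store UTF-16LE instead, so the decoder detects that layout with a simple heuristic (every odd byte zero) that I chose for ASCII content.

```python
"""Decode and build REG_MULTI_SZ hex(7) values as written in .reg scripts (added example)."""
import re
from typing import List


def decode_reg_multi_sz(hex_value: str) -> List[str]:
    """Turn 'hex(7):6d,73,...' into the list of NUL-separated strings it encodes."""
    body = re.sub(r"^hex\(7\):", "", hex_value.strip(), flags=re.IGNORECASE)
    # Tolerate .reg line continuations ("\") and whitespace between the byte tokens.
    raw = bytes(int(tok, 16) for tok in re.split(r"[,\s\\]+", body) if tok)
    # Heuristic: UTF-16LE ASCII text has 0x00 in every odd position; REGEDIT4 scripts
    # (the form ComboFix uses, as the bytes in this thread show) store one byte per character.
    is_utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le") if is_utf16 else raw.decode("latin-1")
    # A REG_MULTI_SZ is terminated by an empty string, so drop the empties.
    return [s for s in text.split("\x00") if s]


def encode_reg_multi_sz(values: List[str], unicode_reg: bool = False) -> str:
    """Build the hex(7): form for a list of strings (double-NUL terminated), REGEDIT4 or Unicode style."""
    text = "\x00".join(values) + "\x00\x00"
    raw = text.encode("utf-16-le") if unicode_reg else text.encode("latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def extra_packages(observed: str, intended: List[str]) -> List[str]:
    """ComboFix prints the packages space-separated; return those not in the intended list.
    Caveat: a package path containing spaces would be split here, so treat hits as leads."""
    return [pkg for pkg in observed.split() if pkg not in intended]


if __name__ == "__main__":
    script_value = "hex(7):6d,73,76,31,5f,30,00,00"            # line from the CFScript above
    reported = r"msv1_0 C:\WINDOWS\system32\sstqn.dll"         # line from the ComboFix log above
    intended = decode_reg_multi_sz(script_value)
    print("script sets Authentication Packages to:", intended)
    print("entries the fix strips:", extra_packages(reported, intended))
    print("same value in Unicode .reg form:", encode_reg_multi_sz(intended, unicode_reg=True))
```

Reading the value this way makes the registry line auditable: anyone reviewing the script can confirm it restores only msv1_0 rather than trusting an opaque byte string, and the same decoder applies to any REG_MULTI_SZ autostart or LSA value that a log shows with an unexpected extra DLL.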