
Infection Of System32 Files


6 replies to this topic

#1 neverquit11

neverquit11

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 January 2008 - 01:03 PM

I am currently running Windows XP Home. I have tried many spyware locators such as Ad-Aware, Spybot, HijackThis and VundoFix, and although most can find the problem, even after a reboot the files xxwur.dll and xxwur.exe are still present. When I try to manually delete the files, xxwur.exe can be removed but is present again after a restart, but when I try to delete xxwur.dll it says it cannot be deleted because it is in use by another program. I will list the log from my HJT. Also, when I run Spybot Search & Destroy it will detect many problems, such as Virtumundo for example, but no matter how many times I delete the files and reboot they are all there the next time as well. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:01 AM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.59.99:8811
F3 - REG:win.ini: load=C:\WINDOWS\system32\xxwur.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 3852 bytes


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:42 AM

Posted 20 January 2008 - 01:50 PM

Hello neverquit11,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 neverquit11

neverquit11
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 January 2008 - 02:36 PM

I ran both and here are the logs. I'm not sure if it is normal, but I keep getting a popup for rundll saying "error loading, the specific module could not be found"...


ComboFix 08-01-20.1 - Nick 2006-01-19 3:04:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.40 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outerinfo
C:\Program Files\smbols~1
C:\Program Files\smbols~1\w?wexec.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asembl~1
C:\WINDOWS\asembl~1\a?sembly\
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\ruwxx.ini
C:\WINDOWS\SYSTEM32\ruwxx.ini2
C:\WINDOWS\system32\xxwur.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 14:22 . 2008-01-20 14:22 3,584 --a------ C:\WINDOWS\SYSTEM32\xxwur.exe
2008-01-20 03:19 . 2008-01-20 03:19 <DIR> d-------- C:\temp\tn3
2008-01-20 03:18 . 2008-01-20 03:18 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-19 11:53 . 2006-01-18 13:43 <DIR> d-------- C:\VundoFix Backups
2008-01-18 21:36 . 2008-01-18 21:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-18 21:00 . 2008-01-18 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 21:00 . 2008-01-18 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 19:42 . 2008-01-19 11:08 53,248 --a------ C:\WINDOWS\SYSTEM32\umonit .exe
2008-01-17 19:42 . 2008-01-19 14:07 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-17 18:10 . 2008-01-18 21:12 <DIR> d-------- C:\Program Files\Project64 1.6
2008-01-17 17:59 . 2008-01-18 13:34 <DIR> d--hs---- C:\WINDOWS\Tmljaw
2008-01-17 17:59 . 2008-01-17 17:59 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRTT.sys
2008-01-17 17:58 . 2008-01-17 17:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\re9
2008-01-17 17:58 . 2006-01-18 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\kt8
2008-01-17 17:58 . 2008-01-17 19:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\gz4
2008-01-17 17:58 . 2006-01-18 13:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
2008-01-17 17:58 . 2008-01-18 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\dp2
2008-01-17 17:58 . 2008-01-17 17:59 <DIR> d-------- C:\temp\Ryuan1
2008-01-12 21:47 . 2008-01-12 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PurePlay
2008-01-11 18:26 . 2008-01-11 18:27 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 18:22 --------- d-----w C:\Program Files\AIM6
2008-01-19 03:48 --------- d-----w C:\Program Files\QuickTime
2008-01-19 03:48 --------- d-----w C:\Program Files\iTunes
2008-01-19 02:20 --------- d-----w C:\Program Files\Image-Line
2008-01-19 02:18 --------- d-----w C:\Program Files\KellySoftware
2008-01-11 02:05 --------- d-----w C:\Program Files\Viewpoint
2008-01-11 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-11 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-11 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-04 00:53 --------- d-----w C:\Documents and Settings\Nick\Application Data\Apple Computer
2007-12-02 22:41 --------- d-----w C:\Program Files\iPod
2007-12-02 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-02 22:15 --------- d-----w C:\Program Files\Apple Software Update
2007-12-02 22:14 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-02 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-01-18 17:31 379 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
2007-01-18 17:28 87,040 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
2007-01-18 17:28 151 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb3149.dat
2007-01-18 17:28 13,046 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
2007-01-18 17:28 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb1538.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb153.dat
2006-05-14 06:09 794,741 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.bak1
2006-05-27 00:50 866,154 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.bak2
2006-06-01 14:18 701,811 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Tmljaw\nA53uT.vbs
.
----a-w			50,528 2008-01-19 18:20:59  C:\Program Files\AIM6\aim6 .exe
----a-w		   267,048 2008-01-19 01:59:43  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   574,464 2006-01-18 20:24:00  C:\Program Files\McAfee.com\Agent\MC1A3F~1 .EXE
----a-w		   303,104 2008-01-19 01:59:31  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w		   212,992 2008-01-19 05:24:38  C:\Program Files\McAfee.com\Agent\mcupdate  .exe
----a-w		   574,464 2006-01-19 23:19:09  C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w		   574,464 2006-01-20 00:23:50  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w		   574,464 2006-01-20 01:16:13  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
----a-w		   574,464 2006-01-18 17:42:57  C:\Program Files\McAfee.com\Agent\MCUPDA~4 .EXE
----a-w		   122,880 2008-01-19 02:00:04  C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
----a-w		   163,840 2008-01-19 01:58:59  C:\Program Files\McAfee.com\VSO\mcvsshld .exe
----a-w		 1,694,208 2008-01-20 19:20:38  C:\Program Files\Messenger\msmsgs .exe
----a-w		   652,288 2008-01-19 03:48:00  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   652,288 2008-01-18 23:42:21  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   652,288 2008-01-18 22:02:08  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   652,288 2008-01-18 18:35:27  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   652,288 2008-01-18 12:06:27  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   652,288 2008-01-18 04:39:37  C:\Program Files\QuickTime\QTTask  .exe
----a-w		   652,288 2008-01-18 03:25:43  C:\Program Files\QuickTime\QTTask .exe
----a-w			15,360 2008-01-19 19:07:06  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w			53,248 2008-01-19 16:08:51  C:\WINDOWS\SYSTEM32\umonit .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{641EF440-6CDA-4657-F8CD-66A3938BF0CA}]
C:\WINDOWS\SYSTEM32\FRW.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba569958-a6dd-42b0-ba5e-fbbabb2373fa}]
C:\WINDOWS\SYSTEM32\NXEYICK.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-20 14:21 2225152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-06-10 17:17:52 114688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\xxwur

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.2.6.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 4.2.6.lnk
backup=C:\WINDOWS\pss\LimeWire 4.2.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Registration Myst Uru]
path=C:\Documents and Settings\Nick\Start Menu\Programs\Startup\Registration Myst Uru
backup=C:\WINDOWS\pss\Registration Myst UruStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-02-02 15:32 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-18 22:48 696832 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\hggfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 14:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 14:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-20 14:21 2225152 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oqtunjm]
C:\Program Files\s?mbols\w?wexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 19:41 652288 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-10-05 23:32 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-02-03 20:14 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2004-05-12 16:22 249856 C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
--a------ 2008-01-20 14:21 2225152 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 16:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIRIT LITE MONITOR]
--a------ 2006-06-07 07:10 225280 C:\VEXPLITE\MONLITE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"viritsvclite"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MCAgentExe"=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
"MCUpdateExe"=C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station .exe" /b Startup
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

R1 VIDEOPRTT;VIDEOPRTT;C:\WINDOWS\system32\drivers\VIDEOPRTT.sys [2008-01-17 17:59]
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys [2006-07-27 06:21]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S4 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2006-06-07 07:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1cdf931-9344-11da-b600-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 23:40:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 14:21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\xxwur.dll
.
Completion time: 2008-01-20 14:30:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 19:30:23
.
2008-01-09 08:03:37 --- E O F ---







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:48 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.59.99:8811
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {641EF440-6CDA-4657-F8CD-66A3938BF0CA} - C:\WINDOWS\SYSTEM32\FRW.DLL (file missing)
O2 - BHO: (no name) - {ba569958-a6dd-42b0-ba5e-fbbabb2373fa} - C:\WINDOWS\SYSTEM32\NXEYICK.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4439 bytes
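A few of the lines in the two logs above are the whole story of why the OP could not remove this infection by hand: the win.ini load= entry restarts xxwur.exe at every logon, the LSA "Authentication Packages" entry makes lsass.exe load xxwur at boot (which is why the DLL is "in use by another program"), the ComboFix "DLLs Loaded Under Running Processes" section shows the same DLL inside Explorer.EXE, the ProxyServer is set to a link-local 169.254.x.x address, and several executables have been given names with whitespace before the extension ("QTTask .exe" is not "QTTask.exe"). The script below is an added example, not code from this thread, from HijackThis or ComboFix, or from BleepingComputer; it parses log lines in the formats shown in posts #1 and #3 and flags those patterns. The sample lines are constructed from the posted logs (with a benign Run entry and BHO line added for contrast), and the assumption that ComboFix prints REG_MULTI_SZ values space-separated is noted in the code.

```python
"""Triage of HijackThis / ComboFix style log lines.

Added example for this thread (not part of HijackThis, ComboFix or any
BleepingComputer tool). It flags the persistence and evasion patterns that
appear in the logs posted in #1 and #3.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line_no: int   # 1-based line number in the log text
    rule: str      # short rule identifier
    detail: str    # what was matched


# Patterns modelled on the line formats visible in the posted logs.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*([^\s:]+)(?::(\d+))?")
INI_LOAD_RE = re.compile(r"REG:(win|system)\.ini:\s*(load|run)=(\S.*)", re.I)
USERINIT_RE = re.compile(r"REG:system\.ini:\s*UserInit=(.+)", re.I)
LSA_RE = re.compile(r"Authentication Packages\s+REG_MULTI_SZ\s+(.+)")
SPACED_EXT_RE = re.compile(r"\S[ \t]+\.(exe|dll|sys|com)\b", re.I)

# msv1_0 is the only authentication package on a default Windows XP install.
STANDARD_AUTH_PACKAGES = {"msv1_0"}


def check_proxy(line: str) -> Optional[str]:
    """A ProxyServer on a link-local (169.254/16) address is a local hijack, not a real proxy."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # hostname rather than an IP literal; not judged here
    if addr.is_link_local:
        return f"proxy points at link-local address {m.group(1)}:{m.group(2) or '?'}"
    return None


def check_ini_load(line: str) -> Optional[str]:
    """win.ini load= / run= are empty on a clean XP system; any value is an autostart."""
    m = INI_LOAD_RE.search(line)
    return f"{m.group(1)}.ini {m.group(2)}= starts {m.group(3).strip()}" if m else None


def check_userinit(line: str) -> Optional[str]:
    """UserInit should name only userinit.exe; extra entries run at every logon."""
    m = USERINIT_RE.search(line)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    if len(entries) == 1 and entries[0].lower().endswith("\\userinit.exe"):
        return None
    return f"UserInit is {m.group(1).strip()}"


def check_lsa_packages(line: str) -> Optional[str]:
    """Anything beyond msv1_0 is a DLL that lsass.exe loads at boot (hence 'in use')."""
    m = LSA_RE.search(line)
    if not m:
        return None
    # Assumption: ComboFix prints the values space-separated and none of
    # them contains a space (true for the line in this thread).
    extra = [v for v in m.group(1).split() if v.lower() not in STANDARD_AUTH_PACKAGES]
    return f"non-standard LSA authentication package(s): {' '.join(extra)}" if extra else None


def check_spaced_extension(line: str) -> Optional[str]:
    """'QTTask .exe' is not 'QTTask.exe': whitespace before the extension hides a look-alike."""
    m = SPACED_EXT_RE.search(line)
    return f"whitespace before .{m.group(1)} in a file name" if m else None


CHECKS = [
    ("proxy_link_local", check_proxy),
    ("ini_load", check_ini_load),
    ("userinit", check_userinit),
    ("lsa_auth_package", check_lsa_packages),
    ("space_before_extension", check_spaced_extension),
]


def triage(log_text: str) -> List[Finding]:
    """Run every check over every line and collect the hits in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for rule, fn in CHECKS:
            detail = fn(line)
            if detail:
                findings.append(Finding(n, rule, detail))
    return findings


# Constructed sample: lines taken from the HJT and ComboFix output in this
# thread, plus a benign Run entry and a BHO line for contrast.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.59.99:8811",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\xxwur.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe",
    r"O2 - BHO: (no name) - {641EF440-6CDA-4657-F8CD-66A3938BF0CA} - C:\WINDOWS\SYSTEM32\FRW.DLL (file missing)",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\xxwur",
    r'"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime',
    r"----a-w 652,288 2008-01-19 03:48:00 C:\Program Files\QuickTime\QTTask .exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} [{f.rule}] {f.detail}")
```

Run against the sample it reports the proxy, the win.ini load= entry, the extra LSA package and both spaced file names, and stays quiet on the standard UserInit line, the Avira Run entry and the orphaned BHO. The UserInit rule is included because it sits next to the load= entry in the same HJT section and is another common place for this family to put itself; a "(file missing)" BHO is left alone on purpose, since it is a stale registration rather than a running component.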

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:42 AM

Posted 20 January 2008 - 03:23 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
----a-w 50,528 2008-01-19 18:20:59 C:\Program Files\AIM6\aim6 .exe
----a-w 267,048 2008-01-19 01:59:43 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 574,464 2006-01-18 20:24:00 C:\Program Files\McAfee.com\Agent\MC1A3F~1 .EXE
----a-w 303,104 2008-01-19 01:59:31 C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w 212,992 2008-01-19 05:24:38 C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w 574,464 2006-01-19 23:19:09 C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w 574,464 2006-01-20 00:23:50 C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w 574,464 2006-01-20 01:16:13 C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
----a-w 574,464 2006-01-18 17:42:57 C:\Program Files\McAfee.com\Agent\MCUPDA~4 .EXE
----a-w 122,880 2008-01-19 02:00:04 C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
----a-w 163,840 2008-01-19 01:58:59 C:\Program Files\McAfee.com\VSO\mcvsshld .exe
----a-w 1,694,208 2008-01-20 19:20:38 C:\Program Files\Messenger\msmsgs .exe
----a-w 652,288 2008-01-19 03:48:00 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 23:42:21 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 22:02:08 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 18:35:27 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 12:06:27 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 04:39:37 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 03:25:43 C:\Program Files\QuickTime\QTTask .exe
----a-w 15,360 2008-01-19 19:07:06 C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w 53,248 2008-01-19 16:08:51 C:\WINDOWS\SYSTEM32\umonit .exe

File::
C:\WINDOWS\SYSTEM32\xxwur.exe
C:\temp\tn3
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\re9
C:\WINDOWS\SYSTEM32\kt8
C:\WINDOWS\SYSTEM32\gz4
C:\WINDOWS\SYSTEM32\edcA01
C:\WINDOWS\SYSTEM32\dp2
C:\temp\Ryuan1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oqtunjm]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

#5 neverquit11

neverquit11
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 January 2008 - 05:11 PM

OK, the rundll stopped popping up. Here is the ComboFix log...

ComboFix 08-01-20.1 - Nick 2008-01-20 16:48:27.2 - NTFSx86
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\temp\Ryuan1
C:\temp\tn3
C:\WINDOWS\SYSTEM32\dp2
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\edcA01
C:\WINDOWS\SYSTEM32\gz4
C:\WINDOWS\SYSTEM32\kt8
C:\WINDOWS\SYSTEM32\re9
C:\WINDOWS\SYSTEM32\xxwur.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\SYSTEM32\ruwxx.ini
C:\WINDOWS\SYSTEM32\ruwxx.ini2
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 17:01 . 2008-01-20 17:01 <DIR> d-------- C:\temp\tn3
2008-01-20 17:00 . 2008-01-20 17:00 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-19 11:53 . 2006-01-18 13:43 <DIR> d-------- C:\VundoFix Backups
2008-01-18 21:36 . 2008-01-18 21:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-18 21:00 . 2008-01-18 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 21:00 . 2008-01-18 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 19:42 . 2008-01-19 11:08 53,248 --a------ C:\WINDOWS\SYSTEM32\umonit.exe
2008-01-17 19:42 . 2008-01-19 14:07 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-17 19:42 . 2008-01-19 14:07 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-17 18:10 . 2008-01-18 21:12 <DIR> d-------- C:\Program Files\Project64 1.6
2008-01-17 17:59 . 2008-01-18 13:34 <DIR> d--hs---- C:\WINDOWS\Tmljaw
2008-01-17 17:59 . 2008-01-17 17:59 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRTT.sys
2008-01-17 17:58 . 2008-01-17 17:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\re9
2008-01-17 17:58 . 2006-01-18 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\kt8
2008-01-17 17:58 . 2008-01-17 19:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\gz4
2008-01-17 17:58 . 2006-01-18 13:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
2008-01-17 17:58 . 2008-01-18 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\dp2
2008-01-17 17:58 . 2008-01-17 17:59 <DIR> d-------- C:\temp\Ryuan1
2008-01-12 21:47 . 2008-01-12 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PurePlay
2008-01-11 18:26 . 2008-01-11 18:27 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 21:48 --------- d-----w C:\Program Files\QuickTime
2008-01-20 21:47 --------- d-----w C:\Program Files\iTunes
2008-01-20 21:47 --------- d-----w C:\Program Files\AIM6
2008-01-19 02:20 --------- d-----w C:\Program Files\Image-Line
2008-01-19 02:18 --------- d-----w C:\Program Files\KellySoftware
2008-01-11 02:05 --------- d-----w C:\Program Files\Viewpoint
2008-01-11 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-11 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-11 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-04 00:53 --------- d-----w C:\Documents and Settings\Nick\Application Data\Apple Computer
2007-12-02 22:41 --------- d-----w C:\Program Files\iPod
2007-12-02 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-02 22:15 --------- d-----w C:\Program Files\Apple Software Update
2007-12-02 22:14 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-02 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-01-18 17:31 379 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
2007-01-18 17:28 87,040 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
2007-01-18 17:28 151 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb3149.dat
2007-01-18 17:28 13,046 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
2007-01-18 17:28 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb1538.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb153.dat
2006-05-14 06:09 794,741 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.bak1
2006-05-27 00:50 866,154 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.bak2
2006-06-01 14:18 701,811 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Tmljaw\nA53uT.vbs
.
<pre>
----a-w		   212,992 2008-01-19 05:24:38  C:\Program Files\McAfee.com\Agent\mcupdate  .exe
----a-w		   652,288 2008-01-19 03:48:00  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   652,288 2008-01-18 23:42:21  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   652,288 2008-01-18 22:02:08  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   652,288 2008-01-18 18:35:27  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   652,288 2008-01-18 12:06:27  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   652,288 2008-01-18 04:39:37  C:\Program Files\QuickTime\QTTask  .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-20_14.29.47.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-19 08:01:15 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 21:45:59 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2006-01-19 08:01:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 21:45:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2006-01-19 08:01:15 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 21:45:59 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2006-01-19 08:01:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 21:45:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2006-01-19 08:01:16 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 21:46:03 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2006-01-19 08:01:16 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 21:46:03 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{641EF440-6CDA-4657-F8CD-66A3938BF0CA}]
C:\WINDOWS\SYSTEM32\FRW.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba569958-a6dd-42b0-ba5e-fbbabb2373fa}]
C:\WINDOWS\SYSTEM32\NXEYICK.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-20 14:20 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-06-10 17:17:52 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.2.6.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 4.2.6.lnk
backup=C:\WINDOWS\pss\LimeWire 4.2.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Registration Myst Uru]
path=C:\Documents and Settings\Nick\Start Menu\Programs\Startup\Registration Myst Uru
backup=C:\WINDOWS\pss\Registration Myst UruStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-02-02 15:32 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-18 20:59 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\hggfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 14:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 14:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-20 14:20 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 22:25 652288 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-10-05 23:32 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-02-03 20:14 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2004-05-12 16:22 249856 C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
--a------ 2008-01-20 14:20 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 16:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIRIT LITE MONITOR]
--a------ 2006-06-07 07:10 225280 C:\VEXPLITE\MONLITE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"viritsvclite"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MCAgentExe"=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
"MCUpdateExe"=C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station .exe" /b Startup
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

R1 VIDEOPRTT;VIDEOPRTT;C:\WINDOWS\system32\drivers\VIDEOPRTT.sys [2008-01-17 17:59]
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys [2006-07-27 06:21]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S4 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2006-06-07 07:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1cdf931-9344-11da-b600-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 23:40:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 17:02:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 17:07:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 22:06:53
ComboFix2.txt 2008-01-20 19:30:33
.
2008-01-09 08:03:37 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:40 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.59.99:8811
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {641EF440-6CDA-4657-F8CD-66A3938BF0CA} - C:\WINDOWS\SYSTEM32\FRW.DLL (file missing)
O2 - BHO: (no name) - {ba569958-a6dd-42b0-ba5e-fbbabb2373fa} - C:\WINDOWS\SYSTEM32\NXEYICK.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4466 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 January 2008 - 06:43 PM

Hello,

I see you've been infected before. Was this just a cleanup you didn't complete and it's back? Or something new? In any case I'll ask you now to please stay with this forum only so as not to complicate things. :blink:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
----a-w 212,992 2008-01-19 05:24:38 C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w 652,288 2008-01-19 03:48:00 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 23:42:21 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 22:02:08 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 18:35:27 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 12:06:27 C:\Program Files\QuickTime\QTTask .exe
----a-w 652,288 2008-01-18 04:39:37 C:\Program Files\QuickTime\QTTask .exe

File::
C:\WINDOWS\system32\hggfg.exe
C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRTT.sys
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

Driver::
VIDEOPRTT

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{641EF440-6CDA-4657-F8CD-66A3938BF0CA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba569958-a6dd-42b0-ba5e-fbbabb2373fa}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

This should be running better now. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 neverquit11

neverquit11
  • Topic Starter

  • Members
  • 5 posts

Posted 21 January 2008 - 01:51 AM

Here is the ComboFix log...

ComboFix 08-01-20.1 - Nick 2008-01-20 19:58:34.3 - NTFSx86
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRTT.sys
C:\WINDOWS\system32\hggfg.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

<pre>
C:\Program Files\McAfee.com\Agent\mcupdate  .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VIDEOPRTT
-------\VIDEOPRTT


((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 20:23 . 2008-01-20 20:23 9,091 --a------ C:\ComboFix_error.dat
2008-01-20 17:01 . 2008-01-20 17:01 <DIR> d-------- C:\temp\tn3
2008-01-20 17:00 . 2008-01-20 17:00 167,545 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-19 11:53 . 2006-01-18 13:43 <DIR> d-------- C:\VundoFix Backups
2008-01-18 21:36 . 2008-01-18 21:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 19:42 . 2008-01-19 11:08 53,248 --a------ C:\WINDOWS\SYSTEM32\umonit.exe
2008-01-17 19:42 . 2008-01-19 14:07 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-17 19:42 . 2008-01-19 14:07 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-17 18:10 . 2008-01-18 21:12 <DIR> d-------- C:\Program Files\Project64 1.6
2008-01-17 17:59 . 2008-01-18 13:34 <DIR> d--hs---- C:\WINDOWS\Tmljaw
2008-01-17 17:59 . 2008-01-17 17:59 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VIDEOPRTT.sys
2008-01-17 17:58 . 2008-01-17 17:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\re9
2008-01-17 17:58 . 2006-01-18 15:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\kt8
2008-01-17 17:58 . 2008-01-17 19:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\gz4
2008-01-17 17:58 . 2006-01-18 13:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
2008-01-17 17:58 . 2008-01-18 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\dp2
2008-01-17 17:58 . 2008-01-17 17:59 <DIR> d-------- C:\temp\Ryuan1
2008-01-12 21:47 . 2008-01-12 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PurePlay
2008-01-11 18:26 . 2008-01-11 18:27 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 21:48 --------- d-----w C:\Program Files\QuickTime
2008-01-20 21:47 --------- d-----w C:\Program Files\iTunes
2008-01-20 21:47 --------- d-----w C:\Program Files\AIM6
2008-01-19 02:20 --------- d-----w C:\Program Files\Image-Line
2008-01-19 02:18 --------- d-----w C:\Program Files\KellySoftware
2008-01-11 02:05 --------- d-----w C:\Program Files\Viewpoint
2008-01-11 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-11 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-11 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-04 00:53 --------- d-----w C:\Documents and Settings\Nick\Application Data\Apple Computer
2007-12-02 22:41 --------- d-----w C:\Program Files\iPod
2007-12-02 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-02 22:15 --------- d-----w C:\Program Files\Apple Software Update
2007-12-02 22:14 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-02 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-01-18 17:31 379 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb1942.dat
2007-01-18 17:28 87,040 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb4827.dat
2007-01-18 17:28 151 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb3149.dat
2007-01-18 17:28 13,046 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb5436.dat
2007-01-18 17:28 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb4604.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb3902.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb2391.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb1538.dat
2006-11-28 16:39 0 ----a-w C:\Documents and Settings\Nick\Application Data\internaldb153.dat
2006-05-14 06:09 794,741 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.bak1
2006-05-27 00:50 866,154 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.bak2
2006-06-01 14:18 701,811 --sha-w C:\WINDOWS\SYSTEM32\lmnmp.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Tmljaw\nA53uT.vbs
.
<pre>
----a-w		   212,992 2008-01-19 05:24:38  C:\Program Files\McAfee.com\Agent\mcupdate  .exe
----a-w		   652,288 2008-01-19 03:48:00  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   652,288 2008-01-18 23:42:21  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   652,288 2008-01-18 22:02:08  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   652,288 2008-01-18 18:35:27  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   652,288 2008-01-18 12:06:27  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   652,288 2008-01-18 04:39:37  C:\Program Files\QuickTime\QTTask  .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-20_14.29.47.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-19 08:01:15 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 00:56:57 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2006-01-19 08:01:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 00:56:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2006-01-19 08:01:15 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 00:56:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2006-01-19 08:01:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 00:56:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2006-01-19 08:01:16 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-21 00:57:00 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2006-01-19 08:01:16 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 00:57:00 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-20 14:20 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-06-10 17:17:52 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.2.6.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 4.2.6.lnk
backup=C:\WINDOWS\pss\LimeWire 4.2.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Registration Myst Uru]
path=C:\Documents and Settings\Nick\Start Menu\Programs\Startup\Registration Myst Uru
backup=C:\WINDOWS\pss\Registration Myst UruStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-11-19 15:41 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-02-02 15:32 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-18 20:59 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\hggfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 14:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 14:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-20 14:20 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-17 22:25 652288 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-10-05 23:32 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-02-03 20:14 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2004-05-12 16:22 249856 C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
--a------ 2008-01-20 14:20 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 16:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIRIT LITE MONITOR]
--a------ 2006-06-07 07:10 225280 C:\VEXPLITE\MONLITE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"viritsvclite"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MCAgentExe"=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
"MCUpdateExe"=C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station .exe" /b Startup
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys [2006-07-27 06:21]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S4 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2006-06-07 07:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{758cd544-c7a4-11dc-b71f-000f1fa66e30}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1cdf931-9344-11da-b600-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 23:40:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 20:28:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 20:34:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 01:34:10
ComboFix2.txt 2008-01-20 22:07:01
ComboFix3.txt 2008-01-20 19:30:33
.
2008-01-09 08:03:37 --- E O F ---






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:58 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.59.99:8811
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MC1A3F~3.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4302 bytes