
Infected With Win32.bagle (srosa, Mdelk, Hldrrr & Wintems)


This topic is locked
3 replies to this topic

#1 Kilika32

Posted 29 January 2008 - 01:11 PM

As I stated, I believe my computer is infected with Win32.Bagle (srosa, mdelk, hldrrr & wintems). I'm unable to run most AV, including Spybot and McAfee, or HJT, and I'm not sure where to go from here. I am, however, able to run Deckard's System Scanner and GMER. The logs are posted as follows:

Deckard's System Scanner v20071014.68
Run by CWiseman on 2008-01-29 09:53:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 3.04 GiB (less than 15%) free.


-- HijackThis (run as CWiseman.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:30 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\DS Development\Bells and Whistles for Outlook\BWOpts.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cwiseman\Desktop\Solutions\gmer.exe
C:\Documents and Settings\cwiseman\Desktop\Solutions\KillBox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\cwiseman\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CWiseman.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: DeskBandHelper Class - {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - C:\Program Files\ACG\PCLAW32\plietool.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PCLaw Web Timer - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\Program Files\ACG\PCLAW32\plietool.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\ACG\PCLAW32\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\ACG\PCLAW32\plietool.dll
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\ACG\PCLAW32\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\ACG\PCLAW32\plietool.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196118365839
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...216/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = peelbrimley.com
O17 - HKLM\Software\..\Telephony: DomainName = peelbrimley.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F01A251-04CA-4214-A2FF-D323254CF4D8}: NameServer = 10.1.1.2
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 14352 bytes

-- Files created between 2007-12-29 and 2008-01-29 -----------------------------

2008-01-29 09:01:54 0 d-------- C:\Documents and Settings\cwiseman\Application Data\HouseCall 6.6
2008-01-29 08:46:48 0 d-------- C:\Program Files\Enigma Software Group
2008-01-29 08:39:31 8576 --a------ C:\WINDOWS\system32\drivers\aaymplgrcunf.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-28 17:37:34 0 d-------- C:\WINDOWS\LastGood
2008-01-28 16:56:53 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-28 16:56:07 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Grisoft
2008-01-28 16:35:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-28 16:16:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\URSoft
2008-01-28 15:38:50 0 d-------- C:\Program Files\LIUtilities
2008-01-28 15:21:09 0 d-------- C:\Program Files\Trend Micro
2008-01-28 14:17:46 0 d-------- F:\Deckard
2008-01-28 13:39:24 2256 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 13:35:06 102664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys <Not Verified; Trend Micro Inc.; ActiveClean>
2008-01-28 13:33:39 0 d-------- C:\Documents and Settings\cwiseman\.housecall6.6
2008-01-28 12:39:21 0 d--h----- C:\WINDOWS\PIF
2008-01-28 12:18:33 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-28 11:20:35 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\Macromedia
2008-01-28 11:08:02 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\Yahoo!
2008-01-28 11:07:54 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\Google
2008-01-28 10:56:06 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\McAfee
2008-01-28 10:43:19 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\Systweak
2008-01-26 12:31:01 8576 --a------ C:\WINDOWS\system32\drivers\noacywpbxwtm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-26 10:07:44 209 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2008-01-26 10:07:44 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2008-01-25 17:50:49 0 d-------- C:\WINDOWS\McAfee.com
2008-01-25 17:08:05 0 d-------- C:\Program Files\eMule
2008-01-25 17:06:13 8576 --a------ C:\WINDOWS\system32\drivers\ofcowxijtogn.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-25 16:24:44 0 d-------- C:\Program Files\Kaspersky Lab
2008-01-25 10:46:32 0 d-------- C:\Program Files\a-squared Free
2008-01-25 10:45:05 0 d-------- C:\Program Files\a-squared Anti-Dialer
2008-01-25 10:44:54 0 d-------- C:\Program Files\a-squared HiJackFree
2008-01-25 09:10:56 0 d-------- C:\Program Files\CCleaner
2008-01-25 08:31:16 0 d-------- C:\WINDOWS\90DEF45BF2BD4451A89649257D1C0069.TMP
2008-01-25 08:30:22 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\Adobe
2008-01-25 08:29:10 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\SiteAdvisor
2008-01-25 08:27:22 0 d-------- C:\Documents and Settings\LMcConnell\Application Data\Identities
2008-01-25 08:25:22 0 d--h----- C:\Documents and Settings\LMcConnell\Templates
2008-01-25 08:25:22 0 dr------- C:\Documents and Settings\LMcConnell\Start Menu
2008-01-25 08:25:22 0 dr-h----- C:\Documents and Settings\LMcConnell\SendTo
2008-01-25 08:25:22 0 dr-h----- C:\Documents and Settings\LMcConnell\Recent
2008-01-25 08:25:22 0 d--h----- C:\Documents and Settings\LMcConnell\PrintHood
2008-01-25 08:25:22 0 d--h----- C:\Documents and Settings\LMcConnell\NetHood
2008-01-25 08:25:22 0 dr------- C:\Documents and Settings\LMcConnell\My Documents
2008-01-25 08:25:22 0 d--h----- C:\Documents and Settings\LMcConnell\Local Settings
2008-01-25 08:25:22 0 dr------- C:\Documents and Settings\LMcConnell\Favorites <FAVORI~1>
2008-01-25 08:25:22 0 d-------- C:\Documents and Settings\LMcConnell\Desktop
2008-01-25 08:25:22 0 d--hs---- C:\Documents and Settings\LMcConnell\Cookies
2008-01-25 08:25:22 0 dr-h----- C:\Documents and Settings\LMcConnell\Application Data
2008-01-25 08:25:22 0 d---s---- C:\Documents and Settings\LMcConnell\Application Data\Microsoft
2008-01-25 08:25:21 1310720 --ah----- C:\Documents and Settings\LMcConnell\NTUSER.DAT
2008-01-24 16:40:22 0 d-------- C:\Program Files\Greatis
2008-01-24 15:26:53 0 d-------- C:\Program Files\Lavasoft
2008-01-24 15:26:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-24 15:26:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 14:28:41 0 d-------- C:\Program Files\InterMute
2008-01-24 12:29:48 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Uniblue
2008-01-21 13:39:33 0 d-------- C:\Documents and Settings\cwiseman\Application Data\SecondLife
2008-01-21 08:30:33 0 d-------- C:\Program Files\QuickTime
2008-01-17 10:29:54 3365 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2008-01-17 10:28:21 0 d-------- C:\WINDOWS\system32\drivers\umdf
2008-01-17 10:24:35 3283 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Musepack Codec.dat
2008-01-15 13:47:12 1844 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
2008-01-15 13:47:08 1224 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Wave64 Codec.dat
2008-01-15 13:47:07 2228 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
2008-01-15 13:47:04 11473 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
2008-01-15 13:46:51 1206 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Dalet Codec.dat
2008-01-15 13:46:49 3008 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat
2008-01-15 13:46:41 3030 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2008-01-15 13:46:34 3152 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2008-01-15 13:46:26 3107 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2008-01-15 13:46:17 2951 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-01-15 13:46:08 2843 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
2008-01-15 13:45:43 2793 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [ReplayGain] Codec.dat
2008-01-15 13:45:23 2930 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [Multi Encoder] Codec.dat
2008-01-15 13:43:17 8457 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2008-01-15 13:43:09 13281 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-01-15 13:43:04 0 d-------- C:\Program Files\Illustrate
2008-01-14 15:54:26 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Mozilla
2008-01-14 15:54:24 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Flickr
2008-01-14 15:44:00 0 d-------- C:\Program Files\Flickr Uploadr
2008-01-08 11:47:28 0 d-------- C:\Documents and Settings\cwiseman\Application Data\eMule
2008-01-07 16:50:07 0 d-------- C:\Documents and Settings\cwiseman\Admin
2008-01-07 16:49:38 0 dr------- C:\Documents and Settings\cwiseman\My Timelines
2008-01-07 16:49:38 0 d-------- C:\Documents and Settings\cwiseman\My Notebook
2008-01-07 16:49:31 0 d-------- C:\Documents and Settings\cwiseman\My Device Themes
2008-01-07 16:49:23 0 d-------- C:\Documents and Settings\cwiseman\Legal Research
2008-01-07 16:49:13 0 dr------- C:\Documents and Settings\cwiseman\My Pictures
2008-01-07 14:40:00 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Systweak
2008-01-07 14:39:40 0 d-------- C:\Program Files\Advanced System Optimizer
2008-01-07 13:52:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-01-29 08:57:38 32768 --a------ C:\WINDOWS\system32\instlsp.exe
2008-01-28 10:54:17 0 d-------- C:\Program Files\Windows Live Safety Center
2008-01-27 02:56:53 0 d-------- C:\Program Files\PowerISO
2008-01-27 02:36:24 0 d-------- C:\Program Files\Google
2008-01-25 09:40:10 0 d-------- C:\Program Files\iTunes
2008-01-25 09:19:06 0 d-------- C:\Program Files\VideoLAN
2008-01-24 15:26:14 0 d-------- C:\Program Files\Common Files
2008-01-24 09:06:24 0 d-------- C:\Program Files\McAfee
2008-01-21 08:33:30 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Apple Computer
2008-01-17 12:13:24 0 d-------- C:\Documents and Settings\cwiseman\Application Data\SiteAdvisor
2008-01-17 11:50:12 0 d-------- C:\Program Files\DS Development
2008-01-07 14:38:29 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Yahoo!
2008-01-07 14:33:01 0 d-------- C:\Documents and Settings\cwiseman\Application Data\Adobe
2008-01-07 13:50:24 0 d-------- C:\Program Files\Yahoo!
2007-12-31 09:09:02 0 d-------- C:\Documents and Settings\cwiseman\Application Data\dvdcss
2007-12-24 08:30:23 0 d-------- C:\Program Files\SiteAdvisor
2007-12-03 15:27:48 0 d-------- C:\Documents and Settings\cwiseman\Application Data\DS Development
2007-12-03 09:55:54 0 d-------- C:\Documents and Settings\cwiseman\Application Data\SmartDraw
2007-12-03 09:49:29 0 d-------- C:\Program Files\SmartDraw 2008
2007-11-30 14:28:14 0 d-------- C:\Program Files\DYMO Label
2007-11-29 16:21:04 0 d-------- C:\Program Files\FormsAssistant
2007-11-29 13:46:45 0 d-------- C:\Program Files\MAPILab Ltd
2007-11-29 13:37:14 0 d-------- C:\Documents and Settings\cwiseman\Application Data\MAPILab Ltd
2007-11-26 16:15:04 335 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM 329032 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [01/29/2008 09:02 AM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/24/2007 01:57 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [07/22/2007 08:29 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [01/29/2008 09:53 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [08/25/2004 05:00 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 05:18 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [10/16/2007 9:26:03 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 09/18/2005 02:32 AM 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1115\Scripts\Logon\0\0]
"Script"=pclaw.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1136\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1138\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1218\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1252\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1284\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1287\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1293\Scripts\Logon\0\0]
"Script"=pclaw.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1311\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1317\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3046655211-2137312040-699269257-1320\Scripts\Logon\0\0]
"Script"=logon.bat

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scanner File Utility.lnk]
backup=C:\WINDOWS\pss\Scanner File Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

*Newly Created Service* - AAYMPLGRCUNF
*Newly Created Service* - AVGARCLN
*Newly Created Service* - AVG_ANTI-ROOTKIT
*Newly Created Service* - MCHINJDRV



-- End of Deckard's System Scanner: finished at 2008-01-29 09:55:55 ------------

#2 Kilika32

Kilika32
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:44 PM

Posted 29 January 2008 - 01:54 PM

Log was too long to post. Rapidshare link below:

http://rapidshare.com/files/87614921/GMER_...-28-08.txt.html

#3 Simon V.

Posted 11 February 2008 - 12:27 PM

Hi,

I'm sorry for the delay; the forums are very busy. If you still need help, please post a new DSS log and give a description of how your computer is currently running.

Edited by Simon V., 11 February 2008 - 12:30 PM.

Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#4 Simon V.

Posted 16 February 2008 - 02:24 PM

Due to inactivity, this topic will be closed.

If you need help, please start a new thread and post a new HijackThis log.