
Infected With Virus Fire, Or/ Antivermin


12 replies to this topic

#1 andrewpsp

Posted 11 April 2008 - 02:51 PM

When I load up the computer I always get the Help and Support icon in the system tray. A bubble appears every so often stating that the system has detected a number of active spyware applications that may impact the performance of the computer: "Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware solution."

When I click on this bubble it takes me to the following web page, which you have to register for and then pay for.

//antivermins.com/?aff=321


My regedit is disabled, and Task Manager is disabled also. Ran Avast scan twice; on boot scan it removed about 4 to 5 infections each time. Also ran Spybot S&D. This virus is a bastard, I tell you.



Deckard's System Scanner v20071014.68
Run by isa on 2008-04-11 14:09:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-04-11 19:10:04 UTC - RP129 - Deckard's System Scanner Restore Point
86: 2008-04-11 08:02:33 UTC - RP128 - Last known good configuration
85: 2008-04-11 08:02:27 UTC - RP127 - Restore Operation
84: 2008-04-11 08:02:27 UTC - RP126 - yes
83: 2008-04-11 08:02:27 UTC - RP125 - Removed LUMIX Simple Viewer


-- First Restore Point --
1: 2008-04-11 08:02:03 UTC - RP43 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-11 14:11:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Documents and Settings\All Users\Application Data\rypujmlq\zyvyrkni.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\vqjtju.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\mrofinu1535.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\vqjtju.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\gpld0.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\ktufudkj.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\isa\Desktop\dss.exe
C:\WINDOWS\system32\ktufudkj.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\ssqNFwtq.dll
O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - C:\WINDOWS\vnbptxlf.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] vqjtju.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\isa\cftmon.exe
O4 - HKLM\..\Run: [Winupdates] gpld0.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] vqjtju.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Microsoft Update Machine] vqjtju.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\isa\cftmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\isa\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [dwqroswp] C:\WINDOWS\system32\ktufudkj.exe
O4 - HKLM\..\Policies\Explorer\Run: [AKSrz65PBf] C:\Documents and Settings\All Users\Application Data\rypujmlq\zyvyrkni.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{BAA03AE6-5CD8-4CEC-AF29-7259275B3A91}: NameServer = 85.255.116.131,85.255.112.89
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23DB93E-5311-4C7F-9B8C-588954E953E0}: NameServer = 85.255.116.131,85.255.112.89
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23F8C03-C92E-43F6-BB26-16A9483175C2}: NameServer = 85.255.116.131,85.255.112.89
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.89
O20 - Winlogon Notify: ssqNFwtq - C:\WINDOWS\system32\ssqNFwtq.dll
O21 - SSODL: ComponentDrive - {4b063297-0b74-49c6-a054-3cae44002824} - C:\WINDOWS\Resources\ComponentDrive.dll (file missing)
O21 - SSODL: zip - {2c7be5a9-f1ed-42a7-a35e-fffadd7c49fe} - C:\WINDOWS\Installer\{2c7be5a9-f1ed-42a7-a35e-fffadd7c49fe}\zip.dll (file missing)
O21 - SSODL: mgsvflkw - {772C3918-EC98-4146-8255-8F21E36259DC} - C:\WINDOWS\mgsvflkw.dll (file missing)
O21 - SSODL: qdnkewfa - {902D7D05-A5B0-4D9F-89C1-32ECD5176ABF} - C:\WINDOWS\qdnkewfa.dll (file missing)
O21 - SSODL: AlrtKernel - {e8282a4d-669e-4863-9dbd-6d416fd53c53} - C:\WINDOWS\Resources\AlrtKernel.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! mail scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! web scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 9773 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 zeqbqwp - c:\windows\zeqbqwp.sys
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>

S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_5045&SUBSYS_103C30CF&REV_1001\4&887B936&0&0002
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_5045&SUBSYS_103C30CF&REV_1001\4&887B936&0&0002
Service:

Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
Description: OHCI Compliant IEEE 1394 Host Controller
Device ID: PCI\VEN_1180&DEV_0832&SUBSYS_30CF103C&REV_05\4&37A8D8D1&0&2840
Manufacturer: IEEE 1394 OHCI Compliant Host Controller Vendor
Name: OHCI Compliant IEEE 1394 Host Controller
PNP Device ID: PCI\VEN_1180&DEV_0832&SUBSYS_30CF103C&REV_05\4&37A8D8D1&0&2840
Service: ohci1394


-- Scheduled Tasks -------------------------------------------------------------

2008-04-04 11:46:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-11 06:12:57 4352 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-11 06:10:22 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-11 06:10:22 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-11 06:10:22 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-11 06:10:22 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-11 06:10:22 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-11 06:10:22 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-11 06:10:22 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-11 03:04:22 0 d-------- C:\Program Files\Alwil Software
2008-04-11 03:01:53 6937 --ahs---- C:\WINDOWS\system32\nnXwwyay.ini2
2008-04-11 02:41:06 67282 --a----c- C:\Documents and Settings\Administrator\cftmon.exe
2008-04-11 02:30:44 88676 --a------ C:\Documents and Settings\isa\cftmon.exe
2008-04-11 02:12:45 0 d-------- C:\Documents and Settings\All Users\Application Data\rypujmlq
2008-04-11 02:12:38 38400 --a------ C:\WINDOWS\system32\yayaAqpn.dll
2008-04-11 02:12:19 346112 --a------ C:\WINDOWS\system32\mljiffc.dll
2008-04-11 02:11:11 67282 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-04-11 02:10:05 0 d-------- C:\Documents and Settings\All Users\Application Data\oxajcxul
2008-04-11 02:09:32 90112 --a------ C:\WINDOWS\system32\ktufudkj.exe
2008-04-11 02:08:34 81920 --a------ C:\WINDOWS\apoxqwfv.exe
2008-04-11 02:08:20 54272 --a------ C:\WINDOWS\system32\gpld0.exe
2008-04-11 02:08:16 55218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-11 02:08:16 37376 --a------ C:\WINDOWS\system32\opnkkjGW.dll
2008-04-11 02:08:14 40297 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-04-11 02:07:29 38400 --a------ C:\WINDOWS\mrofinu1535.exe
2008-04-11 02:07:06 36864 --a------ C:\WINDOWS\system32\ssqNFwtq.dll
2008-04-08 23:43:03 0 d-------- C:\Program Files\Common Files\Real
2008-04-08 23:43:02 0 d-------- C:\Program Files\Real
2008-04-08 23:42:21 0 d-------- C:\Documents and Settings\isa\Application Data\Real
2008-04-06 20:19:33 0 d-------- C:\Documents and Settings\isa\Application Data\Lionhead Studios
2008-04-06 18:15:45 16 --a------ C:\WINDOWS\popcinfot.dat
2008-04-06 17:49:22 0 d-------- C:\Documents and Settings\isa\Application Data\The Longest Journey Demo
2008-04-06 17:44:21 0 d-------- C:\Documents and Settings\isa\Application Data\DAEMON Tools Pro
2008-04-06 17:44:09 0 d-------- C:\Program Files\DAEMON Tools Pro
2008-04-06 17:43:41 0 d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-04-06 14:59:48 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-06 14:59:40 0 d-------- C:\Documents and Settings\isa\Application Data\DAEMON Tools
2008-04-06 03:53:59 0 d--hs---- C:\WINDOWS\system32\Sys
2008-04-05 21:19:02 0 d-------- C:\Program Files\NCH Software
2008-04-05 18:23:16 0 d-------- C:\Documents and Settings\isa\Application Data\NCH Swift Sound
2008-04-05 15:25:40 0 d--h----- C:\WINDOWS\PIF
2008-04-02 01:26:59 0 d-------- C:\Documents and Settings\isa\Application Data\Google
2008-04-02 01:23:34 0 d-------- C:\Program Files\Google
2008-04-01 12:14:54 0 d-------- C:\Program Files\Chami
2008-03-25 13:16:11 0 d-------- C:\Documents and Settings\isa\Application Data\teamspeak2
2008-03-25 13:15:55 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-03-25 13:10:45 0 d-------- C:\Program Files\Silkroad
2008-03-13 01:37:13 0 d-------- C:\Documents and Settings\isa\Application Data\Talkback
2008-03-13 00:35:56 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-12 12:41:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Kodak


-- Find3M Report ---------------------------------------------------------------

2008-04-11 14:11:59 46 --a----c- C:\smp.bat
2008-04-11 14:11:16 0 d-------- C:\Documents and Settings\isa\Application Data\DNA
2008-04-11 12:53:45 0 d-------- C:\Program Files\Steam
2008-04-11 00:30:27 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-11 00:28:35 0 d-------- C:\Documents and Settings\isa\Application Data\Adobe
2008-04-10 19:48:48 0 d-------- C:\Program Files\Xfire
2008-04-10 16:39:05 0 d-------- C:\Program Files\Panasonic
2008-04-10 16:39:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-10 16:38:38 0 d-------- C:\Documents and Settings\isa\Application Data\Panasonic
2008-04-10 16:36:15 0 d-------- C:\Program Files\Common Files
2008-04-09 08:31:21 0 d-------- C:\Documents and Settings\isa\Application Data\BitTorrent
2008-04-08 23:43:51 1106 --a------ C:\WINDOWS\mozver.dat
2008-04-08 20:29:32 0 d-------- C:\Documents and Settings\isa\Application Data\OpenOffice.org2
2008-04-08 00:48:39 0 d-------- C:\Documents and Settings\isa\Application Data\Xfire
2008-04-06 15:15:31 0 d-------- C:\Program Files\Bonjour
2008-04-05 21:18:37 1024 --a------ C:\Documents and Settings\isa\Application Data\WavCodec.wff
2008-03-27 14:34:00 0 --a------ C:\Documents and Settings\isa\Application Data\AVSDVDPlayer.m3u
2008-03-13 00:36:18 0 d-------- C:\Documents and Settings\isa\Application Data\Mozilla
2008-03-10 03:52:18 0 d-------- C:\Program Files\Java
2008-03-10 03:23:06 0 d-------- C:\Program Files\Broadcom
2008-03-02 21:04:22 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-02-23 04:02:11 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-22 19:54:42 0 d-------- C:\Program Files\iTunes
2008-02-22 19:54:30 0 d-------- C:\Program Files\iPod
2008-02-16 03:11:32 0 d-------- C:\Program Files\QuickTime
2008-02-16 01:32:41 0 d-------- C:\Program Files\AIM6
2008-02-11 03:32:53 0 d-------- C:\Program Files\Avanquest update
2008-01-12 02:35:26 112463 --a----c- C:\WINDOWS\hpoins07.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
04/11/2008 02:07 AM 36864 --a------ C:\WINDOWS\system32\ssqNFwtq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [10/03/2007 06:15 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/19/2006 05:41 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/21/2007 12:32 AM]
"nwiz"="nwiz.exe" [04/21/2007 12:32 AM C:\WINDOWS\system32\nwiz.exe]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" []
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/14/2007 10:29 PM]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [07/27/2006 05:44 PM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [04/21/2007 12:32 AM]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [06/06/2007 07:51 PM]
"Microsoft Update Machine"="vqjtju.exe" [06/13/2007 05:23 AM C:\WINDOWS\system32\vqjtju.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 02:13 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 04:10 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 01:16 AM]
"QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [10/19/2007 01:28 PM]
"runner1"="C:\WINDOWS\mrofinu1535.exe" [04/11/2008 02:07 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/11/2008 02:08 AM]
"autoload"="C:\Documents and Settings\isa\cftmon.exe" [04/11/2008 12:51 PM]
"Winupdates"="gpld0.exe" [04/11/2008 02:08 AM C:\WINDOWS\system32\gpld0.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 01:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [04/10/2008 10:25 PM]
"Microsoft Update Machine"="vqjtju.exe" [06/13/2007 05:23 AM C:\WINDOWS\system32\vqjtju.exe]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 11:15 AM]
"Steam"="c:\program files\steam\steam.exe" [03/28/2008 11:07 AM]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [01/15/2008 09:17 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/11/2008 02:08 AM]
"autoload"="C:\Documents and Settings\isa\cftmon.exe" [04/11/2008 12:51 PM]
"Jnskdfmf9eldfd"="C:\DOCUME~1\isa\LOCALS~1\Temp\csrssc.exe" []
"dwqroswp"="C:\WINDOWS\system32\ktufudkj.exe" [04/11/2008 02:09 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Update Machine"=vqjtju.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

C:\Documents and Settings\isa\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [1/7/2008 12:29:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [5/12/2005 2:23:26 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"AKSrz65PBf"=C:\Documents and Settings\All Users\Application Data\rypujmlq\zyvyrkni.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\ssqNFwtq.dll [04/11/2008 02:07 AM 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ComponentDrive"= {4b063297-0b74-49c6-a054-3cae44002824} - C:\WINDOWS\Resources\ComponentDrive.dll [ ]
"zip"= {2c7be5a9-f1ed-42a7-a35e-fffadd7c49fe} - C:\WINDOWS\Installer\{2c7be5a9-f1ed-42a7-a35e-fffadd7c49fe}\zip.dll [ ]
"mgsvflkw"= {772C3918-EC98-4146-8255-8F21E36259DC} - C:\WINDOWS\mgsvflkw.dll [ ]
"qdnkewfa"= {902D7D05-A5B0-4D9F-89C1-32ECD5176ABF} - C:\WINDOWS\qdnkewfa.dll [ ]
"AlrtKernel"= {e8282a4d-669e-4863-9dbd-6d416fd53c53} - C:\WINDOWS\Resources\AlrtKernel.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNFwtq]
ssqNFwtq.dll 04/11/2008 02:07 AM 36864 C:\WINDOWS\system32\ssqNFwtq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yaywwXnn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"




-- End of Deckard's System Scanner: finished at 2008-04-11 14:12:26 ------------

Edited by KoanYorel, 11 April 2008 - 03:11 PM, to sanitize URL above.

1. f'sho


a lazy way of expressing compliance to a fellow peer


Peer 1: yo dawg, y'all wanna roll wit lorenzo he be ridin' in da benzo!

Peer 2: f'sho, f'sho
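The DSS log in the post above shows the pattern a malware analyst looks for before choosing a fix: O7 policies that lock the user out of Regedit and Task Manager, O17 NameServer values pointing at resolvers the ISP never assigned, O4 Run entries that are either bare file names resolved through the search path (vqjtju.exe, gpld0.exe) or look-alikes of Windows binaries (spools.exe for spoolsv.exe, cftmon.exe for ctfmon.exe, csrssc.exe for csrss.exe), and an exefile association that routes every .exe launch through spools.exe. The Python script below is an added example for this thread, not part of DSS, HijackThis, FixWareout or ComboFix: it triages a handful of lines copied from that log for exactly those indicators. The SYSTEM_NAMES list, the KNOWN_BARE exemption and the expected_resolvers allowlist are analyst assumptions, and 192.0.2.53 is a placeholder for whatever resolver the ISP really hands out.

```python
"""Triage HijackThis-style log lines for the hijack patterns seen in this thread.

Added example; not part of DSS, HijackThis, FixWareout or ComboFix.
The heuristics and allowlists below are analyst assumptions.
"""
import re

# Constructed sample: lines copied from the Deckard's System Scanner log above.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Microsoft Update Machine] vqjtju.exe",
    r"O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe",
    r"O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\isa\cftmon.exe",
    r"O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\isa\LOCALS~1\Temp\csrssc.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1",
    r"O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.89",
    r'.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*',
]

# Assumption: Windows binaries that malware imitates with one-character name changes.
SYSTEM_NAMES = sorted({"spoolsv.exe", "ctfmon.exe", "csrss.exe", "svchost.exe",
                       "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"})
# Assumption: bare (directory-less) Run values that are normal on XP and need no review.
KNOWN_BARE = {"rundll32.exe"}
# Policy values that lock the user out of Regedit, Task Manager and Folder Options.
LOCKDOWN_POLICIES = {"disableregedit", "disableregistrytools", "disabletaskmgr", "nofolderoptions"}

O4_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or swap of
    two adjacent characters each cost 1, so cftmon/ctfmon are 1 apart."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def lookalike(basename):
    """Return the system binary that `basename` imitates (distance 1, not equal), else None."""
    name = basename.lower()
    for known in SYSTEM_NAMES:
        if name != known and edit_distance(name, known) == 1:
            return known
    return None


def exe_path(cmd):
    """Extract the executable path from a Run value, quoted or not, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(lines, expected_resolvers=()):
    """Return (line, reason) pairs for every line that matches a hijack pattern."""
    findings = []
    for line in lines:
        if line.startswith("O7 - "):
            policy = line.rsplit(",", 1)[-1].strip().split("=")[0].lower()
            if policy in LOCKDOWN_POLICIES:
                findings.append((line, f"lockdown policy {policy} is set"))
        elif line.startswith("O17 - "):
            rogue = [ip for ip in IPV4_RE.findall(line) if ip not in expected_resolvers]
            if rogue:
                findings.append((line, "NameServer outside expected resolvers: " + ", ".join(rogue)))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            path = exe_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if "\\" not in path and base.lower() not in KNOWN_BARE:
                findings.append((line, f"bare name {base} resolved via search path"))
            elif "\\temp\\" in path.lower():
                findings.append((line, f"autorun from a Temp directory: {path}"))
            imitated = lookalike(base)
            if imitated:
                findings.append((line, f"{base} imitates system binary {imitated}"))
        elif line.startswith(".exe - exefile"):
            cmd = line.split(" - ", 3)[-1].strip()
            if cmd != '"%1" %*':
                findings.append((line, "exefile open command wraps every .exe launch: " + cmd))
    return findings


if __name__ == "__main__":
    # 192.0.2.53 is a placeholder for the ISP resolver the analyst expects to see.
    for logline, reason in triage(SAMPLE_LINES, expected_resolvers={"192.0.2.53"}):
        print(f"{reason}\n    {logline}")
```

The bare-name and look-alike checks are deliberately loose: legitimate bare entries such as nwiz.exe or CHDAudPropShortcut.exe from the full log will surface as review items, which is the intended behaviour for a triage pass. The exefile check is the most decisive one: anything in front of `"%1" %*` runs before every program the user launches, which is why fixes such as FixWareout reset that association as a first step.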


#2 teacup61
Malware Response Team

Posted 11 April 2008 - 03:55 PM

Hello

Welcome to Bleeping Computer :thumbsup:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked, and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, please post the text that will open (report.txt).

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#3 andrewpsp

Posted 12 April 2008 - 02:52 AM

First request


Username "isa" - 04/12/2008 2:42:15 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\\Program Files\\Hewlett-Packard\\HP Wireless Assistant\\HPWAMain.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"amd_dc_opt"="C:\\Program Files\\AMD\\Dual-Core Optimizer\\amd_dc_opt.exe"
"SynTPStart"="C:\\Program Files\\Synaptics\\SynTP\\SynTPStart.exe"
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ArcSoft Connection Service"="C:\\Program Files\\Common Files\\ArcSoft\\Connection Service\\Bin\\ACDaemon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QlbCtrl.exe"="C:\\Program Files\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"
"Winupdates"="gpld0.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="\"C:\\Program Files\\DNA\\btdna.exe\""
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"DAEMON Tools Pro Agent"="\"C:\\Program Files\\DAEMON Tools Pro\\DTProAgent.exe\" -autorun"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#4 andrewpsp

Posted 12 April 2008 - 03:08 AM

combofix report


ComboFix 08-04-11.5 - isa 2008-04-12 2:54:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1363 [GMT -5:00]
Running from: C:\Documents and Settings\isa\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\nnXwwyay.ini
C:\WINDOWS\system32\nnXwwyay.ini2
C:\WINDOWS\system32\ssqNFwtq.dll

----- BITS: Possible infected sites -----

hxxp://flycodecs.com
.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-12 02:42 . 2008-04-12 02:45 <DIR> d----c--- C:\fixwareout
2008-04-12 01:24 . 2008-04-12 01:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-11 21:09 . 2008-04-12 02:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-11 21:09 . 2008-04-11 21:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 20:28 . 2008-04-11 20:28 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-11 20:17 . 2008-04-11 20:17 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-11 19:32 . 2008-04-11 19:32 <DIR> d-------- C:\Documents and Settings\isa\Application Data\Malwarebytes
2008-04-11 19:31 . 2008-04-11 19:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 19:31 . 2008-04-11 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 18:05 . 2008-04-11 18:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-11 18:05 . 2008-04-11 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 14:11 . 2008-04-11 14:11 46 --a--c--- C:\smp.bat
2008-04-11 14:09 . 2008-04-11 14:09 <DIR> d----c--- C:\Deckard
2008-04-11 06:12 . 2008-04-11 19:58 3,550 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-11 06:10 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-11 06:10 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-11 06:10 . 2008-04-10 21:00 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-11 06:10 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-11 06:10 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-11 06:10 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-11 06:10 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-11 03:04 . 2008-04-11 03:04 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-11 03:04 . 2008-03-29 13:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-11 03:04 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-11 03:04 . 2008-03-29 13:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-11 03:04 . 2008-03-29 13:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-11 03:04 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-11 03:04 . 2008-03-29 13:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-11 03:04 . 2008-03-29 13:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-11 03:04 . 2008-03-29 13:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-11 03:04 . 2008-03-29 13:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-11 03:04 . 2008-03-29 13:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-11 02:12 . 2008-04-11 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rypujmlq
2008-04-11 02:10 . 2008-04-11 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\oxajcxul
2008-04-11 02:08 . 2008-04-11 02:08 54,272 --a------ C:\WINDOWS\system32\gpld0.exe
2008-04-08 23:43 . 2008-04-08 23:43 <DIR> d-------- C:\Program Files\Real
2008-04-08 23:43 . 2008-04-10 16:36 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-06 20:19 . 2008-04-06 20:19 <DIR> d-------- C:\Documents and Settings\isa\Application Data\Lionhead Studios
2008-04-06 18:15 . 2008-04-08 01:09 16 --a------ C:\WINDOWS\popcinfot.dat
2008-04-06 17:49 . 2008-04-06 18:01 <DIR> d-------- C:\Documents and Settings\isa\Application Data\The Longest Journey Demo
2008-04-06 17:44 . 2008-04-10 16:46 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-04-06 17:44 . 2008-04-06 17:44 <DIR> d-------- C:\Documents and Settings\isa\Application Data\DAEMON Tools Pro
2008-04-06 17:43 . 2008-04-06 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-04-06 14:59 . 2008-04-06 14:59 <DIR> d-------- C:\Documents and Settings\isa\Application Data\DAEMON Tools
2008-04-06 14:59 . 2008-04-06 14:59 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-05 21:19 . 2008-04-05 21:19 <DIR> d-------- C:\Program Files\NCH Software
2008-04-05 18:23 . 2008-04-10 16:39 <DIR> d-------- C:\Documents and Settings\isa\Application Data\NCH Swift Sound
2008-04-05 15:25 . 2008-04-05 15:25 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-02 18:26 . 2008-04-02 18:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-02 01:23 . 2008-04-06 17:22 <DIR> d-------- C:\Program Files\Google
2008-04-01 12:14 . 2008-04-01 12:14 <DIR> d-------- C:\Program Files\Chami
2008-03-25 13:16 . 2008-03-25 13:16 <DIR> d-------- C:\Documents and Settings\isa\Application Data\teamspeak2
2008-03-25 13:16 . 2008-03-25 13:16 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-03-25 13:15 . 2008-03-25 13:16 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-03-25 13:10 . 2008-03-25 16:37 <DIR> d-------- C:\Program Files\Silkroad
2008-03-13 01:37 . 2008-03-13 01:37 <DIR> d-------- C:\Documents and Settings\isa\Application Data\Talkback
2008-03-13 00:35 . 2008-04-08 14:38 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-12 12:41 . 2008-03-12 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 07:58 --------- d-----w C:\Documents and Settings\isa\Application Data\DNA
2008-04-12 07:46 --------- d-----w C:\Program Files\Steam
2008-04-12 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-11 23:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 05:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 00:48 --------- d-----w C:\Program Files\Xfire
2008-04-10 21:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-10 21:39 --------- d-----w C:\Program Files\Panasonic
2008-04-10 21:38 --------- d-----w C:\Documents and Settings\isa\Application Data\Panasonic
2008-04-09 13:31 --------- d-----w C:\Documents and Settings\isa\Application Data\BitTorrent
2008-04-09 01:29 --------- d-----w C:\Documents and Settings\isa\Application Data\OpenOffice.org2
2008-04-08 05:48 --------- d-----w C:\Documents and Settings\isa\Application Data\Xfire
2008-04-06 20:15 --------- d-----w C:\Program Files\Bonjour
2008-03-10 08:52 --------- d-----w C:\Program Files\Java
2008-03-10 08:26 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-10 08:26 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-03-10 08:23 822,272 ----a-w C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-03-10 08:23 --------- d-----w C:\Program Files\Broadcom
2008-03-03 02:04 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-23 09:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-23 00:54 --------- d-----w C:\Program Files\iTunes
2008-02-23 00:54 --------- d-----w C:\Program Files\iPod
2008-02-16 08:11 --------- d-----w C:\Program Files\QuickTime
2008-02-16 06:32 --------- d-----w C:\Program Files\AIM6
2008-02-16 06:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-16 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-21 10:02 24,192 ----a-w C:\Documents and Settings\isa\usbsermptxp.sys
2008-01-21 10:02 22,768 ----a-w C:\Documents and Settings\isa\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2765DD3A-7AB1-4813-9612-C14A5981728A}"= "C:\WINDOWS\vnbptxlf.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{2765dd3a-7ab1-4813-9612-c14a5981728a}]
[HKEY_CLASSES_ROOT\vnbptxlf.1]
[HKEY_CLASSES_ROOT\TypeLib\{77ECF945-2592-41EE-8DCB-ECAC3CB628FB}]
[HKEY_CLASSES_ROOT\vnbptxlf]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-10 22:25 288576]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 11:07 1271032]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 18:15 480560]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 05:41 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-21 00:32 8429568]
"nwiz"="nwiz.exe" [2007-04-21 00:32 1626112 C:\WINDOWS\system32\nwiz.exe]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [ ]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 22:29 102400]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 17:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-21 00:32 81920]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 19:51 64256]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 02:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 16:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 01:16 39792]
"QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 13:28 202032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\isa\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-01-07 00:29:31 3450608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ComponentDrive"= {4b063297-0b74-49c6-a054-3cae44002824} - C:\WINDOWS\Resources\ComponentDrive.dll [ ]
"AlrtKernel"= {e8282a4d-669e-4863-9dbd-6d416fd53c53} - C:\WINDOWS\Resources\AlrtKernel.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 16:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\windows\\system32\\gpld0.exe"=
"C:\\WINDOWS\\system32\\vqjtju.exe"=

R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 13:31]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-02-16 11:50]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 16:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 03:00:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
.
**************************************************************************
.
Completion time: 2008-04-12 3:06:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 08:06:07
Pre-Run: 117,299,433,472 bytes free
Post-Run: 117,213,642,752 bytes free
.
2008-04-09 13:15:56 --- E O F ---

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:49 AM

Posted 12 April 2008 - 11:22 AM

Hello,

Could I see a new HijackThis log also, please? :thumbsup: How is it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 andrewpsp (Topic Starter)

Posted 13 April 2008 - 06:54 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:41 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - C:\WINDOWS\vnbptxlf.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O21 - SSODL: ComponentDrive - {4b063297-0b74-49c6-a054-3cae44002824} - C:\WINDOWS\Resources\ComponentDrive.dll (file missing)
O21 - SSODL: AlrtKernel - {e8282a4d-669e-4863-9dbd-6d416fd53c53} - C:\WINDOWS\Resources\AlrtKernel.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7772 bytes

#7 teacup61 (Malware Response Team)


Posted 13 April 2008 - 08:12 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - C:\WINDOWS\vnbptxlf.dll (file missing)
O21 - SSODL: ComponentDrive - {4b063297-0b74-49c6-a054-3cae44002824} - C:\WINDOWS\Resources\ComponentDrive.dll (file missing)
O21 - SSODL: AlrtKernel - {e8282a4d-669e-4863-9dbd-6d416fd53c53} - C:\WINDOWS\Resources\AlrtKernel.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Are you still having the original problems? :thumbsup:

tea

#8 andrewpsp (Topic Starter)

Posted 13 April 2008 - 08:56 PM

Original problems are now non-existent as far as I can tell, but...

My desktop wallpaper is still the same as when I was infected, and the start-up is noticeably slower.
The start-up issues I'm sure I can figure out myself, but the desktop problem makes it seem like there's still some infection somewhere. I actually had to manually re-enable regedit and Task Manager after they had been disabled, so I honestly don't know if the infection is completely gone.

#9 teacup61 (Malware Response Team)


Posted 13 April 2008 - 09:17 PM

Thanks. :thumbsup: Try this for the desktop:

Go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply and exit Display Properties.

Uninstall Viewpoint via Add/Remove Programs.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O3 - Toolbar: vnbptxlf - {2765DD3A-7AB1-4813-9612-C14A5981728A} - C:\WINDOWS\vnbptxlf.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O21 - SSODL: ComponentDrive - {4b063297-0b74-49c6-a054-3cae44002824} - C:\WINDOWS\Resources\ComponentDrive.dll (file missing)
O21 - SSODL: AlrtKernel - {e8282a4d-669e-4863-9dbd-6d416fd53c53} - C:\WINDOWS\Resources\AlrtKernel.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folders (if they exist):

C:\Program Files\Viewpoint
Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

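Posts #8 and #9 above describe three kinds of tampering that this rogue leaves behind and that a scanner log alone will not show you: the user-level policies that disable regedit and Task Manager, the Active Desktop web component that keeps the "infected" wallpaper in place (what the Display Properties Web tab lists), and the Security Center overrides already visible in the ComboFix report. The script below audits all of them from the registry and can delete a policy value once you have confirmed it is not one you set yourself. It is an added example, not code from the thread or from any of the tools mentioned in it; the policy value names are the standard Windows ones, the snapshot used for the offline check is constructed, and treating "About:Home" as the only component a clean XP desktop carries is an assumption.

```python
"""Audit the policy, Active Desktop and Security Center values this rogue tampers with.

Added example, not from the original posts. evaluate() works on any snapshot
dict, so the logic can be tested offline; read_snapshot() and clear_policy()
need Windows (winreg).
"""
import sys

# (hive, subkey, value, meaning when the value is DWORD 1). Standard Windows
# policy/Security Center value names; DWORD 1 enforces the restriction.
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_CHECKS = [
    ("HKCU", POLICY_SYSTEM, "DisableRegistryTools", "regedit blocked"),
    ("HKCU", POLICY_SYSTEM, "DisableTaskMgr", "Task Manager blocked"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallPaper", "wallpaper change blocked"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoActiveDesktopChanges", "Active Desktop locked"),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "AntiVirusOverride",
     "Security Center antivirus warning suppressed"),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "FirewallOverride",
     "Security Center firewall warning suppressed"),
]
# Active Desktop web components: one subkey per item on the Web tab, each with
# a 'Source' value (URL or file) that is rendered as the desktop background.
AD_COMPONENTS = ("HKCU", r"Software\Microsoft\Internet Explorer\Desktop\Components")
# Assumption: the stock 'My Current Home Page' component uses this source.
DEFAULT_COMPONENT_SOURCE = "about:home"

# Constructed snapshot resembling the tampered machine (not read from a real box).
CONSTRUCTED_SNAPSHOT = {
    ("HKCU", POLICY_SYSTEM): {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    ("HKLM", r"SOFTWARE\Microsoft\Security Center"): {"AntiVirusOverride": 1, "FirewallOverride": 0},
    AD_COMPONENTS: {"0": "About:Home", "1": r"C:\constructed\hijacked_wallpaper.htm"},
}


def evaluate(snapshot):
    """snapshot: {(hive, subkey): {value: data}}; the AD_COMPONENTS entry maps
    component subkey name -> Source string. Returns human-readable findings."""
    findings = []
    for hive, subkey, value, meaning in POLICY_CHECKS:
        if snapshot.get((hive, subkey), {}).get(value) == 1:
            findings.append(f"{hive}\\{subkey}\\{value}=1 ({meaning})")
    for comp, source in snapshot.get(AD_COMPONENTS, {}).items():
        if source and source.lower() != DEFAULT_COMPONENT_SOURCE:
            findings.append(f"Active Desktop component {comp} -> {source}")
    return findings


def _hives():
    import winreg  # Windows only
    return winreg, {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}


def read_snapshot():
    """Read the live values into the snapshot shape evaluate() expects."""
    winreg, hives = _hives()
    snap = {}
    for hive, subkey, value, _ in POLICY_CHECKS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                snap.setdefault((hive, subkey), {})[value] = winreg.QueryValueEx(k, value)[0]
        except OSError:
            pass  # key or value absent: policy not set
    comps = {}
    try:
        with winreg.OpenKey(hives[AD_COMPONENTS[0]], AD_COMPONENTS[1]) as k:
            i = 0
            while True:
                try:
                    name = winreg.EnumKey(k, i)
                except OSError:
                    break  # no more subkeys
                i += 1
                try:
                    with winreg.OpenKey(k, name) as c:
                        comps[name] = winreg.QueryValueEx(c, "Source")[0]
                except OSError:
                    comps[name] = ""
    except OSError:
        pass
    snap[AD_COMPONENTS] = comps
    return snap


def clear_policy(hive, subkey, value):
    """Delete one policy value (HKLM needs an administrator token)."""
    winreg, hives = _hives()
    with winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_SET_VALUE) as k:
        winreg.DeleteValue(k, value)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live audit needs Windows; evaluate() can still be used on an exported snapshot")
    for line in evaluate(read_snapshot()):
        print(line)
```

Deleting the value is preferable to setting it to 0: a value that is absent is the default state, while a 0 left behind still shows up as "policy configured" to anyone auditing the box later. Active Desktop components are left for the GUI (or a deliberate key deletion) because the Web tab step in post #9 does exactly that and shows you what is there first.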
#10 andrewpsp (Topic Starter)

Posted 14 April 2008 - 12:28 AM

MBAM log
Malwarebytes' Anti-Malware 1.11
Database version: 615

Scan type: Quick Scan
Objects scanned: 31438
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:29 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5397 bytes


When the PC boots, I see the chosen desktop for a few moments and then it reverts to the white background.
There wasn't anything in Customize Desktop besides my current home page, and I removed the Viewpoint Media Manager.
1. f'sho


a lazy way of expressing compliance to a fellow peer


Peer 1: yo dawg, y'all wanna roll wit lorenzo he be ridin' in da benzo!

Peer 2: f'sho, f'sho

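A triage helper for the HijackThis log above, added here as an example; it is not part of the original post and not HijackThis's own code. It parses the O2/O4/O16/O23 lines into entries and attaches review flags (not verdicts) to the ones a responder would look at first: a Run-key command given as a bare file name with no directory (Windows resolves it through the PATH search order at logon), a binary living outside C:\WINDOWS or C:\Program Files, and any O16 DPF control downloaded from a URL. The trusted-root list is an assumption for an English-locale, single-drive XP install, and the single `[example]` HKCU Run line pointing into a Temp folder is constructed for the demo; every other sample line is copied from the log above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Assumption for the demo: English-locale XP on one drive, so legitimate
# autostart binaries live under one of these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample: lines copied from the HijackThis log above, plus one
# made-up HKCU Run entry ([example]) pointing into a Temp folder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


@dataclass
class Entry:
    section: str              # "O4", "O23", ...
    name: str                 # value name, service display name, BHO/control name
    target: str               # executable, DLL or URL the entry points at
    raw: str
    flags: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DIR_RE = re.compile(r"^(?:Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.+?)\) - (?P<url>\S+)$")
# First program-looking token of an unquoted command line (copes with spaces in paths).
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|lnk))(?:\s|,|$)", re.I)


def executable_from_command(cmd: str) -> str:
    """Return the program a Run-key command line actually starts.

    Quoted paths are taken verbatim; for rundll32 host lines the hosted DLL
    (the part before ",EntryPoint") is returned, since that is the real target.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        path, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        m = EXE_RE.match(cmd)
        if not m:
            return cmd.split()[0] if cmd else ""
        path, rest = m.group("path"), cmd[m.end("path"):].lstrip(" ,")
    if path.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32") and rest:
        return executable_from_command(rest)
    return path


def parse_hjt(text: str) -> List[Entry]:
    """Turn the section lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            r = O4_REG_RE.match(body) or O4_DIR_RE.match(body)
            if r:
                entries.append(Entry(sec, r.group("name"), executable_from_command(r.group("cmd")), line))
        elif sec == "O2":
            r = O2_RE.match(body)
            if r:
                entries.append(Entry(sec, r.group("name"), r.group("path"), line))
        elif sec == "O16":
            r = O16_RE.match(body)
            if r:
                entries.append(Entry(sec, r.group("name"), r.group("url"), line))
        elif sec == "O23":
            # "Service: <display> - <vendor> - <path>": split from the right so a
            # display name that itself contains " - " does not break the parse.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[0].startswith("Service: "):
                entries.append(Entry(sec, parts[0][len("Service: "):], parts[2], line))
        else:
            entries.append(Entry(sec, "", body, line))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags and return only the entries that received one."""
    for e in entries:
        t = e.target.lower()
        if e.section == "O16":
            e.flags.append("activex-download: control fetched from " + e.target)
        elif e.section in ("O2", "O4", "O23"):
            if "\\" not in t:
                # No directory: resolved via the PATH search order at logon, so a
                # same-named file earlier on PATH would be the one that runs.
                e.flags.append("bare-filename: no directory in " + e.target)
            elif not t.startswith(TRUSTED_ROOTS):
                e.flags.append("outside-program-dirs: " + e.target)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.section, e.name, "->", "; ".join(e.flags))
```

Run against the sample it flags three lines for review: the O4 entry that is just `CHDAudPropShortcut.exe`, the constructed Temp-folder entry, and the O16 DPF download; everything else in the sample resolves under a trusted root. A flag is a prompt to look at the file (vendor, signature, hash), not a malware call.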
#11 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 15 April 2008 - 01:35 AM

Hello,

Did you make sure to remove the checkmark from the Lock Desktop Items box if it was checked? That will make a difference too....and was there a reboot involved after you did the last fixes?

There is totally nothing in either of the last logs you gave me, so I'm going to lean to this being a different issue as of right now. The malware looks to be all gone. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#12 andrewpsp (Topic Starter, Members, 8 posts, miami/st.louis)

Posted 18 April 2008 - 04:07 AM

Yeah, I now know how to troubleshoot this unfamiliar malware thanks to this forum; thanks a lot.
Regarding this desktop issue, what could be the problem? I know for a fact that the desktop isn't locked via Customize Desktop. Any expertise at all?

#13 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 18 April 2008 - 12:36 PM

Thread reopened at the request of topic starter.

Please tell me anything you've done in the last 3 weeks, and how it's running/behaving now.

Thanks,
tea

Edited by teacup61, 09 May 2008 - 10:47 PM.




