Infected With Security System Protection Control Panel, Among Other Things


  • This topic is locked
19 replies to this topic

#1 xDestry

xDestry

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 28 April 2008 - 08:06 PM

Hi, I have had the Security System Protection Control Panel popup, where it prompts me to go download an anti-spyware program, come up a few times. Also my computer starts running at 100% randomly and I get random popups. Here is my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:25 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Lcass.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\ybktmnud.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lcass.exe] C:\WINDOWS\system32\Lcass.EXE
O4 - HKLM\..\Run: [Lcass] C:\WINDOWS\system32\Lcass.EXE
O4 - HKLM\..\Run: [b4b58fc5] rundll32.exe "C:\WINDOWS\system32\wmdrlihy.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [fyrjgtuq] C:\WINDOWS\system32\ybktmnud.exe
O4 - HKLM\..\Policies\Explorer\Run: [4S01UkXOig] C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\trcTMP\kmdmns2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117241978421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O21 - SSODL: RomPrx - {2fb706a4-915b-43f4-8da4-68504aa5c9e5} - C:\WINDOWS\Resources\RomPrx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5799 bytes

Please help! Thank you!


#2 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 28 April 2008 - 10:07 PM

This is Kaspersky.


KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 8:05:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 729653
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\WEICHE~1\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 12558
Number of viruses found 12
Number of infected objects 15
Number of suspicious objects 0
Duration of the scan process 00:14:23

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{cde98ea8-b2f8-45e1-8fb5-ef3f345d6f40}\zip.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\WINDOWS\npqtsrak.exe Infected: Trojan.Win32.Vapsup.eet skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\AWTTUUSP.DLL.del Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcDwWqR.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoi skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\usbehcii.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkkhiifg.dll Infected: Trojan.Win32.Agent.eek skipped
C:\WINDOWS\system32\jkkklJdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfq skipped
C:\WINDOWS\system32\Lcass.exe Infected: Worm.Win32.VB.gd skipped
C:\WINDOWS\system32\mlJDTmjh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\WINDOWS\system32\qoMgdaXR.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\WINDOWS\system32\uslvcgcj.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\vtUlIcBR.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoi skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wmdrlihy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qre skipped
C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\WINDOWS\system32\ybktmnud.exe Infected: Trojan-Downloader.Win32.Obfuscated.un skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\WEICHE~1\LOCALS~1\Temp\xrun.exe Infected: Trojan-Downloader.Win32.Agent.brq skipped
C:\DOCUME~1\WEICHE~1\LOCALS~1\Temp\~DFA94.tmp Object is locked skipped
Scan process completed.

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:01 AM

Posted 29 April 2008 - 04:19 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 29 April 2008 - 03:30 PM

Thank you for taking the time to help.

#5 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 30 April 2008 - 12:50 AM

Here's a new HJT scan, I seem to have gained some processes ^^;


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:17 PM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Lcass.EXE
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\ybktmnud.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\3ivx\3ivx MPEG-4 5.0.1\3ivxRegister.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\pnVes01\pnVes011065.exe
C:\DOCUME~1\WEICHE~1\APPLIC~1\STEM32~1\nopdb.exe
C:\WINDOWS\17PHolmes572.exe
C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe
C:\Documents and Settings\wei cheng\Application Data\SpeedRunner\SpeedRunner.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\d2VpIGNoZW5n\command.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\?ppPatch\d?xplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lcass.exe] C:\WINDOWS\system32\Lcass.EXE
O4 - HKLM\..\Run: [Lcass] C:\WINDOWS\system32\Lcass.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [b4b58fc5] rundll32.exe "C:\WINDOWS\system32\mfdapgck.dll",b
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\WEICHE~1\LOCALS~1\Temp\2008429142354_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\WEICHE~1\LOCALS~1\Temp\2008429142352_mcinfo.exe /insfin
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [fyrjgtuq] C:\WINDOWS\system32\ybktmnud.exe
O4 - HKCU\..\Run: [Vcsron] C:\Program Files\Vcsron\Vcsron.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\WEICHE~1\APPLIC~1\STEM32~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Kcg] "C:\Program Files\?ppPatch\d?xplore.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\wei cheng\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe
O4 - HKLM\..\Policies\Explorer\Run: [4S01UkXOig] C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\trcTMP\kmdmns2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117241978421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O21 - SSODL: RomPrx - {2fb706a4-915b-43f4-8da4-68504aa5c9e5} - C:\WINDOWS\Resources\RomPrx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2VpIGNoZW5n\command.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7043 bytes

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:01 AM

Posted 30 April 2008 - 03:42 AM

Hi,

Go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.


Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#7 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 30 April 2008 - 08:19 PM

Hi there, thanks again!

Here's HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:10 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\d2VpIGNoZW5n\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Lcass.EXE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\ybktmnud.exe
C:\Program Files\Vcsron\Vcsron.exe
C:\DOCUME~1\WEICHE~1\APPLIC~1\STEM32~1\nopdb.exe
C:\Program Files\?ppPatch\d?xplore.exe
C:\Documents and Settings\wei cheng\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe
C:\PROGRA~1\COMMON~1\muwf\muwfm.exe
C:\PROGRA~1\COMMON~1\muwf\muwfa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\3ivx\3ivx MPEG-4 5.0.1\3ivxRegister.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E6F670A-62B6-44DD-94BE-5F412FDE64D2} - C:\WINDOWS\system32\jkkklJdb.dll
O2 - BHO: (no name) - {6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3} - C:\WINDOWS\system32\qoMgdaXR.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {CEF864FD-846F-D1ED-1196-A18F00552B9F} - C:\WINDOWS\system32\vqaehf.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lcass.exe] C:\WINDOWS\system32\Lcass.EXE
O4 - HKLM\..\Run: [Lcass] C:\WINDOWS\system32\Lcass.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [b4b58fc5] rundll32.exe "C:\WINDOWS\system32\mfdapgck.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [fyrjgtuq] C:\WINDOWS\system32\ybktmnud.exe
O4 - HKCU\..\Run: [Vcsron] C:\Program Files\Vcsron\Vcsron.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\WEICHE~1\APPLIC~1\STEM32~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Kcg] "C:\Program Files\?ppPatch\d?xplore.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\wei cheng\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe
O4 - HKCU\..\Run: [muwf] C:\PROGRA~1\COMMON~1\muwf\muwfm.exe
O4 - HKLM\..\Policies\Explorer\Run: [4S01UkXOig] C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\trcTMP\kmdmns2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117241978421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: qoMgdaXR - C:\WINDOWS\SYSTEM32\qoMgdaXR.dll
O21 - SSODL: RomPrx - {2fb706a4-915b-43f4-8da4-68504aa5c9e5} - C:\WINDOWS\Resources\RomPrx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2VpIGNoZW5n\command.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7512 bytes

Now Combofix

ComboFix 08-04-26.3 - wei cheng 2008-04-30 17:56:41.1 - NTFSx86
Running from: C:\Documents and Settings\wei cheng\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\wei cheng\Application Data\PPATCH~1
C:\Documents and Settings\wei cheng\Application Data\STEM32~1
C:\Documents and Settings\wei cheng\Application Data\STEM32~1\??stem32\
C:\Documents and Settings\wei cheng\Application Data\STEM32~1\nopdb.exe
C:\Documents and Settings\wei cheng\Desktopblackbird.jpg
C:\Documents and Settings\wei cheng\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\wei cheng\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\wei cheng\Desktopfilemanagerclient.exe
C:\Documents and Settings\wei cheng\Desktopfkwp1.5.exe
C:\Documents and Settings\wei cheng\Desktopfkwp2.0.exe
C:\Documents and Settings\wei cheng\Desktopfwebd.exe
C:\Documents and Settings\wei cheng\DesktopFWebdEditor.exe
C:\Documents and Settings\wei cheng\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\wei cheng\Desktopvirii
C:\Documents and Settings\wei cheng\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\wei cheng\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\wei cheng\My Documents\ASKS~1
C:\Documents and Settings\wei cheng\Start Menu\Programs\Outerinfo
C:\Documents and Settings\wei cheng\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\wei cheng\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\wei cheng\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\muwf
C:\Program Files\Common Files\muwf\muwfa.exe
C:\Program Files\Common Files\muwf\muwfa.lck
C:\Program Files\Common Files\muwf\muwfd\class-barrel
C:\Program Files\Common Files\muwf\muwfd\muwfc.dll
C:\Program Files\Common Files\muwf\muwfd\vocabulary
C:\Program Files\Common Files\muwf\muwfl.exe
C:\Program Files\Common Files\muwf\muwfl.lck
C:\Program Files\Common Files\muwf\muwfm.exe
C:\Program Files\Common Files\muwf\muwfm.lck
C:\Program Files\Common Files\muwf\muwfp.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\CPV
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\d?xplore.exe
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\a.bat
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\b999.exe
C:\WINDOWS\bdn.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\d2VpIGNoZW5n\
C:\WINDOWS\d2VpIGNoZW5n\\asappsrv.dll
C:\WINDOWS\d2VpIGNoZW5n\\command.exe
C:\WINDOWS\d2VpIGNoZW5n\\xZpDK3hCtqcB.vbs
C:\WINDOWS\d2VpIGNoZW5n\command.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\mssecu.exe
C:\WINDOWS\muwf
C:\WINDOWS\muwf\muwf.dat
C:\WINDOWS\muwf\wu
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bdJlkkkj.ini
C:\WINDOWS\system32\bdJlkkkj.ini2
C:\WINDOWS\system32\ddcDwWqR.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\usbehcii.sys
C:\WINDOWS\system32\efcBsPHa.dll
C:\WINDOWS\system32\jkkklJdb.dll
C:\WINDOWS\system32\kcgpadfm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfdapgck.dll
C:\WINDOWS\system32\mlJDTmjh.dll
C:\WINDOWS\system32\nnnklKab.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Psuuttwa.ini
C:\WINDOWS\system32\Psuuttwa.ini2
C:\WINDOWS\system32\qoMgdaXR.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\vqaehf.dll
C:\WINDOWS\system32\vtUlIcBR.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Legacy_USBEHCII
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_TnIDriver
-------\Service_usbehcii


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-29 22:50 . 2008-04-29 22:50 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-04-29 22:04 . 2008-04-29 22:04 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-29 20:04 . 2008-04-29 20:14 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\SpeedRunner
2008-04-29 14:24 . 2008-04-29 14:24 <DIR> d-------- C:\Program Files\Vcsron
2008-04-29 13:37 . 2008-04-29 13:37 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-04-29 13:34 . 2008-04-29 13:34 <DIR> d-------- C:\WINDOWS\system32\pnVes01
2008-04-29 13:34 . 2008-04-29 13:34 <DIR> d-------- C:\Temp\zvebs14
2008-04-29 13:34 . 2008-04-29 13:34 <DIR> d-------- C:\Temp\kvebs14
2008-04-28 19:01 . 2008-04-28 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-28 19:00 . 2008-04-28 19:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 18:15 . 2008-04-29 13:43 1,506,074 --ahs---- C:\WINDOWS\system32\jcgcvlsu.ini
2008-04-28 18:05 . 2008-04-28 18:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 15:52 . 2008-04-28 17:54 1,505,862 --ahs---- C:\WINDOWS\system32\yhilrdmw.ini
2008-04-24 13:54 . 2008-04-26 15:51 1,505,499 --ahs---- C:\WINDOWS\system32\jwgdxbln.ini
2008-04-23 23:33 . 2008-04-23 23:33 106,496 --a------ C:\WINDOWS\system32\ybktmnud.exe
2008-04-22 15:10 . 2008-04-22 15:10 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-22 15:07 . 2008-04-22 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-21 15:17 . 2008-04-21 15:17 106,496 --a------ C:\WINDOWS\system32\larkxchs.exe
2008-04-21 00:25 . 2008-04-21 00:25 106,496 --a------ C:\WINDOWS\system32\xufahijs.exe
2008-04-20 23:24 . 2008-04-21 00:08 0 --ahs---- C:\Documents and Settings\wei cheng\Application Data\0000000000at.dat
2008-04-20 23:21 . 2008-04-20 23:21 485,888 --a------ C:\Documents and Settings\wei cheng\installer.exe
2008-04-20 17:12 . 2008-04-20 23:17 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-04-20 17:10 . 2008-04-20 17:10 <DIR> d-------- C:\Program Files\Greatis
2008-04-20 17:10 . 2008-04-20 17:08 13,824 --a------ C:\Documents and Settings\wei cheng\Application Data\knxoo.exe
2008-04-20 17:08 . 2008-04-20 17:08 13,824 --a------ C:\DmPX.exe
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 02:51 . 2008-04-19 02:51 <DIR> d-------- C:\Program Files\Real Alternative
2008-04-19 02:51 . 2008-04-19 02:51 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\Media Player Classic
2008-04-19 02:47 . 2008-04-19 02:47 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\vlc
2008-04-19 02:44 . 2008-04-19 02:44 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-19 02:42 . 2008-04-19 02:42 <DIR> d-------- C:\WINDOWS\resources
2008-04-19 02:42 . 2008-04-30 18:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 02:42 . 2008-04-19 02:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 02:35 . 2008-04-19 02:35 2,204 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 02:11 . 2008-04-22 01:09 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-19 02:10 . 2008-04-19 02:10 <DIR> d-------- C:\Program Files\CCleaner
2008-04-19 02:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-19 02:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-19 02:07 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-19 02:07 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-19 02:07 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-19 02:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-19 02:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-19 01:27 . 2008-04-19 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 01:26 . 2008-04-19 02:30 <DIR> d-------- C:\WINDOWS\system32\trcTMP
2008-04-19 01:26 . 2008-04-28 20:29 <DIR> d-------- C:\WINDOWS\system32\slNew
2008-04-19 01:26 . 2008-04-19 01:54 <DIR> d-------- C:\WINDOWS\system32\iTmp
2008-04-19 01:25 . 2008-04-19 01:25 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-19 01:25 . 2008-04-19 01:26 <DIR> d-------- C:\Temp\berDrv11
2008-04-19 01:25 . 2008-04-30 17:59 <DIR> d-------- C:\Temp
2008-04-19 01:14 . 2008-04-19 01:14 275,456 --a------ C:\WINDOWS\system32\AWTTUUSP.DLL.del
2008-04-19 01:12 . 2008-04-22 15:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 01:07 . 2008-04-19 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\uhenotij
2008-04-19 01:06 . 2008-04-18 08:48 106,496 --a------ C:\WINDOWS\npqtsrak.exe
2008-04-17 19:57 . 2008-04-17 19:57 <DIR> dr-h----- C:\Documents and Settings\wei cheng\Application Data\SecuROM
2008-04-17 19:57 . 2008-04-17 20:04 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-17 19:32 . 2008-04-17 19:32 <DIR> d-------- C:\Program Files\Sierra
2008-04-17 19:27 . 2008-04-17 19:27 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\InstallShield
2008-04-11 09:20 . 2008-04-11 09:20 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-08 00:06 . 2008-04-08 00:06 <DIR> d-------- C:\Program Files\Cognaxon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 06:58 --------- d-----w C:\Program Files\McAfee.com
2008-04-29 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-25 03:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 22:24 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 22:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 22:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-22 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-19 08:07 --------- d-----w C:\Documents and Settings\wei cheng\Application Data\Azureus
2008-04-18 04:16 --------- d-----w C:\Program Files\Warcraft III
2008-04-16 23:42 --------- d-----w C:\Program Files\Azureus
2008-03-19 23:13 --------- d-----w C:\Documents and Settings\wei cheng\Application Data\Move Networks
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-03-06 16:54 212,992 --sha-r C:\WINDOWS\system32\Lcass.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 19:00 299008]
"fyrjgtuq"="C:\WINDOWS\system32\ybktmnud.exe" [2008-04-23 23:33 106496]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-29 13:39 57344]
"Sen"="C:\DOCUME~1\WEICHE~1\APPLIC~1\STEM32~1\nopdb.exe" [ ]
"Kcg"="C:\Program Files\?ppPatch\d?xplore.exe" [ ]
"SpeedRunner"="C:\Documents and Settings\wei cheng\Application Data\SpeedRunner\SpeedRunner.exe" [2008-04-29 20:04 181248]
"SfKg6wIP"="C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe" [2008-04-29 20:04 35328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Lcass.exe"="C:\WINDOWS\system32\Lcass.EXE" [2007-03-06 09:54 212992]
"Lcass"="C:\WINDOWS\system32\Lcass.EXE" [2007-03-06 09:54 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"4S01UkXOig"= C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomPrx"= {2fb706a4-915b-43f4-8da4-68504aa5c9e5} - C:\WINDOWS\Resources\RomPrx.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\WINDOWS\\system32\\Lcass.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 10:31]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 10:55]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-20 23:17]
S3 Revolution1;Revolution1;C:\Documents and Settings\wei cheng\Desktop\Revolution Engine 8.3 ShaK3\SHAK3.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 11:11]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 11:11]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 11:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 15:25:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:12:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:18:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 01:18:19

Pre-Run: 13,734,207,488 bytes free
Post-Run: 13,830,864,896 bytes free

335 --- E O F --- 2008-04-19 10:05:55

#8 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 02 May 2008 - 04:18 AM

Hello,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Azureus).

These programmes allow files to be shared between users, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files.
A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care.
Some further readings on this subject, via the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.



Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

SpeedRunner



Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Program Files\Vcsron
C:\WINDOWS\system32\pnVes01
C:\Temp\zvebs14
C:\Temp\kvebs14
C:\WINDOWS\system32\trcTMP
C:\WINDOWS\system32\slNew
C:\WINDOWS\system32\iTmp
C:\WINDOWS\system32\xcsDd01
C:\Temp\berDrv11
C:\Documents and Settings\All Users\Application Data\uhenotij
C:\Documents and Settings\wei cheng\Application Data\SpeedRunner
File::
C:\WINDOWS\system32\jcgcvlsu.ini
C:\WINDOWS\system32\yhilrdmw.ini
C:\WINDOWS\system32\jwgdxbln.ini
C:\WINDOWS\system32\ybktmnud.exe
C:\WINDOWS\system32\larkxchs.exe
C:\WINDOWS\system32\xufahijs.exe
C:\Documents and Settings\wei cheng\Application Data\0000000000at.dat
C:\Documents and Settings\wei cheng\Application Data\knxoo.exe
C:\DmPX.exe
C:\WINDOWS\system32\AWTTUUSP.DLL.del
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\system32\Lcass.exe
C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe
C:\WINDOWS\Resources\RomPrx.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fyrjgtuq"=-
"Vcsron"=-
"Sen"=-
"Kcg"=-
"SpeedRunner"=-
"SfKg6wIP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lcass.exe"=-
"Lcass"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"4S01UkXOig"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomPrx"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\Lcass.exe"=-
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINDOWS\msoffice.ini
  • Please post back the results of the scan in your next post.
  • You can try the same at Virustotal: http://www.virustotal.com/
In your next reply, please post:
- The results from ComboFix.
- The results from Jotti's.
- A new HijackThis log.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
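
As an added example (my own code, not the helper's instructions and not anything ComboFix ships), the following Python script reads the `Reg Loading Points` Run entries in the format ComboFix prints above and flags the ones a reviewer would want to look at, using only signals visible on the log line: an empty `[ ]` bracket (ComboFix found no file to stamp), `?` characters in the path (non-printable characters, as in `?ppPatch`), an executable launching from a profile's Application Data or Temp directory, and a file date within 14 days of the scan. It then renders the flagged names as the `Registry::` block of a CFScript in the same `"name"=-` form the helper used. The sample block is constructed from Run lines quoted on this page; the rules, the 14-day threshold and all function names are assumptions of mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the HKCU/HKLM Run blocks as they appear in the ComboFix log above.
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"fyrjgtuq"="C:\WINDOWS\system32\ybktmnud.exe" [2008-04-23 23:33 106496]
"Sen"="C:\DOCUME~1\WEICHE~1\APPLIC~1\STEM32~1\nopdb.exe" [ ]
"Kcg"="C:\Program Files\?ppPatch\d?xplore.exe" [ ]
"SpeedRunner"="C:\Documents and Settings\wei cheng\Application Data\SpeedRunner\SpeedRunner.exe" [2008-04-29 20:04 181248]
"SfKg6wIP"="C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe" [2008-04-29 20:04 35328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"Lcass"="C:\WINDOWS\system32\Lcass.EXE" [2007-03-06 09:54 212992]
'''

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')                         # [HKEY_...\Run]
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')  # "name"="path" [stamp]
STAMP_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+)$')  # date time size

# Locations a legitimate machine-wide or per-user Run entry rarely launches from (assumption).
PROFILE_DIRS = ('\\application data\\', '\\applic~1\\', '\\temp\\', '\\local settings\\')


def parse_run_entries(text):
    """Yield (key, name, path, meta) for every value line under a registry key header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def triage_entry(name, path, meta, scan_date, recent_days=14):
    """Return the reasons an entry deserves review; an empty list means nothing was noticed."""
    reasons = []
    if not meta:
        reasons.append('no file metadata: target missing or unreadable at scan time')
    if '?' in path:
        reasons.append('non-printable characters in path')
    if any(d in path.lower() for d in PROFILE_DIRS):
        reasons.append('launches from a profile data or temp directory')
    m = STAMP_RE.match(meta)
    if m:
        created = datetime.strptime(m.group(1), '%Y-%m-%d')
        if scan_date - created <= timedelta(days=recent_days):
            reasons.append('file dated within %d days of the scan' % recent_days)
    return reasons


def triage_log(text, scan_date_str):
    """Map registry key -> {value name: reasons} for entries with at least one reason."""
    scan_date = datetime.strptime(scan_date_str, '%Y-%m-%d')
    flagged = {}
    for key, name, path, meta in parse_run_entries(text):
        reasons = triage_entry(name, path, meta, scan_date)
        if reasons:
            flagged.setdefault(key, {})[name] = reasons
    return flagged


def cfscript_registry_section(flagged):
    """Render a CFScript Registry:: block; '"name"=-' is the REGEDIT4 form that deletes a value."""
    lines = ['Registry::']
    for key, names in flagged.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % n for n in names)
    return '\n'.join(lines)


if __name__ == '__main__':
    hits = triage_log(SAMPLE_LOG, '2008-04-30')
    for key, names in hits.items():
        print(key)
        for n, why in names.items():
            print('  %-12s %s' % (n, '; '.join(why)))
    print(cfscript_registry_section(hits))
```

Run against the sample with the scan date 2008-04-30, it flags fyrjgtuq, Sen, Kcg, SpeedRunner and SfKg6wIP under HKCU and nothing under HKLM. Note what it misses: Lcass carries a 2007 timestamp and sits in system32, so it passes every line-level rule; in the thread it was identified only through its Find3M attributes (--sha-r, a hidden system file) and its firewall exception. Output like this is a starting point for a reviewer, not a verdict, and a Registry:: block derived from one machine's log applies only to that machine, which is the point the helper's IMPORTANT note makes.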

#9 xDestry

  • Topic Starter
  • Members
  • 11 posts

Posted 03 May 2008 - 01:07 AM

COMBOFIX

ComboFix 08-04-26.3 - wei cheng 2008-05-02 22:58:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.282 [GMT -7:00]
Running from: C:\Documents and Settings\wei cheng\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\wei cheng\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DmPX.exe
C:\Documents and Settings\wei cheng\Application Data\0000000000at.dat
C:\Documents and Settings\wei cheng\Application Data\knxoo.exe
C:\Documents and Settings\wei cheng\Application Data\Microsoft\Windows\aetroxc.exe
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\Resources\RomPrx.dll
C:\WINDOWS\system32\AWTTUUSP.DLL.del
C:\WINDOWS\system32\jcgcvlsu.ini
C:\WINDOWS\system32\jwgdxbln.ini
C:\WINDOWS\system32\larkxchs.exe
C:\WINDOWS\system32\Lcass.exe
C:\WINDOWS\system32\xufahijs.exe
C:\WINDOWS\system32\ybktmnud.exe
C:\WINDOWS\system32\yhilrdmw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DmPX.exe
C:\Documents and Settings\All Users\Application Data\uhenotij
C:\Documents and Settings\All Users\Application Data\uhenotij\urubulmh.exe
C:\Documents and Settings\wei cheng\Application Data\0000000000at.dat
C:\Documents and Settings\wei cheng\Application Data\knxoo.exe
C:\Documents and Settings\wei cheng\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Program Files\Vcsron
C:\Program Files\Vcsron\Vcsron.exe
C:\Temp\berDrv11
C:\Temp\berDrv11\fxpNbu.log
C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\system32\AWTTUUSP.DLL.del
C:\WINDOWS\system32\iTmp
C:\WINDOWS\system32\jcgcvlsu.ini
C:\WINDOWS\system32\jwgdxbln.ini
C:\WINDOWS\system32\larkxchs.exe
C:\WINDOWS\system32\Lcass.exe
C:\WINDOWS\system32\pnVes01
C:\WINDOWS\system32\pnVes01\pnVes011065.exe
C:\WINDOWS\system32\slNew
C:\WINDOWS\system32\trcTMP
C:\WINDOWS\system32\xcsDd01
C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe
C:\WINDOWS\system32\xufahijs.exe
C:\WINDOWS\system32\yhilrdmw.ini
F:\autorun.inf
F:\RECYCLER\Lcass.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-01 14:15 . 2008-05-01 14:15 102,400 --a------ C:\WINDOWS\system32\xopazoxu.exe
2008-04-29 22:50 . 2008-04-29 22:50 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-04-29 22:04 . 2008-04-29 22:04 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-29 13:37 . 2008-04-29 13:37 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-04-28 19:01 . 2008-04-28 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-28 19:00 . 2008-04-28 19:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 18:05 . 2008-04-28 18:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 15:10 . 2008-04-22 15:10 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-22 15:07 . 2008-04-22 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-20 23:21 . 2008-04-20 23:21 485,888 --a------ C:\Documents and Settings\wei cheng\installer.exe
2008-04-20 17:12 . 2008-04-20 23:17 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-04-20 17:10 . 2008-04-20 17:10 <DIR> d-------- C:\Program Files\Greatis
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 02:51 . 2008-04-19 02:51 <DIR> d-------- C:\Program Files\Real Alternative
2008-04-19 02:51 . 2008-04-19 02:51 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\Media Player Classic
2008-04-19 02:47 . 2008-04-19 02:47 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\vlc
2008-04-19 02:44 . 2008-04-19 02:44 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-19 02:42 . 2008-04-19 02:42 <DIR> d-------- C:\WINDOWS\resources
2008-04-19 02:42 . 2008-05-02 22:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 02:42 . 2008-04-19 02:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 02:35 . 2008-04-19 02:35 2,204 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 02:11 . 2008-04-22 01:09 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-19 02:10 . 2008-04-19 02:10 <DIR> d-------- C:\Program Files\CCleaner
2008-04-19 02:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-19 02:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-19 02:07 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-19 02:07 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-19 02:07 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-19 02:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-19 02:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-19 01:27 . 2008-04-19 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 01:25 . 2008-05-02 22:58 <DIR> d-------- C:\Temp
2008-04-19 01:12 . 2008-04-22 15:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 19:57 . 2008-04-17 19:57 <DIR> dr-h----- C:\Documents and Settings\wei cheng\Application Data\SecuROM
2008-04-17 19:57 . 2008-04-17 20:04 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-17 19:32 . 2008-04-17 19:32 <DIR> d-------- C:\Program Files\Sierra
2008-04-17 19:27 . 2008-04-17 19:27 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\InstallShield
2008-04-11 09:20 . 2008-04-11 09:20 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-08 00:06 . 2008-04-08 00:06 <DIR> d-------- C:\Program Files\Cognaxon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 06:58 --------- d-----w C:\Program Files\McAfee.com
2008-04-29 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-25 03:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 22:24 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 22:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 22:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-22 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-19 08:07 --------- d-----w C:\Documents and Settings\wei cheng\Application Data\Azureus
2008-04-18 04:16 --------- d-----w C:\Program Files\Warcraft III
2008-04-16 23:42 --------- d-----w C:\Program Files\Azureus
2008-03-19 23:13 --------- d-----w C:\Documents and Settings\wei cheng\Application Data\Move Networks
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_18.18.05.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 01:12:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 22:58:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 107,520 2005-03-18 20:02:04 C:\dell\MEDIAEXE\bak\PreODM.EXE

----a-w 50,528 2007-09-29 20:22:35 C:\Program Files\AIM6\bak\aim6.exe
----a-w 50,528 2008-01-03 16:15:06 C:\Program Files\AIM6\aim6.exe

----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 460,784 2007-03-15 18:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 950,272 2005-04-05 21:41:18 C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe

----a-w 53,248 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

----a-w 131,072 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 98,304 2005-05-24 22:39:13 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-11-15 07:43:10 C:\Program Files\QuickTime\QTTask.exe

----a-w 26,112 2005-05-24 22:38:44 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

----a-w 126,976 2005-01-23 21:31:34 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 77,824 2005-09-20 16:32:24 C:\WINDOWS\system32\hkcmd.exe

----a-w 155,648 2005-01-23 21:36:10 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 94,208 2005-09-20 16:35:40 C:\WINDOWS\system32\igfxtray.exe

----a-w 45,056 2002-07-11 14:31:56 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 19:00 299008]
"jeopkvme"="C:\WINDOWS\system32\xopazoxu.exe" [2008-05-01 14:15 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 10:31]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 10:55]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-20 23:17]
S3 Revolution1;Revolution1;C:\Documents and Settings\wei cheng\Desktop\Revolution Engine 8.3 ShaK3\SHAK3.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 11:11]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 11:11]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 11:11]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 15:25:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 23:00:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 23:02:55
ComboFix-quarantined-files.txt 2008-05-03 06:02:23
ComboFix2.txt 2008-05-01 01:18:24

Pre-Run: 14,681,006,080 bytes free
Post-Run: 14,670,823,424 bytes free

205 --- E O F --- 2008-04-19 10:05:55



JOTTI
Scan taken on 03 May 2008 06:04:05 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing




HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:20 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\xopazoxu.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\3ivx\3ivx MPEG-4 5.0.1\3ivxRegister.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [jeopkvme] C:\WINDOWS\system32\xopazoxu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117241978421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4982 bytes



Thanks again for all your help! Is there anywhere I could donate?

#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 03 May 2008 - 04:34 AM

Hello,

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.



Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\xopazoxu.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jeopkvme"=-
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#11 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts

Posted 03 May 2008 - 02:48 PM

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 05/03/2008
The current time is: 12:39:54.76


bak folders found
~~~~~~~~~~~


Directory of C:\DELL\MEDIAEXE\BAK

03/18/2005 01:02 PM 107,520 PreODM.EXE
1 File(s) 107,520 bytes

Directory of C:\PROGRA~1\AIM6\BAK

09/29/2007 01:22 PM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/24/2005 03:39 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/23/2005 02:31 PM 126,976 hkcmd.exe
01/23/2005 02:36 PM 155,648 igfxtray.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 05:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

04/05/2005 02:41 PM 950,272 MpfTray.exe
1 File(s) 950,272 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~3\BAK

09/14/2004 06:50 AM 131,072 mm_tray.exe
09/14/2004 06:50 AM 53,248 mmtask.exe
2 File(s) 184,320 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

05/24/2005 03:38 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 03:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

07/11/2002 07:31 AM 45,056 LMPDPSRV.EXE
1 File(s) 45,056 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

107520 Mar 18 2005 "C:\dell\MEDIAEXE\bak\PreODM.EXE"
50528 Jan 3 2008 "C:\Program Files\AIM6\aim6.exe"
50528 Sep 29 2007 "C:\Program Files\AIM6\bak\aim6.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
286720 Nov 15 2007 "C:\Program Files\QuickTime\QTTask.exe"
98304 May 24 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
126976 Jan 23 2005 "C:\DRIVERS\VIDEO\ONBOARD\HKCMD.EXE"
126976 Jan 23 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
26636 Oct 18 2007 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\hkcmd.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Jan 23 2005 "C:\DRIVERS\VIDEO\ONBOARD\IGFXTRAY.EXE"
155648 Jan 23 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
26636 Oct 18 2007 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\igfxtray.exe"
1404928 Oct 14 2004 "C:\DRIVERS\AUDIO\onboard\SMax4PNP.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
53248 Sep 14 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
53248 Sep 14 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
131072 Sep 14 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
131072 Sep 14 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
26112 May 24 2005 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
132760 Oct 28 2007 "C:\Program Files\Azureus\jre\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
45056 Jul 11 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\lexmarkx1258974\LMpdpsrv.exe"
45056 Jul 11 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE"


end of report

ComboFix 08-04-26.3 - wei cheng 2008-05-03 12:42:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.236 [GMT -7:00]
Running from: C:\Documents and Settings\wei cheng\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\wei cheng\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\xopazoxu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\xopazoxu.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-04-29 22:50 . 2008-04-29 22:50 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-04-29 22:04 . 2008-04-29 22:04 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-29 13:37 . 2008-04-29 13:37 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-04-28 19:01 . 2008-04-28 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-28 19:00 . 2008-04-28 19:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 18:05 . 2008-04-28 18:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 15:10 . 2008-04-22 15:10 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-22 15:07 . 2008-04-22 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-20 23:21 . 2008-04-20 23:21 485,888 --a------ C:\Documents and Settings\wei cheng\installer.exe
2008-04-20 17:12 . 2008-04-20 23:17 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-04-20 17:10 . 2008-04-20 17:10 <DIR> d-------- C:\Program Files\Greatis
2008-04-20 16:26 . 2008-04-20 16:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 02:51 . 2008-04-19 02:51 <DIR> d-------- C:\Program Files\Real Alternative
2008-04-19 02:51 . 2008-04-19 02:51 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\Media Player Classic
2008-04-19 02:47 . 2008-04-19 02:47 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\vlc
2008-04-19 02:44 . 2008-04-19 02:44 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-19 02:42 . 2008-04-19 02:42 <DIR> d-------- C:\WINDOWS\resources
2008-04-19 02:42 . 2008-05-03 12:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 02:42 . 2008-04-19 02:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 02:35 . 2008-04-19 02:35 2,204 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-19 02:11 . 2008-04-22 01:09 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-19 02:10 . 2008-04-19 02:10 <DIR> d-------- C:\Program Files\CCleaner
2008-04-19 02:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-19 02:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-19 02:07 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-19 02:07 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-19 02:07 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-19 02:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-19 02:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-19 01:27 . 2008-04-19 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 01:25 . 2008-05-02 22:58 <DIR> d-------- C:\Temp
2008-04-19 01:12 . 2008-04-22 15:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 19:57 . 2008-04-17 19:57 <DIR> dr-h----- C:\Documents and Settings\wei cheng\Application Data\SecuROM
2008-04-17 19:57 . 2008-04-17 20:04 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-17 19:32 . 2008-04-17 19:32 <DIR> d-------- C:\Program Files\Sierra
2008-04-17 19:27 . 2008-04-17 19:27 <DIR> d-------- C:\Documents and Settings\wei cheng\Application Data\InstallShield
2008-04-11 09:20 . 2008-04-11 09:20 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-08 00:06 . 2008-04-08 00:06 <DIR> d-------- C:\Program Files\Cognaxon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 06:58 --------- d-----w C:\Program Files\McAfee.com
2008-04-29 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-25 03:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 22:24 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 22:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 22:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-22 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-19 08:07 --------- d-----w C:\Documents and Settings\wei cheng\Application Data\Azureus
2008-04-18 04:16 --------- d-----w C:\Program Files\Warcraft III
2008-04-16 23:42 --------- d-----w C:\Program Files\Azureus
2008-03-19 23:13 --------- d-----w C:\Documents and Settings\wei cheng\Application Data\Move Networks
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_18.18.05.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 01:12:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-03 19:29:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 107,520 2005-03-18 20:02:04 C:\dell\MEDIAEXE\bak\PreODM.EXE

----a-w 50,528 2007-09-29 20:22:35 C:\Program Files\AIM6\bak\aim6.exe
----a-w 50,528 2008-01-03 16:15:06 C:\Program Files\AIM6\aim6.exe

----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 460,784 2007-03-15 18:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 950,272 2005-04-05 21:41:18 C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe

----a-w 53,248 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

----a-w 131,072 2004-09-14 13:50:48 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 98,304 2005-05-24 22:39:13 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-11-15 07:43:10 C:\Program Files\QuickTime\QTTask.exe

----a-w 26,112 2005-05-24 22:38:44 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

----a-w 126,976 2005-01-23 21:31:34 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 77,824 2005-09-20 16:32:24 C:\WINDOWS\system32\hkcmd.exe

----a-w 155,648 2005-01-23 21:36:10 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 94,208 2005-09-20 16:35:40 C:\WINDOWS\system32\igfxtray.exe

----a-w 45,056 2002-07-11 14:31:56 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 19:00 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 10:31]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-30 10:55]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-20 23:17]
S3 Revolution1;Revolution1;C:\Documents and Settings\wei cheng\Desktop\Revolution Engine 8.3 ShaK3\SHAK3.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 11:11]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 11:11]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 11:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 15:25:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 12:43:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-03 12:46:23
ComboFix-quarantined-files.txt 2008-05-03 19:45:54
ComboFix2.txt 2008-05-03 06:02:56
ComboFix3.txt 2008-05-01 01:18:24

Pre-Run: 14,623,436,800 bytes free
Post-Run: 14,611,644,416 bytes free

161 --- E O F --- 2008-04-19 10:05:55

Here's another HJT just in case :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:30 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\3ivx\3ivx MPEG-4 5.0.1\3ivxRegister.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117241978421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4956 bytes
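As an added example (not code from the FindAWF tool, ComboFix or anyone in this thread), here is a Python parser for the "Duplicate files of bak directory contents" block of a FindAWF report as posted above: it pairs every copy under a `bak` folder with the file of the same name one directory up and flags the pairs whose sizes differ. The report lines embedded in it are a constructed excerpt of the one posted.

```python
"""Pair FindAWF 'bak' backups with the live executables they shadow.

Added example, not part of the FindAWF tool or of this thread. It reads
the "Duplicate files of bak directory contents" block of a FindAWF report
(one "<size> <Mon> <day> <year> "<path>"" line per file) and, for each
file sitting under a \\bak\\ folder, looks up the same file name in the
parent directory. A live copy whose size differs from its backup is a
lead worth a scanner check; an equal size is reported as consistent.
"""
import re

# Constructed excerpt of the duplicate-files section posted in the thread.
SAMPLE_REPORT = """\
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50528 Jan 3 2008 "C:\\Program Files\\AIM6\\aim6.exe"
50528 Sep 29 2007 "C:\\Program Files\\AIM6\\bak\\aim6.exe"
286720 Nov 15 2007 "C:\\Program Files\\QuickTime\\QTTask.exe"
98304 May 24 2005 "C:\\Program Files\\QuickTime\\bak\\qttask.exe"
77824 Sep 20 2005 "C:\\WINDOWS\\system32\\hkcmd.exe"
126976 Jan 23 2005 "C:\\DRIVERS\\VIDEO\\ONBOARD\\HKCMD.EXE"
126976 Jan 23 2005 "C:\\WINDOWS\\system32\\bak\\hkcmd.exe"
26112 May 24 2005 "C:\\Program Files\\Real\\RealPlayer\\bak\\RealPlay.exe"

end of report
"""

# <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_entries(report):
    """Return (size, date, path) tuples from the duplicate-files block."""
    entries = []
    in_block = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_block = True
            continue
        if in_block:
            if line == "end of report":
                break
            m = LINE_RE.match(line)
            if m:  # separator and blank lines simply do not match
                entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def _split(path):
    """Split a Windows path into lower-cased (parent directory, file name)."""
    parent, _, name = path.rpartition("\\")
    return parent.lower(), name.lower()


def pair_bak_files(entries):
    """Match each \\bak\\ copy with the live file one level up.

    Returns {live_path_lowercase: (verdict, bak_size, live_size)} where
    verdict is one of:
      'size-mismatch' : live file differs in size from its backup
      'consistent'    : live file has the same size as its backup
      'live-missing'  : backup exists but nothing of that name is in the parent
    """
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    results = {}
    for size, _date, path in entries:
        parent, name = _split(path)
        if not parent.endswith("\\bak"):
            continue
        live_key = parent[: -len("\\bak")] + "\\" + name
        live = by_path.get(live_key)
        if live is None:
            results[live_key] = ("live-missing", size, None)
        elif live[0] != size:
            results[live_key] = ("size-mismatch", size, live[0])
        else:
            results[live_key] = ("consistent", size, live[0])
    return results


def leads(report):
    """Sorted live paths whose size differs from their bak backup."""
    paired = pair_bak_files(parse_entries(report))
    return sorted(p for p, (v, _, _) in paired.items() if v == "size-mismatch")


if __name__ == "__main__":
    paired = pair_bak_files(parse_entries(SAMPLE_REPORT))
    for path, (verdict, bak_size, live_size) in sorted(paired.items()):
        print(f"{verdict:14} bak={bak_size:>8} live={live_size!s:>8}  {path}")
```

A mismatch is a lead, not a verdict: the differing copies in this thread were submitted to Jotti and came back clean, which is the right next step for any file the script lists.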

#12 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 05 May 2008 - 09:18 AM

Hi

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\Program Files\AIM6\aim6.exe
  • Click on the submit button
  • Please post the results in your next reply.
  • Repeat for these: C:\Program Files\AIM6\bak\aim6.exe
    C:\DRIVERS\VIDEO\ONBOARD\HKCMD.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe
  • If Jotti's too busy, try on VirusTotal

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#13 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts

Posted 06 May 2008 - 12:40 AM

All found nothing for all 4 files.


Computer seems to be running fine now. I don't get any more pop-ups, and the Security System Control Panel is gone.


All seems well!

#14 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 06 May 2008 - 03:48 AM

Hello,

Can you please post a new HijackThis log?

Thanks
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#15 xDestry

xDestry
  • Topic Starter

  • Members
  • 11 posts

Posted 06 May 2008 - 09:07 PM

Here you go, thanks again!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:59 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117241978421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5138 bytes
