Vundo Variant?


  • This topic is locked
3 replies to this topic

#1 hexed

  • Members
  • 2 posts

Posted 15 May 2008 - 11:20 AM

Computer running extremely slow. Sometimes hangs during logon. Constant popups. Uploaded tulcysrh.dll to VirusTotal; flagged as Vundo and/or rootkit. VundoFix is unable to detect it. DSS extra.txt attached. DSS main.txt log:

Deckard's System Scanner v20071014.68
Run by Becky on 2008-05-15 11:46:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
73: 2008-05-15 15:46:26 UTC - RP85 - Deckard's System Scanner Restore Point
72: 2008-05-15 15:09:35 UTC - RP84 - Last known good configuration
71: 2008-05-15 15:09:29 UTC - RP83 - Restore Operation
70: 2008-05-15 15:09:29 UTC - RP82 - Last known good configuration
69: 2008-05-15 15:09:28 UTC - RP81 - ComboFix created restore point


-- First Restore Point --
1: 2008-05-15 15:09:20 UTC - RP13 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Becky.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:18 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ni_nic.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Becky\My Documents\My Downloads\dss.exe
C:\DOCUME~1\MIKE-H~1\MYDOCU~1\DOWNLO~1\Becky.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tampabay.rr.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {3F6634F9-8D07-40EF-9C88-A09042C35D54} - C:\WINDOWS\system32\tULcYsRh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\mLeDtqoM.dll (file missing)
O2 - BHO: (no name) - {D7D314C9-893D-4005-8D4C-9D77FDF1B673} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: {d606b16d-3871-956b-0e44-da8e74c1f0cf} - {fc0f1c47-e8ad-44e0-b659-1783d61b606d} - C:\WINDOWS\system32\nxecimak.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [70e9a3d9] rundll32.exe "C:\WINDOWS\system32\kojpxrfj.dll",b
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [BM73da9045] Rundll32.exe "C:\WINDOWS\system32\tlchsvcp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZKxdm021MWUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1CD4FAEE-09F6-4B77-8A49-EF2A9EBC8D46} (RSUpCtrl Control) - http://rsup.net/cab/rsupctrl.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197409496520
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: mLeDtqoM - mLeDtqoM.dll (file missing)
O20 - Winlogon Notify: mljhhig - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel Client Instrumentation for DMI (ni_nic) - Intel® Corporation - C:\WINDOWS\system32\ni_nic.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Becky\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

--
End of file - 10306 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\MIKE-H~1\MYDOCU~1\DOWNLO~1\backups\) --

backup-20080515-091208-199 O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Becky\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
backup-20080515-091208-360 O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
backup-20080515-091208-580 O4 - HKLM\..\Run: [BM73da9045] Rundll32.exe "C:\WINDOWS\system32\hagsgebb.dll",s
backup-20080515-091208-663 O4 - HKLM\..\Run: [70e9a3d9] rundll32.exe "C:\WINDOWS\system32\kojpxrfj.dll",b
backup-20080515-091208-694 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
backup-20080515-091208-755 O4 - HKCU\..\Run: [BM73da9045] Rundll32.exe "C:\WINDOWS\system32\tlchsvcp.dll",s
backup-20080515-093616-200 O16 - DPF: {1CD4FAEE-09F6-4B77-8A49-EF2A9EBC8D46} (RSUpCtrl Control) - http://rsup.net/cab/rsupctrl.cab
backup-20080515-093616-346 O4 - HKLM\..\Run: [BM73da9045] Rundll32.exe "C:\WINDOWS\system32\hagsgebb.dll",s
backup-20080515-093617-653 O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
backup-20080515-093617-811 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
backup-20080515-093617-830 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 IdeBusDr - c:\windows\system32\drivers\idebusdr.sys <Not Verified; Intel Corporation; Intel Application Accelerator Driver>
R0 IdeChnDr (Intel® Ultra ATA Controller) - c:\windows\system32\drivers\idechndr.sys <Not Verified; Intel Corporation; Intel Application Accelerator Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>

S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; Avanquest Software; BVRPNDIS Rawether for Windows>
S3 RT73 (Belkin USB Network Adapter) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Fix-It Task Manager - c:\progra~1\vcom\fix-it\mxtask.exe -service <Not Verified; Avanquest Publishing USA, Inc.; >
R2 ni_nic (Intel Client Instrumentation for DMI) - c:\windows\system32\ni_nic.exe <Not Verified; Intel® Corporation; Intel® DMI 2.0 Instrumenation loader for Windows NT>
R2 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>

S2 SessionLauncher - c:\docume~1\becky\locals~1\temp\dx9\sessionlauncher.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 11:01:47 0 d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-05-15 10:46:43 0 d-------- C:\Documents and Settings\Becky\Application Data\VCOM
2008-05-15 08:37:10 3379200 --a------ C:\Documents and Settings\Mike - Home\ntuser.dat
2008-05-15 08:37:10 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-05-15 08:36:45 815 --ahs---- C:\WINDOWS\system32\hRsYcLUt.ini2
2008-05-15 08:17:29 68096 --a------ C:\WINDOWS\zip.exe
2008-05-15 08:17:29 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-15 08:17:29 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-15 08:17:29 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-15 08:17:29 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-15 08:17:29 98816 --a------ C:\WINDOWS\sed.exe
2008-05-15 08:17:29 80412 --a------ C:\WINDOWS\grep.exe
2008-05-15 08:17:29 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-15 08:12:17 0 dr-hs---- C:\cmdcons
2008-05-15 08:12:15 0 d-------- C:\WINDOWS\setup.pss
2008-05-15 08:12:02 0 d-------- C:\WINDOWS\setupupd
2008-05-15 07:26:28 0 d-------- C:\VundoFix Backups
2008-05-14 17:51:10 2112 --a------ C:\WINDOWS\system32\ridxnubs.exe
2008-05-14 17:51:05 94272 --a------ C:\WINDOWS\system32\kojpxrfj.dll
2008-05-14 17:50:14 115776 --a------ C:\WINDOWS\system32\nxecimak.dll
2008-05-14 17:46:11 108096 --a------ C:\WINDOWS\system32\pymhbhwp.dll
2008-05-14 16:38:25 0 d-------- C:\WINDOWS\5158974E2D28401893357694C2974746.TMP
2008-05-14 16:30:11 0 d-------- C:\Documents and Settings\NetworkService\Application Data\VCOM
2008-05-14 16:27:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\VCOM
2008-05-14 16:23:42 0 dr-hs---- C:\_Backup.RC
2008-05-14 16:23:39 0 d--h----- C:\VCOM
2008-05-14 16:23:18 0 d-------- C:\Documents and Settings\Mike - Home\Application Data\VCOM
2008-05-14 16:22:49 0 d-------- C:\Program Files\VCOM
2008-05-14 16:16:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 16:16:17 94272 --a------ C:\WINDOWS\system32\dctotovs.dll
2008-05-14 16:13:24 115776 --a------ C:\WINDOWS\system32\udutspre.dll
2008-05-14 16:10:40 2112 --a------ C:\WINDOWS\system32\gymicgqo.exe
2008-05-14 16:10:32 108096 --a------ C:\WINDOWS\system32\tlchsvcp.dll
2008-05-13 16:15:56 2112 --a------ C:\WINDOWS\system32\ckwyhqmm.exe
2008-05-13 16:10:12 115776 --a------ C:\WINDOWS\system32\pbhpsuts.dll
2008-05-12 16:39:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-12 16:39:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-12 16:37:42 0 d--hs---- C:\WINDOWS\CSC
2008-05-12 16:33:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-12 16:33:31 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-12 16:33:05 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-12 16:29:41 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-12 16:09:40 2112 --a------ C:\WINDOWS\system32\syixkwew.exe
2008-05-12 16:08:18 370688 --a------ C:\WINDOWS\system32\tULcYsRh.dll
2008-05-12 16:03:50 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-12 16:03:33 401972 --a------ C:\WINDOWS\system32\g63.exe
2008-05-12 16:03:28 0 d--hs---- C:\WINDOWS\TWlrZSBIb2dhbg
2008-05-12 16:03:24 0 d-------- C:\Program Files\winvi
2008-05-12 16:03:22 0 d-------- C:\WINDOWS\system32\winRem
2008-05-12 16:03:22 0 d-------- C:\WINDOWS\system32\spoolX
2008-05-12 16:03:22 0 d-------- C:\WINDOWS\system32\MUI2
2008-05-12 16:03:22 0 d-------- C:\WINDOWS\system32\1036a
2008-05-12 16:03:20 0 d-------- C:\WINDOWS\system32\dFrnx05
2008-05-12 16:03:19 0 d-------- C:\Temp
2008-05-12 15:39:19 0 d-------- C:\Documents and Settings\Becky\Application Data\Subversion
2008-05-12 13:32:29 0 d-------- C:\Program Files\FrostWire
2008-05-12 13:29:55 0 d-------- C:\My Downloads
2008-05-12 13:29:55 0 d-------- C:\Documents and Settings\Becky\Application Data\iMesh
2008-05-11 20:32:57 0 d-------- C:\Documents and Settings\Mike - Home\Application Data\MySpace
2008-05-09 14:41:14 0 d-------- C:\Documents and Settings\Becky\Application Data\XLink Kai
2008-05-07 08:12:45 0 d-------- C:\Documents and Settings\Mike - Home\Application Data\XLink Kai
2008-05-07 07:51:37 0 d-------- C:\Documents and Settings\Mike - Home\Application Data\FileZilla
2008-05-06 16:45:38 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-06 12:56:44 0 d-------- C:\Documents and Settings\Mike - Home\Application Data\WinRAR
2008-05-05 19:46:25 0 d-------- C:\Documents and Settings\Mike - Home\Application Data\Roxio
2008-05-03 09:58:36 0 d-------- C:\Program Files\SkillSoft
2008-04-25 21:26:34 0 d-------- C:\Documents and Settings\Becky\Application Data\MySpace
2008-04-25 21:26:28 0 d-------- C:\Program Files\MySpace
2008-04-22 13:36:14 0 d-------- C:\Documents and Settings\Becky\Application Data\Xbins
2008-04-17 15:06:27 0 d-------- C:\Documents and Settings\Becky\.zenmap
2008-04-16 19:12:52 0 d-------- C:\Downloads
2008-04-15 07:32:39 0 d-------- C:\WINDOWS\system32\UNINSTALL
2008-04-15 07:32:38 45056 -ra------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-15 07:32:38 16512 -ra------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Find3M Report ---------------------------------------------------------------

2008-05-15 11:25:04 0 d-------- C:\Documents and Settings\Becky\Application Data\Adobe
2008-05-14 16:16:52 0 d-------- C:\Program Files\Common Files
2008-05-14 16:06:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-14 16:05:37 0 d-------- C:\Program Files\Foxit Software
2008-05-12 15:39:47 0 d-------- C:\Documents and Settings\Becky\Application Data\uTorrent
2008-05-12 15:27:59 0 d-------- C:\Documents and Settings\Becky\Application Data\FileZilla
2008-05-08 11:09:50 0 d-------- C:\Program Files\uTorrent
2008-05-05 10:50:16 0 d-------- C:\Program Files\FileZilla FTP Client
2008-04-19 07:55:38 0 d-------- C:\Documents and Settings\Becky\Application Data\Roxio
2008-04-13 21:25:12 0 d-------- C:\Program Files\Bomgar
2008-04-02 17:04:03 0 d-------- C:\Documents and Settings\Becky\Application Data\CoreFTP
2008-03-31 13:21:08 0 d-------- C:\Documents and Settings\Becky\Application Data\VMware
2008-03-26 14:43:59 0 d-------- C:\Program Files\Java
2008-03-24 17:47:25 0 -r-hs---- C:\config.sys
2008-03-22 20:05:21 19 --a------ C:\WINDOWS\popcinfot.dat
2008-03-20 14:57:56 0 d-------- C:\Program Files\InterActual
2008-03-20 14:45:19 0 d-------- C:\Program Files\Roxio
2008-03-20 14:44:43 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-20 14:44:27 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-20 14:37:21 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-18 18:16:05 0 d-------- C:\Program Files\Lexmark X74-X75
2008-03-16 17:36:22 0 --a------ C:\WINDOWS\popcreg.dat
2008-02-27 11:03:11 41724 ---hs---- C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
2008-02-16 23:55:04 192512 --a------ C:\WINDOWS\system32\NSNPShel.dll <Not Verified; Bomgar Corp.; Bomgar NetPush Shell Extension>
2008-02-16 03:39:19 1158 --a------ C:\WINDOWS\mozver.dat
2008-02-16 03:36:45 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 05:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F6634F9-8D07-40EF-9C88-A09042C35D54}]
05/12/2008 04:08 PM 370688 --a------ C:\WINDOWS\system32\tULcYsRh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
C:\WINDOWS\system32\mLeDtqoM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7D314C9-893D-4005-8D4C-9D77FDF1B673}]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc0f1c47-e8ad-44e0-b659-1783d61b606d}]
05/14/2008 05:50 PM 115776 --a------ C:\WINDOWS\system32\nxecimak.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/02/2002 07:00 AM C:\WINDOWS\SOUNDMAN.EXE]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 10:34 PM]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [08/22/2007 05:31 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [10/14/2002 03:09 PM]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [08/14/2007 03:44 AM]
"70e9a3d9"="C:\WINDOWS\system32\kojpxrfj.dll" [05/14/2008 05:51 PM]
"VirusScannerPro"="C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [09/07/2006 07:28 PM]
"BM73da9045"="C:\WINDOWS\system32\tlchsvcp.dll" [05/14/2008 04:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 07:27 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Becky\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 9:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3/11/2007 10:26:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\mLeDtqoM.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mLeDtqoM]
mLeDtqoM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhhig]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tULcYsRh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70e9a3d9]
rundll32.exe "C:\WINDOWS\system32\njexdqjl.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM73da9045]
Rundll32.exe "C:\WINDOWS\system32\vuquapdy.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTV Agent]
C:\Program Files\HTV\HTV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f786262-d5ae-11dc-a1bb-001b2fd020a5}]
AutoRun\command- G:\Setup.exe -auto

*Newly Created Service* - NMSCFG
*Newly Created Service* - PROCEXP111



-- End of Deckard's System Scanner: finished at 2008-05-15 11:50:08 ------------
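The log above shows the usual Vundo footprint in one place: "(no name)" BHOs pointing at random eight-letter DLLs in system32, HKLM Run entries that load such a DLL through rundll32 with a one-letter export, a Winlogon Notify package whose file is gone, and an LSA "Authentication Packages" value that lists C:\WINDOWS\system32\tULcYsRh next to msv1_0 (anything in that value is loaded into lsass.exe at boot, so the DLL is mapped before any user logs on). The following Python script is an added example for this thread, not code from BleepingComputer, the posters, or any of the tools named here. It parses the HijackThis and DSS line formats seen above and reports those four persistence patterns. The baseline set of Winlogon Notify packages, the msv1_0-only LSA baseline, and the eight-letter random-name test are assumptions made for the example; the sample lines are copied from the log in this post.

```python
"""Triage helper for HijackThis / DSS log lines (added example, not a forum tool).

Flags the persistence mechanisms visible in the log above:
  * O2  BHOs with "(no name)" or a GUID where the name should be
  * O4  Run entries that load a DLL via rundll32 with a one-letter export
  * O20 Winlogon Notify packages outside a baseline set, or with the file missing
  * LSA "Authentication Packages" listing anything besides msv1_0
The baselines and the 8-letter random-name test are assumptions for this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule path line")

# Assumed baselines (example assumption, not from the thread): a stock XP SP2 box.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RE_BHO = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>\S.*?)(?: \(file missing\))?$')
RE_RUN = re.compile(r'^O4 - (?P<hive>HK[^:]+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$')
RE_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+)"?,(?P<export>\S+)$', re.I)
RE_NOTIFY = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?: \(file missing\))?$')
RE_LSA = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
RE_GUID = re.compile(r'^\{[0-9a-f-]{36}\}$', re.I)


def stem(path):
    """Filename without directory or extension, e.g. tULcYsRh for system32/tULcYsRh.dll."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(name):
    """Vundo-style component names: exactly 8 letters, case-scrambled or unpronounceable."""
    if not re.fullmatch(r"[A-Za-z]{8}", name):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    scrambled = name not in (name.lower(), name.upper(), name.capitalize())
    return scrambled or vowels <= 2 or re.search(r"[^aeiouAEIOU]{4}", name) is not None


def triage(lines):
    """Return Findings for HijackThis/DSS lines in input order; unrecognised lines are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RE_BHO.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name == "(no name)":
                findings.append(Finding("bho-no-name", path, line))
            elif RE_GUID.match(name):
                findings.append(Finding("bho-guid-as-name", path, line))
            elif looks_random(stem(path)):
                findings.append(Finding("bho-random-dll-name", path, line))
            continue
        m = RE_RUN.match(line)
        if m:
            r = RE_RUNDLL.match(m.group("cmd"))
            if r and (len(r.group("export")) == 1 or looks_random(stem(r.group("path")))):
                findings.append(Finding("run-rundll32-loader", r.group("path"), line))
            continue
        m = RE_NOTIFY.match(line)
        if m:
            if m.group("key").lower() not in KNOWN_WINLOGON_NOTIFY or line.endswith("(file missing)"):
                findings.append(Finding("winlogon-notify-unknown", m.group("path"), line))
            continue
        m = RE_LSA.match(line)
        if m:
            for pkg in m.group("pkgs").split():
                if stem(pkg).lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(Finding("lsa-auth-package-extra", pkg, line))
    return findings


# Constructed sample: lines copied from the HijackThis log and DSS registry dump above.
SAMPLE_LOG = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {3F6634F9-8D07-40EF-9C88-A09042C35D54} - C:\WINDOWS\system32\tULcYsRh.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\mLeDtqoM.dll (file missing)
O2 - BHO: {d606b16d-3871-956b-0e44-da8e74c1f0cf} - {fc0f1c47-e8ad-44e0-b659-1783d61b606d} - C:\WINDOWS\system32\nxecimak.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [70e9a3d9] rundll32.exe "C:\WINDOWS\system32\kojpxrfj.dll",b
O4 - HKLM\..\Run: [BM73da9045] Rundll32.exe "C:\WINDOWS\system32\tlchsvcp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: mLeDtqoM - mLeDtqoM.dll (file missing)
O20 - Winlogon Notify: mljhhig - C:\WINDOWS\
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tULcYsRh
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.rule:24} {f.path}")
```

Run against the sample it reports eight findings and stays quiet on the HP, Java and ctfmon lines. The name heuristic is deliberately a tie-breaker, not the main test: nxecimak.dll is pronounceable enough to pass it, and is caught instead because its BHO carries a GUID where a display name should be. Note also that the DSS registry dump and the msconfig startupreg keys name different DLLs for the same Run values (kojpxrfj.dll versus njexdqjl.dll), so the filenames rotate between reboots; match on the loading pattern, not on a particular name.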


#2 hexed

  • Topic Starter

  • Members
  • 2 posts

Posted 15 May 2008 - 01:14 PM

Malware has also disabled Microsoft/Windows Updates; please help.

#3 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 May 2008 - 02:22 AM

Hello hexed,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 May 2008 - 12:20 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic