Virtumonde Infection


  • This topic is locked
19 replies to this topic

#1 Kougarz

  • Members
  • 10 posts
  • Gender:Male
  • Location:Apex, NC

Posted 15 May 2008 - 01:43 PM

Spybot and Ad-Aware recognize it as Virtumonde but neither cleans it completely. Even cleaned out the boot startup stuff in Sysinternals Autoruns and deleted suspect DLL files running in Linux, but they still came back. The pop-ups are so bad I'm entering this from another computer. Ran DSS and then HJT. Here are the logs. Thanks in advance...

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:53 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Temporary\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [BM6f135cf6] Rundll32.exe "C:\WINDOWS\system32\sjlrjpcj.dll",s
O4 - HKLM\..\Run: [6c206f6a] rundll32.exe "C:\WINDOWS\system32\vwxnrqfk.dll",b
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXSelect.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FK - Unknown owner - C:\DOCUME~1\Ed\LOCALS~1\Temp\FK.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


DSS LOG:
Deckard's System Scanner v20071014.68
Run by Ed on 2008-05-15 14:53:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ed.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:30 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Ed\Desktop\dss.exe
C:\TEMPOR~1\Ed.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {2AA0726C-95B7-4216-AA43-B5BDD524892F} - C:\WINDOWS\system32\jkkkIXpm.dll
O2 - BHO: (no name) - {3F0EA630-9DAD-460A-9F95-B0E534862DB9} - C:\WINDOWS\system32\mlJARHbB.dll (file missing)
O2 - BHO: (no name) - {4A564931-5062-498E-9C69-54EAAEA8C2CA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BBBB486-1A72-4711-98D6-2A92FDD846E7} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {84EF105F-C99E-4D5C-A060-A11F542C4687} - (no file)
O2 - BHO: {5e452d85-12ad-4088-79c4-82561c50f8e9} - {9e8f05c1-6528-4c97-8804-da2158d254e5} - C:\WINDOWS\system32\ysmvuyaq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {aeffc368-0294-4f47-aea9-456190b215d1} - (no file)
O2 - BHO: (no name) - {b3bdf1e2-bd31-451d-9846-66a2f6c2d1d9} - (no file)
O2 - BHO: (no name) - {B52D75CC-DB9A-449F-A755-7848056E6F57} - C:\WINDOWS\system32\ddcDVLda.dll (file missing)
O2 - BHO: (no name) - {B795C471-162D-42F6-9133-EF5774060BD8} - (no file)
O2 - BHO: (no name) - {C4BD6AFF-C227-4F83-846F-F35AA93B0E8E} - (no file)
O2 - BHO: (no name) - {dd0b4e3a-1ccf-4020-8083-d9aa84d49eba} - (no file)
O2 - BHO: (no name) - {F0824B18-85A4-4B68-9AA9-4B93D3D25B94} - C:\WINDOWS\system32\qoMdEVOE.dll
O2 - BHO: (no name) - {f85448d5-5235-4c4d-a82d-e850c2d2626e} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [BM6f135cf6] Rundll32.exe "C:\WINDOWS\system32\sjlrjpcj.dll",s
O4 - HKLM\..\Run: [6c206f6a] rundll32.exe "C:\WINDOWS\system32\vwxnrqfk.dll",b
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXSelect.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
O20 - Winlogon Notify: jkkkIXpm - C:\WINDOWS\SYSTEM32\jkkkIXpm.dll
O20 - Winlogon Notify: rqrroop - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FK - Unknown owner - C:\DOCUME~1\Ed\LOCALS~1\Temp\FK.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14513 bytes

-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 13:42:19 0 dr-h----- C:\Documents and Settings\Ed\Recent
2008-05-15 13:31:34 0 d-------- C:\WINDOWS\pss
2008-05-15 13:16:13 133120 --a------ C:\WINDOWS\system32\ysmvuyaq.dll
2008-05-15 13:16:12 2048 --a------ C:\WINDOWS\system32\qcccjfub.exe
2008-05-15 13:12:42 125952 --a------ C:\WINDOWS\system32\sjlrjpcj.dll
2008-05-15 12:16:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 12:16:25 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 11:42:33 133120 --a------ C:\WINDOWS\system32\aijvdccd.dll
2008-05-15 11:37:21 2048 --a------ C:\WINDOWS\system32\geelsmbe.exe
2008-05-15 11:37:13 125952 --a------ C:\WINDOWS\system32\idtwrgnv.dll
2008-05-15 11:05:01 2048 --a------ C:\WINDOWS\system32\hllgoiem.exe
2008-05-15 11:02:10 116736 -----n--- C:\WINDOWS\system32\emcoannf.dll
2008-05-15 11:00:15 133120 --a------ C:\WINDOWS\system32\rctlapky.dll
2008-05-15 11:00:05 125952 --a------ C:\WINDOWS\system32\yypmgssg.dll
2008-05-15 10:55:23 116736 --a------ C:\WINDOWS\system32\rlfvebin.dll
2008-05-15 10:52:34 2048 --a------ C:\WINDOWS\system32\bvchneqv.exe
2008-05-15 10:52:19 125952 --a------ C:\WINDOWS\system32\uwqnsyev.dll
2008-05-15 10:49:21 1032 --ahs---- C:\WINDOWS\system32\EOVEdMoq.ini2
2008-05-15 10:49:02 370176 -----n--- C:\WINDOWS\system32\qoMdEVOE.dll
2008-05-15 10:12:08 133120 --a------ C:\WINDOWS\system32\itkdaupp.dll
2008-05-15 10:12:07 2048 --a------ C:\WINDOWS\system32\fvkbokkm.exe
2008-05-15 10:09:29 116736 -----n--- C:\WINDOWS\system32\pymcvdna.dll
2008-05-15 10:09:11 125952 --a------ C:\WINDOWS\system32\csgcukww.dll
2008-05-15 07:53:41 134144 --a------ C:\WINDOWS\system32\sxbckaiw.dll
2008-05-15 07:50:40 114176 -----n--- C:\WINDOWS\system32\kqvgbqch.dll
2008-05-15 07:47:40 2048 --a------ C:\WINDOWS\system32\waaplyrq.exe
2008-05-15 07:42:32 125440 --a------ C:\WINDOWS\system32\lypmqfji.dll
2008-05-14 18:00:18 133120 --a------ C:\WINDOWS\system32\fveupdci.dll
2008-05-14 17:54:33 2048 --a------ C:\WINDOWS\system32\adkabhte.exe
2008-05-14 17:50:21 126464 --a------ C:\WINDOWS\system32\bjbwktyl.dll
2008-05-14 17:05:21 133120 --a------ C:\WINDOWS\system32\umtvmuvu.dll
2008-05-14 17:00:54 2048 --a------ C:\WINDOWS\system32\dinwaaen.exe
2008-05-14 16:56:33 126464 --a------ C:\WINDOWS\system32\hvfdiytt.dll
2008-05-14 16:36:12 68096 --a------ C:\WINDOWS\zip.exe
2008-05-14 16:36:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-14 16:36:12 98816 --a------ C:\WINDOWS\sed.exe
2008-05-14 16:36:12 80412 --a------ C:\WINDOWS\grep.exe
2008-05-14 16:36:11 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-14 16:36:11 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-14 16:36:11 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-14 16:36:11 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-14 14:14:22 2112 --a------ C:\WINDOWS\system32\enrslyky.exe
2008-05-14 12:55:04 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-14 12:55:04 2539 --a------ C:\WINDOWS\unins000.dat
2008-05-14 10:22:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-14 10:21:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 10:00:06 2112 --a------ C:\WINDOWS\system32\smjodmak.exe
2008-05-14 09:41:14 2112 --a------ C:\WINDOWS\system32\psynohkq.exe
2008-05-13 11:25:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-13 11:13:49 0 d-------- C:\Program Files\SlySoft
2008-05-13 10:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-13 10:01:24 57344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll
2008-05-13 09:49:25 0 d-------- C:\Program Files\Elaborate Bytes
2008-05-12 23:05:02 0 d-------- C:\WINDOWS\Sun
2008-05-12 23:05:02 0 d-------- C:\Documents and Settings\Ed\Application Data\Sun
2008-05-12 23:04:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-12 23:04:34 0 d-------- C:\Program Files\Google
2008-05-12 23:03:31 0 d-------- C:\Program Files\Java
2008-05-12 23:01:43 0 d-------- C:\Program Files\Common Files\Java


-- Find3M Report ---------------------------------------------------------------

2008-05-15 13:40:04 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2008-05-15 13:40:04 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2008-05-14 12:32:22 0 d-------- C:\Program Files\McAfee
2008-05-14 10:22:27 0 d-------- C:\Program Files\Lavasoft
2008-05-14 10:21:35 0 d-------- C:\Program Files\Common Files
2008-05-14 10:00:09 0 d-------- C:\Program Files\Apollo iPod Video Converter
2008-05-12 23:25:18 0 d-------- C:\Program Files\ImageSplitter
2008-05-12 23:23:27 0 d-------- C:\Program Files\Quicken


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
05/13/2008 10:01 AM 57344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F0EA630-9DAD-460A-9F95-B0E534862DB9}]
C:\WINDOWS\system32\mlJARHbB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A564931-5062-498E-9C69-54EAAEA8C2CA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BBBB486-1A72-4711-98D6-2A92FDD846E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84EF105F-C99E-4D5C-A060-A11F542C4687}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9e8f05c1-6528-4c97-8804-da2158d254e5}]
05/15/2008 01:16 PM 133120 --a------ C:\WINDOWS\system32\ysmvuyaq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aeffc368-0294-4f47-aea9-456190b215d1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3bdf1e2-bd31-451d-9846-66a2f6c2d1d9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B52D75CC-DB9A-449F-A755-7848056E6F57}]
C:\WINDOWS\system32\ddcDVLda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B795C471-162D-42F6-9133-EF5774060BD8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BD6AFF-C227-4F83-846F-F35AA93B0E8E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd0b4e3a-1ccf-4020-8083-d9aa84d49eba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0824B18-85A4-4B68-9AA9-4B93D3D25B94}]
05/15/2008 10:49 AM 370176 --------- C:\WINDOWS\system32\qoMdEVOE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f85448d5-5235-4c4d-a82d-e850c2d2626e}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [02/07/2002 07:01 PM C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [10/04/2001 01:00 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 12:03 PM C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"Tweak UI"="TWEAKUI.CPL" [06/18/2000 02:03 PM C:\WINDOWS\system32\TWEAKUI.CPL]
"WD Button Manager"="WDBtnMgr.exe" [05/18/2007 10:50 AM C:\WINDOWS\system32\WDBtnMgr.exe]
"RegistryMechanic"="" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/22/2006 11:24 PM]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [03/20/2007 04:40 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 11:56 AM]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [09/26/2005 08:34 PM]
"BM6f135cf6"="C:\WINDOWS\system32\sjlrjpcj.dll" [05/15/2008 01:12 PM]
"6c206f6a"="C:\WINDOWS\system32\vwxnrqfk.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [09/11/2006 01:23 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:56 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [5/16/2007 11:15:18 PM]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [10/23/2006 12:01:50 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\jkkkIXpm.dll [05/13/2008 10:01 AM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
jkkkIXpm.dll 05/13/2008 10:01 AM 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkIXpm]
jkkkIXpm.dll 05/13/2008 10:01 AM 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrroop]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMdEVOE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6c206f6a]
rundll32.exe "C:\WINDOWS\system32\nekcinnh.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6f135cf6]
Rundll32.exe "C:\WINDOWS\system32\sjlrjpcj.dll",s

*Newly Created Service* - NMSCFG



-- End of Deckard's System Scanner: finished at 2008-05-15 14:54:56 ------------

Edited by Kougarz, 15 May 2008 - 02:42 PM.
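The registry dump above shows the pattern the helpers in this thread look for: the same few randomly named DLLs registered as Browser Helper Objects, as Winlogon\Notify handlers, as a ShellExecuteHook, and as an extra LSA authentication package beside msv1_0, plus Run values with hex-blob names. The script below is an added example (not code from the thread, from Deckard's System Scanner or from any other tool named here) that parses a constructed excerpt in the DSS dump format and flags those load points; the allowlists in it are assumptions for the sample, not a full clean baseline.

```python
"""Triage the Registry Dump section of a DSS-style log for Virtumonde-like
load points. Added example, not code from the thread or from any tool it names;
the allowlists are assumptions for the constructed sample, not a full baseline."""
import re
from typing import Dict, List, Tuple

# Value lines in the dump look like: "Name"="Target" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"')
# A DLL path component: ...\stem.dll
DLL_RE = re.compile(r'\\(?P<stem>[^\\\s"\[\]]+)\.dll\b', re.IGNORECASE)
# Run value names of the kind the dump shows: a hex blob, optionally BM-prefixed
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8,}$')

LSA_DEFAULT_PACKAGES = {"msv1_0"}  # stock XP "Authentication Packages" value
NOTIFY_ALLOWLIST = {               # assumption: common XP Winlogon\Notify subkeys
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "autorunsdisabled",
}
DLL_ALLOWLIST = {"nvcpl", "nvmctray", "browseui"}  # assumption: partial, sample only

# Constructed excerpt in DSS dump format, modelled on the entries posted above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
05/13/2008 10:01 AM 57344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9e8f05c1-6528-4c97-8804-da2158d254e5}]
05/15/2008 01:16 PM 133120 --a------ C:\WINDOWS\system32\ysmvuyaq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"BM6f135cf6"="C:\WINDOWS\system32\sjlrjpcj.dll" [05/15/2008 01:12 PM]
"6c206f6a"="C:\WINDOWS\system32\vwxnrqfk.dll" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\jkkkIXpm.dll [05/13/2008 10:01 AM 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkIXpm]
jkkkIXpm.dll 05/13/2008 10:01 AM 57344 C:\WINDOWS\system32\jkkkIXpm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMdEVOE
"""


def parse_registry_dump(text: str) -> Dict[str, List[str]]:
    """Group each non-empty line under the [key] header that precedes it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current = line.strip("[]")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def looks_random(stem: str) -> bool:
    """Cheap heuristic for the names in the dump: exactly 8 letters, no digits."""
    return len(stem) == 8 and stem.isalpha() and stem.lower() not in DLL_ALLOWLIST


def triage(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (load point, item, reason) for entries worth a closer look."""
    findings = []
    for key, lines in sections.items():
        lkey = key.lower()
        if "browser helper objects" in lkey:
            for line in lines:
                for stem in DLL_RE.findall(line):
                    if looks_random(stem):
                        findings.append(("BHO", stem + ".dll", "random-looking DLL name"))
        elif lkey.endswith("\\currentversion\\run"):
            for line in lines:
                m = RUN_RE.match(line)
                if not m:
                    continue
                dll = DLL_RE.search(m.group("target"))
                if HEX_NAME_RE.match(m.group("name")):
                    findings.append(("Run", m.group("name"), "hex-like value name"))
                elif dll and looks_random(dll.group("stem")):
                    findings.append(("Run", m.group("name"), "loads random-looking DLL"))
        elif "\\winlogon\\notify\\" in lkey:
            sub = key.rsplit("\\", 1)[1]  # DSS prints one key per Notify handler
            if sub.lower() not in NOTIFY_ALLOWLIST:
                findings.append(("WinlogonNotify", sub, "non-default Notify subkey"))
        elif lkey.endswith("\\control\\lsa"):
            for line in lines:
                if line.lower().startswith('"authentication packages"'):
                    for pkg in line.split("=", 1)[1].split():
                        if pkg.lower() not in LSA_DEFAULT_PACKAGES:
                            findings.append(("LSA", pkg, "non-default authentication package"))
    return findings


def dll_load_point_counts(sections: Dict[str, List[str]]) -> Dict[str, int]:
    """Distinct keys referencing each DLL; reuse across load points is a strong signal."""
    refs: Dict[str, set] = {}
    for key, lines in sections.items():
        for line in lines:
            for stem in DLL_RE.findall(line):
                refs.setdefault(stem.lower(), set()).add(key)
    return {stem: len(keys) for stem, keys in refs.items()}


if __name__ == "__main__":
    secs = parse_registry_dump(SAMPLE_DUMP)
    for point, item, reason in triage(secs):
        print(f"{point:<15}{item:<40}{reason}")
    print({s: n for s, n in dll_load_point_counts(secs).items() if n > 1})
```

On the sample the stock NVIDIA Run entry passes while every randomly named DLL, the empty leftover Notify subkey and the extra LSA package are reported, and jkkkIXpm.dll is shown to be hooked from three separate load points.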



#2 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:01:06 PM

Posted 15 May 2008 - 07:14 PM

Hi, welcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page on your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in Portuguese

#3 Kougarz

Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Apex, NC
  • Local time:12:06 PM

Posted 16 May 2008 - 07:32 AM

Renato,

thx for your assistance... I'll hold tight until you get back with specific instructions.

Kougarz

#4 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:01:06 PM

Posted 17 May 2008 - 10:31 AM

Hi,

Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable Spybot-S&D for the duration of your malware cleanup. It may be the case that this program will automatically restart upon reboot; it will be necessary to repeat these disabling steps as required. Once we have successfully removed all of the malware in your system, it is important that you re-enable it once again to prevent future reinfection.
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left-hand side, click on Tools.
  • Then click on the Resident icon in the list.
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.
Next

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review, but you have to rename HijackThis BEFORE making the log (right-click on Hijackthis.exe and select 'Rename', then rename it to filter.exe).
Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
Renato Victor Mejias
Malware help in Portuguese

#5 Kougarz

Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Apex, NC
  • Local time:12:06 PM

Posted 18 May 2008 - 09:13 AM

thx!

Did as instructed... please find the combofix and HJT logs below.

ComboFix 08-05-15.3 - Ed 2008-05-17 14:57:03.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.339 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adkabhte.exe
C:\WINDOWS\system32\bvchneqv.exe
C:\WINDOWS\system32\dinwaaen.exe
C:\WINDOWS\system32\enrslyky.exe
C:\WINDOWS\system32\EOVEdMoq.ini
C:\WINDOWS\system32\EOVEdMoq.ini2
C:\WINDOWS\system32\fnnaocme.ini
C:\WINDOWS\system32\fvkbokkm.exe
C:\WINDOWS\system32\geelsmbe.exe
C:\WINDOWS\system32\goffrgdx.ini
C:\WINDOWS\system32\hgxttgbq.exe
C:\WINDOWS\system32\hllgoiem.exe
C:\WINDOWS\system32\hnnicken.ini
C:\WINDOWS\system32\nibevflr.ini
C:\WINDOWS\system32\psynohkq.exe
C:\WINDOWS\system32\qcccjfub.exe
C:\WINDOWS\system32\smjodmak.exe
C:\WINDOWS\system32\waaplyrq.exe
C:\WINDOWS\system32\ywmwmbcm.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 15:03 . 2008-05-17 15:04 22 --a------ C:\WINDOWS\pskt.ini
2008-05-17 13:25 . 2008-05-17 13:25 134,144 --a------ C:\WINDOWS\system32\iapiqsoy.dll
2008-05-17 13:25 . 2008-05-17 13:25 125,952 --a------ C:\WINDOWS\system32\hktfrmdr.dll
2008-05-16 11:59 . 2008-05-16 11:59 135,680 --a------ C:\WINDOWS\system32\kknwijlg.dll
2008-05-16 11:59 . 2008-05-16 11:59 125,952 --a------ C:\WINDOWS\system32\uupotuyl.dll
2008-05-15 13:16 . 2008-05-15 13:16 133,120 --a------ C:\WINDOWS\system32\ysmvuyaq.dll
2008-05-15 13:12 . 2008-05-15 13:12 <DIR> d-------- C:\Deckard
2008-05-15 13:12 . 2008-05-15 13:12 125,952 --a------ C:\WINDOWS\system32\sjlrjpcj.dll
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 11:42 . 2008-05-15 11:42 133,120 --a------ C:\WINDOWS\system32\aijvdccd.dll
2008-05-15 11:37 . 2008-05-15 11:37 125,952 --a------ C:\WINDOWS\system32\idtwrgnv.dll
2008-05-15 11:02 . 2008-05-15 11:02 116,736 --------- C:\WINDOWS\system32\emcoannf.dll
2008-05-15 11:00 . 2008-05-15 11:00 133,120 --a------ C:\WINDOWS\system32\rctlapky.dll
2008-05-15 11:00 . 2008-05-15 11:00 125,952 --a------ C:\WINDOWS\system32\yypmgssg.dll
2008-05-15 10:55 . 2008-05-15 10:55 116,736 --a------ C:\WINDOWS\system32\rlfvebin.dll
2008-05-15 10:52 . 2008-05-15 10:52 125,952 --a------ C:\WINDOWS\system32\uwqnsyev.dll
2008-05-15 10:49 . 2008-05-15 10:49 370,176 --------- C:\WINDOWS\system32\qoMdEVOE.dll
2008-05-15 10:12 . 2008-05-15 10:12 133,120 --a------ C:\WINDOWS\system32\itkdaupp.dll
2008-05-15 10:09 . 2008-05-15 10:09 125,952 --a------ C:\WINDOWS\system32\csgcukww.dll
2008-05-15 10:09 . 2008-05-15 10:09 116,736 --------- C:\WINDOWS\system32\pymcvdna.dll
2008-05-15 09:33 . 2008-05-15 09:33 370,176 --a------ C:\WINDOWS\system32\mlJARHbB.dll_old
2008-05-15 07:53 . 2008-05-15 07:53 134,144 --a------ C:\WINDOWS\system32\sxbckaiw.dll
2008-05-15 07:50 . 2008-05-15 07:50 114,176 --------- C:\WINDOWS\system32\kqvgbqch.dll
2008-05-15 07:42 . 2008-05-15 07:42 125,440 --a------ C:\WINDOWS\system32\lypmqfji.dll
2008-05-14 18:00 . 2008-05-14 18:00 133,120 --a------ C:\WINDOWS\system32\fveupdci.dll
2008-05-14 17:52 . 2008-05-14 19:10 594 --ahs---- C:\WINDOWS\system32\kfqrnxwv.ini
2008-05-14 17:50 . 2008-05-14 17:50 126,464 --a------ C:\WINDOWS\system32\bjbwktyl.dll
2008-05-14 17:44 . 2008-05-14 17:44 294 --ahs---- C:\WINDOWS\system32\ylftoqop.ini
2008-05-14 17:05 . 2008-05-14 17:05 133,120 --a------ C:\WINDOWS\system32\umtvmuvu.dll
2008-05-14 16:56 . 2008-05-14 16:56 126,464 --a------ C:\WINDOWS\system32\hvfdiytt.dll
2008-05-14 10:22 . 2008-05-17 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-14 09:37 . 2008-05-17 15:04 109,803 --a------ C:\WINDOWS\BM6f135cf6.xml
2008-05-13 11:25 . 2008-05-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-13 11:13 . 2008-05-13 11:13 <DIR> d-------- C:\Program Files\SlySoft
2008-05-13 10:28 . 2008-05-13 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-13 10:28 . 2008-05-14 09:56 83 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-05-13 10:01 . 2008-05-13 10:01 57,344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll
2008-05-13 09:51 . 2008-05-13 11:25 48 ---hs---- C:\WINDOWS\SE6D13403.tmp
2008-05-13 09:49 . 2008-05-14 10:02 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-05-12 23:05 . 2008-05-12 23:05 <DIR> d-------- C:\WINDOWS\Sun
2008-05-12 23:04 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Google
2008-05-12 23:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-12 23:03 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Java
2008-05-12 23:01 . 2008-05-12 23:01 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 17:27 --------- d-----w C:\Program Files\Lavasoft
2008-05-17 17:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:02 --------- d-----w C:\Program Files\McAfee
2008-05-14 14:00 --------- d-----w C:\Program Files\Apollo iPod Video Converter
2008-05-13 03:25 --------- d-----w C:\Program Files\ImageSplitter
2008-05-13 03:23 --------- d-----w C:\Program Files\Quicken
2007-07-03 17:48 2,917 ----a-w C:\Documents and Settings\Ed\Application Data\SAS7_000.DAT
2007-01-10 15:29 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLeh.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2007-05-18 13:48 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-03 22:56 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-03 17:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB884020$\tcpip.sys
2004-08-13 18:50 359040 4092c56967175f009dc8458dc434358e C:\WINDOWS\$NtUninstallKB889527$\tcpip.sys
2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-05-14_16.59.42.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 20:50:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 19:02:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 18:03:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-14 18:03:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2008-01-19 03:34:28 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
- 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2008-01-19 03:35:26 280,064 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
- 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2008-01-19 03:34:28 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
- 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2008-01-19 03:35:28 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
- 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2008-01-19 03:34:30 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
- 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2008-01-19 03:35:28 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
- 2006-11-02 09:46:11 79,872 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZPRLHN.DLL
+ 2008-01-19 03:35:30 79,872 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZPRLHN.DLL
- 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2008-01-19 03:28:52 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
- 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2008-01-19 03:28:54 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
- 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
+ 2008-01-19 03:35:30 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2008-01-19 03:36:46 373,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2008-01-19 03:35:34 744,960 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
+ 2008-01-19 03:30:26 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
+ 2008-05-17 19:02:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_798.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
2008-05-13 10:01 57344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F0EA630-9DAD-460A-9F95-B0E534862DB9}]
C:\WINDOWS\system32\mlJARHbB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A564931-5062-498E-9C69-54EAAEA8C2CA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BBBB486-1A72-4711-98D6-2A92FDD846E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84EF105F-C99E-4D5C-A060-A11F542C4687}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABDFB34-0BFD-40C8-A8E3-A3CEC0D499EA}]
2008-05-15 10:49 370176 --------- C:\WINDOWS\system32\qoMdEVOE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92571C7E-DDF4-47BC-909C-A272D983DACD}]
2008-05-17 15:08 371712 --a------ C:\WINDOWS\system32\tuvWomJb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab12d6c2-edda-41bf-a21c-45be0cf29632}]
2008-05-17 13:25 134144 --a------ C:\WINDOWS\system32\iapiqsoy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aeffc368-0294-4f47-aea9-456190b215d1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3bdf1e2-bd31-451d-9846-66a2f6c2d1d9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B52D75CC-DB9A-449F-A755-7848056E6F57}]
C:\WINDOWS\system32\ddcDVLda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B795C471-162D-42F6-9133-EF5774060BD8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BD6AFF-C227-4F83-846F-F35AA93B0E8E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd0b4e3a-1ccf-4020-8083-d9aa84d49eba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f85448d5-5235-4c4d-a82d-e850c2d2626e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-11 13:23 144448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 19:01 40960 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-18 10:50 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RegistryMechanic"="" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"6c206f6a"="C:\WINDOWS\system32\xdgrffog.dll" [ ]
"BM6f135cf6"="C:\WINDOWS\system32\ktisouub.dll" [2008-05-17 15:10 125952]

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-05-16 23:15:18 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\jkkkIXpm.dll [2008-05-13 10:01 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
jkkkIXpm.dll 2008-05-13 10:01 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkIXpm]
jkkkIXpm.dll 2008-05-13 10:01 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrroop]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\tuvWomJb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6c206f6a]
C:\WINDOWS\system32\nekcinnh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6f135cf6]
--a------ 2008-05-15 13:12 125952 C:\WINDOWS\system32\sjlrjpcj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Temporary\\utorrent.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-05-03 12:36]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 10:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 10:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 10:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S2 0300091210935765mcinstcleanup;McAfee Application Installer Cleanup (0300091210935765);C:\WINDOWS\TEMP\030009~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 FK;FK;C:\DOCUME~1\Ed\LOCALS~1\Temp\FK.exe []

*Newly Created Service* - 0300091210935765MCINSTCLEANUP
*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 21:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-15 05:16:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-08-01 05:00:42 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 15:04:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\tuvWomJb.dll 371712 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkkIXpm.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ktisouub.dll
-> C:\WINDOWS\system32\tuvWomJb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-17 15:13:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 19:12:16
ComboFix2.txt 2008-05-15 14:57:22
ComboFix3.txt 2008-05-14 23:22:14
ComboFix4.txt 2008-05-14 22:22:18
ComboFix5.txt 2008-05-14 21:54:29

Pre-Run: 60,863,975,424 bytes free
Post-Run: 60,990,242,816 bytes free

313

--------- HJT below --------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:53 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Temporary\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [BM6f135cf6] Rundll32.exe "C:\WINDOWS\system32\sjlrjpcj.dll",s
O4 - HKLM\..\Run: [6c206f6a] rundll32.exe "C:\WINDOWS\system32\vwxnrqfk.dll",b
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXSelect.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FK - Unknown owner - C:\DOCUME~1\Ed\LOCALS~1\Temp\FK.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12496 bytes
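
The loading points that mark this infection are visible in the logs above: HKLM Run values with hex-blob names that launch rundll32 on an 8-letter random DLL in system32, Browser Helper Object CLSIDs that either point at such a DLL or have nothing under them, a Winlogon Notify package, and the Security Center notifications switched off. The Python script below is an added example written for this page; it is not code from the thread or from ComboFix, HijackThis or any other tool named here. Its heuristics (an exactly-8-letter DLL basename under system32, a hex-blob Run value name, a one-letter rundll32 export) and the small allow-list are assumptions made for the example, not a vendor signature; the sample lines are copied from the logs posted above and labelled as constructed test input.

```python
import re

# Added example for this thread (not code from the page or from any tool named in it):
# flag the Virtumonde/Vundo loading points in the ComboFix and HijackThis logs above.
# The name-pattern rules and the allow-list are assumptions, not a vendor signature.
# Vundo drops 8-letter randomly named DLLs in system32 (jkkkIXpm.dll, sjlrjpcj.dll), but
# legitimate 8-letter DLLs live there too (NvMcTray.dll in this log), so the pattern only
# counts together with a second signal or a suspicious loading point.
RANDOM_DLL = re.compile(r"\\system32\\([A-Za-z]{8})\.dll\b", re.IGNORECASE)
# rundll32 "x.dll",s : a quoted DLL plus a one-letter export is the Vundo launcher shape
RUNDLL32_ONE_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,\s*([A-Za-z])\s*$', re.I)
HEX_VALUE_NAME = re.compile(r"^(?:BM)?[0-9a-f]{8}$")  # BM6f135cf6, 6c206f6a
HJT_O4 = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
REG_KEY = re.compile(r"^\[(?:HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)\\(.*)\]$", re.I)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')
SUSPECT_KEYS = ("browser helper objects", "winlogon\\notify", "shellexecutehooks")
KNOWN_GOOD = {"nvmctray"}  # assumption: NVIDIA tray DLL, legitimately 8 letters


def flag_hjt_line(line):
    """Reasons a HijackThis O4 Run line looks like a Vundo launcher (empty if clean)."""
    reasons = []
    m = HJT_O4.match(line.strip())
    if m:
        value_name, command = m.groups()
        r = RUNDLL32_ONE_EXPORT.search(command)
        if r and RANDOM_DLL.search(r.group(1)):
            reasons.append(f"rundll32 loads random-named DLL {r.group(1)} via export '{r.group(2)}'")
        if HEX_VALUE_NAME.match(value_name):
            reasons.append(f"Run value name '{value_name}' is a hex blob")
    return reasons


def flag_combofix_reg(text):
    """Walk ComboFix's 'Reg Loading Points' section; return (key, reason) pairs."""
    findings, key, seen_value = [], "", False

    def close_key():
        # A BHO CLSID with nothing listed under it has no DLL on disk: removed or hidden
        if key and "browser helper objects" in key.lower() and not seen_value:
            findings.append((key, "BHO CLSID registered with no DLL listed under it"))

    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = REG_KEY.match(line)
        if m:
            close_key()
            key, seen_value = m.group(1), False
            continue
        if not key:
            continue
        seen_value, kl = True, key.lower()
        if "security center" in kl:
            if "disable" in line.lower() and line.lower().endswith("=dword:00000001"):
                findings.append((key, f"Security Center alerting switched off: {line}"))
        elif any(s in kl for s in SUSPECT_KEYS):
            r = RANDOM_DLL.search(line)
            if r:
                findings.append((key, f"random-named system32 DLL {r.group(1)}.dll registered here"))
        elif kl.endswith("\\run"):
            v = RUN_VALUE.match(line)
            if v:
                name, target = v.groups()
                r = RANDOM_DLL.search(target)
                if HEX_VALUE_NAME.match(name) or (r and r.group(1).lower() not in KNOWN_GOOD):
                    findings.append((key, f"Run value '{name}' loads {target}"))
    close_key()
    return findings


# Constructed test input: lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit",
    r'O4 - HKLM\..\Run: [BM6f135cf6] Rundll32.exe "C:\WINDOWS\system32\sjlrjpcj.dll",s',
    r'O4 - HKLM\..\Run: [6c206f6a] rundll32.exe "C:\WINDOWS\system32\vwxnrqfk.dll",b',
]
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
2008-05-13 10:01 57344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A564931-5062-498E-9C69-54EAAEA8C2CA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"6c206f6a"="C:\WINDOWS\system32\wnbmoour.dll" [ ]
"BM6f135cf6"="C:\WINDOWS\system32\lraxcpaf.dll" [2008-05-19 08:55 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkIXpm]
jkkkIXpm.dll 2008-05-13 10:01 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    print(*[f"HJT: {r}" for ln in SAMPLE_HJT for r in flag_hjt_line(ln)], sep="\n")
    print(*[f"REG: {k} -> {r}" for k, r in flag_combofix_reg(SAMPLE_COMBOFIX_REG)], sep="\n")
```

The NvMediaCenter entry is the reason the 8-letter rule is never used on its own: NvMcTray.dll is a legitimate NVIDIA DLL that fits the pattern exactly, so the Run-key rule also needs a hex-blob value name or a miss on the allow-list before it reports. The script only triages a pasted log; it removes nothing, and a quiet registry section says nothing about the hidden file that catchme reported above, which is why the "Files Created" list and the hidden-file count still have to be read by hand.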

#6 RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 19 May 2008 - 06:55 AM

Hi,

Please look at the date of the HijackThis log in your last post:

Scan saved at 1:44:53 PM, on 5/15/2008

I need a NEW HijackThis log (don't forget to rename HijackThis as I said before).

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Renato Victor Mejias
Malware help in Portuguese

#7 Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Apex, NC

Posted 19 May 2008 - 08:27 AM

Recovery Console installed. ComboFix and HJT logs below. Thx again.

------ ComboFix.txt ---------

ComboFix 08-05-15.3 - Ed 2008-05-19 9:06:22.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bjtrtjpl.exe
C:\WINDOWS\system32\eeiimkcx.exe
C:\WINDOWS\system32\EOVEdMoq.ini
C:\WINDOWS\system32\EOVEdMoq.ini2
C:\WINDOWS\system32\MWaHNqru.ini
C:\WINDOWS\system32\MWaHNqru.ini2
C:\WINDOWS\system32\ruoombnw.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 09:13 . 2008-05-19 09:13 22 --a------ C:\WINDOWS\pskt.ini
2008-05-19 08:58 . 2008-05-19 08:58 132,608 --a------ C:\WINDOWS\system32\kqpaoxof.dll
2008-05-19 08:55 . 2008-05-19 08:55 124,928 --a------ C:\WINDOWS\system32\lraxcpaf.dll
2008-05-19 08:46 . 2008-05-19 08:46 124,928 --a------ C:\WINDOWS\system32\louumpjx.dll
2008-05-19 08:44 . 2008-05-19 08:44 371,712 --------- C:\WINDOWS\system32\urqNHaWM.dll
2008-05-19 08:24 . 2008-05-19 08:24 132,608 --a------ C:\WINDOWS\system32\epspdxyu.dll
2008-05-19 08:21 . 2008-05-19 08:21 124,928 --a------ C:\WINDOWS\system32\anulehtj.dll
2008-05-17 15:19 . 2008-05-17 15:19 8 --a------ C:\WINDOWS\system32\6c207de4
2008-05-17 15:16 . 2008-05-17 15:16 134,144 --a------ C:\WINDOWS\system32\jfemoqde.dll
2008-05-17 15:10 . 2008-05-17 15:10 125,952 --a------ C:\WINDOWS\system32\ktisouub.dll
2008-05-17 15:08 . 2008-05-17 15:08 371,712 --------- C:\WINDOWS\system32\tuvWomJb.dll
2008-05-17 15:08 . 2008-05-17 15:19 345 --ahs---- C:\WINDOWS\system32\bJmoWvut.ini
2008-05-17 13:25 . 2008-05-17 13:25 134,144 --a------ C:\WINDOWS\system32\iapiqsoy.dll
2008-05-17 13:25 . 2008-05-17 13:25 125,952 --a------ C:\WINDOWS\system32\hktfrmdr.dll
2008-05-16 11:59 . 2008-05-16 11:59 135,680 --a------ C:\WINDOWS\system32\kknwijlg.dll
2008-05-16 11:59 . 2008-05-16 11:59 125,952 --a------ C:\WINDOWS\system32\uupotuyl.dll
2008-05-15 13:16 . 2008-05-15 13:16 133,120 --a------ C:\WINDOWS\system32\ysmvuyaq.dll
2008-05-15 13:12 . 2008-05-15 13:12 <DIR> d-------- C:\Deckard
2008-05-15 13:12 . 2008-05-15 13:12 125,952 --a------ C:\WINDOWS\system32\sjlrjpcj.dll
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-15 11:42 . 2008-05-15 11:42 133,120 --a------ C:\WINDOWS\system32\aijvdccd.dll
2008-05-15 11:37 . 2008-05-15 11:37 125,952 --a------ C:\WINDOWS\system32\idtwrgnv.dll
2008-05-15 11:02 . 2008-05-15 11:02 116,736 --------- C:\WINDOWS\system32\emcoannf.dll
2008-05-15 11:00 . 2008-05-15 11:00 133,120 --a------ C:\WINDOWS\system32\rctlapky.dll
2008-05-15 11:00 . 2008-05-15 11:00 125,952 --a------ C:\WINDOWS\system32\yypmgssg.dll
2008-05-15 10:55 . 2008-05-15 10:55 116,736 --a------ C:\WINDOWS\system32\rlfvebin.dll
2008-05-15 10:52 . 2008-05-15 10:52 125,952 --a------ C:\WINDOWS\system32\uwqnsyev.dll
2008-05-15 10:49 . 2008-05-15 10:49 370,176 --------- C:\WINDOWS\system32\qoMdEVOE.dll
2008-05-15 10:12 . 2008-05-15 10:12 133,120 --a------ C:\WINDOWS\system32\itkdaupp.dll
2008-05-15 10:09 . 2008-05-15 10:09 125,952 --a------ C:\WINDOWS\system32\csgcukww.dll
2008-05-15 10:09 . 2008-05-15 10:09 116,736 --------- C:\WINDOWS\system32\pymcvdna.dll
2008-05-15 09:33 . 2008-05-15 09:33 370,176 --a------ C:\WINDOWS\system32\mlJARHbB.dll_old
2008-05-15 07:53 . 2008-05-15 07:53 134,144 --a------ C:\WINDOWS\system32\sxbckaiw.dll
2008-05-15 07:50 . 2008-05-15 07:50 114,176 --------- C:\WINDOWS\system32\kqvgbqch.dll
2008-05-15 07:42 . 2008-05-15 07:42 125,440 --a------ C:\WINDOWS\system32\lypmqfji.dll
2008-05-14 18:00 . 2008-05-14 18:00 133,120 --a------ C:\WINDOWS\system32\fveupdci.dll
2008-05-14 17:52 . 2008-05-14 19:10 594 --ahs---- C:\WINDOWS\system32\kfqrnxwv.ini
2008-05-14 17:50 . 2008-05-14 17:50 126,464 --a------ C:\WINDOWS\system32\bjbwktyl.dll
2008-05-14 17:44 . 2008-05-14 17:44 294 --ahs---- C:\WINDOWS\system32\ylftoqop.ini
2008-05-14 17:05 . 2008-05-14 17:05 133,120 --a------ C:\WINDOWS\system32\umtvmuvu.dll
2008-05-14 16:56 . 2008-05-14 16:56 126,464 --a------ C:\WINDOWS\system32\hvfdiytt.dll
2008-05-14 10:22 . 2008-05-17 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-14 09:37 . 2008-05-19 09:13 109,803 --a------ C:\WINDOWS\BM6f135cf6.xml
2008-05-13 11:25 . 2008-05-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-13 11:13 . 2008-05-13 11:13 <DIR> d-------- C:\Program Files\SlySoft
2008-05-13 10:28 . 2008-05-13 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-13 10:28 . 2008-05-14 09:56 83 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-05-13 10:01 . 2008-05-13 10:01 57,344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll
2008-05-13 09:51 . 2008-05-13 11:25 48 ---hs---- C:\WINDOWS\SE6D13403.tmp
2008-05-13 09:49 . 2008-05-14 10:02 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-05-12 23:05 . 2008-05-12 23:05 <DIR> d-------- C:\WINDOWS\Sun
2008-05-12 23:04 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Google
2008-05-12 23:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-12 23:03 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Java
2008-05-12 23:01 . 2008-05-12 23:01 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 17:27 --------- d-----w C:\Program Files\Lavasoft
2008-05-17 17:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:02 --------- d-----w C:\Program Files\McAfee
2008-05-14 14:00 --------- d-----w C:\Program Files\Apollo iPod Video Converter
2008-05-13 03:25 --------- d-----w C:\Program Files\ImageSplitter
2008-05-13 03:23 --------- d-----w C:\Program Files\Quicken
2007-07-03 17:48 2,917 ----a-w C:\Documents and Settings\Ed\Application Data\SAS7_000.DAT
2007-01-10 15:29 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLeh.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2007-05-18 13:48 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-03 22:56 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-03 17:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB884020$\tcpip.sys
2004-08-13 18:50 359040 4092c56967175f009dc8458dc434358e C:\WINDOWS\$NtUninstallKB889527$\tcpip.sys
2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot_2008-05-17_15.11.17.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:02:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 13:11:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-19 10:58:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-19 10:58:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-19 13:11:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_794.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
2008-05-13 10:01 57344 --a------ C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F0EA630-9DAD-460A-9F95-B0E534862DB9}]
C:\WINDOWS\system32\mlJARHbB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A564931-5062-498E-9C69-54EAAEA8C2CA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BBBB486-1A72-4711-98D6-2A92FDD846E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84EF105F-C99E-4D5C-A060-A11F542C4687}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6D41797-3D05-4911-BB76-173378EB7C89}]
2008-05-19 08:44 371712 --------- C:\WINDOWS\system32\urqNHaWM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{abe71b60-8c5b-4929-bd4f-9dfb6570b7f7}]
2008-05-19 08:58 132608 --a------ C:\WINDOWS\system32\kqpaoxof.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aeffc368-0294-4f47-aea9-456190b215d1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3bdf1e2-bd31-451d-9846-66a2f6c2d1d9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B52D75CC-DB9A-449F-A755-7848056E6F57}]
C:\WINDOWS\system32\ddcDVLda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B795C471-162D-42F6-9133-EF5774060BD8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BD6AFF-C227-4F83-846F-F35AA93B0E8E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd0b4e3a-1ccf-4020-8083-d9aa84d49eba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f85448d5-5235-4c4d-a82d-e850c2d2626e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-11 13:23 144448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 19:01 40960 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-18 10:50 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RegistryMechanic"="" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"6c206f6a"="C:\WINDOWS\system32\wnbmoour.dll" [ ]
"BM6f135cf6"="C:\WINDOWS\system32\lraxcpaf.dll" [2008-05-19 08:55 124928]

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-05-16 23:15:18 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\jkkkIXpm.dll [2008-05-13 10:01 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
jkkkIXpm.dll 2008-05-13 10:01 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkIXpm]
jkkkIXpm.dll 2008-05-13 10:01 57344 C:\WINDOWS\system32\jkkkIXpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrroop]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6c206f6a]
C:\WINDOWS\system32\nekcinnh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6f135cf6]
--a------ 2008-05-15 13:12 125952 C:\WINDOWS\system32\sjlrjpcj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Temporary\\utorrent.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-05-03 12:36]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 10:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 10:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 10:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S2 0226111211114118mcinstcleanup;McAfee Application Installer Cleanup (0226111211114118);C:\WINDOWS\TEMP\022611~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 FK;FK;C:\DOCUME~1\Ed\LOCALS~1\Temp\FK.exe []

*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 21:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-15 05:16:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-08-01 05:00:42 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 09:13:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkkIXpm.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lraxcpaf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-19 9:19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 13:19:21
ComboFix2.txt 2008-05-19 12:48:54
ComboFix3.txt 2008-05-17 19:13:43
ComboFix4.txt 2008-05-15 14:57:22
ComboFix5.txt 2008-05-14 23:22:14

Pre-Run: 61,008,936,960 bytes free
Post-Run: 61,000,232,960 bytes free

271

-------- HJT Log ---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:11 AM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Temporary\filter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {2AA0726C-95B7-4216-AA43-B5BDD524892F} - C:\WINDOWS\system32\jkkkIXpm.dll
O2 - BHO: (no name) - {3F0EA630-9DAD-460A-9F95-B0E534862DB9} - C:\WINDOWS\system32\mlJARHbB.dll (file missing)
O2 - BHO: (no name) - {4A564931-5062-498E-9C69-54EAAEA8C2CA} - (no file)
O2 - BHO: (no name) - {5BBBB486-1A72-4711-98D6-2A92FDD846E7} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {84EF105F-C99E-4D5C-A060-A11F542C4687} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {7f7b0756-bfd9-f4db-9294-b5c806b17eba} - {abe71b60-8c5b-4929-bd4f-9dfb6570b7f7} - C:\WINDOWS\system32\kqpaoxof.dll
O2 - BHO: (no name) - {AE9991BF-2829-4887-BD03-4ED8817422DA} - C:\WINDOWS\system32\urqNHaWM.dll
O2 - BHO: (no name) - {aeffc368-0294-4f47-aea9-456190b215d1} - (no file)
O2 - BHO: (no name) - {b3bdf1e2-bd31-451d-9846-66a2f6c2d1d9} - (no file)
O2 - BHO: (no name) - {B52D75CC-DB9A-449F-A755-7848056E6F57} - C:\WINDOWS\system32\ddcDVLda.dll (file missing)
O2 - BHO: (no name) - {B795C471-162D-42F6-9133-EF5774060BD8} - (no file)
O2 - BHO: (no name) - {C4BD6AFF-C227-4F83-846F-F35AA93B0E8E} - (no file)
O2 - BHO: (no name) - {dd0b4e3a-1ccf-4020-8083-d9aa84d49eba} - (no file)
O2 - BHO: (no name) - {f85448d5-5235-4c4d-a82d-e850c2d2626e} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [6c206f6a] rundll32.exe "C:\WINDOWS\system32\wnbmoour.dll",b
O4 - HKLM\..\Run: [BM6f135cf6] Rundll32.exe "C:\WINDOWS\system32\lraxcpaf.dll",s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://imgweb.charlestoncounty.org/appnet/...x/OBXSelect.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
O20 - Winlogon Notify: jkkkIXpm - C:\WINDOWS\SYSTEM32\jkkkIXpm.dll
O20 - Winlogon Notify: rqrroop - C:\WINDOWS\
O23 - Service: McAfee Application Installer Cleanup (0226111211114118) (0226111211114118mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022611~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FK - Unknown owner - C:\DOCUME~1\Ed\LOCALS~1\Temp\FK.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 13796 bytes

#8 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 PM

Posted 20 May 2008 - 07:01 AM

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/top...tml#entry828823

Rootkit::
C:\WINDOWS\system32\tuvWomJb.dll

Collect::
C:\WINDOWS\system32\iapiqsoy.dll
C:\WINDOWS\system32\hktfrmdr.dll
C:\WINDOWS\system32\kknwijlg.dll
C:\WINDOWS\system32\uupotuyl.dll
C:\WINDOWS\system32\ysmvuyaq.dll
C:\WINDOWS\system32\sjlrjpcj.dll
C:\WINDOWS\system32\aijvdccd.dll
C:\WINDOWS\system32\idtwrgnv.dll
C:\WINDOWS\system32\emcoannf.dll
C:\WINDOWS\system32\rctlapky.dll
C:\WINDOWS\system32\yypmgssg.dll
C:\WINDOWS\system32\rlfvebin.dll
C:\WINDOWS\system32\uwqnsyev.dll
C:\WINDOWS\system32\qoMdEVOE.dll
C:\WINDOWS\system32\itkdaupp.dll
C:\WINDOWS\system32\csgcukww.dll
C:\WINDOWS\system32\pymcvdna.dll
C:\WINDOWS\system32\mlJARHbB.dll_old
C:\WINDOWS\system32\sxbckaiw.dll
C:\WINDOWS\system32\kqvgbqch.dll
C:\WINDOWS\system32\lypmqfji.dll
C:\WINDOWS\system32\fveupdci.dll
C:\WINDOWS\system32\kfqrnxwv.ini
C:\WINDOWS\system32\bjbwktyl.dll
C:\WINDOWS\system32\ylftoqop.ini
C:\WINDOWS\system32\umtvmuvu.dll
C:\WINDOWS\system32\hvfdiytt.dll
C:\WINDOWS\BM6f135cf6.xml
C:\WINDOWS\system32\jkkkIXpm.dll
C:\WINDOWS\SE6D13403.tmp
C:\WINDOWS\system32\ktisouub.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F0EA630-9DAD-460A-9F95-B0E534862DB9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A564931-5062-498E-9C69-54EAAEA8C2CA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BBBB486-1A72-4711-98D6-2A92FDD846E7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84EF105F-C99E-4D5C-A060-A11F542C4687}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABDFB34-0BFD-40C8-A8E3-A3CEC0D499EA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABDFB34-0BFD-40C8-A8E3-A3CEC0D499EA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92571C7E-DDF4-47BC-909C-A272D983DACD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab12d6c2-edda-41bf-a21c-45be0cf29632}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aeffc368-0294-4f47-aea9-456190b215d1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3bdf1e2-bd31-451d-9846-66a2f6c2d1d9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B52D75CC-DB9A-449F-A755-7848056E6F57}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B795C471-162D-42F6-9133-EF5774060BD8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BD6AFF-C227-4F83-846F-F35AA93B0E8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd0b4e3a-1ccf-4020-8083-d9aa84d49eba}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f85448d5-5235-4c4d-a82d-e850c2d2626e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"=-
"6c206f6a"=-
"BM6f135cf6"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkIXpm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrroop]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6c206f6a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6f135cf6]

Driver::
FK


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Renato Victor Mejias
Malware help in Portuguese
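One way to do this triage programmatically, as an added example that is not part of the thread or of ComboFix/HijackThis themselves: it parses O2/O4/O20 lines in the HijackThis format shown above, flags entries that load nothing or that load a module ComboFix lists as recently created, and drafts the File:: and Registry:: sections of a CFScript in the form used in this post, for a human to review before anything is run. The sample input is constructed from the log formats above (the jkkkIXpm.dll creation timestamp is made up).

```python
"""Triage HijackThis autostart entries against a ComboFix 'Files Created'
section and draft CFScript File:: / Registry:: sections for human review.
Flagged: an O2 BHO, O4 Run value or O20 Winlogon Notify hook that loads
nothing ('(no file)', '(file missing)', bare directory) or loads a module
ComboFix lists as recently created."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, in the format of the HJT and ComboFix logs above
# (the jkkkIXpm.dll timestamp is made up for the example).
HJT_LOG = r"""
O2 - BHO: (no name) - {2AA0726C-95B7-4216-AA43-B5BDD524892F} - C:\WINDOWS\system32\jkkkIXpm.dll
O2 - BHO: (no name) - {4A564931-5062-498E-9C69-54EAAEA8C2CA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [BM6f135cf6] Rundll32.exe "C:\WINDOWS\system32\lraxcpaf.dll",s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: jkkkIXpm - C:\WINDOWS\SYSTEM32\jkkkIXpm.dll
O20 - Winlogon Notify: awvvu - C:\WINDOWS\
"""
COMBOFIX_CREATED = r"""
2008-05-19 08:55 . 2008-05-19 08:55 124,928 --a------ C:\WINDOWS\system32\lraxcpaf.dll
2008-05-17 15:08 . 2008-05-17 15:08 126,976 --a------ C:\WINDOWS\system32\jkkkIXpm.dll
2008-05-12 23:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
"""

@dataclass
class Entry:
    kind: str            # "O2", "O4" or "O20"
    name: str            # CLSID for O2, Run value name for O4, Notify subkey for O20
    hive: str            # "HKLM" / "HKCU" for O4, "" otherwise
    path: Optional[str]  # module the entry loads; None when it points at nothing
    raw: str

@dataclass
class Finding:
    entry: Entry
    reason: str

PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe|cpl))', re.I)
BARE_RE = re.compile(r'\b[\w.-]+\.(?:exe|dll|cpl)\b', re.I)
O2_RE = re.compile(r'^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. .*?\s([A-Za-z]:\\\S.*)$')
RUN_KEY = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def module_of(target: str) -> Optional[str]:
    """Absolute module path if present, else the last bare file name
    (e.g. 'nwiz.exe /install' is resolved via PATH, not absent), else None."""
    m = PATH_RE.search(target)
    if m:
        return m.group(1)
    bare = BARE_RE.findall(target)
    return bare[-1] if bare else None

def parse_hjt(text: str) -> list:
    """Entries for the O2, O4 and O20 lines of a HijackThis log."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m.group(1), "", module_of(m.group(2)), line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m.group(2), m.group(1), module_of(m.group(3)), line))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m.group(1), "", module_of(m.group(2)), line))
    return entries

def parse_created(text: str) -> set:
    """Lower-cased paths from a ComboFix 'Files Created from ... to ...' section."""
    return {m.group(1).lower() for m in map(CREATED_RE.match, map(str.strip, text.splitlines())) if m}

def triage(entries, recent) -> list:
    findings = []
    for e in entries:
        if e.path is None or "(file missing)" in e.raw:
            findings.append(Finding(e, "orphan: autostart entry loads nothing"))
        elif e.path.lower() in recent:
            findings.append(Finding(e, "autostarts a module ComboFix lists as recently created"))
    return findings

def build_cfscript(findings) -> str:
    """Draft File:: and Registry:: sections in the form used in this thread."""
    files, seen, registry, run_values = [], set(), [], {}
    for f in findings:
        e = f.entry
        # only absolute paths that HJT did not already report as missing
        if e.path and ":" in e.path and "(file missing)" not in e.raw and e.path.lower() not in seen:
            seen.add(e.path.lower())
            files.append(e.path)
        if e.kind == "O2":
            registry.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.name}]")
        elif e.kind == "O20":
            registry.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\" + e.name + "]")
        else:
            run_values.setdefault(e.hive, []).append(e.name)
    for hive, names in run_values.items():
        registry.append(f"[{RUN_KEY[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        registry.extend(f'"{n}"=-' for n in names)
    return "\n".join(["File::", *files, "", "Registry::", *registry, ""])

if __name__ == "__main__":
    found = triage(parse_hjt(HJT_LOG), parse_created(COMBOFIX_CREATED))
    for f in found:
        print(f"{f.entry.kind:<3} {f.reason}: {f.entry.raw}")
    print()
    print(build_cfscript(found))
```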

#9 Kougarz

Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Apex, NC
  • Local time:12:06 PM

Posted 20 May 2008 - 09:56 AM

Requested captured file submitted via file upload. ComboFix log below...



ComboFix 08-05-15.3 - Ed 2008-05-20 10:32:13.9 - NTFSx86
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6f135cf6.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SE6D13403.tmp
C:\WINDOWS\system32\aijvdccd.dll
C:\WINDOWS\system32\bjbwktyl.dll
C:\WINDOWS\system32\csgcukww.dll
C:\WINDOWS\system32\emcoannf.dll
C:\WINDOWS\system32\fveupdci.dll
C:\WINDOWS\system32\hktfrmdr.dll
C:\WINDOWS\system32\hvfdiytt.dll
C:\WINDOWS\system32\iapiqsoy.dll
C:\WINDOWS\system32\idtwrgnv.dll
C:\WINDOWS\system32\itkdaupp.dll
C:\WINDOWS\system32\jkkkIXpm.dll
C:\WINDOWS\system32\kfqrnxwv.ini
C:\WINDOWS\system32\kknwijlg.dll
C:\WINDOWS\system32\kqvgbqch.dll
C:\WINDOWS\system32\ktisouub.dll
C:\WINDOWS\system32\lypmqfji.dll
C:\WINDOWS\system32\mlJARHbB.dll_old
C:\WINDOWS\system32\mvpvrcxg.ini
C:\WINDOWS\system32\MWaHNqru.ini
C:\WINDOWS\system32\MWaHNqru.ini2
C:\WINDOWS\system32\pymcvdna.dll
C:\WINDOWS\system32\qoMdEVOE.dll
C:\WINDOWS\system32\rctlapky.dll
C:\WINDOWS\system32\rlfvebin.dll
C:\WINDOWS\system32\sjlrjpcj.dll
C:\WINDOWS\system32\sxbckaiw.dll
C:\WINDOWS\system32\tuvWomJb.dll
C:\WINDOWS\system32\umtvmuvu.dll
C:\WINDOWS\system32\uupotuyl.dll
C:\WINDOWS\system32\uwqnsyev.dll
C:\WINDOWS\system32\yipgevtk.exe
C:\WINDOWS\system32\ylftoqop.ini
C:\WINDOWS\system32\ysmvuyaq.dll
C:\WINDOWS\system32\yypmgssg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FK
-------\Service_FK


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 10:32 . 2008-05-20 10:32 0 --a------ C:\WINDOWS\system32\mvpvrcxg.tmp
2008-05-20 09:32 . 2008-05-20 09:32 135,168 --a------ C:\WINDOWS\system32\bgwykuay.dll
2008-05-20 09:29 . 2008-05-20 09:29 2,560 --a------ C:\WINDOWS\system32\cdatgooh.exe
2008-05-20 09:23 . 2008-05-20 09:23 126,976 --a------ C:\WINDOWS\system32\xrwbeqbg.dll
2008-05-19 09:23 . 2008-05-19 09:23 132,608 --a------ C:\WINDOWS\system32\mtvbodtm.dll
2008-05-19 09:21 . 2008-05-19 09:21 124,928 --a------ C:\WINDOWS\system32\qsvqwmwa.dll
2008-05-19 08:58 . 2008-05-19 08:58 132,608 --a------ C:\WINDOWS\system32\kqpaoxof.dll
2008-05-19 08:55 . 2008-05-19 08:55 124,928 --a------ C:\WINDOWS\system32\lraxcpaf.dll
2008-05-19 08:46 . 2008-05-19 08:46 124,928 --a------ C:\WINDOWS\system32\louumpjx.dll
2008-05-19 08:44 . 2008-05-19 08:44 371,712 --a------ C:\WINDOWS\system32\urqNHaWM.dll
2008-05-19 08:24 . 2008-05-19 08:24 132,608 --a------ C:\WINDOWS\system32\epspdxyu.dll
2008-05-19 08:21 . 2008-05-19 08:21 124,928 --a------ C:\WINDOWS\system32\anulehtj.dll
2008-05-17 15:19 . 2008-05-17 15:19 8 --a------ C:\WINDOWS\system32\6c207de4
2008-05-17 15:16 . 2008-05-17 15:16 134,144 --a------ C:\WINDOWS\system32\jfemoqde.dll
2008-05-17 15:08 . 2008-05-17 15:19 345 --ahs---- C:\WINDOWS\system32\bJmoWvut.ini
2008-05-15 13:12 . 2008-05-15 13:12 <DIR> d-------- C:\Deckard
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 10:22 . 2008-05-17 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 11:25 . 2008-05-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-13 11:13 . 2008-05-13 11:13 <DIR> d-------- C:\Program Files\SlySoft
2008-05-13 10:28 . 2008-05-13 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-13 10:28 . 2008-05-14 09:56 83 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-05-13 09:49 . 2008-05-14 10:02 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-05-12 23:05 . 2008-05-12 23:05 <DIR> d-------- C:\WINDOWS\Sun
2008-05-12 23:04 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Google
2008-05-12 23:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-12 23:03 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Java
2008-05-12 23:01 . 2008-05-12 23:01 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 17:27 --------- d-----w C:\Program Files\Lavasoft
2008-05-17 17:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:02 --------- d-----w C:\Program Files\McAfee
2008-05-14 14:00 --------- d-----w C:\Program Files\Apollo iPod Video Converter
2008-05-13 03:25 --------- d-----w C:\Program Files\ImageSplitter
2008-05-13 03:23 --------- d-----w C:\Program Files\Quicken
2007-07-03 17:48 2,917 ----a-w C:\Documents and Settings\Ed\Application Data\SAS7_000.DAT
2007-01-10 15:29 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLeh.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2007-05-18 13:48 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-03 22:56 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-03 17:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB884020$\tcpip.sys
2004-08-13 18:50 359040 4092c56967175f009dc8458dc434358e C:\WINDOWS\$NtUninstallKB889527$\tcpip.sys
2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot_2008-05-17_15.11.17.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:02:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 14:40:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-20 14:27:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-20 14:27:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-20 14:40:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_77c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE9991BF-2829-4887-BD03-4ED8817422DA}]
2008-05-19 08:44 371712 --a------ C:\WINDOWS\system32\urqNHaWM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e198728a-5025-4615-a216-6e52c1e1dfda}]
2008-05-20 09:32 135168 --a------ C:\WINDOWS\system32\bgwykuay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-11 13:23 144448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 19:01 40960 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-18 10:50 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-05-16 23:15:18 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Temporary\\utorrent.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-05-03 12:36]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 10:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 10:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 10:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S2 0226111211114118mcinstcleanup;McAfee Application Installer Cleanup (0226111211114118);C:\WINDOWS\TEMP\022611~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 20:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-15 05:16:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-08-01 05:00:42 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 10:41:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-20 10:48:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 14:47:45
ComboFix2.txt 2008-05-19 13:19:47
ComboFix3.txt 2008-05-19 12:48:54
ComboFix4.txt 2008-05-17 19:13:43
ComboFix5.txt 2008-05-15 14:57:22

Pre-Run: 60,972,982,272 bytes free
Post-Run: 60,957,843,456 bytes free


#10 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 PM

Posted 21 May 2008 - 06:20 AM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mvpvrcxg.tmp
C:\WINDOWS\system32\bgwykuay.dll
C:\WINDOWS\system32\cdatgooh.exe
C:\WINDOWS\system32\xrwbeqbg.dll
C:\WINDOWS\system32\mtvbodtm.dll
C:\WINDOWS\system32\qsvqwmwa.dll
C:\WINDOWS\system32\kqpaoxof.dll
C:\WINDOWS\system32\lraxcpaf.dll
C:\WINDOWS\system32\louumpjx.dll
C:\WINDOWS\system32\urqNHaWM.dll
C:\WINDOWS\system32\epspdxyu.dll
C:\WINDOWS\system32\anulehtj.dll
C:\WINDOWS\system32\jfemoqde.dll
C:\WINDOWS\system32\bJmoWvut.ini
C:\WINDOWS\system32\urqNHaWM.dll
C:\WINDOWS\system32\bgwykuay.dll

Folder::
C:\WINDOWS\system32\6c207de4

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE9991BF-2829-4887-BD03-4ED8817422DA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e198728a-5025-4615-a216-6e52c1e1dfda}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in portuguese

#11 Kougarz

Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Apex, NC
  • Local time:12:06 PM

Posted 21 May 2008 - 10:24 AM

Here is the new log file based on your most recent request. Thanks again for your persistence. This is a nasty critter to get rid of...


ComboFix 08-05-15.3 - Ed 2008-05-21 11:04:21.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\anulehtj.dll
C:\WINDOWS\system32\bgwykuay.dll
C:\WINDOWS\system32\bJmoWvut.ini
C:\WINDOWS\system32\cdatgooh.exe
C:\WINDOWS\system32\epspdxyu.dll
C:\WINDOWS\system32\jfemoqde.dll
C:\WINDOWS\system32\kqpaoxof.dll
C:\WINDOWS\system32\louumpjx.dll
C:\WINDOWS\system32\lraxcpaf.dll
C:\WINDOWS\system32\mtvbodtm.dll
C:\WINDOWS\system32\mvpvrcxg.tmp
C:\WINDOWS\system32\qsvqwmwa.dll
C:\WINDOWS\system32\urqNHaWM.dll
C:\WINDOWS\system32\xrwbeqbg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\6c207de4\
C:\WINDOWS\system32\anulehtj.dll
C:\WINDOWS\system32\bgwykuay.dll
C:\WINDOWS\system32\bJmoWvut.ini
C:\WINDOWS\system32\blkycqnl.ini
C:\WINDOWS\system32\cdatgooh.exe
C:\WINDOWS\system32\epspdxyu.dll
C:\WINDOWS\system32\jfemoqde.dll
C:\WINDOWS\system32\kqpaoxof.dll
C:\WINDOWS\system32\louumpjx.dll
C:\WINDOWS\system32\lraxcpaf.dll
C:\WINDOWS\system32\mtvbodtm.dll
C:\WINDOWS\system32\mvpvrcxg.tmp
C:\WINDOWS\system32\MWaHNqru.ini
C:\WINDOWS\system32\MWaHNqru.ini2
C:\WINDOWS\system32\qsvqwmwa.dll
C:\WINDOWS\system32\urqNHaWM.dll
C:\WINDOWS\system32\xrwbeqbg.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 11:02 . 2008-05-21 11:02 134,144 --a------ C:\WINDOWS\system32\bqpauxju.dll
2008-05-21 11:01 . 2008-05-21 11:02 115,200 --a------ C:\WINDOWS\system32\lnqcyklb.dll
2008-05-21 11:00 . 2008-05-21 11:00 126,464 --a------ C:\WINDOWS\system32\ymnoxycg.dll
2008-05-21 11:00 . 2008-05-21 11:09 109,807 --a------ C:\WINDOWS\BM6f135cf6.xml
2008-05-21 11:00 . 2008-05-21 11:00 2,560 --a------ C:\WINDOWS\system32\pgcboggp.exe
2008-05-17 15:19 . 2008-05-17 15:19 8 --a------ C:\WINDOWS\system32\6c207de4
2008-05-15 13:12 . 2008-05-15 13:12 <DIR> d-------- C:\Deckard
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 10:22 . 2008-05-17 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 11:25 . 2008-05-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-13 11:13 . 2008-05-13 11:13 <DIR> d-------- C:\Program Files\SlySoft
2008-05-13 10:28 . 2008-05-13 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-13 10:28 . 2008-05-14 09:56 83 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-05-13 09:49 . 2008-05-14 10:02 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-05-12 23:05 . 2008-05-12 23:05 <DIR> d-------- C:\WINDOWS\Sun
2008-05-12 23:04 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Google
2008-05-12 23:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-12 23:03 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Java
2008-05-12 23:01 . 2008-05-12 23:01 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 17:27 --------- d-----w C:\Program Files\Lavasoft
2008-05-17 17:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:02 --------- d-----w C:\Program Files\McAfee
2008-05-14 14:00 --------- d-----w C:\Program Files\Apollo iPod Video Converter
2008-05-13 03:25 --------- d-----w C:\Program Files\ImageSplitter
2008-05-13 03:23 --------- d-----w C:\Program Files\Quicken
2007-07-03 17:48 2,917 ----a-w C:\Documents and Settings\Ed\Application Data\SAS7_000.DAT
2007-01-10 15:29 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLeh.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2007-05-18 13:48 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-03 22:56 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-03 17:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB884020$\tcpip.sys
2004-08-13 18:50 359040 4092c56967175f009dc8458dc434358e C:\WINDOWS\$NtUninstallKB889527$\tcpip.sys
2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot_2008-05-17_15.11.17.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:02:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 15:08:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-21 15:01:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-21 15:01:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-21 15:09:38 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-05-21 15:09:38 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-05-21 15:08:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_768.dat
+ 2008-05-21 15:09:38 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{acb195bc-6fd0-4eb3-948d-544ff3590f02}]
2008-05-21 11:02 134144 --a------ C:\WINDOWS\system32\bqpauxju.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-11 13:23 144448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 19:01 40960 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-18 10:50 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"6c206f6a"="C:\WINDOWS\system32\lnqcyklb.dll" [2008-05-21 11:02 115200]
"BM6f135cf6"="C:\WINDOWS\system32\ymnoxycg.dll" [2008-05-21 11:00 126464]

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-05-16 23:15:18 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Temporary\\utorrent.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-05-03 12:36]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 10:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 10:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 10:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S2 0128871211382068mcinstcleanup;McAfee Application Installer Cleanup (0128871211382068);C:\WINDOWS\TEMP\012887~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

*Newly Created Service* - 0128871211382068MCINSTCLEANUP
*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 20:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-15 05:16:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-08-01 05:00:42 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 11:09:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lnqcyklb.dll
-> C:\WINDOWS\system32\ymnoxycg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-21 11:15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 15:15:00
ComboFix2.txt 2008-05-20 14:48:04
ComboFix3.txt 2008-05-19 13:19:47
ComboFix4.txt 2008-05-19 12:48:54
ComboFix5.txt 2008-05-17 19:13:43

Pre-Run: 60,960,591,872 bytes free
Post-Run: 60,950,487,040 bytes free


#12 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 PM

Posted 21 May 2008 - 12:39 PM

Hi,

Please avoid using the internet until we complete the disinfection.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\bqpauxju.dll
C:\WINDOWS\system32\lnqcyklb.dll
C:\WINDOWS\system32\ymnoxycg.dll
C:\WINDOWS\BM6f135cf6.xml
C:\WINDOWS\system32\pgcboggp.exe
C:\WINDOWS\system32\lnqcyklb.dll
C:\WINDOWS\system32\ymnoxycg.dll

Folder::
C:\WINDOWS\system32\6c207de4

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6c206f6a"=-
"BM6f135cf6"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in portuguese
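The CFScript format used in posts #10 and #12 (File::, Folder:: and Registry:: blocks, where "[-key]" removes a key and "name"=- removes a value) and the ComboFix.txt it produces can be checked against each other. The Python below is an added example, not code from this thread or from ComboFix; its sample script and log are constructed from paths seen above, and qwertyui.dll is a made-up stand-in for a freshly dropped random-name DLL.

```python
"""Reconcile a ComboFix CFScript against the ComboFix.txt it produced.
Added example for this thread, not code from the posts or from ComboFix. It
covers only what the thread shows: File::/Folder::/Registry:: directives
([-key] drops a key, "name"=- drops a value) and the log's banner-delimited
sections. Samples are constructed; qwertyui.dll is a made-up name."""
import re

SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\bqpauxju.dll
C:\WINDOWS\system32\lnqcyklb.dll

Folder::
C:\WINDOWS\system32\6c207de4

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6c206f6a"=-
"BM6f135cf6"=-
"""

# Constructed log: the deletions went through, but a new random-name DLL was
# written after the run started and sits under the same Run value.
SAMPLE_LOG = r"""ComboFix 08-05-15.3 - Ed 2008-05-22 13:52:45.11 - NTFSx86
(((((((((( Other Deletions ))))))))))
C:\WINDOWS\system32\6c207de4\
C:\WINDOWS\system32\bqpauxju.dll
C:\WINDOWS\system32\lnqcyklb.dll
.
(((((((((( Files Created from 2008-04-22 to 2008-05-22 ))))))))))
2008-05-22 13:55 . 2008-05-22 13:55 131,072 --a------ C:\WINDOWS\system32\qwertyui.dll
2008-05-17 15:19 . 2008-05-17 15:19 8 --a------ C:\WINDOWS\system32\6c207de4
.
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6c206f6a"="C:\WINDOWS\system32\qwertyui.dll" [2008-05-22 13:55 131072]
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
RUN_START = re.compile(r"^ComboFix .*?(\d{4}-\d{2}-\d{2} \d{2}:\d{2})")
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ \S+ \S+ (.+)$")
# Heuristic for the eight-letter random file names seen throughout this thread.
RANDOM_NAME = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)$", re.I)

def parse_cfscript(text):
    """Group script lines under their File::/Folder::/Registry:: directive."""
    sections, current = {"File": [], "Folder": [], "Registry": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::") and line[:-2] in sections:
            current = line[:-2]
        elif current is None:
            raise ValueError(f"line outside any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_ops(lines):
    """Turn Registry:: lines into ('delete_key', key) / ('delete_value', key, name)."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.endswith("=-") and key is not None:
            ops.append(("delete_value", key, line[:-2].strip().strip('"')))
        else:
            raise ValueError(f"unsupported Registry:: line: {line!r}")
    return ops

def log_sections(text):
    """Split ComboFix.txt on its banner lines; '.' spacer lines are dropped."""
    sections, title = {"header": []}, "header"
    for line in (l.strip() for l in text.splitlines()):
        m = BANNER.match(line)
        if m:
            title = m.group(1)
            sections[title] = []
        elif line and line != ".":
            sections[title].append(line)
    return sections

def reconcile(cfscript_text, log_text):
    """Requested deletions the log does not confirm, random-name files created
    once the run had started, and registry entries that are still loading."""
    script, secs = parse_cfscript(cfscript_text), log_sections(log_text)
    run_start = next((m.group(1) for m in map(RUN_START.match, secs["header"]) if m), "")
    deleted = {p.rstrip("\\").lower() for p in secs.get("Other Deletions", [])}
    not_confirmed = [p for p in script["File"] + script["Folder"]
                     if p.rstrip("\\").lower() not in deleted]
    created = next((v for k, v in secs.items() if k.startswith("Files Created")), [])
    respawned = [m.group(2) for m in map(CREATED.match, created)
                 if m and m.group(1) >= run_start and RANDOM_NAME.search(m.group(2))]
    loading = [l.lower() for l in secs.get("Reg Loading Points", [])]
    still_loaded = []
    for op in registry_ops(script["Registry"]):
        needle = f'"{op[2].lower()}"=' if op[0] == "delete_value" else f"[{op[1].lower()}]"
        if any(l.startswith(needle) for l in loading):
            still_loaded.append(op[-1])
    return {"not_confirmed": not_confirmed, "respawned": respawned,
            "still_loaded": still_loaded}
```

A non-empty "respawned" or "still_loaded" list is the signal seen in this thread: the requested files were removed, yet the infection rewrote itself under new names before the log was produced.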

#13 Kougarz

Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Apex, NC
  • Local time:12:06 PM

Posted 22 May 2008 - 03:40 PM

Newest Log file...

ComboFix 08-05-15.3 - Ed 2008-05-22 13:52:45.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.564 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM6f135cf6.xml
C:\WINDOWS\system32\bqpauxju.dll
C:\WINDOWS\system32\lnqcyklb.dll
C:\WINDOWS\system32\pgcboggp.exe
C:\WINDOWS\system32\ymnoxycg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6f135cf6.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\6c207de4\
C:\WINDOWS\system32\blkycqnl.ini
C:\WINDOWS\system32\bqpauxju.dll
C:\WINDOWS\system32\lnqcyklb.dll
C:\WINDOWS\system32\pgcboggp.exe
C:\WINDOWS\system32\ymnoxycg.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-17 15:19 . 2008-05-17 15:19 8 --a------ C:\WINDOWS\system32\6c207de4
2008-05-15 13:12 . 2008-05-15 13:12 <DIR> d-------- C:\Deckard
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 12:16 . 2008-05-15 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 10:22 . 2008-05-17 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 11:25 . 2008-05-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-13 11:13 . 2008-05-13 11:13 <DIR> d-------- C:\Program Files\SlySoft
2008-05-13 10:28 . 2008-05-13 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-13 10:28 . 2008-05-14 09:56 83 ---hs---- C:\Documents and Settings\All Users\Application Data\.zreglib
2008-05-13 09:49 . 2008-05-14 10:02 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-05-12 23:05 . 2008-05-12 23:05 <DIR> d-------- C:\WINDOWS\Sun
2008-05-12 23:04 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Google
2008-05-12 23:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-12 23:03 . 2008-05-12 23:04 <DIR> d-------- C:\Program Files\Java
2008-05-12 23:01 . 2008-05-12 23:01 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 17:27 --------- d-----w C:\Program Files\Lavasoft
2008-05-17 17:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:02 --------- d-----w C:\Program Files\McAfee
2008-05-14 14:00 --------- d-----w C:\Program Files\Apollo iPod Video Converter
2008-05-13 03:25 --------- d-----w C:\Program Files\ImageSplitter
2008-05-13 03:23 --------- d-----w C:\Program Files\Quicken
2007-07-03 17:48 2,917 ----a-w C:\Documents and Settings\Ed\Application Data\SAS7_000.DAT
2007-01-10 15:29 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLeh.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2007-05-18 13:48 2 --shatr C:\WINDOWS\winstart.bat
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-03 22:56 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-03 17:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB884020$\tcpip.sys
2004-08-13 18:50 359040 4092c56967175f009dc8458dc434358e C:\WINDOWS\$NtUninstallKB889527$\tcpip.sys
2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-28 23:45 360576 e7dfcffa380749b8626ad71e8f367dcb C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot_2008-05-17_15.11.17.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:02:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-22 17:56:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-22 13:58:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-17 14:13:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-22 13:58:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-22 17:56:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_778.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-09-11 13:23 144448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 19:01 40960 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-18 10:50 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-05-16 23:15:18 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Temporary\\utorrent.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 10:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 10:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 10:47]
S2 0206891211464732mcinstcleanup;McAfee Application Installer Cleanup (0206891211464732);C:\WINDOWS\TEMP\020689~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe [2002-05-03 12:36]

*Newly Created Service* - 0206891211464732MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 20:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-15 05:16:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-08-01 05:00:42 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 13:57:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-22 14:02:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 18:02:39
ComboFix2.txt 2008-05-21 15:15:21
ComboFix3.txt 2008-05-20 14:48:04
ComboFix4.txt 2008-05-19 13:19:47
ComboFix5.txt 2008-05-19 12:48:54

Pre-Run: 60,899,823,616 bytes free
Post-Run: 60,887,347,200 bytes free


#14 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 PM

Posted 23 May 2008 - 09:32 AM

Hi,

Using Windows Explorer, delete the following files/folders in red (Do not be concerned if they do not exist)

C:\WINDOWS\system32\6c207de4 <--this folder

Next,

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#15 Kougarz

Kougarz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Apex, NC
  • Local time:12:06 PM

Posted 23 May 2008 - 12:54 PM

Virus scan completed, report below:

------------------------- Kaspersky Log -------------------------------------

Friday, May 23, 2008 1:40:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/05/2008
Kaspersky Anti-Virus database records: 798905


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 130657
Number of viruses found 15
Number of infected objects 50
Number of suspicious objects 0
Duration of the scan process 01:54:26

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\Ed\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Ed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF8C09.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF8C17.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ed\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\anulehtj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bgwykuay.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bqpauxju.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jfemoqde.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lnqcyklb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tbw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\louumpjx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lraxcpaf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qsvqwmwa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqNHaWM.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.sta skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xrwbeqbg.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ymnoxycg.dll.vir Infected: Trojan.Win32.Monder.jn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP354\A0034997.exe/data0000.cab/file.exe Infected: Trojan.Win32.Pakes.cwe skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP354\A0034997.exe/data0000.cab Infected: Trojan.Win32.Pakes.cwe skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP354\A0034997.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP358\A0035440.dll Infected: Trojan.Win32.Monder.eb skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP358\A0035505.dll Infected: Trojan.Win32.Monder.eb skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP358\A0035509.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP358\A0035521.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP358\A0035522.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP361\A0035735.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP362\A0035833.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP369\A0036359.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sbz skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036709.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036710.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036714.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036716.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036717.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036719.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036720.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sta skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP379\A0036721.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP381\A0036791.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbv skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP381\A0036792.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbw skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP381\A0036794.dll Infected: Trojan.Win32.Monder.jn skipped
C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP381\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_qEKxrOdgnNkueWc Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_778.dat Object is locked skipped
C:\WINDOWS\Temp\sqlite_C0VhOVuXq3fdSbZ Object is locked skipped
C:\WINDOWS\Temp\sqlite_wQOUgwpACM38fyK Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Archive\Security.rar/LC4/pwdump3e.zip/LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3e.zip/PwDump3e.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3e.zip/pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3e.zip Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3v2.zip/LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3v2.zip/PwDump3.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3v2.zip/pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/LC4/pwdump3v2.zip Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped
D:\Archive\Security.rar/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Security.rar/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Security.rar/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Security.rar/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Security.rar RAR: infected - 12 skipped
D:\Archive\Utilities\RevelationV2.zip.baq/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Utilities\RevelationV2.zip.baq/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Utilities\RevelationV2.zip.baq/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
D:\Archive\Utilities\RevelationV2.zip.baq ZIP: infected - 3 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP381\change.log Object is locked skipped

Scan process completed.
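Reading a Kaspersky Online Scanner report by eye is error-prone: most of its lines are "Object is locked skipped" noise, and the "Infected" lines in the report above all sit in ComboFix's quarantine (C:\QooBox), in System Restore points (System Volume Information\_restore...), or inside archives on D:\, with the "not-a-virus:" prefix marking Kaspersky's riskware/tool class rather than malware. The triage script below is an added example, not code from the post or from BleepingComputer; it parses this 5.x report format and buckets detections by what a hit in that location actually means for the live system. The sample lines are constructed to mirror the report's record shapes, and the system32\hypothetical.dll entry is invented so that the "live" bucket is exercised (no such file appears in the report).

```python
"""Triage a Kaspersky Online Scanner 5.x text report.

Separates real detections from "Object is locked" noise and buckets
them by location, so the reader can see which hits still need action.
"""
import re
from collections import Counter

# One regex covers the three record shapes seen in these reports:
#   <path> Object is locked skipped
#   <path> Infected: <verdict> skipped
#   <path> <RAR|ZIP|Rsrc-Package>: infected - <n> skipped
# Paths contain spaces, so the path group is non-greedy and the match is
# anchored on the trailing action word.
RECORD_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<container>[\w-]+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)

# Constructed sample modelled on the report above; the last line is a
# hypothetical live hit that does NOT appear in the real report.
SAMPLE_REPORT = [
    r"C:\Documents and Settings\Ed\NTUSER.DAT Object is locked skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\anulehtj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\jfemoqde.dll.vir Infected: Trojan.Win32.Monder.gen skipped",
    r"C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP358\A0035440.dll Infected: Trojan.Win32.Monder.eb skipped",
    r"C:\System Volume Information\_restore{1FC2137D-171F-4DD4-945B-171B5DA2302F}\RP354\A0034997.exe Rsrc-Package: infected - 2 skipped",
    r"D:\Archive\Security.rar/LC4/pwdump3e.zip/PwDump3e.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 skipped",
    r"D:\Archive\Security.rar RAR: infected - 12 skipped",
    r"C:\WINDOWS\system32\hypothetical.dll Infected: Trojan.Win32.Monder.gen skipped",
]


def parse_record(line):
    """Parse one report line into a dict, or return None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["locked"]:
        rec["kind"] = "locked"          # scanner could not open the file
    elif rec["container"]:
        rec["kind"] = "container"       # roll-up of members already listed
    else:
        rec["kind"] = "detection"
    return rec


def classify_location(path):
    """Bucket a detection path by what it means for the running system."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already moved aside by ComboFix (.vir)
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # inert unless System Restore is used
    if "/" in p:
        return "archive_member"  # inside a .rar/.zip/installer package
    return "live"                # loadable from disk: needs action


def verdict_family(verdict):
    """'not-a-virus:AdWare.Win32.Virtumonde.srg' -> 'AdWare.Win32.Virtumonde'."""
    name = verdict.split(":", 1)[-1]      # drop the riskware prefix if present
    return name.rsplit(".", 1)[0]         # drop the variant suffix


def triage(report_lines):
    """Return per-bucket counts, verdict families, live hits and riskware hits."""
    buckets, families = Counter(), Counter()
    live, riskware = [], []
    for line in report_lines:
        rec = parse_record(line)
        if rec is None or rec["kind"] != "detection":
            continue   # ignore locked-file noise and container roll-ups
        loc = classify_location(rec["path"])
        buckets[loc] += 1
        families[verdict_family(rec["verdict"])] += 1
        if loc == "live":
            live.append((rec["path"], rec["verdict"]))
        if rec["verdict"].startswith("not-a-virus:"):
            riskware.append(rec["path"])  # Kaspersky's riskware/tool class
    return {"buckets": dict(buckets), "families": dict(families),
            "live": live, "riskware": riskware}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, n in sorted(result["buckets"].items()):
        print(f"{bucket:15s} {n}")
    for path, verdict in result["live"]:
        print(f"LIVE  {verdict}  {path}")
```

Run against the real report, the "live" list comes back empty: quarantine entries go away when ComboFix's quarantine is purged, restore-point copies when System Restore is flushed, and the D:\Archive hits are password-recovery tools that Kaspersky classifies as riskware rather than infections, so whether they stay is a judgement about the archive, not about the infection.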



