Explorer.exe Closes Every Few Seconds


  • This topic is locked
2 replies to this topic

#1 wllazer17 (Members, 1 posts)

Posted 16 May 2008 - 11:46 AM

I think I may have some malware... possibly virtumonde

Every few seconds explorer.exe closes and reopens and recloses many times. Eventually it stays off and I have no taskbar or desktop icons.

Here is my logfile... thanks for any help

Deckard's System Scanner v20071014.68
Run by Zach on 2008-05-16 12:52:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-05-16 16:52:36 UTC - RP246 - Deckard's System Scanner Restore Point
3: 2008-05-16 11:26:43 UTC - RP245 - System Checkpoint
2: 2008-05-16 11:08:37 UTC - RP244 - Last known good configuration
1: 2008-05-16 11:08:27 UTC - RP243 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Zach.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:58 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zach\Desktop\dss.exe
C:\DOCUME~1\Zach\Desktop\Zach.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F62A3C0-CFA1-42B7-A152-3A54AB61AA7B} - C:\WINDOWS\system32\jkKcCrQK.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {36D9CB8D-B8CA-4A85-A879-06A71109F11E} - C:\WINDOWS\system32\jkkKeddE.dll
O2 - BHO: (no name) - {3A782226-7D94-48B0-A69B-EA83FA14A5E6} - C:\WINDOWS\system32\opnnkiGW.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {861E0DAB-CF4E-42D2-8845-37A888E373E8} - C:\WINDOWS\system32\fccaBUoo.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "C:\Program Files\Mediafour\XPlay 3\XPlay.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: allSnap.lnk = C:\Program Files\allSnap\allSnap.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203744587989
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203744580909
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkKeddE - C:\WINDOWS\SYSTEM32\jkkKeddE.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 12059 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 MDFSYSNT (MacDrive file system driver) - c:\windows\system32\drivers\mdfsysnt.sys <Not Verified; Mediafour Corporation; Mediafour MacDrive>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 catchme - c:\docume~1\zach\locals~1\temp\catchme.sys (file missing)

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 M4iPodWPDService - "c:\program files\common files\mediafour\ipod\m4ipodwpdservice.exe" <Not Verified; Mediafour Corporation; Mediafour XPlay>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_FF101179&REV_00\4&1D3F0FBB&0&33F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_FF101179&REV_00\4&1D3F0FBB&0&33F0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter


-- Scheduled Tasks -------------------------------------------------------------

2008-05-13 07:07:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 11:54:17 0 d-------- C:\WINDOWS\ERUNT
2008-05-16 11:19:43 5293 --ahs---- C:\WINDOWS\system32\KQrCcKkj.ini2
2008-05-16 11:19:28 370688 --a------ C:\WINDOWS\system32\jkKcCrQK.dll
2008-05-16 10:49:06 0 d-------- C:\WINDOWS\CSC
2008-05-16 07:08:16 2801 --ahs---- C:\WINDOWS\system32\ooUBaccf.ini2
2008-05-16 07:08:13 370688 --a------ C:\WINDOWS\system32\fccaBUoo.dll
2008-05-16 00:54:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\foobar2000
2008-05-16 00:52:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 00:52:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-16 00:52:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-16 00:52:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 00:52:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 00:52:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 00:52:00 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 00:52:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 00:52:00 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-16 00:52:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 00:52:00 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 00:52:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 00:52:00 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 00:52:00 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 00:52:00 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 00:52:00 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 00:52:00 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-16 00:14:53 0 d-------- C:\Documents and Settings\Zach\Application Data\Malwarebytes
2008-05-16 00:14:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 00:14:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 23:59:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 23:57:23 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-05-15 23:23:57 59392 -----n--- C:\WINDOWS\system32\jkkKeddE.dll
2008-05-14 22:41:49 29696 --a------ C:\WINDOWS\mickey32.dll <Not Verified; MacSourcery; Mickey DLL>
2008-05-14 22:41:49 232784 --a------ C:\WINDOWS\Matrix Code.scr <Not Verified; MacSourcery; CineMac for Director>
2008-05-14 22:41:49 2285222 --a------ C:\WINDOWS\Matrix Code.exe <Not Verified; Macromedia, Inc.; Macromedia Director>
2008-05-14 22:39:44 0 d-------- C:\Program Files\KellySoftware
2008-05-14 20:42:58 0 d-------- C:\Documents and Settings\Zach\Application Data\Nero
2008-05-14 20:38:37 0 d-------- C:\Program Files\Nero
2008-05-14 20:38:37 0 d-------- C:\Program Files\Common Files\Nero
2008-05-14 20:38:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-14 04:08:45 0 --a------ C:\2008-05-14 at 04
2008-05-13 23:08:12 0 d-------- C:\Program Files\USPS
2008-05-13 22:47:52 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-13 22:36:37 0 d-------- C:\Program Files\Bonjour
2008-05-13 22:20:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-11 20:46:40 0 d-------- C:\Documents and Settings\Zach\Application Data\Talkback
2008-05-08 10:11:42 0 --a------ C:\2008-05-08 at 10
2008-05-03 15:09:20 69632 --a------ C:\WINDOWS\RAUNINST.EXE
2008-05-03 15:09:07 0 d-------- C:\WESTWOOD
2008-05-03 15:08:45 0 d-------- C:\Documents and Settings\Zach\WINDOWS
2008-05-03 13:06:43 0 d--h----- C:\WINDOWS\PIF
2008-04-30 21:54:34 0 d-------- C:\Documents and Settings\Zach\Application Data\.purple
2008-04-30 21:54:11 0 d-------- C:\Program Files\Aspell
2008-04-30 21:53:39 0 d-------- C:\Program Files\Pidgin
2008-04-30 21:53:22 0 d-------- C:\Program Files\Common Files\GTK
2008-04-26 00:35:52 0 d-------- C:\Program Files\zbattle.net
2008-04-21 20:14:41 0 d-------- C:\Documents and Settings\Zach\Application Data\TVU Networks
2008-04-21 20:14:30 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-04-21 20:14:25 0 d-------- C:\Documents and Settings\Zach\LocalLow
2008-04-21 20:14:19 0 d-------- C:\Program Files\TVUPlayer
2008-04-19 17:05:46 0 --a------ C:\2008-04-19 at 05
2008-04-18 23:50:19 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-18 15:51:20 0 d-------- C:\Documents and Settings\Zach\Application Data\Intel
2008-04-18 15:51:20 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-04-18 15:51:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-04-18 15:51:19 0 d-------- C:\Documents and Settings\Default User\Application Data\Intel
2008-04-18 15:50:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-04-18 15:19:32 0 d-------- C:\Program Files\Jets N Guns
2008-04-18 15:19:22 0 d-------- C:\Program Files\ReflexiveArcade
2008-04-17 18:18:28 0 d-------- C:\Program Files\Apple Software Update
2008-04-16 18:24:38 0 d-------- C:\Program Files\802.11 Wireless LAN


-- Find3M Report ---------------------------------------------------------------

2008-05-16 00:45:05 0 d-------- C:\Documents and Settings\Zach\Application Data\uTorrent
2008-05-15 23:21:25 0 d-------- C:\Documents and Settings\Zach\Application Data\Adobe
2008-05-15 23:04:38 0 d-------- C:\Documents and Settings\Zach\Application Data\foobar2000
2008-05-15 22:46:43 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-15 21:12:38 16978 --a------ C:\logfile
2008-05-14 22:43:44 0 d-------- C:\Program Files\FlashGet
2008-05-14 21:00:38 0 d-------- C:\Program Files\Steam
2008-05-14 20:38:37 0 d-------- C:\Program Files\Common Files
2008-05-13 22:36:32 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-10 19:38:04 0 d-------- C:\Program Files\Screenshot Pilot
2008-05-08 16:07:15 0 d-------- C:\Program Files\Brownie
2008-05-08 16:07:11 34 --a------ C:\WINDOWS\system32\BD2070N.DAT
2008-05-08 16:07:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-30 21:59:07 0 d-------- C:\Program Files\AIM6
2008-04-30 21:55:09 0 d-------- C:\Documents and Settings\Zach\Application Data\gtk-2.0
2008-04-28 23:29:35 744 --a------ C:\Documents and Settings\Zach\Application Data\AtomicAlarmClock.ini
2008-04-26 00:12:05 0 d-------- C:\Documents and Settings\Zach\Application Data\mIRC
2008-04-26 00:11:49 0 d-------- C:\Program Files\mIRC
2008-04-26 00:00:24 0 d-------- C:\Program Files\foobar2000
2008-04-20 13:30:51 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-18 23:50:49 0 d-------- C:\Documents and Settings\Zach\Application Data\Mozilla
2008-04-16 01:17:07 0 d-------- C:\Program Files\Paragon
2008-04-14 22:34:48 0 d-------- C:\Documents and Settings\Zach\Application Data\Last Minute Bidder
2008-04-14 09:26:41 0 d-------- C:\Program Files\BayGenie
2008-04-12 14:16:45 0 d-------- C:\Program Files\Mediafour
2008-04-12 14:16:45 0 d-------- C:\Program Files\Common Files\Mediafour
2008-04-12 13:38:24 0 d-------- C:\Program Files\allSnap
2008-04-11 17:54:20 0 d-------- C:\Program Files\SopCast
2008-04-11 09:06:40 1208 --a------ C:\Documents and Settings\Zach\Application Data\alarms.ini
2008-04-07 09:43:12 0 d-------- C:\Program Files\iTunes
2008-04-07 09:42:44 0 d-------- C:\Program Files\iPod
2008-04-07 09:40:39 0 d-------- C:\Program Files\QuickTime
2008-04-05 23:25:15 0 d-------- C:\Program Files\JAM Software
2008-04-05 21:57:11 0 d-------- C:\Documents and Settings\Zach\Application Data\FileZilla
2008-04-03 18:33:18 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-02 15:05:36 0 d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-02 15:05:24 0 d-------- C:\Program Files\TechSmith
2008-03-30 20:49:34 0 d-------- C:\Documents and Settings\Zach\Application Data\GeoVid
2008-03-30 20:48:38 0 d-------- C:\Program Files\GeoVid
2008-03-30 20:13:58 0 d-------- C:\Program Files\Common Files\GeoVid
2008-03-29 21:29:23 0 d-------- C:\Program Files\Network Stumbler
2008-03-29 20:30:01 0 d-------- C:\Program Files\WMPKeys
2008-03-29 18:33:12 0 d-------- C:\Program Files\Ipod Video Converter
2008-03-29 17:47:00 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-29 16:52:37 0 d-------- C:\Documents and Settings\Zach\Application Data\Jasc
2008-03-29 16:51:42 0 d-------- C:\Program Files\Jasc Software Inc
2008-03-29 14:22:43 0 d-------- C:\Program Files\Red Kawa
2008-03-28 19:31:36 0 d-------- C:\Program Files\PeerGuardian2
2008-03-28 19:22:27 0 d-------- C:\Program Files\Soulseek
2008-03-25 09:32:27 0 d-------- C:\Documents and Settings\Zach\Application Data\VMware
2008-03-20 01:01:04 0 d-------- C:\Program Files\Soulseek-Test
2008-03-19 20:08:06 0 d-------- C:\Program Files\BestGameEver
2008-03-19 04:01:02 0 d-------- C:\Program Files\MSXML 6.0
2008-03-18 00:53:39 0 d-------- C:\Program Files\Autodesk Impression
2008-03-18 00:53:38 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-18 00:51:45 0 d-------- C:\Documents and Settings\Zach\Application Data\Autodesk
2008-03-17 18:39:45 0 d-------- C:\Program Files\AutoCAD 2008
2008-03-17 18:31:17 0 d-------- C:\Program Files\Autodesk
2008-03-17 17:03:05 0 d-------- C:\Documents and Settings\Zach\Application Data\Thunderbird
2008-03-14 15:15:40 376088 --a------ C:\vxworkskillerGSv7-v3.bin
2008-03-12 13:23:56 0 --a------ C:\2008-03-12 at 01
2008-03-04 16:05:58 14848 --a------ C:\WINDOWS\system32\s24NCfg.dll <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
2008-03-04 14:40:12 212992 --a------ C:\WINDOWS\system32\NetProvCredMan.dll <Not Verified; Intel Corporation; NetProvCredMan Dynamic Link Library>
2008-03-01 14:24:13 0 --a------ C:\2008-03-01 at 01
2008-02-27 21:42:32 2036 --a------ C:\WINDOWS\mozver.dat
2008-02-24 05:36:45 33087 --a------ C:\WINDOWS\scunin.dat
2008-02-24 05:36:43 967 --a------ C:\WINDOWS\ScUnin.pif
2008-02-24 05:36:43 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-02-23 01:15:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-23 00:56:43 0 -rahs---- C:\MSDOS.SYS
2008-02-23 00:56:43 0 -rahs---- C:\IO.SYS
2008-02-23 00:56:43 0 --a------ C:\CONFIG.SYS
2008-02-23 00:56:43 0 --a------ C:\AUTOEXEC.BAT
2008-02-23 00:40:49 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-22 19:31:28 62 --ahs---- C:\Documents and Settings\Zach\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F62A3C0-CFA1-42B7-A152-3A54AB61AA7B}]
05/16/2008 11:19 AM 370688 --a------ C:\WINDOWS\system32\jkKcCrQK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36D9CB8D-B8CA-4A85-A879-06A71109F11E}]
05/15/2008 11:23 PM 59392 --------- C:\WINDOWS\system32\jkkKeddE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A782226-7D94-48B0-A69B-EA83FA14A5E6}]
C:\WINDOWS\system32\opnnkiGW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861E0DAB-CF4E-42D2-8845-37A888E373E8}]
05/16/2008 07:08 AM 370688 --a------ C:\WINDOWS\system32\fccaBUoo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05/29/2007 05:33 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [10/07/2007 09:48 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/29/2007 03:17 AM C:\WINDOWS\KHALMNPR.Exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/13/2007 10:47 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/13/2007 10:47 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [01/13/2007 10:46 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [10/14/2004 10:11 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [08/06/2004 09:27 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [02/24/2008 04:15 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/27/2008 09:41 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [10/08/2007 10:26 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="C:\Program Files\Mediafour\XPlay 3\XPlay.exe" [03/06/2008 09:36 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [03/04/2008 02:46 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [03/04/2008 02:41 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [09/20/2007 09:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

C:\Documents and Settings\Zach\Start Menu\Programs\Startup\
allSnap.lnk - C:\Program Files\allSnap\allSnap.exe [4/12/2008 1:38:24 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/24/2008 4:53:16 AM]
VPN Client.lnk - C:\WINDOWS\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2/23/2008 2:13:48 AM]
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [4/12/2005 10:03:26 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{36D9CB8D-B8CA-4A85-A879-06A71109F11E}"= C:\WINDOWS\system32\jkkKeddE.dll [05/15/2008 11:23 PM 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKeddE]
jkkKeddE.dll 05/15/2008 11:23 PM 59392 C:\WINDOWS\system32\jkkKeddE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkKcCrQK

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Zach^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Zach\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

-- End of Deckard's System Scanner: finished at 2008-05-16 12:57:39 ------------

Edited by wllazer17, 16 May 2008 - 11:58 AM.
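Four entries in the registry section of that log sit in places ordinary software almost never touches: a ShellExecuteHooks DLL (on a default XP install that key normally holds only Microsoft's shell32.dll URL Exec Hook), a Winlogon\Notify subkey named after the same DLL, an AppInit_DLLs value, and an extra "Authentication Packages" entry next to msv1_0 that loads into lsass.exe. Two of those files also carry the 8-letter, mixed-case names (jkkKeddE, jkKcCrQK) typical of the Virtumonde/Vundo family the poster suspects. The Python script below is an added example, not part of the original post and not part of DSS or HijackThis: it parses lines in the DSS "[KEY]" / value-line format, keeps every path found under one of those four load points, and adds a second flag when the file name looks generated. The embedded sample is an abridged copy of lines from the log above; the key list, the descriptions of what each key does, and the name heuristic are the example's own assumptions, so treat its output as a short-list for a human to verify, not as a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of lines from the DSS registry dump in
# the post above, kept in DSS's own "[KEY]" / value-line format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{36D9CB8D-B8CA-4A85-A879-06A71109F11E}"= C:\WINDOWS\system32\jkkKeddE.dll [05/15/2008 11:23 PM 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKeddE]
jkkKeddE.dll 05/15/2008 11:23 PM 59392 C:\WINDOWS\system32\jkkKeddE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkKcCrQK
"""

# Load points rarely used by ordinary software but popular for persistence
# (assumed list). Each suffix is matched case-insensitively against the tail
# of the section header; the text describes the context the DLL runs in.
HIGH_RISK_KEYS = {
    r"explorer\shellexecutehooks":
        "ShellExecuteHooks: DLL is loaded into Explorer and runs on every ShellExecute",
    r"winlogon\notify":
        "Winlogon Notify: DLL is loaded into winlogon.exe, which runs as SYSTEM",
    r"currentversion\windows":
        "AppInit_DLLs: DLL is loaded into every process that links user32.dll",
    r"control\lsa":
        "LSA Authentication Packages: DLL is loaded into lsass.exe",
}

# A Windows path inside a DSS value line: "X:\..." up to a closing quote,
# the " [date size]" suffix, or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?(?=\s*\[|"|$)')

@dataclass
class Finding:
    key: str
    path: str
    reasons: list

def parse_sections(log_text):
    """Yield (key, [value lines]) for every [KEY] block in a DSS registry dump."""
    key, values = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        yield key, values

def looks_random(stem):
    """Heuristic (assumption) for generated names like jkkKeddE / jkKcCrQK:
    exactly 8 letters, first letter lower-case, case flips at least 3 times.
    CamelCase product names fail the first-letter test; plain lower-case
    names have no flips."""
    if len(stem) != 8 or not stem.isalpha() or not stem[0].islower():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() != b.islower())
    return flips >= 3

def triage(log_text):
    """Return a Finding for every path that sits in a high-risk key or has a
    random-looking file name; each Finding lists the reasons it was kept."""
    findings = []
    for key, values in parse_sections(log_text):
        key_lower = key.lower()
        context = next((desc for suffix, desc in HIGH_RISK_KEYS.items()
                        if key_lower.endswith(suffix) or suffix + "\\" in key_lower),
                       None)
        for value in values:
            for path in PATH_RE.findall(value):
                reasons = [context] if context else []
                stem = path.rsplit("\\", 1)[-1].split(".")[0]
                if looks_random(stem):
                    reasons.append("random-looking 8-letter name: " + stem)
                if reasons:
                    findings.append(Finding(key, path, reasons))
    return findings

def suspicious(findings):
    """Entries that are both in a high-risk key and carry a generated-looking name."""
    return [f for f in findings if len(f.reasons) >= 2]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "SUSPICIOUS" if len(f.reasons) >= 2 else "review"
        print(f"{tag:10} {f.path}  ({'; '.join(f.reasons)})")
```

On the sample, the three jkk*/jkK* entries come out as SUSPICIOUS (high-risk key plus generated-looking name) and the Google AppInit_DLLs entry as "review" (high-risk key only), which matches how a log reviewer would read them: AppInit_DLLs is worth a look regardless of who owns the file, while the Nero Run entry under an ordinary key with a product name is not listed at all. Paste the full registry section of a DSS log into SAMPLE_LOG, or read it from a file, to run it on a real case.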


#2 RenatoMejias
Malware Response Team, 913 posts

Posted 10 June 2008 - 09:01 PM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks, and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they can both be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue, as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in Portuguese

#3 don77
Forum Regular, Members, 3,212 posts, Location: Boston Mass

Posted 15 June 2008 - 02:32 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
