Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus Scanner Detects Vundo


  • This topic is locked This topic is locked
6 replies to this topic

#1 mcxlviii

mcxlviii

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 19 May 2008 - 08:26 PM

I believe I got infected over at crackspider.com. Avast was able to detect a bunch of stuff and I read on wikipedia that vundo creates randomly generated dlls. Avast detected a bunch of sssqqqqqqqq.dll files and other variations which I deleted because I couldn't quarantine them as they were in use. Here are my logs. Thanks in advance!



Deckard's System Scanner v20071014.68
Run by Drew on 2008-05-19 21:08:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
93: 2008-05-20 01:08:06 UTC - RP532 - Deckard's System Scanner Restore Point
92: 2008-05-19 10:24:19 UTC - RP531 - System Checkpoint
91: 2008-05-18 10:03:58 UTC - RP530 - System Checkpoint
90: 2008-05-17 09:48:19 UTC - RP529 - System Checkpoint
89: 2008-05-16 08:29:43 UTC - RP528 - System Checkpoint


-- First Restore Point --
1: 2008-05-12 23:13:27 UTC - RP440 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Drew.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:33 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Drew\Desktop\dss.exe
C:\DOCUME~1\Drew\Desktop\Drew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {9ddb1f8b-41e7-416b-a8b4-cd7b9e13c402} - {204c31e9-b7dc-4b8a-b614-7e14b8f1bdd9} - C:\WINDOWS\system32\ujovacmm.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} - C:\WINDOWS\system32\iifDwULb.dll
O2 - BHO: (no name) - {FDF3A7F2-EE46-4FF7-AD27-B5A40A91556A} - C:\WINDOWS\system32\ssqqqqqq.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [24c8c4ec] rundll32.exe "C:\WINDOWS\system32\hglcsvsl.dll",b
O4 - HKLM\..\Run: [BM27fbf770] Rundll32.exe "C:\WINDOWS\system32\socemnrd.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Creative Element Power Tools Startup.lnk = C:\Program Files\Creative Element Power Tools\Startup.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162861459437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162862206890
O20 - Winlogon Notify: iifDwULb - C:\WINDOWS\SYSTEM32\iifDwULb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10135 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 WIBUKEY (WIBU-KEY Kernel Driver) - c:\windows\system32\drivers\wibukey.sys <Not Verified; WIBU-SYSTEMS AG; WIBU-KEY Software Protection System>
R3 L6DP - c:\windows\system32\drivers\l6dp.sys <Not Verified; Line 6; Line 6 Device Proxy>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 GPWADrv (Service for L6 GuitarPort Driver (WDM)) - c:\windows\system32\drivers\gpwadrv.sys <Not Verified; Line 6; GuitarPort>
S3 MAUSB (Service for M-Audio Fast Track Pro Driver (WDM)) - c:\windows\system32\drivers\mausb.sys <Not Verified; Midiman/M-Audio; M-Audio Delta FW WDM Driver>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 MAudioUSBService (M-Audio USB Installer) - c:\program files\m-audio\fast track pro\mausbinst.exe <Not Verified; M-Audio; M-Audio USB Installer service>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01CD1028&REV_02\4&2FE911E8&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01CD1028&REV_02\4&2FE911E8&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\55C8561424FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\55C8561424FC000
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 13:14:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-18 23:50:09 0 --a------ C:\WINDOWS\system32\hglcsvsl.dll
2008-05-18 23:35:00 0 --a------ C:\WINDOWS\system32\ujovacmm.dll
2008-05-18 16:13:32 0 d-------- C:\WINDOWS\pss
2008-05-18 16:05:57 0 -----n--- C:\WINDOWS\system32\utwoqhio.dll
2008-05-18 16:05:52 0 --a------ C:\WINDOWS\system32\rspixjqe.dll
2008-05-18 16:03:15 0 --a------ C:\WINDOWS\system32\jhvvgmir.dll
2008-05-17 14:44:48 0 -----n--- C:\WINDOWS\system32\nevcwjuf.dll
2008-05-17 14:41:19 0 --a------ C:\WINDOWS\system32\ofokaegs.dll
2008-05-17 14:23:48 0 --a------ C:\WINDOWS\system32\bchglwyu.dll
2008-05-16 04:05:00 0 --a------ C:\WINDOWS\system32\npqajdgj.dll
2008-05-16 04:02:00 0 -----n--- C:\WINDOWS\system32\aoeodupe.dll
2008-05-16 03:56:15 0 --a------ C:\WINDOWS\system32\apcmdqit.dll
2008-05-15 01:24:49 0 dr-h----- C:\Documents and Settings\Drew\Recent
2008-05-14 03:28:57 0 --a------ C:\WINDOWS\system32\lpejajvh.dll
2008-05-14 03:08:45 0 --a------ C:\WINDOWS\system32\epkbcmkn.dll
2008-05-14 02:09:16 60544 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-13 20:09:47 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll <Not Verified; Propellerhead Software AB; REX SDK>
2008-05-13 20:09:47 368640 --a------ C:\WINDOWS\system32\ReWire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-13 20:00:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-05-13 20:00:21 0 d-------- C:\Documents and Settings\Drew\Application Data\Propellerhead Software
2008-05-13 19:58:32 0 d-------- C:\Program Files\Propellerhead
2008-05-13 19:54:04 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-13 19:54:03 0 d-------- C:\Program Files\MagicDisc
2008-05-13 18:20:50 59904 --a------ C:\WINDOWS\system32\nnnnljKe.dll
2008-05-13 07:22:14 0 --a------ C:\WINDOWS\system32\ccirxkoc.dll
2008-05-13 07:16:14 0 --a------ C:\WINDOWS\system32\rlfqghue.dll
2008-05-12 19:13:15 1342760 --ahs---- C:\WINDOWS\system32\qqqqqqss.ini2
2008-05-12 19:13:00 370688 --a------ C:\WINDOWS\system32\ssqqqqqq.dll
2008-05-12 19:08:07 59904 --a------ C:\WINDOWS\system32\cbXopPfe.dll
2008-05-12 19:07:48 59904 --a------ C:\WINDOWS\system32\iifDwULb.dll
2008-05-12 18:34:25 0 d-------- C:\Program Files\MagicISO
2008-05-11 00:53:30 0 d-------- C:\Documents and Settings\Drew\Application Data\Blueberry
2008-05-11 00:50:29 0 d-------- C:\Documents and Settings\Drew\Application Data\LogSys
2008-05-11 00:50:28 0 d-------- C:\Documents and Settings\All Users\Application Data\LogSys
2008-05-11 00:50:17 0 d-------- C:\Program Files\Common Files\Blueberry Software
2008-05-11 00:50:17 0 d-------- C:\Program Files\Blueberry Software
2008-05-11 00:50:04 0 d--h---c- C:\Documents and Settings\All Users\Application Data\{21C1E35C-913A-42D2-91B6-6AE1243D6B65}


-- Find3M Report ---------------------------------------------------------------

2008-05-16 07:45:52 0 d-------- C:\Documents and Settings\Drew\Application Data\OpenOffice.org2
2008-05-15 01:25:43 0 d-------- C:\Documents and Settings\Drew\Application Data\IrfanView
2008-05-14 02:05:21 0 d-------- C:\Documents and Settings\Drew\Application Data\Apple Computer
2008-05-13 19:19:42 0 d-------- C:\Documents and Settings\Drew\Application Data\Azureus
2008-05-13 02:36:51 0 d-------- C:\Documents and Settings\Drew\Application Data\Adobe
2008-05-12 19:01:41 0 d-------- C:\Program Files\Azureus
2008-05-12 18:49:25 0 dr------- C:\Program Files\Image-Line
2008-05-12 18:46:36 0 d-------- C:\Program Files\Audacity
2008-05-12 18:46:29 0 d-------- C:\Program Files\GIMP-2.0
2008-05-11 00:50:17 0 d-------- C:\Program Files\Common Files
2008-04-24 23:26:01 0 d-------- C:\Program Files\World of Warcraft
2008-04-08 18:19:41 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-08 18:18:32 0 d-------- C:\Program Files\OpenOffice.org 2.0
2008-04-08 18:15:35 0 d-------- C:\Program Files\Java
2008-04-04 23:54:53 0 d-------- C:\Program Files\ScreenPrint32 v3
2008-04-04 23:54:20 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-03 22:12:00 0 d-------- C:\Program Files\AIM
2008-04-03 00:35:04 0 d-------- C:\Program Files\iTunes
2008-04-03 00:34:43 0 d-------- C:\Program Files\iPod
2008-04-03 00:33:16 0 d-------- C:\Program Files\QuickTime
2008-03-26 18:33:55 0 d-------- C:\Program Files\Safari


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
05/12/2008 07:07 PM 59904 --a------ C:\WINDOWS\system32\iifDwULb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDF3A7F2-EE46-4FF7-AD27-B5A40A91556A}]
05/12/2008 07:13 PM 370688 --------- C:\WINDOWS\system32\ssqqqqqq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 11:44 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 11:41 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 11:45 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/08/2006 08:48 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 05:08 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/25/2006 01:30 AM C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [08/03/2006 08:51 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 06:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 06:50 PM]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [08/22/2006 05:32 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" []
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 08:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [05/15/2003 08:36 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/02/2008 12:15 AM]
"BM27fbf770"="C:\WINDOWS\system32\socemnrd.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [09/10/2003 04:24 AM]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [07/16/2006 11:29 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [01/23/2008 11:35 PM]

C:\Documents and Settings\Drew\Start Menu\Programs\Startup\
Creative Element Power Tools Startup.lnk - C:\Program Files\Creative Element Power Tools\Startup.exe [3/26/2007 9:26:04 PM]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [5/13/2008 7:54:03 PM]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/1/2006 7:09:36 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/4/2005 12:07:32 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\WINDOWS\system32\iifDwULb.dll [05/12/2008 07:07 PM 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifDwULb]
iifDwULb.dll 05/12/2008 07:07 PM 59904 C:\WINDOWS\system32\iifDwULb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqqqqqq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be1368e-ca31-11dc-b553-0018f37d7263}]
AutoRun\command- G:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503a356f-6df5-11db-b51a-806d6172696f}]
PlayWithMediaDirect\Command- "C:\Program Files\Dell\MediaDirect\MDirect.exe" AUTOPLAY MOVIE "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c64ac2-7278-11db-b521-0018f37d7263}]
AutoRun\command- E:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-05-19 21:16:17 ------------

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:24 AM

Posted 20 May 2008 - 12:15 AM

Hello mcxlviii,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 mcxlviii

mcxlviii
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 20 May 2008 - 08:27 AM

Here they are. Thank you very much!
BTW, I'm still getting Vundo virus notifications from Avast


ComboFix 08-05-15.3 - Drew 2008-05-20 8:20:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.481 [GMT -4:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\asmqkptk.ini
C:\WINDOWS\system32\dkaqtjwp.ini
C:\WINDOWS\system32\epudoeoa.ini
C:\WINDOWS\system32\fujwcven.ini
C:\WINDOWS\system32\lsvsclgh.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oihqowtu.ini
C:\WINDOWS\system32\qqqqqqss.ini
C:\WINDOWS\system32\qqqqqqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-19 23:51 . 2008-05-19 23:54 <DIR> d-------- C:\VundoFix Backups
2008-05-19 21:07 . 2008-05-19 21:07 <DIR> d-------- C:\Deckard
2008-05-14 02:09 . 2008-05-14 02:09 60,544 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-13 20:09 . 2008-05-13 20:09 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-05-13 20:09 . 2008-05-13 20:09 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-05-13 20:00 . 2008-05-13 20:53 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\Propellerhead Software
2008-05-13 20:00 . 2008-05-13 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-05-13 19:58 . 2008-05-13 19:58 <DIR> d-------- C:\Program Files\Propellerhead
2008-05-13 19:54 . 2008-05-13 19:54 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-13 19:54 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-13 19:27 . 2008-05-20 08:26 31 --a------ C:\WINDOWS\system32\bbcap.err
2008-05-13 18:20 . 2008-05-13 18:20 59,904 --a------ C:\WINDOWS\system32\nnnnljKe.dll
2008-05-13 07:16 . 2008-05-19 21:01 109,807 --a------ C:\WINDOWS\BM27fbf770.xml
2008-05-12 19:08 . 2008-05-12 19:08 59,904 --a------ C:\WINDOWS\system32\cbXopPfe.dll
2008-05-12 19:07 . 2008-05-12 19:07 59,904 --a------ C:\WINDOWS\system32\iifDwULb.dll
2008-05-12 18:34 . 2008-05-13 18:21 <DIR> d-------- C:\Program Files\MagicISO
2008-05-11 00:53 . 2008-05-11 02:36 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\Blueberry
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Program Files\Common Files\Blueberry Software
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Program Files\Blueberry Software
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\LogSys
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogSys
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{21C1E35C-913A-42D2-91B6-6AE1243D6B65}
2008-05-11 00:50 . 2008-05-11 00:50 30,720 --a------ C:\WINDOWS\system32\bbcap.dll
2008-05-11 00:50 . 2008-05-11 00:50 4,608 --a------ C:\WINDOWS\system32\bbchlp.dll
2008-05-11 00:50 . 2008-05-11 00:50 4,096 --a------ C:\WINDOWS\system32\drivers\bbcap.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 03:57 --------- d-----w C:\Documents and Settings\Drew\Application Data\OpenOffice.org2
2008-05-20 03:55 --------- d-----w C:\Program Files\PowerISO
2008-05-15 13:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-15 13:11 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-15 13:11 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-15 13:11 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 05:25 --------- d-----w C:\Documents and Settings\Drew\Application Data\IrfanView
2008-05-14 06:05 --------- d-----w C:\Documents and Settings\Drew\Application Data\Apple Computer
2008-05-13 23:26 --------- d-----w C:\Program Files\Unlocker
2008-05-13 23:19 --------- d-----w C:\Documents and Settings\Drew\Application Data\Azureus
2008-05-12 23:01 --------- d-----w C:\Program Files\Azureus
2008-05-12 22:49 --------- d-----r C:\Program Files\Image-Line
2008-05-12 22:46 --------- d-----w C:\Program Files\GIMP-2.0
2008-05-12 22:46 --------- d-----w C:\Program Files\Audacity
2008-05-05 23:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 03:26 --------- d-----w C:\Program Files\World of Warcraft
2008-04-08 22:19 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-08 22:18 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2008-04-08 22:15 --------- d-----w C:\Program Files\Java
2008-04-06 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 03:54 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-05 03:54 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-05 03:54 --------- d-----w C:\Program Files\ScreenPrint32 v3
2008-04-04 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-04 02:12 --------- d-----w C:\Program Files\AIM
2008-04-04 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-03 04:35 --------- d-----w C:\Program Files\iTunes
2008-04-03 04:34 --------- d-----w C:\Program Files\iPod
2008-04-03 04:33 --------- d-----w C:\Program Files\QuickTime
2008-03-26 22:33 --------- d-----w C:\Program Files\Safari
2007-07-09 00:45 92,064 ----a-w C:\Documents and Settings\Drew\mqdmmdm.sys
2007-07-09 00:45 9,232 ----a-w C:\Documents and Settings\Drew\mqdmmdfl.sys
2007-07-09 00:45 79,328 ----a-w C:\Documents and Settings\Drew\mqdmserd.sys
2007-07-09 00:45 66,656 ----a-w C:\Documents and Settings\Drew\mqdmbus.sys
2007-07-09 00:45 6,208 ----a-w C:\Documents and Settings\Drew\mqdmcmnt.sys
2007-07-09 00:45 5,936 ----a-w C:\Documents and Settings\Drew\mqdmwhnt.sys
2007-07-09 00:45 4,048 ----a-w C:\Documents and Settings\Drew\mqdmcr.sys
2007-07-09 00:45 25,600 ----a-w C:\Documents and Settings\Drew\usbsermptxp.sys
2007-07-09 00:45 22,768 ----a-w C:\Documents and Settings\Drew\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
2008-05-12 19:07 59904 --a------ C:\WINDOWS\system32\iifDwULb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDF3A7F2-EE46-4FF7-AD27-B5A40A91556A}]
C:\WINDOWS\system32\ssqqqqqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 04:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 23:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-23 23:35 4608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 11:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 11:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 11:45 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 17:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 20:51 1032192]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 17:32 184320]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 20:05 200704]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 20:36 446464]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]
"BM27fbf770"="C:\WINDOWS\system32\socemnrd.dll" [ ]

C:\Documents and Settings\Drew\Start Menu\Programs\Startup\
Creative Element Power Tools Startup.lnk - C:\Program Files\Creative Element Power Tools\Startup.exe [2007-03-26 21:26:04 225280]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-13 19:54:03 546816]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-01 19:09:36 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-04 00:07:32 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\WINDOWS\system32\iifDwULb.dll [2008-05-12 19:07 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifDwULb]
iifDwULb.dll 2008-05-12 19:07 59904 C:\WINDOWS\system32\iifDwULb.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.1.0.6729-to-2.1.1.6739-enUS-downloader.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 MAudioUSBService;M-Audio USB Installer;C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe [2005-12-02 10:20]
R3 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2008-05-11 00:50]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2002-07-15 23:39]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys [2004-10-25 17:09]
S3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausb.sys [2005-12-13 11:39]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 11:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be1368e-ca31-11dc-b553-0018f37d7263}]
\Shell\AutoRun\command - G:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c64ac2-7278-11db-b521-0018f37d7263}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 17:14:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 08:27:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iifDwULb.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-20 8:34:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 12:33:57

Pre-Run: 49,167,405,056 bytes free
Post-Run: 49,092,395,008 bytes free

213 --- E O F --- 2007-09-29 19:13:58




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:48 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Drew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} - C:\WINDOWS\system32\iifDwULb.dll
O2 - BHO: (no name) - {FDF3A7F2-EE46-4FF7-AD27-B5A40A91556A} - C:\WINDOWS\system32\ssqqqqqq.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BM27fbf770] Rundll32.exe "C:\WINDOWS\system32\socemnrd.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Creative Element Power Tools Startup.lnk = C:\Program Files\Creative Element Power Tools\Startup.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162861459437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162862206890
O20 - Winlogon Notify: iifDwULb - C:\WINDOWS\SYSTEM32\iifDwULb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9762 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:24 AM

Posted 20 May 2008 - 03:18 PM

Hello,

Yes, we still have some work to do here. Avast! will be quiet soon enough. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} - C:\WINDOWS\system32\iifDwULb.dll
O2 - BHO: (no name) - {FDF3A7F2-EE46-4FF7-AD27-B5A40A91556A} - C:\WINDOWS\system32\ssqqqqqq.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [BM27fbf770] Rundll32.exe "C:\WINDOWS\system32\socemnrd.dll",s
O20 - Winlogon Notify: iifDwULb - C:\WINDOWS\SYSTEM32\iifDwULb.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\nnnnljKe.dll
C:\WINDOWS\BM27fbf770.xml
C:\WINDOWS\system32\cbXopPfe.dll
C:\WINDOWS\system32\iifDwULb.dll
C:\WINDOWS\system32\ssqqqqqq.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDF3A7F2-EE46-4FF7-AD27-B5A40A91556A}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifDwULb]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Let me know if it's better. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 mcxlviii

mcxlviii
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 20 May 2008 - 09:04 PM

No problems so far. Avast is quiet, no unseen programs trying to access the internet every half hour :thumbsup: Here are my logs

ComboFix 08-05-15.3 - Drew 2008-05-20 21:42:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.592 [GMT -4:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Drew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM27fbf770.xml
C:\WINDOWS\system32\cbXopPfe.dll
C:\WINDOWS\system32\iifDwULb.dll
C:\WINDOWS\system32\nnnnljKe.dll
C:\WINDOWS\system32\ssqqqqqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\PWRISOSH.DLL.bad
C:\WINDOWS\BM27fbf770.xml
C:\WINDOWS\system32\cbXopPfe.dll
C:\WINDOWS\system32\iifDwULb.dll
C:\WINDOWS\system32\nnnnljKe.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-19 21:07 . 2008-05-19 21:07 <DIR> d-------- C:\Deckard
2008-05-14 02:09 . 2008-05-14 02:09 60,544 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-13 20:09 . 2008-05-13 20:09 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-05-13 20:09 . 2008-05-13 20:09 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-05-13 20:00 . 2008-05-13 20:53 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\Propellerhead Software
2008-05-13 20:00 . 2008-05-13 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-05-13 19:58 . 2008-05-13 19:58 <DIR> d-------- C:\Program Files\Propellerhead
2008-05-13 19:54 . 2008-05-13 19:54 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-13 19:54 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-13 19:27 . 2008-05-20 21:49 31 --a------ C:\WINDOWS\system32\bbcap.err
2008-05-12 18:34 . 2008-05-13 18:21 <DIR> d-------- C:\Program Files\MagicISO
2008-05-11 00:53 . 2008-05-11 02:36 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\Blueberry
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Program Files\Common Files\Blueberry Software
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Program Files\Blueberry Software
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Documents and Settings\Drew\Application Data\LogSys
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogSys
2008-05-11 00:50 . 2008-05-11 00:50 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{21C1E35C-913A-42D2-91B6-6AE1243D6B65}
2008-05-11 00:50 . 2008-05-11 00:50 30,720 --a------ C:\WINDOWS\system32\bbcap.dll
2008-05-11 00:50 . 2008-05-11 00:50 4,608 --a------ C:\WINDOWS\system32\bbchlp.dll
2008-05-11 00:50 . 2008-05-11 00:50 4,096 --a------ C:\WINDOWS\system32\drivers\bbcap.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 01:40 --------- d-----w C:\Documents and Settings\Drew\Application Data\OpenOffice.org2
2008-05-20 03:55 --------- d-----w C:\Program Files\PowerISO
2008-05-15 13:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-15 13:11 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-15 13:11 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-15 05:25 --------- d-----w C:\Documents and Settings\Drew\Application Data\IrfanView
2008-05-14 06:05 --------- d-----w C:\Documents and Settings\Drew\Application Data\Apple Computer
2008-05-13 23:26 --------- d-----w C:\Program Files\Unlocker
2008-05-13 23:19 --------- d-----w C:\Documents and Settings\Drew\Application Data\Azureus
2008-05-12 23:01 --------- d-----w C:\Program Files\Azureus
2008-05-12 22:49 --------- d-----r C:\Program Files\Image-Line
2008-05-12 22:46 --------- d-----w C:\Program Files\GIMP-2.0
2008-05-12 22:46 --------- d-----w C:\Program Files\Audacity
2008-05-05 23:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 03:26 --------- d-----w C:\Program Files\World of Warcraft
2008-04-08 22:19 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-08 22:18 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2008-04-08 22:15 --------- d-----w C:\Program Files\Java
2008-04-06 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 03:54 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-05 03:54 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-05 03:54 --------- d-----w C:\Program Files\ScreenPrint32 v3
2008-04-04 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-04 02:12 --------- d-----w C:\Program Files\AIM
2008-04-04 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-03 04:35 --------- d-----w C:\Program Files\iTunes
2008-04-03 04:34 --------- d-----w C:\Program Files\iPod
2008-04-03 04:33 --------- d-----w C:\Program Files\QuickTime
2008-03-26 22:33 --------- d-----w C:\Program Files\Safari
2007-07-09 00:45 92,064 ----a-w C:\Documents and Settings\Drew\mqdmmdm.sys
2007-07-09 00:45 9,232 ----a-w C:\Documents and Settings\Drew\mqdmmdfl.sys
2007-07-09 00:45 79,328 ----a-w C:\Documents and Settings\Drew\mqdmserd.sys
2007-07-09 00:45 66,656 ----a-w C:\Documents and Settings\Drew\mqdmbus.sys
2007-07-09 00:45 6,208 ----a-w C:\Documents and Settings\Drew\mqdmcmnt.sys
2007-07-09 00:45 5,936 ----a-w C:\Documents and Settings\Drew\mqdmwhnt.sys
2007-07-09 00:45 4,048 ----a-w C:\Documents and Settings\Drew\mqdmcr.sys
2007-07-09 00:45 25,600 ----a-w C:\Documents and Settings\Drew\usbsermptxp.sys
2007-07-09 00:45 22,768 ----a-w C:\Documents and Settings\Drew\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-20_ 8.33.22.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 12:26:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 01:49:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-20 04:34:46 61,590 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-21 01:45:21 61,590 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-20 04:34:46 400,090 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-21 01:45:21 400,090 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-21 01:49:49 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2a0.dat
+ 2008-05-21 01:49:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 04:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 23:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-23 23:35 4608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 11:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 11:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 11:45 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 20:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 17:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 20:51 1032192]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 17:32 184320]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 20:05 200704]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 20:36 446464]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]

C:\Documents and Settings\Drew\Start Menu\Programs\Startup\
Creative Element Power Tools Startup.lnk - C:\Program Files\Creative Element Power Tools\Startup.exe [2007-03-26 21:26:04 225280]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-13 19:54:03 546816]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-01 19:09:36 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-04 00:07:32 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.1.0.6729-to-2.1.1.6739-enUS-downloader.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 MAudioUSBService;M-Audio USB Installer;C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe [2005-12-02 10:20]
R3 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2008-05-11 00:50]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2002-07-15 23:39]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys [2004-10-25 17:09]
S3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausb.sys [2005-12-13 11:39]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 11:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be1368e-ca31-11dc-b553-0018f37d7263}]
\Shell\AutoRun\command - G:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c64ac2-7278-11db-b521-0018f37d7263}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 17:14:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 21:50:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-05-20 21:55:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 01:55:41
ComboFix2.txt 2008-05-20 12:34:12

Pre-Run: 48,945,430,528 bytes free
Post-Run: 48,933,445,632 bytes free

207 --- E O F --- 2007-09-29 19:13:58




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:29 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Drew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Creative Element Power Tools Startup.lnk = C:\Program Files\Creative Element Power Tools\Startup.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162861459437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162862206890
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9325 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:24 AM

Posted 20 May 2008 - 11:09 PM

Hello,

Those look really good! :thumbsup:

Let's go ahead and get Java updated....you're out by a couple of versions, and I want to be sure all the old ones are deleted too. :)

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:24 AM

Posted 04 June 2008 - 01:36 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users