Multiple; Smitfraud, Trojan-downloader.win32.


7 replies to this topic

#1 wjniemi
Posted 06 June 2008 - 09:50 AM

Sorry, I posted this in the wrong forum last night. I couldn't keep the browser open and in focus long enough to read the proper procedure. I should have used Firefox.

Here are the logfiles requested. Thanks in advance.... Bill

All hard drives...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 09:24:44
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 833547
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 99388
Number of viruses found: 8
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:58:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\admin\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\admin\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AntiSpywareMaster\asm.111 Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster skipped
C:\Program Files\Windows NT\xabih66225.dll Infected: not-a-virus:AdWare.Win32.TTC.e skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010007.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Homles.bu skipped
C:\WINNT\mrofinu572.exe Infected: Trojan-Downloader.Win32.Homles.bu skipped
C:\WINNT\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Homles.bu skipped
C:\WINNT\pfirewall.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\6026c\wsDRV3.exe Infected: Trojan.Win32.Agent.lom skipped
C:\WINNT\system32\awtuRJDT.dll.vir Infected: Trojan-Downloader.Win32.ConHook.aek skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINNT\system32\drivers\mountmgrr.sys Object is locked skipped
C:\WINNT\system32\fIE\solglo66225.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.e skipped
C:\WINNT\system32\fIE\solglo66225.exe NSIS: infected - 1 skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\sTMP\lutdtx2.exe Infected: Trojan-Downloader.Win32.Small.wfv skipped
C:\WINNT\system32\vntiho01\vntiho011065.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\WINNT\system32\vTLEXRlL.dll Infected: Trojan-Downloader.Win32.ConHook.aek skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\xxyXqrSk.dll Infected: Trojan-Downloader.Win32.ConHook.aek skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Memory only...
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 06:47:03
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 833547
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
Total number of scanned objects: 1280
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:00:31

Infected Object Name / Virus Name / Last Action
[0] [System Process] => C:\Program Files\Windows NT\xabih66225.dll Infected: not-a-virus:AdWare.Win32.TTC.e skipped
[3764] iexplore.exe => C:\Program Files\Windows NT\xabih66225.dll Infected: not-a-virus:AdWare.Win32.TTC.e skipped

Scan process completed.

Deckard's System Scanner v20071014.68
Run by admin on 2008-06-06 09:29:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-06 14:29:22 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:31:12, on 6/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\wdfmgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\cidaemon.exe
C:\Documents and Settings\admin\Desktop\dss.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3075167C-B1A0-453F-AFEA-1B91EA5B7FFC} - C:\WINNT\system32\qomlkHbX.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {628D3002-6590-4424-AE01-E93B09BF6036} - C:\WINNT\system32\fccyxwvs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {88476531-64AA-4CAB-9F42-361B44C9190E} - C:\Program Files\Windows NT\xabih66225.dll
O2 - BHO: (no name) - {CF662972-1A35-4C42-920D-23555D66512A} - C:\WINNT\system32\rqRLdDUO.dll (file missing)
O2 - BHO: (no name) - {E08DCA46-3CD6-469F-8A3C-68AC95E2AE08} - C:\WINNT\system32\mlJDSmNE.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212677958926
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euphonic.com
O17 - HKLM\Software\..\Telephony: DomainName = euphonic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: Domain = euphonic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euphonic.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: Domain = euphonic.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe

--
End of file - 6390 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.scr - AutoCADScript - shell\open\command - C:\WINNT\NOTEPAD.EXE "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 mountmgrr - c:\winnt\system32\drivers\mountmgrr.sys

S3 cmuda (C-Media WDM Audio Interface) - c:\winnt\system32\drivers\cmuda.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
S3 FreshIO - c:\program files\freshdevices\freshdiagnose\freshio.sys
S3 USB22LDR (M-Audio USB MidiSport 2x2 Loader) - c:\winnt\system32\drivers\usb22ldr.sys <Not Verified; MIDIMAN; Midiman USB MidiSport 2x2 Loader>
S3 usbhub20 (USB 2.0 Root Hub Support) - c:\winnt\system32\drivers\usbhub20.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S3 USBMN2X2 (M-Audio USB MidiSport 2x2) - c:\winnt\system32\drivers\usbmn2x2.sys <Not Verified; Doug Fetter Software Wizardry; Midiman USB MidiSport 2x2 Midi Interface>
S4 Parallel (Parallel class driver) - c:\winnt\system32\drivers\parallel.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 CyberPowerUPS (UPS Service) - c:\powerpanel\upssrv.exe <Not Verified; Cyber Power Systems, Inc.; PowerPanel>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {5740B2FA-6888-445B-8820-1845CEA717B2}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_0C041019&REV_80\3&61AAA01&0&8E
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_0C041019&REV_80\3&61AAA01&0&8E
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 00:33:05 416 --a------ C:\WINNT\Tasks\ParetoLogic Update Version2.job
2008-06-04 22:26:10 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job
2008-06-04 18:00:11 438 --a------ C:\WINNT\Tasks\ParetoLogic Registration.job


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 06:30:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-06 06:30:50 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-06-06 06:30:44 0 d-------- C:\WINNT\LastGood
2008-06-05 18:11:30 0 d-------- C:\Program Files\Trend Micro
2008-06-05 17:58:24 2400 --a------ C:\WINNT\system32\tmp.reg
2008-06-05 11:05:48 0 d-------- C:\WINNT\Prefetch
2008-06-05 10:53:52 0 d-------- C:\WINNT\system32\scripting
2008-06-05 10:53:50 0 d-------- C:\WINNT\l2schemas
2008-06-05 10:53:49 0 d-------- C:\WINNT\system32\en
2008-06-05 10:43:50 0 d-------- C:\WINNT\network diagnostic
2008-06-05 09:48:39 0 d-------- C:\Documents and Settings\admin\.housecall6.6
2008-06-05 09:48:20 0 d-------- C:\WINNT\Sun
2008-06-05 09:48:20 0 d-------- C:\Documents and Settings\admin\Application Data\Sun
2008-06-05 09:43:59 0 d-------- C:\Program Files\Java
2008-06-05 09:43:38 0 d-------- C:\Program Files\Common Files\Java
2008-06-05 06:15:44 347 --ahs---- C:\WINNT\system32\svwxyccf.ini2
2008-06-04 19:33:53 347 --ahs---- C:\WINNT\system32\OUDdLRqr.ini2
2008-06-04 17:38:54 347 --ahs---- C:\WINNT\system32\ENmSDJlm.ini2
2008-06-04 17:30:06 0 d-------- C:\VundoFix Backups
2008-06-04 14:51:28 0 d-------- C:\Documents and Settings\administrator\Application Data\Macromedia
2008-06-04 14:51:27 0 d-------- C:\Documents and Settings\administrator\Application Data\Adobe
2008-06-04 13:35:57 0 d-------- C:\Program Files\AntiSpywareMaster
2008-06-04 13:34:41 52736 --a------ C:\WINNT\system32\vTLEXRlL.dll
2008-06-04 13:34:38 4925 --ahs---- C:\WINNT\system32\XbHklmoq.ini2
2008-06-04 13:32:43 41984 --a------ C:\WINNT\mrofinu572.exe
2008-06-04 13:27:43 52736 --a------ C:\WINNT\system32\xxyXqrSk.dll
2008-06-04 13:26:48 41984 --a------ C:\WINNT\mrofinu1000106.exe
2008-06-04 13:26:24 86144 --a------ C:\WINNT\system32\drivers\mountmgrr.sys
2008-06-04 13:26:21 0 d-------- C:\WINNT\system32\Vco1
2008-06-04 13:26:21 0 d-------- C:\WINNT\system32\sTMP
2008-06-04 13:26:21 0 d-------- C:\WINNT\system32\fIE
2008-06-04 13:26:21 0 d-------- C:\WINNT\system32\Dev3
2008-06-04 13:26:21 0 d-------- C:\WINNT\system32\a053
2008-06-04 13:26:21 0 d-------- C:\WINNT\system32\6026c
2008-06-04 13:26:03 0 d-------- C:\WINNT\system32\vntiho01
2008-06-04 13:26:01 0 d-------- C:\Temp
2008-06-01 19:02:19 0 d-------- C:\WINNT\.jagex_cache_32
2008-05-28 11:47:52 0 d-------- C:\vssp6
2008-05-28 11:31:08 0 d-------- C:\Program Files\FTP Explorer
2008-05-28 11:24:39 0 d-------- C:\Program Files\Web Publish
2008-05-25 17:12:02 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-22 13:40:43 0 d-------- C:\Documents and Settings\admin\Application Data\Apple Computer
2008-05-15 11:50:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-12 16:43:00 0 d-------- C:\Program Files\Apple Software Update
2008-05-12 16:43:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-11 18:47:12 0 d-------- C:\Program Files\QuickTime
2008-05-11 18:47:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer


-- Find3M Report ---------------------------------------------------------------

2008-06-05 10:54:43 0 d-------- C:\Program Files\Messenger
2008-06-05 10:53:48 0 d-------- C:\Program Files\Movie Maker
2008-06-05 10:48:33 0 d-------- C:\Program Files\Windows NT
2008-06-05 09:43:38 0 d-a------ C:\Program Files\Common Files
2008-05-31 16:59:53 664 --a------ C:\WINNT\system32\d3d9caps.dat
2008-05-25 17:11:51 0 d-------- C:\Program Files\Common Files\Real
2008-05-15 11:50:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-15 11:48:00 0 d-------- C:\Documents and Settings\admin\Application Data\AdobeUM
2008-04-30 20:17:11 0 d-------- C:\Documents and Settings\admin\Application Data\Publish Providers
2008-04-30 20:16:19 0 d-------- C:\Documents and Settings\admin\Application Data\Sony
2008-04-30 19:16:58 0 d-------- C:\Program Files\Vstplugins
2008-04-30 19:16:15 0 d-------- C:\Program Files\Sony
2008-04-30 18:55:53 0 d-------- C:\Program Files\MSBuild
2008-04-30 18:50:40 0 d-------- C:\Program Files\Reference Assemblies
2008-04-30 18:41:46 0 d-------- C:\Documents and Settings\admin\Application Data\Sony Setup
2008-04-30 18:41:24 0 d-------- C:\Program Files\Sony Setup
2008-04-29 16:12:26 36864 --a------ C:\WINNT\system32\BGData.bin
2008-04-25 18:44:32 0 d-------- C:\Program Files\FreshDevices
2008-04-22 08:37:09 0 d-------- C:\Documents and Settings\admin\Application Data\Real
2008-04-18 08:37:59 0 d-------- C:\Program Files\FLV Player
2008-04-16 10:27:36 0 d-------- C:\Program Files\ahead
2008-04-16 08:46:47 0 d-------- C:\Program Files\EASEUS
2008-04-16 08:46:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-16 07:24:47 0 d-------- C:\Program Files\ParetoLogic
2008-04-16 07:24:47 0 d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-15 12:44:58 0 --a------ C:\AUTOEXEC.BAT
2008-04-13 16:33:32 1868 --a------ C:\WINNT\mozver.dat
2008-04-10 20:43:40 0 d-------- C:\Documents and Settings\admin\Application Data\Adobe
2008-04-10 20:37:54 0 --a------ C:\WINNT\nsreg.dat
2008-04-10 20:37:49 0 d-------- C:\Documents and Settings\admin\Application Data\Mozilla
2008-03-28 10:17:28 6631958 --a------ C:\EDRSetup.exe <Not Verified; InstallShield Software Corporation; InstallShield ®>
2008-03-09 12:42:05 8 --a------ C:\WINNT\d392.sys
2008-03-09 12:08:27 262144 --a------ C:\WINNT\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-09 12:08:27 86016 --a------ C:\WINNT\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3075167C-B1A0-453F-AFEA-1B91EA5B7FFC}]
C:\WINNT\system32\qomlkHbX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{628D3002-6590-4424-AE01-E93B09BF6036}]
C:\WINNT\system32\fccyxwvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88476531-64AA-4CAB-9F42-361B44C9190E}]
02/27/2008 20:54 217088 --a------ C:\Program Files\Windows NT\xabih66225.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF662972-1A35-4C42-920D-23555D66512A}]
C:\WINNT\system32\rqRLdDUO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E08DCA46-3CD6-469F-8A3C-68AC95E2AE08}]
C:\WINNT\system32\mlJDSmNE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [04/13/2008 19:12 C:\WINNT\system32\mobsync.exe]
"Cmaudio"="cmicnfg.cpl" []
"Matrox Powerdesk"="C:\WINNT\system32\PDesk\PDesk.exe" [08/08/2005 15:51]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [10/24/2007 14:28]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [08/06/2001 15:03]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 23:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/25/2008 17:11]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [04/13/2008 19:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINNT\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\fccyxwvs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{280d51c6-7a90-11db-b991-000ae6ad1ba1}]
AutoRun\command- F:\JDSecure\Windows\JDSecure31.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8742 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-06 09:34:06 ------------

HijackThis log from last night.... don't know if you want it or not; please disregard if irrelevant.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19:34, on 6/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3075167C-B1A0-453F-AFEA-1B91EA5B7FFC} - C:\WINNT\system32\qomlkHbX.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {628D3002-6590-4424-AE01-E93B09BF6036} - C:\WINNT\system32\fccyxwvs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {88476531-64AA-4CAB-9F42-361B44C9190E} - C:\Program Files\Windows NT\xabih66225.dll
O2 - BHO: (no name) - {CF662972-1A35-4C42-920D-23555D66512A} - C:\WINNT\system32\rqRLdDUO.dll (file missing)
O2 - BHO: (no name) - {E08DCA46-3CD6-469F-8A3C-68AC95E2AE08} - C:\WINNT\system32\mlJDSmNE.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212677958926
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euphonic.com
O17 - HKLM\Software\..\Telephony: DomainName = euphonic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: Domain = euphonic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euphonic.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: Domain = euphonic.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe

--
End of file - 6193 bytes
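The HijackThis log above is the kind of output a forum helper reads by eye, looking for the O2 entries that do not belong and for resolver settings that could explain a browser being redirected. As an added example that is not part of this thread or of HijackThis itself, the following Python script applies the same triage to the O2 and O17 lines copied from the log. The sample lines are the posted ones; the heuristics (a BHO with no friendly name, a registered DLL that is already gone from disk, an eight-letter mixed-case DLL name in system32) are this example's own assumptions about what the Vundo-style entries here look like, not rules from HijackThis. Listing a public resolver is a prompt for manual review only: ISP-assigned DNS servers are public addresses too, and nothing in the log shows that the one found is hostile.

```python
"""Triage the O2 (BHO) and O17 (DNS) lines of a HijackThis log.

Added example, not code from the thread or from HijackThis. The sample
lines are copied from the posted log; the heuristics below are assumptions.
"""
import ipaddress
import re

# Constructed sample: the O2 lines and one O17 NameServer line from the log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3075167C-B1A0-453F-AFEA-1B91EA5B7FFC} - C:\WINNT\system32\qomlkHbX.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {628D3002-6590-4424-AE01-E93B09BF6036} - C:\WINNT\system32\fccyxwvs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {88476531-64AA-4CAB-9F42-361B44C9190E} - C:\Program Files\Windows NT\xabih66225.dll
O2 - BHO: (no name) - {CF662972-1A35-4C42-920D-23555D66512A} - C:\WINNT\system32\rqRLdDUO.dll (file missing)
O2 - BHO: (no name) - {E08DCA46-3CD6-469F-8A3C-68AC95E2AE08} - C:\WINNT\system32\mlJDSmNE.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)$")
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")  # assumption: Vundo-style random DLL name


def bho_finding(line):
    """Return a finding dict for one O2 line, or None if it is not an O2 line."""
    m = BHO_RE.match(line)
    if not m:
        return None
    path = m["path"]
    file_name = path.rsplit("\\", 1)[-1]
    stem = file_name.rsplit(".", 1)[0]
    reasons = []
    if m["name"] == "(no name)":
        reasons.append("no friendly name")
    if m["missing"]:
        reasons.append("registered DLL is missing on disk")
    if "\\system32\\" in path.lower() and RANDOM_STEM.match(stem):
        reasons.append("eight-letter random DLL name in system32")
    return {"clsid": m["clsid"], "file": file_name, "reasons": reasons}


def triage_bhos(log):
    """Suspicious BHO entries in log order, each with the reasons it was flagged."""
    findings = (bho_finding(line.strip()) for line in log.splitlines())
    return [f for f in findings if f and f["reasons"]]


def nameservers_for_review(log):
    """Resolvers outside private address space. Normal for ISP DNS, but worth
    checking by hand on a machine whose browser is being redirected."""
    public = set()
    for line in log.splitlines():
        m = NS_RE.match(line.strip())
        if not m:
            continue
        for addr in m["servers"].split(","):
            ip = ipaddress.ip_address(addr)
            if not ip.is_private:
                public.add(str(ip))
    return sorted(public)


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_LOG):
        print(f"{f['clsid']}  {f['file']}: {', '.join(f['reasons'])}")
    print("public resolvers to review:", nameservers_for_review(SAMPLE_LOG))
```

On the posted lines the script flags the four system32 DLLs on all three counts and xabih66225.dll on the missing friendly name alone, while the Adobe, Spybot and Java helpers pass; the one public resolver is listed for review, not condemned.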

#2 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 07 June 2008 - 05:41 AM

Hello Wjniemi and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference

#3 wjniemi
  • Topic Starter
  • Members
  • 6 posts

Posted 07 June 2008 - 07:33 AM

Hello, Thunder,

Thank you for your help and fast response!

Here are the MBAM and ComboFix logs. The process described above ran without any unexpected behavior.

Thanks,
Bill

Malwarebytes' Anti-Malware 1.15
Database version: 837

6:56:33 AM 6/7/2008
mbam-log-6-7-2008 (06-56-33).txt

Scan type: Quick Scan
Objects scanned: 43598
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{88476531-64aa-4cab-9f42-361b44c9190e} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88476531-64aa-4cab-9f42-361b44c9190e} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AntiSpywareMaster (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\drivers\mountmgrr.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\Windows NT\xabih66225.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINNT\system32\awtuRJDT.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\vTLEXRlL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xxyXqrSk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\mrofinu1000106.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINNT\mrofinu572.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINNT\mrofinu572.exe.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster\asm.111 (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINNT\system32\MDM.EXE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINNT\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.

ComboFix 08-06-06.6 - admin 2008-06-07 7:17:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1202 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bill\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINNT\system32\ENmSDJlm.ini
C:\WINNT\system32\ENmSDJlm.ini2
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\OUDdLRqr.ini
C:\WINNT\system32\OUDdLRqr.ini2
C:\WINNT\system32\svwxyccf.ini
C:\WINNT\system32\svwxyccf.ini2
C:\WINNT\system32\XbHklmoq.ini
C:\WINNT\system32\XbHklmoq.ini2
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 06:46 . 2008-06-07 06:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 06:46 . 2008-06-07 06:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 06:46 . 2008-06-07 06:46 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-06-07 06:46 . 2008-06-05 16:04 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-07 06:46 . 2008-06-05 16:04 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-06 09:28 . 2008-06-06 09:28 <DIR> d-------- C:\Deckard
2008-06-06 06:30 . 2008-06-06 06:30 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-06-06 06:30 . 2008-06-06 06:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 18:11 . 2008-06-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 17:58 . 2008-06-05 17:58 2,400 --a------ C:\WINNT\system32\tmp.reg
2008-06-05 11:07 . 2008-04-13 19:12 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-06-05 10:53 . 2008-06-05 10:53 <DIR> d-------- C:\WINNT\system32\scripting
2008-06-05 10:53 . 2008-06-05 10:53 <DIR> d-------- C:\WINNT\system32\en
2008-06-05 10:53 . 2008-06-05 10:53 <DIR> d-------- C:\WINNT\l2schemas
2008-06-05 10:20 . 2004-08-04 07:00 381,425 -----c--- C:\WINNT\system32\dllcache\copycd.wmv
2008-06-05 10:20 . 2004-07-17 22:55 129,045 --------- C:\WINNT\system32\drivers\cxthsfs2.cty
2008-06-05 10:20 . 2004-08-04 07:00 9,585 -----c--- C:\WINNT\system32\dllcache\controls.css
2008-06-05 10:20 . 2004-08-04 07:00 8,298 -----c--- C:\WINNT\system32\dllcache\contents.htm
2008-06-05 10:20 . 2004-08-04 07:00 6,878 -----c--- C:\WINNT\system32\dllcache\controls.js
2008-06-05 10:20 . 2004-08-04 07:00 999 -----c--- C:\WINNT\system32\dllcache\bktrh.gif
2008-06-05 10:20 . 2004-08-04 07:00 773 -----c--- C:\WINNT\system32\dllcache\cnth.gif
2008-06-05 10:20 . 2004-08-04 07:00 773 -----c--- C:\WINNT\system32\dllcache\cnt.gif
2008-06-05 10:20 . 2004-08-04 07:00 772 -----c--- C:\WINNT\system32\dllcache\cntd.gif
2008-06-05 10:20 . 2004-08-04 07:00 760 -----c--- C:\WINNT\system32\dllcache\cloapph.gif
2008-06-05 10:20 . 2004-08-04 07:00 717 -----c--- C:\WINNT\system32\dllcache\cloapp.gif
2008-06-05 09:59 . 2007-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-06-05 09:59 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-06-05 09:59 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-06-05 09:59 . 2007-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-06-05 09:49 . 2008-06-05 09:48 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-06-05 09:48 . 2008-06-05 09:48 <DIR> d-------- C:\WINNT\Sun
2008-06-05 09:48 . 2008-06-05 09:50 <DIR> d-------- C:\Documents and Settings\admin\.housecall6.6
2008-06-05 09:44 . 2008-03-25 02:37 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-06-05 09:43 . 2008-06-05 09:44 <DIR> d-------- C:\Program Files\Java
2008-06-05 09:43 . 2008-06-05 09:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 17:30 . 2008-06-04 17:30 <DIR> d-------- C:\VundoFix Backups
2008-06-04 13:26 . 2008-06-04 13:26 <DIR> d-------- C:\WINNT\system32\vntiho01
2008-06-04 13:26 . 2008-06-04 13:26 <DIR> d-------- C:\WINNT\system32\Vco1
2008-06-04 13:26 . 2008-06-04 13:26 <DIR> d-------- C:\WINNT\system32\sTMP
2008-06-04 13:26 . 2008-06-04 13:26 <DIR> d-------- C:\WINNT\system32\fIE
2008-06-04 13:26 . 2008-06-04 15:30 <DIR> d-------- C:\WINNT\system32\Dev3
2008-06-04 13:26 . 2008-06-04 13:27 <DIR> d-------- C:\WINNT\system32\a053
2008-06-04 13:26 . 2008-06-04 13:26 <DIR> d-------- C:\WINNT\system32\6026c
2008-06-04 13:26 . 2008-06-07 07:17 <DIR> d-------- C:\Temp
2008-06-01 19:02 . 2008-06-02 10:48 <DIR> d-------- C:\WINNT\.jagex_cache_32
2008-05-28 11:47 . 2008-05-28 11:48 <DIR> d-------- C:\vssp6
2008-05-28 11:31 . 2008-05-28 11:31 <DIR> d-------- C:\Program Files\FTP Explorer
2008-05-28 11:25 . 2008-05-28 12:57 185 --a------ C:\WINNT\mdm.ini
2008-05-28 11:24 . 2008-05-28 11:24 <DIR> d-------- C:\Program Files\Web Publish
2008-05-25 17:12 . 2008-05-25 17:12 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-22 13:40 . 2008-05-22 13:40 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Apple Computer
2008-05-20 16:02 . 2008-05-20 16:02 32,768 --a------ C:\WINNT\system32\vntiho01\vntiho011065.exe
2008-05-12 16:43 . 2008-05-12 16:43 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-12 16:43 . 2008-05-12 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-11 18:47 . 2008-05-11 18:48 <DIR> d-------- C:\Program Files\QuickTime
2008-05-11 18:47 . 2008-05-11 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-11 18:47 . 2008-05-29 14:05 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-05-11 18:47 . 2008-05-11 18:48 1,409 --a------ C:\WINNT\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 22:11 --------- d-----w C:\Program Files\Common Files\Real
2008-05-15 16:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-15 16:48 --------- d-----w C:\Documents and Settings\admin\Application Data\AdobeUM
2008-05-14 01:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 01:17 --------- d-----w C:\Documents and Settings\admin\Application Data\Publish Providers
2008-05-01 01:16 --------- d-----w C:\Documents and Settings\admin\Application Data\Sony
2008-05-01 00:16 --------- d-----w C:\Program Files\Vstplugins
2008-05-01 00:16 --------- d-----w C:\Program Files\Sony
2008-05-01 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-04-30 23:55 --------- d-----w C:\Program Files\MSBuild
2008-04-30 23:50 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-30 23:41 --------- d-----w C:\Program Files\Sony Setup
2008-04-30 23:41 --------- d-----w C:\Documents and Settings\admin\Application Data\Sony Setup
2008-04-25 23:44 --------- d-----w C:\Program Files\FreshDevices
2008-04-18 13:37 --------- d-----w C:\Program Files\FLV Player
2008-04-16 15:27 --------- d-----w C:\Program Files\ahead
2008-04-16 13:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 13:46 --------- d-----w C:\Program Files\EASEUS
2008-04-16 12:24 --------- d-----w C:\Program Files\ParetoLogic
2008-04-16 12:24 --------- d-----w C:\Program Files\Common Files\ParetoLogic
2008-04-16 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-04-16 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-14 00:13 40,840 ----a-w C:\WINNT\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINNT\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINNT\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINNT\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINNT\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINNT\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINNT\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINNT\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINNT\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINNT\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINNT\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINNT\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINNT\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINNT\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINNT\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINNT\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINNT\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINNT\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINNT\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINNT\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINNT\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINNT\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINNT\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINNT\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINNT\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINNT\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINNT\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINNT\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINNT\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINNT\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINNT\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINNT\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINNT\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINNT\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINNT\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINNT\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINNT\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINNT\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINNT\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINNT\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINNT\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINNT\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINNT\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINNT\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINNT\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINNT\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINNT\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINNT\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINNT\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINNT\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINNT\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINNT\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINNT\system32\drivers\ndisuio.sys
2008-04-13 18:54 22,016 ----a-w C:\WINNT\system32\drivers\msircomm.sys
2008-04-13 18:54 11,264 ----a-w C:\WINNT\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINNT\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINNT\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINNT\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINNT\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINNT\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINNT\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINNT\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINNT\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINNT\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\WINNT\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINNT\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINNT\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINNT\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINNT\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINNT\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINNT\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINNT\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ----a-w C:\WINNT\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINNT\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,504 ----a-w C:\WINNT\system32\drivers\mstee.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3075167C-B1A0-453F-AFEA-1B91EA5B7FFC}]
C:\WINNT\system32\qomlkHbX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{628D3002-6590-4424-AE01-E93B09BF6036}]
C:\WINNT\system32\fccyxwvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF662972-1A35-4C42-920D-23555D66512A}]
C:\WINNT\system32\rqRLdDUO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E08DCA46-3CD6-469F-8A3C-68AC95E2AE08}]
C:\WINNT\system32\mlJDSmNE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2008-04-13 19:12 143360 C:\WINNT\system32\mobsync.exe]
"Cmaudio"="cmicnfg.cpl" []
"Matrox Powerdesk"="C:\WINNT\system32\PDesk\PDesk.exe" [2005-08-08 15:51 684032]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28 1428064]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-08-06 15:03 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 17:11 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 19:12 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 07:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"midi"= usbmn2x2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Vegas Pro 8.0\\VegSrv80.exe"=
"C:\\Program Files\\FTP Explorer\\ftpx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 FPAV_RTP;FPAV_RTP;C:\WINNT\system32\drivers\FStopW.sys [2007-10-22 09:48]
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe" [2007-10-24 14:28]
S1 mountmgrr;mountmgrr;C:\WINNT\system32\drivers\mountmgrr.sys []
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S3 SiS630;SiS630;C:\WINNT\system32\DRIVERS\sis630p.sys [2001-08-30 04:59]
S3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [2001-08-17 12:51]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINNT\system32\drivers\usb22ldr.sys [2006-06-12 04:25]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 12:05]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINNT\system32\drivers\usbmn2x2.sys [2006-06-12 04:25]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [2002-07-30 16:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{280d51c6-7a90-11db-b991-000ae6ad1ba1}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 03:26:10 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-04 23:00:11 C:\WINNT\Tasks\ParetoLogic Registration.job"
- C:\WINNT\system32\rundll32.exe@
"2008-06-06 05:33:05 C:\WINNT\Tasks\ParetoLogic Update Version2.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 07:22:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-07 7:25:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 12:25:52

Pre-Run: 10,152,050,688 bytes free
Post-Run: 10,127,872,000 bytes free

280

#4 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 07 June 2008 - 12:18 PM

Well done, Bill

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text below into an empty Notepad window:

Folder::
C:\VundoFix Backups
C:\WINNT\system32\vntiho01
C:\WINNT\system32\Vco1
C:\WINNT\system32\sTMP
C:\WINNT\system32\fIE
C:\WINNT\system32\Dev3
C:\WINNT\system32\a053
C:\WINNT\system32\6026c
Driver::
mountmgrr
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3075167C-B1A0-453F-AFEA-1B91EA5B7FFC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{628D3002-6590-4424-AE01-E93B09BF6036}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF662972-1A35-4C42-920D-23555D66512A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E08DCA46-3CD6-469F-8A3C-68AC95E2AE08}]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Are you still having problems?

Greetings,
Thunder

Edited by Thunder, 07 June 2008 - 12:18 PM.

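Two things in Bill's ComboFix log (post #3) decide what goes into Thunder's CFScript (post #4): each BHO DLL under Reg Loading Points has a matching pair of .ini/.ini2 files in Other Deletions whose name is the DLL name spelled backwards (qomlkHbX.dll and XbHklmoq.ini, and so on for the other three), a trait of the Vundo family, and the S1 entry mountmgrr carries an empty bracket where every other driver line shows a file timestamp and differs by one letter from the genuine Windows driver mountmgr.sys. As an added example that is not part of this thread, of ComboFix or of Malwarebytes, the following Python script makes both observations mechanically from lines copied out of that log and renders the Driver:: and Registry:: sections of the script Thunder posted. Assumptions: the sample is trimmed to the entries needed, KNOWN_DRIVERS is a small constructed allow-list of real Windows driver names, and the only CFScript directives used are the two visible in Thunder's script.

```python
"""Pair a ComboFix log's BHO DLLs with Vundo's reversed-name .ini files,
flag driver entries that look wrong, and render CFScript directives.

Added example, not code from the thread, ComboFix or Malwarebytes. Sample
lines copied from the log above; KNOWN_DRIVERS is a constructed allow-list.
"""
import re

# Constructed sample: Other Deletions, Reg Loading Points and driver lines
# from the ComboFix log above, trimmed to what the example needs.
SAMPLE_COMBOFIX = r"""
C:\WINNT\system32\ENmSDJlm.ini
C:\WINNT\system32\ENmSDJlm.ini2
C:\WINNT\system32\OUDdLRqr.ini
C:\WINNT\system32\OUDdLRqr.ini2
C:\WINNT\system32\svwxyccf.ini
C:\WINNT\system32\svwxyccf.ini2
C:\WINNT\system32\XbHklmoq.ini
C:\WINNT\system32\XbHklmoq.ini2
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3075167C-B1A0-453F-AFEA-1B91EA5B7FFC}]
C:\WINNT\system32\qomlkHbX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{628D3002-6590-4424-AE01-E93B09BF6036}]
C:\WINNT\system32\fccyxwvs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF662972-1A35-4C42-920D-23555D66512A}]
C:\WINNT\system32\rqRLdDUO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E08DCA46-3CD6-469F-8A3C-68AC95E2AE08}]
C:\WINNT\system32\mlJDSmNE.dll
R0 FPAV_RTP;FPAV_RTP;C:\WINNT\system32\drivers\FStopW.sys [2007-10-22 09:48]
S1 mountmgrr;mountmgrr;C:\WINNT\system32\drivers\mountmgrr.sys []
"""

BHO_KEY_RE = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-F-]{36}\})\]$")
DRIVER_RE = re.compile(r"^[RS]\d (?P<service>[^;]+);[^;]*;(?P<path>.*?) \[(?P<stamp>[^\]]*)\]$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
KNOWN_DRIVERS = {"afd", "http", "mountmgr", "ndis", "ntfs", "tcpip"}  # assumption: genuine XP drivers


def stem(path):
    """'C:\\WINNT\\system32\\XbHklmoq.ini2' -> 'XbHklmoq'."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse(log):
    """Split the log into (BHO entries, deleted file paths, driver entries)."""
    bhos, deleted, drivers, pending_key = [], [], [], None
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if m := BHO_KEY_RE.match(line):
            pending_key = m["key"]
        elif m := DRIVER_RE.match(line):
            drivers.append(m.groupdict())
        elif PATH_RE.match(line):
            if pending_key:  # the path line under a BHO key is that BHO's DLL
                bhos.append({"key": pending_key, "dll": line})
                pending_key = None
            else:
                deleted.append(line)
    return bhos, deleted, drivers


def analyze(log):
    bhos, deleted, drivers = parse(log)
    pairs = []
    for b in bhos:
        reversed_stem = stem(b["dll"])[::-1]
        ini = sorted(p for p in deleted if stem(p) == reversed_stem)
        if ini:  # Vundo trait: .ini/.ini2 named as the DLL spelled backwards
            pairs.append({"key": b["key"], "dll": stem(b["dll"]), "ini_files": ini})
    flagged = []
    for d in drivers:
        name = stem(d["path"]).lower()
        lookalike = next((k for k in sorted(KNOWN_DRIVERS)
                          if name != k and edit_distance(name, k) == 1), None)
        reasons = []
        if not d["stamp"]:
            reasons.append("no file timestamp, file absent")
        if lookalike:
            reasons.append(f"one edit away from {lookalike}.sys")
        if reasons:
            flagged.append({"service": d["service"], "lookalike_of": lookalike, "reasons": reasons})
    return {"vundo_pairs": pairs, "drivers": flagged}


def cfscript(report):
    """Render Driver:: and Registry:: sections in the form used in the thread."""
    out = []
    if report["drivers"]:
        out.append("Driver::")
        out.extend(d["service"] for d in report["drivers"])
    if report["vundo_pairs"]:
        out.append("Registry::")
        out.extend(f"[-{p['key']}]" for p in report["vundo_pairs"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(cfscript(analyze(SAMPLE_COMBOFIX)), end="")
```

Run on the sample, the output is the Driver:: and Registry:: sections of Thunder's script line for line; the Folder:: section is left to the helper, since nothing in the log ties those directories to a specific detection.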

#5 wjniemi
  • Topic Starter
  • Members
  • 6 posts

Posted 07 June 2008 - 03:38 PM

Hello, again, Thunder.

First, in answer to your question, the system seems to be functioning normally at this point. Thanks, I was getting worried there for a while... I was using Firefox this morning and no more IE windows spontaneously appeared in the other monitor. That's a relief. Also no warning popup from Firefox telling me that I was being redirected to a bogus PayPal site. That made me nervous, previously.

I followed the instructions given and here are the ComboFix and HJT logs that were generated. I'll await further instructions. Thanks &

Best Regards,
Bill

ComboFix 08-06-06.6 - admin 2008-06-07 15:22:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1155 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 06:46 . 2008-06-07 06:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 06:46 . 2008-06-07 06:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 06:46 . 2008-06-07 06:46 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-06-07 06:46 . 2008-06-05 16:04 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-07 06:46 . 2008-06-05 16:04 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-06 09:28 . 2008-06-06 09:28 <DIR> d-------- C:\Deckard
2008-06-06 06:30 . 2008-06-06 06:30 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-06-06 06:30 . 2008-06-06 06:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 18:11 . 2008-06-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 17:58 . 2008-06-05 17:58 2,400 --a------ C:\WINNT\system32\tmp.reg
2008-06-05 11:07 . 2008-04-13 19:12 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-06-05 10:53 . 2008-06-05 10:53 <DIR> d-------- C:\WINNT\system32\scripting
2008-06-05 10:53 . 2008-06-05 10:53 <DIR> d-------- C:\WINNT\system32\en
2008-06-05 10:53 . 2008-06-05 10:53 <DIR> d-------- C:\WINNT\l2schemas
2008-06-05 10:20 . 2004-08-04 07:00 381,425 -----c--- C:\WINNT\system32\dllcache\copycd.wmv
2008-06-05 10:20 . 2004-07-17 22:55 129,045 --------- C:\WINNT\system32\drivers\cxthsfs2.cty
2008-06-05 10:20 . 2004-08-04 07:00 9,585 -----c--- C:\WINNT\system32\dllcache\controls.css
2008-06-05 10:20 . 2004-08-04 07:00 8,298 -----c--- C:\WINNT\system32\dllcache\contents.htm
2008-06-05 10:20 . 2004-08-04 07:00 6,878 -----c--- C:\WINNT\system32\dllcache\controls.js
2008-06-05 10:20 . 2004-08-04 07:00 999 -----c--- C:\WINNT\system32\dllcache\bktrh.gif
2008-06-05 10:20 . 2004-08-04 07:00 773 -----c--- C:\WINNT\system32\dllcache\cnth.gif
2008-06-05 10:20 . 2004-08-04 07:00 773 -----c--- C:\WINNT\system32\dllcache\cnt.gif
2008-06-05 10:20 . 2004-08-04 07:00 772 -----c--- C:\WINNT\system32\dllcache\cntd.gif
2008-06-05 10:20 . 2004-08-04 07:00 760 -----c--- C:\WINNT\system32\dllcache\cloapph.gif
2008-06-05 10:20 . 2004-08-04 07:00 717 -----c--- C:\WINNT\system32\dllcache\cloapp.gif
2008-06-05 09:59 . 2007-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-06-05 09:59 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-06-05 09:59 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-06-05 09:59 . 2007-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-06-05 09:49 . 2008-06-05 09:48 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-06-05 09:48 . 2008-06-05 09:48 <DIR> d-------- C:\WINNT\Sun
2008-06-05 09:48 . 2008-06-05 09:50 <DIR> d-------- C:\Documents and Settings\admin\.housecall6.6
2008-06-05 09:44 . 2008-03-25 02:37 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-06-05 09:43 . 2008-06-05 09:44 <DIR> d-------- C:\Program Files\Java
2008-06-05 09:43 . 2008-06-05 09:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 13:26 . 2008-06-07 07:17 <DIR> d-------- C:\Temp
2008-06-01 19:02 . 2008-06-02 10:48 <DIR> d-------- C:\WINNT\.jagex_cache_32
2008-05-28 11:47 . 2008-05-28 11:48 <DIR> d-------- C:\vssp6
2008-05-28 11:31 . 2008-05-28 11:31 <DIR> d-------- C:\Program Files\FTP Explorer
2008-05-28 11:25 . 2008-05-28 12:57 185 --a------ C:\WINNT\mdm.ini
2008-05-28 11:24 . 2008-05-28 11:24 <DIR> d-------- C:\Program Files\Web Publish
2008-05-25 17:12 . 2008-05-25 17:12 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-22 13:40 . 2008-05-22 13:40 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Apple Computer
2008-05-12 16:43 . 2008-05-12 16:43 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-12 16:43 . 2008-05-12 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-11 18:47 . 2008-05-11 18:48 <DIR> d-------- C:\Program Files\QuickTime
2008-05-11 18:47 . 2008-05-11 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-11 18:47 . 2008-05-29 14:05 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-05-11 18:47 . 2008-05-11 18:48 1,409 --a------ C:\WINNT\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 22:11 --------- d-----w C:\Program Files\Common Files\Real
2008-05-15 16:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-15 16:48 --------- d-----w C:\Documents and Settings\admin\Application Data\AdobeUM
2008-05-14 01:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 01:17 --------- d-----w C:\Documents and Settings\admin\Application Data\Publish Providers
2008-05-01 01:16 --------- d-----w C:\Documents and Settings\admin\Application Data\Sony
2008-05-01 00:16 --------- d-----w C:\Program Files\Vstplugins
2008-05-01 00:16 --------- d-----w C:\Program Files\Sony
2008-05-01 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-04-30 23:55 --------- d-----w C:\Program Files\MSBuild
2008-04-30 23:50 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-30 23:41 --------- d-----w C:\Program Files\Sony Setup
2008-04-30 23:41 --------- d-----w C:\Documents and Settings\admin\Application Data\Sony Setup
2008-04-29 21:12 36,864 ----a-w C:\WINNT\system32\BGData.bin
2008-04-25 23:44 --------- d-----w C:\Program Files\FreshDevices
2008-04-18 13:37 --------- d-----w C:\Program Files\FLV Player
2008-04-16 15:27 --------- d-----w C:\Program Files\ahead
2008-04-16 13:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 13:46 --------- d-----w C:\Program Files\EASEUS
2008-04-16 12:24 --------- d-----w C:\Program Files\ParetoLogic
2008-04-16 12:24 --------- d-----w C:\Program Files\Common Files\ParetoLogic
2008-04-16 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-04-16 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-14 10:42 985,088 ----a-w C:\WINNT\system32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINNT\system32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINNT\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINNT\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINNT\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINNT\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINNT\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINNT\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINNT\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINNT\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINNT\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINNT\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINNT\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINNT\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINNT\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINNT\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINNT\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINNT\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINNT\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINNT\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINNT\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINNT\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINNT\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINNT\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINNT\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINNT\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINNT\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINNT\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINNT\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINNT\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINNT\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINNT\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINNT\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINNT\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINNT\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINNT\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINNT\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINNT\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINNT\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINNT\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINNT\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINNT\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINNT\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINNT\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINNT\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINNT\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINNT\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINNT\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINNT\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINNT\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINNT\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINNT\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINNT\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINNT\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINNT\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINNT\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINNT\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINNT\system32\drivers\ndisuio.sys
2008-04-13 18:54 22,016 ----a-w C:\WINNT\system32\drivers\msircomm.sys
2008-04-13 18:54 11,264 ----a-w C:\WINNT\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINNT\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINNT\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINNT\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINNT\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINNT\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINNT\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINNT\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINNT\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINNT\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\WINNT\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINNT\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINNT\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINNT\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINNT\system32\watchdog.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_ 7.25.41.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 12:22:03 2,048 --s-a-w C:\WINNT\bootstat.dat
+ 2008-06-07 20:11:31 2,048 --s-a-w C:\WINNT\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2008-04-13 19:12 143360 C:\WINNT\system32\mobsync.exe]
"Cmaudio"="cmicnfg.cpl" []
"Matrox Powerdesk"="C:\WINNT\system32\PDesk\PDesk.exe" [2005-08-08 15:51 684032]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28 1428064]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-08-06 15:03 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 17:11 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 19:12 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 07:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"midi"= usbmn2x2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Vegas Pro 8.0\\VegSrv80.exe"=
"C:\\Program Files\\FTP Explorer\\ftpx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 FPAV_RTP;FPAV_RTP;C:\WINNT\system32\drivers\FStopW.sys [2007-10-22 09:48]
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe" [2007-10-24 14:28]
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S3 SiS630;SiS630;C:\WINNT\system32\DRIVERS\sis630p.sys [2001-08-30 04:59]
S3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [2001-08-17 12:51]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINNT\system32\drivers\usb22ldr.sys [2006-06-12 04:25]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 12:05]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINNT\system32\drivers\usbmn2x2.sys [2006-06-12 04:25]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [2002-07-30 16:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{280d51c6-7a90-11db-b991-000ae6ad1ba1}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 03:26:10 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-04 23:00:11 C:\WINNT\Tasks\ParetoLogic Registration.job"
- C:\WINNT\system32\rundll32.exe@
"2008-06-06 05:33:05 C:\WINNT\Tasks\ParetoLogic Update Version2.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 15:23:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 15:24:33
ComboFix-quarantined-files.txt 2008-06-07 20:24:06
ComboFix2.txt 2008-06-07 20:15:53
ComboFix3.txt 2008-06-07 12:25:56

Pre-Run: 10,070,044,672 bytes free
Post-Run: 10,056,597,504 bytes free

244

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31, on 2008-06-07
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212677958926
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euphonic.com
O17 - HKLM\Software\..\Telephony: DomainName = euphonic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: Domain = euphonic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euphonic.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: Domain = euphonic.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe

--
End of file - 5797 bytes

Thanks again....
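
The HijackThis log above is the format the helper is reading. As an added example that is not part of this thread, and not a HijackThis or BleepingComputer tool, here is a small Python parser for HijackThis v2 finding lines with a few triage rules of the kind a reviewer applies by hand: O17 NameServer entries that are not RFC 1918 addresses, O4 autostarts that run from user-writable folders, and R0/R1/O16 entries pointing at hosts outside a short allow-list. The sample input mixes lines copied from the log above with constructed ones (the `svch0st.exe` autostart is invented for the demonstration and does not appear on the poster's machine); the allow-list and the rules themselves are assumptions, not anything HijackThis outputs.

```python
"""Parse HijackThis v2 finding lines and attach simple review flags.

Added example: the parser, the KNOWN_GOOD_HOSTS allow-list, SUSPECT_DIRS and
the triage rules are this example's own assumptions, not HijackThis logic.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Every HijackThis finding starts with a section code, e.g. "O4 - ..." or "R1 - ...".
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Hosts accepted in start-page (R0/R1) and ActiveX download (O16 DPF) entries. Assumed list.
KNOWN_GOOD_HOSTS = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "trendmicro.com")

# Autostart images living under these folders are worth a second look. Assumed heuristic.
SUSPECT_DIRS = re.compile(
    r"\\(temp|application data|local settings|documents and settings\\[^\\]+)\\", re.I)


@dataclass
class Entry:
    kind: str                          # section code such as "O4" or "O17"
    body: str                          # text after "O4 - "
    flags: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return one Entry per finding line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def nameservers(entry: Entry) -> list:
    """DNS servers listed in an O17 'NameServer = a,b' entry; empty for anything else."""
    if entry.kind != "O17":
        return []
    _, sep, value = entry.body.partition("NameServer = ")
    if not sep:
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def host_of(text: str) -> str:
    """Lower-cased host of the first http(s) URL in the entry, or '' if there is none."""
    m = re.search(r"https?://([^/\s]+)", text, re.I)
    return m.group(1).lower() if m else ""


def triage(entries: list, trusted_dns: tuple = ()) -> list:
    """Attach review flags in place and return only the entries that received one."""
    for e in entries:
        if e.kind == "O17":
            for ns in nameservers(e):
                try:
                    ip = ipaddress.ip_address(ns)
                except ValueError:
                    e.flags.append(f"unparseable NameServer {ns!r}")
                    continue
                # A public resolver is normal for an ISP, so the flag asks for confirmation
                # rather than declaring a hijack.
                if not ip.is_private and ns not in trusted_dns:
                    e.flags.append(f"public DNS {ns}: confirm it is the ISP's")
        elif e.kind == "O4" and SUSPECT_DIRS.search(e.body):
            e.flags.append("autostart from user-writable folder")
        elif e.kind in ("R0", "R1", "O16"):
            h = host_of(e.body)
            if h and not h.endswith(KNOWN_GOOD_HOSTS):
                e.flags.append(f"unknown host {h}")
    return [e for e in entries if e.flags]


# Sample input: lines 1, 2, 5 and 6 are copied from the log in this thread; the O4 entry for
# svch0st.exe and the O16 URL are constructed for the demonstration.
SAMPLE = r"""Running processes:
C:\WINNT\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\admin\Local Settings\Temp\svch0st.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/example.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E37917-90D5-4AD5-97B0-DDD7CB523C96}: NameServer = 192.168.0.101,204.127.203.135
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
"""

if __name__ == "__main__":
    for entry in triage(parse_log(SAMPLE)):
        print(entry.kind, "-", entry.body)
        for flag in entry.flags:
            print("    !", flag)
```

Run as a script it prints the two flagged entries from the sample: the constructed Temp autostart and the O17 line whose second resolver is a public address. Passing `trusted_dns=("204.127.203.135",)` once the ISP's resolver has been confirmed silences that second flag, which is the point of the rule: the parser surfaces what needs a human decision, it does not make the decision.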

#6 Thunder

Posted 08 June 2008 - 04:59 AM

Looking good, Bill :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#7 wjniemi (Topic Starter)

Posted 08 June 2008 - 07:25 AM

Hi, Thunder...

Your help is greatly appreciated and I will demonstrate my appreciation by clicking on the DONATE button. This site provides an immense public service and deserves support.

I will also link you on my two websites... they are not computer-related, but links are links, I guess! Even people who are interested in politics and music get computer problems.

:thumbsup: <== musician

:) <== political junkie

Again, thanks, and I will read your hints and, even more importantly, I will have my grandsons read them as well. They are like eager lizards when they come to visit, with all the "fast internet" time they want. Lots o' clikkin' goin' on. "Yes, children, there WAS a time when every home didn't have a PC network...", I cadge.

Cheers & Thanks,

Bill

#8 Thunder

Posted 08 June 2008 - 04:00 PM

Glad we could help, Bill :thumbsup:

And thanks for the favors in return. :)

Here's some more reading material for your grandsons:
Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.