
Virtumone And Trojan.gen Files


This topic is locked
16 replies to this topic

#1 blunt1655

Posted 12 June 2008 - 02:55 PM

Hi,

I was just wondering if someone could help me out. I have virtumonde and a trojan.gen on my computer and my spysweeper/windows defender/threatfire will not get rid of them. Spysweeper is the only program to recognize that they are even there and once I restart my computer, virtumonde and trojan.gen are back. Here is my dss/hjt log. Also, when I ran dss the first time I did have both the main.txt and extra.txt files; however I had to restart my computer and now I only get the main.txt file to appear.

Deckard's System Scanner v20071014.68
Run by Joe on 2008-06-12 15:43:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:22 PM, on 6/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Joe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Joe.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6750
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6750
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Joe\lsass.exe
O4 - HKCU\..\Run: [cmds] "rundll32.exe" C:\Users\Joe\AppData\Local\Temp\pmnnLCuS.dll,c
O4 - HKCU\..\Run: [1ab9af0a] "rundll32.exe" "C:\Users\Joe\AppData\Local\Temp\nritegci.dll",b
O4 - HKCU\..\Run: [BM198a9c96] "Rundll32.exe" "C:\Users\Joe\AppData\Local\Temp\youtmtxa.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\444.470.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9841 bytes

-- Files created between 2008-05-12 and 2008-06-12 -----------------------------

2008-06-12 15:07:21 0 d-------- C:\Program Files\Trend Micro
2008-06-12 14:43:33 0 d-------- C:\Program Files\Enigma Software Group
2008-06-11 22:17:02 0 d-a------ C:\Users\All Users\TEMP
2008-06-11 22:16:44 0 d-------- C:\Users\All Users\PC Tools
2008-06-11 22:16:44 0 d-------- C:\Program Files\ThreatFire
2008-06-09 12:54:26 0 d-------- C:\Program Files\MicroMashMBE
2008-06-07 19:13:18 0 d-------- C:\Users\All Users\Webroot
2008-06-07 19:13:18 0 d-------- C:\Program Files\Webroot
2008-06-07 19:05:59 164 --a------ C:\install.dat
2008-06-05 10:05:24 67802 --a------ C:\Users\All Users\?
2008-06-04 21:07:31 489 --a------ C:\Users\Joe\749.bat
2008-06-04 16:32:48 0 d--hs---- C:\Windows\Sm9l
2008-06-04 16:32:25 86144 --a------ C:\Windows\system32\drivers\srvv.sys
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\Vco1
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\sTMP
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\fIE
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\Dev3
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\a053
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\6026c
2008-06-04 16:32:22 489 --a------ C:\Users\Joe\172.bat
2008-06-04 16:32:10 0 d-------- C:\Windows\system32\vntiho05
2008-06-04 16:04:48 0 d-------- C:\Program Files\LimeWire
2008-05-27 19:45:37 0 d-------- C:\Program Files\Apple Software Update
2008-05-22 08:11:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-21 22:21:25 141 --a------ C:\term.bat
2008-05-21 22:21:24 0 d-------- C:\Windows\system32\566828
2008-05-19 09:17:29 0 -rahs---- C:\MSDOS.SYS
2008-05-19 09:17:29 0 -rahs---- C:\IO.SYS


-- Find3M Report ---------------------------------------------------------------

2008-06-12 15:37:52 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2008-06-12 15:37:45 0 d-------- C:\Users\Joe\AppData\Roaming\Spare Backup
2008-06-12 11:32:58 0 d-------- C:\Program Files\Windows Mail
2008-06-07 19:13:18 0 d-------- C:\Users\Joe\AppData\Roaming\Webroot
2008-05-28 09:19:19 8300 --a------ C:\Users\Joe\AppData\Roaming\wklnhst.dat
2008-05-08 21:59:02 0 d-------- C:\Users\Joe\AppData\Roaming\Apple Computer
2008-05-08 21:58:55 0 d-------- C:\Program Files\iTunes
2008-05-08 21:58:45 0 d-------- C:\Program Files\iPod
2008-05-08 21:58:20 0 d-------- C:\Program Files\Bonjour
2008-05-08 21:58:09 0 d-------- C:\Program Files\QuickTime
2008-05-08 21:56:57 0 d-------- C:\Program Files\Common Files
2008-05-08 21:56:57 0 d-------- C:\Program Files\Common Files\Apple
2008-05-08 21:38:23 0 d-------- C:\Program Files\iPodAid iPod to Computer Transfer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/20/2007 01:56 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/12/2007 08:36 PM]
"SigmatelSysTrayApp"="sttray.exe" [01/30/2007 01:36 AM C:\Windows\sttray.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/26/2007 05:38 AM]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Gateway\traybar.exe" [06/29/2007 08:12 PM]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [09/13/2007 08:22 PM]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [03/16/2008 03:59 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 08:35 AM]
"Aim6"="" []
"LSA Shellu"="C:\Users\Joe\lsass.exe" []
"cmds"="rundll32.exe" [11/02/2006 05:45 AM C:\Windows\System32\rundll32.exe]
"1ab9af0a"="rundll32.exe" [11/02/2006 05:45 AM C:\Windows\System32\rundll32.exe]
"BM198a9c96"="Rundll32.exe" [11/02/2006 05:45 AM C:\Windows\System32\rundll32.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [5/27/2008 7:23:48 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [11/20/2007 1:27:29 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-12 15:44:07 ------------
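The entries in the HijackThis section above that explain the "it comes back after a reboot" symptom are the HKCU Run keys that reload DLLs from the user's Temp folder through rundll32, the lsass.exe copy sitting in the user profile, the search URLs set to one outside host in both HKCU and HKLM, and the service whose binary is missing. The script below is an added example, not part of this thread or of HijackThis: it parses the R0/R1, O4 and O23 line formats and reports those four patterns; its sample input is copied from the log above, and the severity labels, temp-folder markers and process-name list are this example's own assumptions.

```python
# Added example (not part of the thread or of HijackThis): triage of R0/R1, O4 and O23 lines.
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above (a constructed subset for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Joe\lsass.exe
O4 - HKCU\..\Run: [cmds] "rundll32.exe" C:\Users\Joe\AppData\Local\Temp\pmnnLCuS.dll,c
O4 - HKCU\..\Run: [1ab9af0a] "rundll32.exe" "C:\Users\Joe\AppData\Local\Temp\nritegci.dll",b
O4 - HKCU\..\Run: [BM198a9c96] "Rundll32.exe" "C:\Users\Joe\AppData\Local\Temp\youtmtxa.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\444.470.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

R_RE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Heuristic data for this example (assumptions, not HijackThis rules).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
CORE_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe", "winlogon.exe", "svchost.exe"}


def split_command(cmd: str):
    """Split a Run-key command into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage_o4(hive: str, name: str, cmd: str) -> list:
    """Flag rundll32 reloading a DLL from a temp folder, or a core process name outside System32."""
    program, args = split_command(cmd)
    exe = program.rsplit("\\", 1)[-1].lower()
    if exe == "rundll32.exe":
        dll = args.split(",", 1)[0].strip().strip('"')  # rundll32 takes "<dll>,<entry point>"
        if any(marker in dll.lower() for marker in TEMP_MARKERS):
            return [("high", f"O4 [{name}] ({hive}): rundll32 loads {dll} from a temp folder")]
    elif exe in CORE_PROCESS_NAMES and "\\system32\\" not in program.lower():
        return [("high", f"O4 [{name}] ({hive}): system process name {exe} outside System32: {program}")]
    return []


def triage_o23(name: str, owner: str, path: str) -> list:
    """Flag a service whose binary is gone or whose owner HijackThis could not identify."""
    reasons = []
    if owner == "Unknown owner":
        reasons.append("unknown owner")
    if path.endswith("(file missing)"):
        reasons.append("binary missing")
    return [("medium", f"O23 service '{name}': {' and '.join(reasons)}: {path}")] if reasons else []


def triage_r(entries: list) -> list:
    """Flag a host that the search settings of both HKCU and HKLM point to (the pattern in this log)."""
    hives_by_host = {}
    for key, value in entries:
        if "search" not in key.lower() or not value:
            continue
        host = urlparse(value).hostname
        if host:
            hives_by_host.setdefault(host, set()).add(key.split("\\", 1)[0])
    return [("high", f"R0/R1: search settings in {'/'.join(sorted(hives))} point to {host}")
            for host, hives in hives_by_host.items() if hives >= {"HKCU", "HKLM"}]


def triage(log_text: str) -> list:
    """Parse the supported line types and return (severity, description) findings."""
    findings, r_entries = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_RE.match(line):
            r_entries.append((m["key"], m["value"]))
        elif m := O4_RE.match(line):
            findings += triage_o4(m["hive"], m["name"], m["cmd"])
        elif m := O23_RE.match(line):
            findings += triage_o23(m["name"], m["owner"], m["path"])
    return findings + triage_r(r_entries)


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_LOG):
        print(f"[{severity}] {text}")
```

Run against the sample it reports the three Temp-folder rundll32 loaders, the profile-root lsass.exe, the ownerless service with a missing binary and the shared search host, while the benign oobefldr.dll entry and the ThreatFire service produce nothing.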


#2 SifuMike

malware expert

Posted 14 June 2008 - 11:16 PM

Hello blunt1655,

I did have both the main.txt and extra.txt files; however I had to restart my computer and now I only get the main.txt file to appear.

extra.txt only appears on the first run of DSS.
If you do a search for extra.txt you will find it. It will probably be at C:\Deckard\Extra.txt
When you find it, please post it.


Please tell me what antivirus program you are running on this computer.

If you are not running an antivirus program, then download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

Edited by SifuMike, 15 June 2008 - 12:07 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 blunt1655

Posted 15 June 2008 - 11:46 AM

Thanks for the response, Mike. I use Windows Defender and Spy Sweeper. Below is the extra.txt file from DSS.


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T5450 @ 1.66GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 3061.81 MiB / 1127.91 MiB
Pagefile Memory (total/avail): 6311.35 MiB / 4634.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.48 MiB

C: is Fixed (NTFS) - 221.8 GiB total, 165 GiB free.
D: is Fixed (NTFS) - 11.08 GiB total, 3.89 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500BEVS-22UST0 - 232.88 GiB - 2 partitions
\PARTITION0 - Installable File System - 11.08 GiB - D:
\PARTITION1 (bootable) - Installable File System - 221.8 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: ThreatFire v3.5.0.21 (PC Tools)
AV: Spy Sweeper with AntiVirus v5.5.7.124 (Webroot Software Inc)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: ThreatFire v3.5.0.21 (PC Tools)
AS: Spy Sweeper v5.5.7.124 (Webroot Software Inc)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Joe\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOE-LAPTOP
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Joe
LOCALAPPDATA=C:\Users\Joe\AppData\Local
LOGONSERVER=\\JOE-LAPTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Joe\AppData\Local\Temp
TMP=C:\Users\Joe\AppData\Local\Temp
USERDOMAIN=Joe-laptop
USERNAME=Joe
USERPROFILE=C:\Users\Joe
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Joe


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Blasterball 3\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Chuzzle Deluxe\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Diner Dash\Uninstall.exe"
--> "C:\Program Files\Gateway Games\FATE\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Gateway Game Console\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Penguins!\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Polar Bowler\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Polar Golfer\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Tradewinds\Uninstall.exe"
--> "C:\Program Files\Gateway Games\Virtual Villagers - A New Home\Uninstall.exe"
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Agere Systems HDA Modem --> agrsmdel
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BigFix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
Camera Assistant Software for Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39098402-3F7A-4257-A4AE-FC1181D1B40B}\setup.exe" -l0x9
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Gateway Connect --> MsiExec.exe /I{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}
Gateway Games --> "C:\Program Files\Gateway Games\Uninstall.exe"
Gateway Recovery Center Installer --> MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
iPodAid iPod to Computer Transfer 6 --> "C:\Program Files\iPodAid iPod to Computer Transfer\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LabelPrint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe" -uninstall
LimeWire 4.18.1 --> "C:\Program Files\LimeWire\uninstall.exe"
Marvell® Wireless Card Software Package --> MsiExec.exe /X{FE5BB5C7-BD6E-4F90-82FD-6DB7B3781BE9}
Microsoft Money Essentials --> "C:\Program Files\Microsoft Money 2007\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office PowerPoint Viewer 2007 (English) --> MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Microsoft WSE 2.0 SP3 Runtime --> MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Power2Go 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek USB 2.0 Card Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe" -l0x9 -removeonly
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Spare Backup --> MsiExec.exe /X{A57C6094-FC5A-4DEC-B1E0-1B2F48EEE8F4}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThreatFire 3.5 --> "C:\Program Files\ThreatFire\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type9538 / Error
Event Submitted/Written: 06/12/2008 03:04:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module nritegci.dll, version 0.0.0.0, time stamp 0x4847fdbe, exception code 0xc0000005, fault offset 0x00010d6b,
process id 0xa90, application start time 0xexplorer.exe0.

Event Record #/Type9504 / Error
Event Submitted/Written: 06/12/2008 00:01:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application Explorer.EXE, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module nritegci.dll, version 0.0.0.0, time stamp 0x4847fdbe, exception code 0xc0000005, fault offset 0x00010d6b,
process id 0xebc, application start time 0xExplorer.EXE0.

Event Record #/Type9495 / Error
Event Submitted/Written: 06/12/2008 11:47:06 AM
Event ID/Source: 5007 / WerSvc
Event Description:
The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

Event Record #/Type9493 / Success
Event Submitted/Written: 06/12/2008 11:47:03 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type9492 / Success
Event Submitted/Written: 06/12/2008 11:47:02 AM
Event ID/Source: 5615 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type40199 / Warning
Event Submitted/Written: 06/12/2008 03:26:50 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Joe-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Joe-laptop27 can't undo changes that you allow.

For more information please see the following:
%Joe-laptop275

Scan ID: {9F3F84CA-090D-4912-A05C-75F11011935D}

User: Joe-laptop\Joe

Name: %Joe-laptop271

ID: %Joe-laptop272

Severity ID: %Joe-laptop273

Category ID: %Joe-laptop274

Path Found: %Joe-laptop276

Alert Type: %Joe-laptop278

Detection Type: 1.1.1505.02

Event Record #/Type40198 / Warning
Event Submitted/Written: 06/12/2008 03:26:50 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Joe-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Joe-laptop27 can't undo changes that you allow.

For more information please see the following:
%Joe-laptop275

Scan ID: {A2B6E000-04A0-4EAD-8BFE-D661EA61AF75}

User: Joe-laptop\Joe

Name: %Joe-laptop271

ID: %Joe-laptop272

Severity ID: %Joe-laptop273

Category ID: %Joe-laptop274

Path Found: %Joe-laptop276

Alert Type: %Joe-laptop278

Detection Type: 1.1.1505.02

Event Record #/Type40197 / Warning
Event Submitted/Written: 06/12/2008 03:26:49 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Joe-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Joe-laptop27 can't undo changes that you allow.

For more information please see the following:
%Joe-laptop275

Scan ID: {BFE03826-40C5-4C76-A929-3DDB1962BC43}

User: Joe-laptop\Joe

Name: %Joe-laptop271

ID: %Joe-laptop272

Severity ID: %Joe-laptop273

Category ID: %Joe-laptop274

Path Found: %Joe-laptop276

Alert Type: %Joe-laptop278

Detection Type: 1.1.1505.02

Event Record #/Type40196 / Warning
Event Submitted/Written: 06/12/2008 03:26:49 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Joe-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Joe-laptop27 can't undo changes that you allow.

For more information please see the following:
%Joe-laptop275

Scan ID: {9777C70F-233F-4ADA-8E40-A71937A8B060}

User: Joe-laptop\Joe

Name: %Joe-laptop271

ID: %Joe-laptop272

Severity ID: %Joe-laptop273

Category ID: %Joe-laptop274

Path Found: %Joe-laptop276

Alert Type: %Joe-laptop278

Detection Type: 1.1.1505.02

Event Record #/Type40195 / Warning
Event Submitted/Written: 06/12/2008 03:26:47 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Joe-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Joe-laptop27 can't undo changes that you allow.

For more information please see the following:
%Joe-laptop275

Scan ID: {36CF68DB-E4E1-4113-8C56-04B310041AE7}

User: Joe-laptop\Joe

Name: %Joe-laptop271

ID: %Joe-laptop272

Severity ID: %Joe-laptop273

Category ID: %Joe-laptop274

Path Found: %Joe-laptop276

Alert Type: %Joe-laptop278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-06-12 15:29:36 ------------

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 15 June 2008 - 12:05 PM

Hi blunt1655,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 blunt1655

blunt1655
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 15 June 2008 - 03:46 PM

Mike,

Here is the report from the mbam.

Malwarebytes' Anti-Malware 1.17
Database version: 857

4:37:46 PM 6/15/2008
mbam-log-6-15-2008 (16-37-46).txt

Scan type: Quick Scan
Objects scanned: 35945
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 17
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ExplNetProjowser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ab9af0a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM198a9c96 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\566828 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\drivers\srvv.sys (Rootkit.Agent) -> Delete on reboot.
C:\Windows\System32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Users\Joe\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Joe\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Joe\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 15 June 2008 - 03:55 PM

Hi blunt1655,

Please post a fresh DSS Main.txt log and we will see if we have to remove anything else. :thumbsup:

#7 blunt1655

blunt1655
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 15 June 2008 - 04:47 PM

Mike,

Here is the new DSS main.txt you asked for.

Deckard's System Scanner v20071014.68
Run by Joe on 2008-06-15 17:46:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:18 PM, on 6/15/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Joe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Joe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6750
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=M-6750
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] ?
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Joe\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: ThreatFire - Unknown owner - C:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7743 bytes

-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-15 16:32:18 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-15 16:32:17 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 15:07:21 0 d-------- C:\Program Files\Trend Micro
2008-06-12 14:43:33 0 d-------- C:\Program Files\Enigma Software Group
2008-06-11 22:17:02 0 d-a------ C:\Users\All Users\TEMP
2008-06-11 22:16:44 0 d-------- C:\Users\All Users\PC Tools
2008-06-11 22:16:44 0 d-------- C:\Program Files\ThreatFire
2008-06-09 12:54:26 0 d-------- C:\Program Files\MicroMashMBE
2008-06-07 19:13:18 0 d-------- C:\Users\All Users\Webroot
2008-06-07 19:13:18 0 d-------- C:\Program Files\Webroot
2008-06-07 19:05:59 164 --a------ C:\install.dat
2008-06-05 10:05:24 67802 --a------ C:\Users\All Users\?
2008-06-04 21:07:31 489 --a------ C:\Users\Joe\749.bat
2008-06-04 16:32:48 0 d--hs---- C:\Windows\Sm9l
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\Vco1
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\sTMP
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\fIE
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\Dev3
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\a053
2008-06-04 16:32:24 0 d-------- C:\Windows\system32\6026c
2008-06-04 16:32:22 489 --a------ C:\Users\Joe\172.bat
2008-06-04 16:32:10 0 d-------- C:\Windows\system32\vntiho05
2008-06-04 16:04:48 0 d-------- C:\Program Files\LimeWire
2008-05-27 19:45:37 0 d-------- C:\Program Files\Apple Software Update
2008-05-22 08:11:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-21 22:21:25 141 --a------ C:\term.bat
2008-05-19 09:17:29 0 -rahs---- C:\MSDOS.SYS
2008-05-19 09:17:29 0 -rahs---- C:\IO.SYS


-- Find3M Report ---------------------------------------------------------------

2008-06-15 16:40:55 0 d-------- C:\Users\Joe\AppData\Roaming\Spare Backup
2008-06-15 16:39:52 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2008-06-15 16:32:21 0 d-------- C:\Users\Joe\AppData\Roaming\Malwarebytes
2008-06-13 17:40:07 0 d-------- C:\Users\Joe\AppData\Roaming\Mozilla
2008-06-13 17:15:57 8444 --a------ C:\Users\Joe\AppData\Roaming\wklnhst.dat
2008-06-12 11:32:58 0 d-------- C:\Program Files\Windows Mail
2008-06-07 19:13:18 0 d-------- C:\Users\Joe\AppData\Roaming\Webroot
2008-05-08 21:59:02 0 d-------- C:\Users\Joe\AppData\Roaming\Apple Computer
2008-05-08 21:58:55 0 d-------- C:\Program Files\iTunes
2008-05-08 21:58:45 0 d-------- C:\Program Files\iPod
2008-05-08 21:58:20 0 d-------- C:\Program Files\Bonjour
2008-05-08 21:58:09 0 d-------- C:\Program Files\QuickTime
2008-05-08 21:56:57 0 d-------- C:\Program Files\Common Files
2008-05-08 21:56:57 0 d-------- C:\Program Files\Common Files\Apple
2008-05-08 21:38:23 0 d-------- C:\Program Files\iPodAid iPod to Computer Transfer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/20/2007 01:56 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/12/2007 08:36 PM]
"SigmatelSysTrayApp"="sttray.exe" [01/30/2007 01:36 AM C:\Windows\sttray.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/26/2007 05:38 AM]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Gateway\traybar.exe" [06/29/2007 08:12 PM]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [09/13/2007 08:22 PM]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [03/16/2008 03:59 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [06/10/2008 07:02 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 08:35 AM]
"Aim6"="?" []
"LSA Shellu"="C:\Users\Joe\lsass.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [5/27/2008 7:23:48 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [11/20/2007 1:27:29 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-15 17:46:47 ------------
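The log above carries several indicator classes that a helper checks by eye: a Run entry that launches a file named lsass.exe from a user profile (the genuine one lives under the Windows directory and is never started from a Run key), a Run entry whose target shows as "?", BHO and toolbar CLSIDs marked "(no file)", search and start-page values pointing at internetsearchservice.com, and a service whose binary is "(file missing)". The following Python script is an added example written for this page, not part of HijackThis, DSS or the thread; it encodes those checks as a triage pass over HijackThis-style lines. The sample lines are a constructed excerpt in the same form as the log above, and the TRUSTED_SEARCH_HOSTS allowlist and the severity labels are assumptions made for the example.

```python
"""Triage HijackThis-style log lines for the indicator classes seen in this thread.
Added example; not part of HijackThis, DSS or the thread."""
import re
from collections import Counter
from urllib.parse import urlparse

# Core Windows process names that malware borrows. A Run entry starting a file with
# one of these names from outside the Windows directory is suspect.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                        "services.exe", "svchost.exe", "explorer.exe", "wininit.exe"}
WINDOWS_DIR = "c:\\windows\\"

# Constructed allowlist: hosts this OEM machine may legitimately have as start/search page.
TRUSTED_SEARCH_HOSTS = {"www.gateway.com", "www.microsoft.com", "go.microsoft.com"}

R_RE = re.compile(r"^R[01] - (?P<key>.+?) =\s?(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample in the same form as the HijackThis section of the DSS log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Aim6] ?
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Joe\lsass.exe
O23 - Service: ThreatFire - Unknown owner - C:\Program Files\ThreatFire\TFService.exe (file missing)
"""


def executable_from_command(cmd):
    """Return the program path from a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log_text):
    """Return a list of (severity, reason, line) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := R_RE.match(line):
            value = m.group("value")
            if value.lower().startswith("http"):
                host = (urlparse(value).hostname or "").lower()
                if host not in TRUSTED_SEARCH_HOSTS:
                    findings.append(("high", f"browser start/search setting points to untrusted host {host}", line))
        elif line.startswith(("O2 - BHO:", "O3 - Toolbar:")) and line.endswith("(no file)"):
            findings.append(("low", "orphaned BHO/toolbar CLSID with no backing file", line))
        elif m := O4_RE.match(line):
            exe = executable_from_command(m.group("cmd"))
            if exe == "?":
                findings.append(("medium", f"Run entry [{m.group('name')}] has an unreadable target", line))
            else:
                base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base in SYSTEM_PROCESS_NAMES and not exe.lower().startswith(WINDOWS_DIR):
                    findings.append(("high", f"{base} started from outside the Windows directory: {exe}", line))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append(("low", "service registration points to a missing binary", line))
    return findings


def severity_counts(findings):
    """Count findings per severity label."""
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {reason}\n    {line}")
    print(dict(severity_counts(triage(SAMPLE_LOG))))
```

On the constructed sample this reports two high findings (the search hijack and the lsass.exe copy in the user profile), one medium (the "?" target) and three low (two orphaned CLSIDs and the missing ThreatFire binary); the low items are clean-up, not evidence of active infection, which is why the severities are kept separate.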

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 15 June 2008 - 05:09 PM

Hi blunt1655,

Before running a new scan, let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
You can upload the new scan log to me here.

#9 blunt1655

blunt1655
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 15 June 2008 - 05:29 PM

Mike,

I submitted that scan log to you through the link you posted.

Joe

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 15 June 2008 - 06:37 PM

Hi Joe,

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Aim6 -> [?]
YN -> LSA Shellu -> %UserProfile%\lsass.exe [C:\Users\Joe\lsass.exe]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> 6026c -> %SystemRoot%\System32\6026c
NY -> a053 -> %SystemRoot%\System32\a053
NY -> Dev3 -> %SystemRoot%\System32\Dev3
NY -> fIE -> %SystemRoot%\System32\fIE
NY -> sTMP -> %SystemRoot%\System32\sTMP
NY -> Vco1 -> %SystemRoot%\System32\Vco1
NY -> vntiho05 -> %SystemRoot%\System32\vntiho05
[Files/Folders - Modified Within 30 days]
NY -> 6026c -> %SystemRoot%\System32\6026c
NY -> a053 -> %SystemRoot%\System32\a053
NY -> Dev3 -> %SystemRoot%\System32\Dev3
NY -> fIE -> %SystemRoot%\System32\fIE
NY -> sTMP -> %SystemRoot%\System32\sTMP
NY -> Vco1 -> %SystemRoot%\System32\Vco1
NY -> vntiho05 -> %SystemRoot%\System32\vntiho05
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time.
When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix.
If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time.
Post that information back here.




Run the F-Secure Online Scanner
  • Note: This Scanner is for Internet Explorer Only!
    • Click on Online Services and then Online Scanner
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.



Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Post the following back here:
  • The F-Secure Online Scanner report
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
  • The new OTScanIt scan log.
You can upload the new scan log to me here
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Edited by SifuMike, 15 June 2008 - 06:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 blunt1655 (Topic Starter)

Posted 15 June 2008 - 07:04 PM

Mike,

Here is the file I received after I ran the fix. I had to physically shut down my computer because it was not shutting down when prompted by OTScanIt. I am still waiting for the F-Secure online report and still waiting to run the new OTScanIt scan.

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Aim6 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LSA Shellu deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
[Files/Folders - Created Within 30 days]
C:\Windows\System32\6026c folder moved successfully.
C:\Windows\System32\a053 folder moved successfully.
C:\Windows\System32\Dev3 folder moved successfully.
C:\Windows\System32\fIE folder moved successfully.
C:\Windows\System32\sTMP folder moved successfully.
C:\Windows\System32\Vco1 folder moved successfully.
C:\Windows\System32\vntiho05 folder moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\Windows\System32\6026c not found!
File C:\Windows\System32\a053 not found!
File C:\Windows\System32\Dev3 not found!
File C:\Windows\System32\fIE not found!
File C:\Windows\System32\sTMP not found!
File C:\Windows\System32\Vco1 not found!
File C:\Windows\System32\vntiho05 not found!
[Empty Temp Folders]
File delete failed. C:\Users\Joe\AppData\Local\Temp\hsperfdata_Joe\3632 scheduled to be deleted on reboot.
File delete failed. C:\Users\Joe\AppData\Local\Temp\~DFA4F.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Joe\AppData\Local\Temp\~DFB960.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.

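The fix log above records the four places this Vundo sample anchored itself: two HKCU Run values, two Browser Helper Object CLSIDs whose backing CLSID keys had already vanished, an IE toolbar CLSID, and seven randomly named folders created in System32. Here is an added triage script, not part of the thread and not OTScanIt's own logic, that enumerates those same four persistence points on a live machine and flags entries that fit the pattern. The "suspicious" heuristics (loader lives under a per-user Temp folder, loader file is missing, CLSID registration is orphaned, System32 folder younger than 30 days) are assumptions chosen for this example, not vendor detection rules; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or from OTScanIt. Enumerates the
# persistence points the fix log above shows Vundo using and flags the
# ones that match it. Heuristics are assumptions made for this example.

# Per-user scratch folders: the F-Secure report found the Vundo DLLs in
# AppData\Local\Temp, so a loader rooted there is treated as suspicious.
$userScratch = @("$env:LOCALAPPDATA\Temp", "$env:TEMP") | Where-Object { $_ }

function Get-ImagePath([string]$Command) {
    # First token of a Run or InprocServer32 value: quoted or bare path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $cmd
}

function Test-SuspiciousImage([string]$Path) {
    # Missing on disk, or living in a user-writable Temp folder.
    if (-not $Path) { return $true }
    if (-not (Test-Path -LiteralPath $Path)) { return $true }
    foreach ($s in $userScratch) {
        if ($Path.StartsWith($s, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Resolve-ClsidServer([string]$Clsid) {
    # CLSID -> InprocServer32 DLL. $null means the CLSID key is gone, the
    # orphan state the fix log reports ("CLSID\{...} not found") for both BHOs.
    $key = "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key).'(default)'
}

function New-Finding($Kind, $Name, $Image, $Suspicious) {
    New-Object PSObject -Property @{
        Kind = $Kind; Name = $Name; Image = $Image; Suspicious = $Suspicious
    }
}

$findings = @()
$psNoise  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. HKCU Run values (the log deleted "Aim6" and "LSA Shellu" from here).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    foreach ($p in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $img = Get-ImagePath ([string]$p.Value)
        $findings += New-Finding 'Run' $p.Name $img (Test-SuspiciousImage $img)
    }
}

# 2. Browser Helper Objects: each subkey name is a CLSID.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($k in Get-ChildItem -LiteralPath $bhoKey) {
        $dll = Resolve-ClsidServer $k.PSChildName
        $bad = ($null -eq $dll) -or (Test-SuspiciousImage (Get-ImagePath $dll))
        $findings += New-Finding 'BHO' $k.PSChildName $dll $bad
    }
}

# 3. IE toolbars: value names are CLSIDs, resolved the same way.
$tbKey = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
if (Test-Path -LiteralPath $tbKey) {
    foreach ($p in (Get-ItemProperty -LiteralPath $tbKey).PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $dll = Resolve-ClsidServer $p.Name
        $bad = ($null -eq $dll) -or (Test-SuspiciousImage (Get-ImagePath $dll))
        $findings += New-Finding 'Toolbar' $p.Name $dll $bad
    }
}

# 4. Folders created in System32 within the last 30 days (Vundo dropped
#    seven randomly named ones here; OTScanIt used the same 30-day window).
$cutoff = (Get-Date).AddDays(-30)
foreach ($d in Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32')) {
    if ($d.PSIsContainer -and $d.CreationTime -gt $cutoff) {
        $findings += New-Finding 'NewDir' $d.Name $d.FullName $true
    }
}

$findings | Where-Object { $_.Suspicious } |
    Select-Object Kind, Name, Image, Suspicious | Format-Table -AutoSize
```

The script only reports; it deliberately does not delete anything, because an orphaned BHO CLSID or a fresh System32 folder is a lead, not a verdict, and the thread's own cleanup was done by moving the files (so they could be restored) rather than deleting them outright. On a clean machine the Run and toolbar checks will still list legitimate software whose loader sits outside Program Files, so read the Image column before acting on a hit.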
#12 blunt1655 (Topic Starter)

Posted 15 June 2008 - 08:06 PM

Mike,

Here is the F-Secure online scan report. I will upload the OTScanIt log as soon as it is done running.

Scanning Report
Sunday, June 15, 2008 19:58:50 - 21:04:17

Computer name: JOE-LAPTOP
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 7 malware found
Tracking Cookie (spyware)

* System

Trojan.Win32.Mondera.gen (virus)

* C:\DECKARD\SYSTEM SCANNER\20080612153600\BACKUP\USERS\JOE\APPDATA\LOCAL\TEMP\BNUVHSBG.DLL (Submitted)
* C:\DECKARD\SYSTEM SCANNER\20080612153600\BACKUP\USERS\JOE\APPDATA\LOCAL\TEMP\IXITXXXE.DLL (Renamed & Submitted)
* C:\DECKARD\SYSTEM SCANNER\20080612153600\BACKUP\USERS\JOE\APPDATA\LOCAL\TEMP\RKEDDIEB.DLL (Renamed & Submitted)
* C:\DECKARD\SYSTEM SCANNER\20080612153600\BACKUP\USERS\JOE\APPDATA\LOCAL\TEMP\VYKJSAEW.DLL (Renamed & Submitted)
* C:\DECKARD\SYSTEM SCANNER\20080612153600\BACKUP\USERS\JOE\APPDATA\LOCAL\TEMP\XUTLAVOG.DLL (Submitted)

Vundo.gen38 (virus)

* C:\DECKARD\SYSTEM SCANNER\20080612153600\BACKUP\USERS\JOE\APPDATA\LOCAL\TEMP\RFWUELYX.INI (Submitted)

Statistics
Scanned:

* Files: 32205
* System: 3681
* Not scanned: 27

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 4
* Submitted: 6

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\USERS\JOE\APPDATA\LOCAL\TEMP\HSPERFDATA_JOE\3828
* C:\USERS\JOE\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{F80C5643-F546-4D4D-B719-B58FF103A0C7}
* C:\USERS\JOE\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\B3ACB82BB02E\DBDAM
* C:\USERS\JOE\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\B3ACB82BB02E\DBDAO
* C:\USERS\JOE\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\B3ACB82BB02E\DBEAM
* C:\USERS\JOE\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\B3ACB82BB02E\DBEAO
* C:\USERS\JOE\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\B3ACB82BB02E\DBM
* C:\USERS\JOE\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\B3ACB82BB02E\HP
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\706B4EED179849C2388D4EED8D888CB6_4FC6267C-3C4A-4892-BF87-37D06DAAC3D5
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\706B4EED179849C2388D4EED8D888CB6_4FC6267C-3C4A-4892-BF87-37D06DAAC3D5
* C:\BOOT\BCD

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-06-15
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-06-15

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#13 SifuMike (malware expert, Staff Emeritus)

Posted 15 June 2008 - 09:06 PM

Hi Joe,

That log looks fine. :thumbsup:

If there aren't any other issues then go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues.

If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

#14 blunt1655 (Topic Starter)

Posted 15 June 2008 - 09:14 PM

Mike,

Thanks a lot. It seems better already. No annoying pop-ups yet. I will let you know how things turn out in a couple days. Thank you again.

Joe

#15 blunt1655 (Topic Starter)

Posted 22 June 2008 - 08:55 PM

Mike,

Everything seems to be working fine. I have not had any problems at all recently. I really appreciate all your help.

Joe
