Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Downloader Infection


  • This topic is locked This topic is locked
35 replies to this topic

#1 Dr. G.

Dr. G.

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 14 June 2008 - 09:40 PM

Computer was infected with trojan, downloader is the only name the norton scan showed. I thought i had removed it but a scan a few days ago showed the infection again. can you review the enclosed dss scan and let me know if it looks clean. the Kaspersky scan said no problems found.

Deckard's System Scanner v20071014.68
Run by Carol on 2008-06-14 19:40:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-06-15 02:40:35 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-06-14 20:58:24 UTC - RP2 - Installed Java™ 6 Update 6
1: 2008-06-14 19:58:34 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Carol .exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:42 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Carol \Local Settings\Temporary Internet Files\Content.IE5\EIGYDYOE\dss[1].exe
C:\WINDOWS\system32\snditzap.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Carol .exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124329727031
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O21 - SSODL: Ntedget - {9C542C17-5D9E-482D-864F-FCCE180E6C63} - C:\WINDOWS\system32\audevuni.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: scitegic_apache_5_0_0 (scitegic_apache_1) - Apache Software Foundation - C:\Program Files\SciTegic\apps\scitegic\core\packages_win32\apache\apache2\bin\apache.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8042 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ATNT40K (ActiveTouch NT Appsharing Driver) - c:\windows\system32\drivers\atnt40k.sys

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 scitegic_apache_1 (scitegic_apache_5_0_0) - "c:\program files\scitegic\apps\scitegic\core\packages_win32\apache\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-12 19:30:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-19 20:00:00 634 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Carol .job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 10:51:50 0 d-------- C:\WINDOWS\LastGood
2008-06-13 00:27:40 0 d-------- C:\Program Files\Panda Security
2008-06-12 23:53:16 0 d-------- C:\Program Files\Trend Micro
2008-06-12 19:29:50 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 15:57:56 0 d-------- C:\Documents and Settings\Joey\Application Data\PC Tools
2008-06-05 10:26:19 0 d-------- C:\Documents and Settings\Joey\.housecall6.6
2008-06-05 00:46:22 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-03 20:04:00 0 d-------- C:\Program Files\Polar
2008-06-02 11:03:27 172032 --a------ C:\WINDOWS\system32\crtupcat.dll
2008-05-22 17:52:18 0 d-------- C:\Documents and Settings\Joey\Application Data\Sony
2008-05-22 17:33:04 0 d-------- C:\Documents and Settings\Joey\Application Data\Publish Providers
2008-05-22 17:33:04 0 d-------- C:\Documents and Settings\Joey\Application Data\NetMedia Providers
2008-05-22 17:29:09 0 d-------- C:\Program Files\Vstplugins
2008-05-22 17:28:40 0 d-------- C:\Program Files\Sony
2008-05-15 16:13:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2008-06-14 17:49:18 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-14 14:00:12 0 d-------- C:\Program Files\Java
2008-06-12 23:35:03 0 d-------- C:\Documents and Settings\Carol \Application Data\Apple Computer
2008-06-12 23:33:48 0 d-------- C:\Program Files\QuickTime
2008-06-06 10:53:21 0 d-------- C:\Program Files\Spyware Doctor
2008-06-03 19:54:40 0 d-------- C:\Program Files\GoZone
2008-05-31 19:22:46 0 d-------- C:\Program Files\Symantec
2008-05-15 16:14:31 0 d-------- C:\Program Files\Lavasoft
2008-05-15 16:14:30 0 d-------- C:\Documents and Settings\Carol \Application Data\Lavasoft
2008-05-15 16:13:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 16:41:08 0 d-------- C:\Program Files\iTunes
2008-05-12 16:40:48 0 d-------- C:\Program Files\iPod
2008-05-12 16:39:05 0 d-------- C:\Program Files\Bonjour
2008-05-12 16:36:34 0 d-------- C:\Program Files\Common Files
2008-05-12 16:36:34 0 d-------- C:\Program Files\Common Files\Apple


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 08:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
01/31/2008 01:24 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 08:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/31/2008 02:15 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 09:53 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

C:\Documents and Settings\Carol \Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]
GoZone iSync.lnk - C:\Program Files\GoZone\GoZone_iSync.exe [7/25/2007 7:08:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Ntedget"= {9C542C17-5D9E-482D-864F-FCCE180E6C63} - C:\WINDOWS\system32\audevuni.dll [06/05/2008 03:59 PM 868352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-06-14 19:46:16 ------------

BC AdBot (Login to Remove)

 


m

#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 15 June 2008 - 08:39 AM

Hello Dr. G. :) Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you and will need some time to look over your log.


Please advice me of any programs you have already used to try and fix the problems which you have encountered. I would also ask that you refrain from running any tools other than those we will ask you to while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Since all of our helpers are volunteers and we are really busy I may be a little slow getting back to you, but don't despair as I won't forget. :thumbsup:


Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Dr. G.

Dr. G.
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 15 June 2008 - 06:08 PM

i used Ad-aware and spybot
i used norton security center
i scanned with PC tools spyware Dr but didn't fix anything with it and i disabled it after the scan
i just use it as a secondary scan when issues seem to arise

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 16 June 2008 - 03:54 PM

Hello again Dr. G.,


There are a few things which need to be taken care of with respect to what is showing up in the DSS log


1) Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case BitTorrent ). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology.



2)You also have a program present that is a known Adware program and should be deleted. It is Need2Find which I will include in an uninstall fix listed below.



3)Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".






4) Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



5) Please right click in an open space on your Desktop..Then go to Properties>>Customize Desktop>>Web. If warnhp is present in the dialogue box, delete it.



6)

a) Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK


b Go to Start > Control Panel > Add or Remove Programs.

Remove the following program(s), if they are present.

  • Need2Find
If you are unsure of how to use Add or Remove Programs, the please see this tutorial:
How To Remove An Installed Program From Your Computer


c) Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).



O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O21 - SSODL: Ntedget - {9C542C17-5D9E-482D-864F-FCCE180E6C63} - C:\WINDOWS\system32\audevuni.dll
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html


Then close all windows except HijackThis and click Fix Checked.


d) Use Windows Explorer to find and delete these files:

C:\WINDOWS\system32\audevuni.dll
C:\WINDOWS\warnhp.html
C:\WINDOWS\system32\crtupcat.dll


As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete


Restart your computer




Finally, please post a new DSS log along with the log from MBAM, and a description of any remaining problems.



Thanks,



thewall




Reason for edit: Highlight bad files which are listed for deletion

Edited by thewall, 16 June 2008 - 08:21 PM.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:03:51 PM

Posted 21 June 2008 - 06:36 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,214 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:51 PM

Posted 21 June 2008 - 07:44 PM

I have reopened this topic at the request of Dr.G,thanks.

Edited by boopme, 21 June 2008 - 07:46 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Dr. G.

Dr. G.
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 21 June 2008 - 10:07 PM

enclosed are the mbam and dss log. need2find was not listed in the add/removes program list. attempts to remove audevuni.dll failed - access denied (i am sys admin on computer) so i renamed the file audevuni.dll_old. warnhp.html was not present.

Malwarebytes' Anti-Malware 1.18
Database version: 875

11:43:58 AM 6/21/2008
mbam-log-6-21-2008 (11-43-58).txt

Scan type: Quick Scan
Objects scanned: 46517
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RX ToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DSS LOG:
Deckard's System Scanner v20071014.68
Run by Carol Gorst on 2008-06-21 12:06:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Carol Gorst.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:19 PM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GoZone\GoZone_iSync.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Carol Gorst\Desktop\cleaningcomputer\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CAROLG~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe (User 'Default user')
O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124329727031
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: scitegic_apache_5_0_0 (scitegic_apache_1) - Apache Software Foundation - C:\Program Files\SciTegic\apps\scitegic\core\packages_win32\apache\apache2\bin\apache.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8079 bytes

-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-21 11:27:06 0 d-------- C:\Documents and Settings\Carol Gorst\Application Data\Malwarebytes
2008-06-21 11:27:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 11:27:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 11:06:39 0 dr-h----- C:\Documents and Settings\Joey\Recent
2008-06-13 00:27:40 0 d-------- C:\Program Files\Panda Security
2008-06-12 23:53:16 0 d-------- C:\Program Files\Trend Micro
2008-06-12 19:29:50 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 16:15:36 1249280 --a------ C:\WINDOWS\system32\urlixhex.dll
2008-06-05 15:57:56 0 d-------- C:\Documents and Settings\Joey\Application Data\PC Tools
2008-06-05 10:26:19 0 d-------- C:\Documents and Settings\Joey\.housecall6.6
2008-06-05 00:46:22 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-03 20:04:00 0 d-------- C:\Program Files\Polar
2008-06-02 12:46:45 62727 --a------ C:\WINDOWS\system32\tcpacsys.dll
2008-05-22 17:52:18 0 d-------- C:\Documents and Settings\Joey\Application Data\Sony
2008-05-22 17:33:04 0 d-------- C:\Documents and Settings\Joey\Application Data\Publish Providers
2008-05-22 17:33:04 0 d-------- C:\Documents and Settings\Joey\Application Data\NetMedia Providers
2008-05-22 17:29:09 0 d-------- C:\Program Files\Vstplugins
2008-05-22 17:28:40 0 d-------- C:\Program Files\Sony


-- Find3M Report ---------------------------------------------------------------

2008-06-21 12:06:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-21 11:20:57 0 d-------- C:\Program Files\MySpace
2008-06-14 14:00:12 0 d-------- C:\Program Files\Java
2008-06-12 23:35:03 0 d-------- C:\Documents and Settings\Carol Gorst\Application Data\Apple Computer
2008-06-12 23:33:48 0 d-------- C:\Program Files\QuickTime
2008-06-06 10:53:21 0 d-------- C:\Program Files\Spyware Doctor
2008-06-03 19:54:40 0 d-------- C:\Program Files\GoZone
2008-05-31 19:22:46 0 d-------- C:\Program Files\Symantec
2008-05-15 16:14:31 0 d-------- C:\Program Files\Lavasoft
2008-05-15 16:14:30 0 d-------- C:\Documents and Settings\Carol Gorst\Application Data\Lavasoft
2008-05-15 16:13:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 16:41:08 0 d-------- C:\Program Files\iTunes
2008-05-12 16:40:48 0 d-------- C:\Program Files\iPod
2008-05-12 16:39:05 0 d-------- C:\Program Files\Bonjour
2008-05-12 16:36:34 0 d-------- C:\Program Files\Common Files
2008-05-12 16:36:34 0 d-------- C:\Program Files\Common Files\Apple


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 08:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
01/31/2008 01:24 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 08:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/31/2008 02:15 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 09:53 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 06:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\Carol Gorst\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]
GoZone iSync.lnk - C:\Program Files\GoZone\GoZone_iSync.exe [7/25/2007 7:08:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-06-21 12:07:05 ------------

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 22 June 2008 - 06:28 AM

so i renamed the file audevuni.dll_old



Question: After performing this did you attempt to delete the file?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 Dr. G.

Dr. G.
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 23 June 2008 - 04:55 PM

No I didn't. I will try the next time i have a chance to log in. It might be a few days.
How do the scan results look? thanks

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 23 June 2008 - 06:40 PM

We got a few things with MBAM and that's good. I haven't had the time to look it over throughly, but at first glance it seemed better. I will get back just as soon as time allows. We are really swamped here so it slows things down somewhat.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 26 June 2008 - 05:16 PM

HI Dr. G.


Your logs are looking pretty clean but there are a couple of files I would like to have Jotti take a look at.




Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\urlixhex.dll
Click Submit.
Please post the results of this scan to this thread.

Do the same for C:\WINDOWS\system32\tcpacsys.dll


Alternate site if Jottis' doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
>Files listed above<
Click Send.
Please post the results of this scan to this thread.




When you post the logs from the Jotti/Virustotal please add a new log from DSS also.




Thanks,




thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#12 Dr. G.

Dr. G.
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 28 June 2008 - 05:27 PM

Jotti results:
C:\WINDOWS\system32\urlixhex.dll
& C:\WINDOWS\system32\tcpacsys.dll
Both returned:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


A search of windows folder revealed no file found for urlixhex.dll
A 64kb file was found for tcpacsys.dll


DSS Log
Deckard's System Scanner v20071014.68
Run by Carol on 2008-06-28 15:38:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Carol .exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:24 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carol \Desktop\cleaningcomputer\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CAROLG~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe (User 'Default user')
O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124329727031
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O21 - SSODL: Minutbat - {477A435F-F497-4D97-94C7-75922537CE81} - C:\WINDOWS\system32\mp4unmak.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: scitegic_apache_5_0_0 (scitegic_apache_1) - Apache Software Foundation - C:\Program Files\SciTegic\apps\scitegic\core\packages_win32\apache\apache2\bin\apache.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8102 bytes

-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-21 12:58:45 197632 --a------ C:\WINDOWS\system32\vipexbio.dll
2008-06-21 11:27:06 0 d-------- C:\Documents and Settings\Carol \Application Data\Malwarebytes
2008-06-21 11:27:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 11:27:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 11:06:39 0 dr-h----- C:\Documents and Settings\Joey\Recent
2008-06-13 00:27:40 0 d-------- C:\Program Files\Panda Security
2008-06-12 23:53:16 0 d-------- C:\Program Files\Trend Micro
2008-06-12 19:29:50 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 15:57:56 0 d-------- C:\Documents and Settings\Joey\Application Data\PC Tools
2008-06-05 10:26:19 0 d-------- C:\Documents and Settings\Joey\.housecall6.6
2008-06-05 00:46:22 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-03 20:04:00 0 d-------- C:\Program Files\Polar


-- Find3M Report ---------------------------------------------------------------

2008-06-28 15:22:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-21 20:38:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 20:38:47 0 d-------- C:\Program Files\IKEA HomePlanner
2008-06-21 11:20:57 0 d-------- C:\Program Files\MySpace
2008-06-14 14:00:12 0 d-------- C:\Program Files\Java
2008-06-12 23:35:03 0 d-------- C:\Documents and Settings\Carol \Application Data\Apple Computer
2008-06-12 23:33:48 0 d-------- C:\Program Files\QuickTime
2008-06-06 10:53:21 0 d-------- C:\Program Files\Spyware Doctor
2008-06-03 19:54:40 0 d-------- C:\Program Files\GoZone
2008-05-31 19:22:46 0 d-------- C:\Program Files\Symantec
2008-05-22 17:29:09 0 d-------- C:\Program Files\Vstplugins
2008-05-22 17:28:40 0 d-------- C:\Program Files\Sony
2008-05-15 16:14:31 0 d-------- C:\Program Files\Lavasoft
2008-05-15 16:14:30 0 d-------- C:\Documents and Settings\Carol \Application Data\Lavasoft
2008-05-12 16:41:08 0 d-------- C:\Program Files\iTunes
2008-05-12 16:40:48 0 d-------- C:\Program Files\iPod
2008-05-12 16:39:05 0 d-------- C:\Program Files\Bonjour
2008-05-12 16:36:34 0 d-------- C:\Program Files\Common Files
2008-05-12 16:36:34 0 d-------- C:\Program Files\Common Files\Apple


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 08:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
01/31/2008 01:24 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 08:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/31/2008 02:15 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 09:53 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 06:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\Carol \Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]
GoZone iSync.lnk - C:\Program Files\GoZone\GoZone_iSync.exe [7/25/2007 7:08:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Minutbat"= {477A435F-F497-4D97-94C7-75922537CE81} - C:\WINDOWS\system32\mp4unmak.dll [04/16/2007 08:52 AM 851968]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-06-28 15:39:09 ------------

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 30 June 2008 - 06:42 PM

Dr. G,

We believe there may be some Malware trying to hide from us on your system. I would like you to follow the instructions below and run ComboFix to see if it flushes something out.


Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Edited by thewall, 30 June 2008 - 06:43 PM.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:51 PM

Posted 07 July 2008 - 06:10 AM

I need to know whether you still require assistance. If not I will have to ask for this topic to be closed.




thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 Dr. G.

Dr. G.
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:51 PM

Posted 07 July 2008 - 01:31 PM

hi
i haven't had a chance to run the scans. also, i have a program from spectorsoft installed on the computer to monitor usage when i'm out of town. if you think that is what might be indicated by the prior scan results i wanted to spare you going through more logs etc. if you think i should still run the combo-log i will.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users