
Ladydreamrider Needs Help!


  • This topic is locked
39 replies to this topic

#1 Ladydreamrider

  • Members
  • 100 posts
  • Gender:Male
  • Location:Florida

Posted 23 June 2008 - 06:16 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:58, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virusheat.com/?aff=1012
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: vrmdtneg - {20B685C2-5339-4403-B5F0-65A69338C649} - C:\WINDOWS\vrmdtneg.dll (file missing)
O3 - Toolbar: vrmdtneg - {AE451F7D-4CA1-40D2-B6A1-D2AA62050344} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\CINDY\LOCALS~1\Temp\200852233424_mcinfo.exe /insfin
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\CINDY\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [ihmninon] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ihmninon.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129941372\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [dbdscutil] C:\Documents and Settings\All Users\Application Data\Common\ytqzcboj.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [846c0afa] rundll32.exe "C:\WINDOWS\system32\ussyfpeh.dll",b
O4 - HKLM\..\Run: [BM875f3966] Rundll32.exe "C:\WINDOWS\system32\mcewkhca.dll",s
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Administrator.ABBOTT\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1.ABB\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Administrator.ABBOTT\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [5OLfDGnLo9] C:\Documents and Settings\All Users\Application Data\bixsjydi\pcryrevm.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {6a344d34-5231-452a-8a57-d064ac9b7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06EE8983-4008-4E98-B25A-C7DE52F78F78}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AB0DCC-EBAB-458A-8CBC-2B628AF4A6D8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD54F3B-958F-435E-AC43-14443AB37850}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06EE8983-4008-4E98-B25A-C7DE52F78F78}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: fccBtQIB - fccBtQIB.dll (file missing)
O21 - SSODL: vadokmxt - {90C6BF6E-0690-431F-88F3-777E4AEB7767} - C:\WINDOWS\vadokmxt.dll (file missing)
O21 - SSODL: wdpoefan - {A9DFB1BD-182E-4B13-8B0D-DBD360AD9923} - C:\WINDOWS\wdpoefan.dll (file missing)
O21 - SSODL: RomUnknown - {99063e37-7d3f-4bb6-8432-6cafb33721ef} - C:\WINDOWS\Resources\RomUnknown.dll (file missing)
O21 - SSODL: ComponentComponent - {ba4c9656-f871-4ae6-a112-808d5756b4ca} - C:\WINDOWS\Resources\ComponentComponent.dll (file missing)
O21 - SSODL: RamComponent - {4ba1105b-9ef8-445c-ad7b-4f91d6050206} - C:\WINDOWS\Resources\RamComponent.dll (file missing)
O21 - SSODL: wpvmqosg - {1898A6D2-57B6-497F-AC75-0494AFF514A2} - C:\WINDOWS\wpvmqosg.dll (file missing)
O21 - SSODL: xvorfwbd - {E81F42C3-51C5-4493-BDEE-A2E6DB7748E4} - C:\WINDOWS\xvorfwbd.dll (file missing)
O21 - SSODL: SDRAMSrv - {aca4c090-4459-4c44-9a21-a40a8ca7b1b7} - C:\WINDOWS\Resources\SDRAMSrv.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\ZipMagic\MXTask.exe

--
End of file - 9845 bytes
Our main business is not to see what lies dimly at a distance, but to do what lies clearly at hand. - Thomas Carlyle
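The helper's read of a log like the one above is a set of triage rules: registry entries that point at files which no longer exist, a UserInit chain with an extra program in it, autoruns launched from Temp, and services with no publisher. Here is an added example (my own code, not part of HijackThis or the post above) that applies those rules to HijackThis entries; the sample lines are copied from the log in post #1, and the heuristics are my assumptions about what is worth a second look, not rules HijackThis itself ships.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample entries copied from the HijackThis log posted above (a subset, not the
# whole log). Raw string so the Windows backslashes survive untouched.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virusheat.com/?aff=1012
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: vrmdtneg - {20B685C2-5339-4403-B5F0-65A69338C649} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\CINDY\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [846c0afa] rundll32.exe "C:\WINDOWS\system32\ussyfpeh.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fccBtQIB - fccBtQIB.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Every HijackThis entry starts with a section tag such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*\S)\s*$")


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def _o4_target(body: str) -> str:
    """Return the command after the [name] tag of an O4 autorun entry, unquoted."""
    cmd = body.split("]", 1)[1] if "]" in body else body
    return cmd.strip().strip('"')


def triage_entry(line: str) -> Optional[Finding]:
    """Apply the heuristics (assumptions, see lead-in) to one log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line: nothing to triage
    section, body = m.group("section"), m.group("body")
    low = body.lower()

    # Any section: the registry still references a component that is gone from disk.
    if "(no file)" in low or "(file missing)" in low:
        return Finding(section, "registered component missing on disk (orphaned or half-removed)", line)

    if section == "R1" and "shellnext" in low and "http" in low:
        return Finding(section, "ShellNext points Internet Explorer at an external URL", line)

    if section == "F2" and "userinit=" in low:
        # UserInit should run only userinit.exe; every extra comma-separated entry runs at each logon.
        progs = body[low.index("userinit=") + len("userinit="):].split(",")
        extra = [p.strip() for p in progs if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extra:
            return Finding(section, "extra program(s) chained into UserInit: " + ", ".join(extra), line)

    if section == "O2":
        name = body.split(" - ")[0].replace("BHO:", "", 1).strip()
        if re.match(r"^[a-z]:\\", name, re.I):
            return Finding(section, "BHO registered with a file path instead of a product name", line)

    if section == "O4":
        target = _o4_target(body)
        tl = target.lower()
        if "\\temp\\" in tl or "\\locals~1\\" in tl:
            return Finding(section, "autorun launched from a Temp directory", line)
        if "\\drivers\\" in tl and tl.endswith(".exe"):
            return Finding(section, "autorun .exe placed in the drivers folder", line)
        if "rundll32" in tl and re.search(r'",\s*\w{1,2}$', target):
            return Finding(section, "rundll32 loading a DLL through a one- or two-character export", line)

    if section == "O23" and "unknown owner" in low:
        return Finding(section, "service with no registered publisher", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over every line of a HijackThis log and collect the hits."""
    return [f for f in (triage_entry(line) for line in text.splitlines()) if f]


def flagged_sections(findings: List[Finding]) -> List[str]:
    """Distinct section tags that produced findings, in HijackThis order (O2 before O20)."""
    return sorted({f.section for f in findings}, key=lambda s: (s[0], int(s[1:])))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry.strip()}")
```

The legitimate entries in the sample (jusched.exe, ctfmon.exe, the Google updater service) produce no finding, which is the check that the rules are not simply flagging every line.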

#2 RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 23 June 2008 - 08:42 PM

Hi, Welcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page on your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in Portuguese

#3 Ladydreamrider

  • Topic Starter

Posted 23 June 2008 - 10:58 PM

Thank you! I will follow directions very carefully. I know how important that is.

#4 RenatoMejias

Posted 24 June 2008 - 07:29 PM

Hi,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat, please let me know in your next response. I'll now continue with instructions for cleaning.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#5 Ladydreamrider

  • Topic Starter

Posted 26 June 2008 - 07:42 AM

Renato,
I ran SDFix. I could not boot in regular mode, but when I rebooted in safe mode with networking, which is what I've had to do to get on line with this computer, I did get a real IE 7 page.
I have not gotten the Report.txt file. I have gotten a catchme report, which I am posting. Apparently SDFix did fix some things.

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 16:47:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden files ...

IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 0

I apologize for not getting back to you sooner. We've been having major electrical storms here, so I'm getting on line as I'm able to.
Thanks.
Verna

#6 RenatoMejias

Posted 26 June 2008 - 07:49 AM

Hi,

I need the full log of SDFix, please.

#7 Ladydreamrider

  • Topic Starter

Posted 26 June 2008 - 01:36 PM

I finally got it to run. Yea!

SDFix: Version 1.197
Run by CINDY on Thu 06/26/2008 at 01:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Administrator.ABBOTT\Desktop\ProcessMonitor\SDFix\backups\cftmon.exe - Deleted
C:\Documents and Settings\CINDY\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk - Deleted
C:\Documents and Settings\CINDY\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk - Deleted
C:\Documents and Settings\Administrator.ABBOTT\Desktop\ProcessMonitor\SDFix\backups\Privacy Protector.url - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\ismtpa15.exe - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\calc.exe - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\explorer32.exe - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\mso13.exe - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\notepad.exe - Deleted
C:\DOCUME~1\CINDY\LOCALS~1\Temp\winlogan.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\widuxngq.sys - Deleted



Folder C:\Documents and Settings\CINDY\Start Menu\Programs\Internet Speed Monitor - Removed
Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed
Folder C:\WINDOWS\PerfInfo - Removed
Folder C:\WINDOWS\system32\717305 - Removed


Removing Temp Files

ADS Check :

#8 RenatoMejias

Posted 26 June 2008 - 09:03 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#9 Ladydreamrider

  • Topic Starter

Posted 26 June 2008 - 10:08 PM

Things are starting to work again. When I log in, the computer brings up a normal desktop, then just before the icons load, a blue window comes on. As soon as the icons load, it moves to the white screen "restore my active desktop", but when I try, I get an IE script error message, and do I want to run anyway. I click on yes, and it doesn't work...

Thank you for your very prompt responses. You are great! Here's the new log.

Malwarebytes' Anti-Malware 1.18
Database version: 894

10:52:25 PM 6/26/2008
mbam-log-6-26-2008 (22-52-25).txt

Scan type: Quick Scan
Objects scanned: 55004
Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 37
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 7
Files Infected: 47

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\Common\ytqzcboj.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\Common\ytqzcboj.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\gydobpgj.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xxyvSjHW.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mvehgdwr.dll (Adware.ClickSpring) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45248edf-7c69-4b92-b33c-5e18a842340e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{45248edf-7c69-4b92-b33c-5e18a842340e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{7c054d23-ff37-467e-8f0f-a82d43c203d2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a00281d9-67be-4881-bb34-2fb7196d4db5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{15fabe1b-ee9a-4652-aaa3-fdcf6635ff79} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d422996-4f55-407c-828e-059d2c312f5e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6d1e583a-d2aa-4aca-ace8-451f73c609f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.bvst (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ExplNetProjowser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec8e308b-8233-f295-13e7-ab8f06562eb3} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bfd965d6-d731-a59d-19e7-ab8f065629ee} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e98a6389-d633-f6c7-19e7-ab8f065678e5} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e98c39dd-8731-a19c-17e7-ab8f065629b6} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{da3cec14-03dc-7a02-fd4e-0ca2939e4ce4} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da3cec14-03dc-7a02-fd4e-0ca2939e4ce4} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b9dd37dd-8434-a292-13e7-ab8f065629ee} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e88c31d8-d764-f196-40e7-ab8f065673ef} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ecdd34d8-d360-a794-13e7-ab8f065628b2} (Adware.ClickSpring) -> Quarantined and deleted successfully.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WNetPws (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser HeNetProjeects (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explsbsm.exelper Objects (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\846c0afa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbdscutil (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM875f3966 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyvsjhw -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyvsjhw -> Delete on reboot.

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\AntiVirusPro (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.ABBOTT\Application Data\sp1 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cbXOIxuu.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uuxIOXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uuxIOXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gydobpgj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jgpbodyg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkLFvWp.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pWvFLkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pWvFLkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyvSjHW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\WHjSvyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WHjSvyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Common\ytqzcboj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{81407a33-a0af-469e-b214-06058ebb9e0d}\zip.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2834932306-3377919825-1937302001-500\Dc5.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bvzikfzt.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbxxvuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccBtQIB.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fjoxy.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hggeccb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkklLCuV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jzcibeeb.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lrdbiyz.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mvehgdwr.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oaswn.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oprhkgm.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pzu.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\ebms.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\emax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wpvmqosg.dll_old (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\dssic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\vqvtx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\CINDY\Local Settings\Temporary Internet Files\Content.IE5\1WV1G2X7\installer_abr[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.ABBOTT\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.ABBOTT\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\wmvcodec2.03[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.ABBOTT\Local Settings\Temporary Internet Files\Content.IE5\U7IXOTQF\LifeTimeMedia_ver1.5078.0[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\OiUninstaller.exe (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\outerinfo.ico (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lkaernws.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jfvryftb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Our main business is not to see what lies dimly at a distance,but to do what lies clearly at hand. - Thomas Carlyle

#10 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:10:48 AM

Posted 27 June 2008 - 10:16 PM

Nice work.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Renato Victor Mejias
Malware help in portuguese

#11 Ladydreamrider

Ladydreamrider
  • Topic Starter

  • Members
  • 100 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:48 AM

Posted 28 June 2008 - 08:16 AM

ComboFix 08-06-20.4 - CINDY 2008-06-28 8:56:50.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.795 [GMT -4:00]
Running from: C:\Documents and Settings\CINDY\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\CINDY\Application Data\ASKS~1
C:\Documents and Settings\CINDY\Application Data\ASKS~1\?asks\
C:\Documents and Settings\CINDY\Application Data\ASKS~1\wuauboot.exe
C:\Documents and Settings\CINDY\Application Data\SKS~1
C:\Documents and Settings\CINDY\Application Data\SKS~1\??sks\
C:\Documents and Settings\CINDY\Application Data\SKS~1\iexplore.exe
C:\Documents and Settings\CINDY\Application Data\SSEMBL~1
C:\Documents and Settings\Owner\My Documents\My Documents\MCROSO~1.NET
C:\Documents and Settings\Owner\My Documents\My Documents\MCROSO~1.NET\j?vaw.exe
C:\Documents and Settings\Owner\My Documents\My Documents\PPPATC~1
C:\Documents and Settings\Owner\My Documents\My Documents\SMANTE~1
C:\Documents and Settings\Owner\My Documents\My Documents\SMANTE~1\S?mantec\
C:\Documents and Settings\Owner\My Documents\My Documents\SMANTE~1\wuaclt.exe
C:\Documents and Settings\Owner\My Documents\My Documents\WNSXS~1
C:\Documents and Settings\Owner\My Documents\My Documents\WNSXS~1\dvdplay.exe
C:\Documents and Settings\Owner\My Documents\My Documents\WNSXS~1\t?skmgr.exe
C:\Documents and Settings\Owner\My Documents\My Documents\WNSXS~1\W?nSxS\
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\crosof~1.net\??crosoft.NET\
C:\Program Files\Common Files\crosof~1.net\regsvr32.exe
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\d?xplore.exe
C:\Program Files\fnts~1
C:\Program Files\fnts~1\F?nts\
C:\Program Files\fnts~1\wuaclt.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\m?config.exe
C:\Program Files\racle~1
C:\Program Files\racle~1\?racle\
C:\Program Files\racle~1\mmc.exe
C:\Program Files\racle~1\spoolsv.exe
C:\Program Files\smbols~1
C:\Program Files\smbols~1\?asks\
C:\Program Files\smbols~1\tracert.exe
C:\WINDOWS\BM875f3966.xml
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\??crosoft.NET\
C:\WINDOWS\crosof~1.net\nslookup.exe
C:\WINDOWS\crosof~1\??crosoft\
C:\WINDOWS\crosof~1\svchost.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\sks~1
C:\WINDOWS\system32\bfeayfin.dll
C:\WINDOWS\system32\bfmtsblc.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\?dobe\
C:\WINDOWS\system32\dobe~1\cruu.exe
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ecurit~1\n?pdb.exe
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\dvdplay.exe
C:\WINDOWS\system32\fnts~1\F?nts\
C:\WINDOWS\system32\gydobpgj.dll
C:\WINDOWS\system32\hdwnsmwe.ini
C:\WINDOWS\system32\hepfyssu.ini
C:\WINDOWS\system32\jfvryftb.dll
C:\WINDOWS\system32\jtymxjcy.ini
C:\WINDOWS\system32\lkaernws.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mpydokrb.ini
C:\WINDOWS\system32\qoguyreo.ini
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\smante~1\S?mantec\
C:\WINDOWS\system32\smante~1\services.exe
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\stem32~1\w?crtupd.exe
C:\WINDOWS\system32\suoxmspi.ini
C:\WINDOWS\system32\swnreakl.ini
C:\WINDOWS\system32\tbnu.dll
C:\WINDOWS\system32\vudbcbso.ini
C:\WINDOWS\system32\vudbcbso.ini2
C:\WINDOWS\system32\vudbcbso.tmp
C:\WINDOWS\system32\WHjSvyxx.ini
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\ping.exe
C:\WINDOWS\system32\wnsxs~1\W?nSxS\
C:\WINDOWS\system32\xxyvSjHW.dll
C:\WINDOWS\system32\ydlbbcvw.dll
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\system32\ystem3~1\??ool32.exe
C:\WINDOWS\ymante~1
C:\WINDOWS\ymante~1\d?xplore.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-26 22:39 . 2008-06-26 22:39 <DIR> d-------- C:\Documents and Settings\CINDY\Application Data\Malwarebytes
2008-06-26 22:38 . 2008-06-26 22:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 22:38 . 2008-06-26 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 22:38 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 22:38 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 14:15 . 2008-06-26 14:15 671,232 --a------ C:\WINDOWS\system32\SET13.tmp
2008-06-26 14:14 . 2008-06-26 14:14 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-26 13:35 . 2008-06-26 14:15 <DIR> d-------- C:\SDFix
2008-06-25 17:04 . 2008-04-23 00:16 1,159,680 --a------ C:\WINDOWS\system32\SETF.tmp
2008-06-25 17:04 . 2008-04-23 00:16 826,368 --a------ C:\WINDOWS\system32\SETD.tmp
2008-06-25 17:04 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-25 17:04 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 17:04 . 2008-04-23 00:16 105,984 --a------ C:\WINDOWS\system32\SET10.tmp
2008-06-25 16:40 . 2008-06-25 16:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-22 20:05 . 2008-06-22 20:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 16:15 . 2008-06-23 11:09 4,744 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-22 14:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-22 14:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-22 14:34 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-22 14:34 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-22 14:34 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-22 14:34 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-22 14:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-22 14:34 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-22 14:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-22 13:54 . 2008-06-22 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 21:54 . 2008-06-22 13:26 258,048 --------- C:\WINDOWS\xvorfwbd.dll_old
2008-06-18 21:54 . 2008-06-22 13:26 188,416 --------- C:\WINDOWS\vrmdtneg.dll_old
2008-06-18 21:39 . 2008-06-23 11:06 2,283 --a------ C:\WINDOWS\wininit.ini
2008-06-18 21:12 . 2008-06-18 21:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 21:12 . 2008-06-18 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 21:06 . 2008-06-18 21:06 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\Application Data\Allume Systems
2008-06-18 20:49 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\WINDOWS
2008-06-18 20:49 . 2005-10-21 20:37 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\Application Data\You've Got Pictures Screensaver
2008-06-18 20:49 . 2005-10-21 20:38 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\Application Data\SampleView
2008-06-18 20:48 . 2008-06-25 16:52 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 02:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Common
2008-06-22 18:49 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 21:57 --------- d-----w C:\Program Files\Ahead
2008-05-04 21:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 21:52 --------- d-----w C:\Program Files\HOTALBUMMyBOX
2008-05-04 21:46 --------- d-----w C:\Program Files\Britannica 2006
2008-05-04 21:45 --------- d-----w C:\Program Files\BigFix
2008-05-04 21:09 --------- d-----w C:\Program Files\Web Publish
2008-05-04 12:21 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-04 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-04 12:13 --------- d-----w C:\Program Files\HP
2008-05-03 03:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 03:37 --------- d-----w C:\Program Files\Zune
2008-05-03 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-03 03:32 --------- d-----w C:\Program Files\iWin.com
2008-05-02 22:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-19 15:12 192,512 ----a-w C:\WINDOWS\fgbyzsdk.dll
2008-04-19 15:11 6,656 ----a-w C:\WINDOWS\estrictions.dll
2008-02-06 02:32 2,114 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-11-06 00:40 482 ----a-w C:\Documents and Settings\CINDY\Application Data\wklnhst.dat
2007-03-16 17:30 284 ----a-w C:\Documents and Settings\CINDY\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 15:09 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 14:49 307200]
"Cpue"="C:\WINDOWS\system32\SMANTE~1\services.exe" [ ]
"Ysemp"="C:\Program Files\?ppPatch\m?config.exe" [ ]
"Gux"="C:\WINDOWS\system32\?ecurity\n?pdb.exe" [ ]
"Zdwyuq"="C:\Documents and Settings\Owner\My Documents\My Documents\W?nSxS\t?skmgr.exe" [ ]
"Vvgp"="C:\WINDOWS\system32\?ystem32\??ool32.exe" [ ]
"Ztm"="C:\WINDOWS\system32\??stem32\w?crtupd.exe" [ ]
"Mqe"="C:\Program Files\Common Files\M?crosoft.NET\d?xplore.exe" [ ]
"Tdxca"="C:\Documents and Settings\Owner\My Documents\My Documents\M?crosoft.NET\j?vaw.exe" [ ]
"Acj"="C:\WINDOWS\?ymantec\d?xplore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 09:23 132624]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-03-15 13:04 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 02:42 212992]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 13:32 114688]
"ledpointer"="CNYHKey.exe" [2004-03-02 23:24 5576704 C:\WINDOWS\CNYHKey.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-05-10 19:02 7086080]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 13:32 94208]
"HPHUPD05"="C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 09:03 49152]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 08:55 483328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 13:29 77824]
"HostManager"="C:\Program Files\Common Files\AOL\1129941372\EE\AOLHostManager.exe" [2004-11-03 17:03 125528]
"CHotkey"="mHotkey.exe" [2004-09-21 14:10 550400 C:\WINDOWS\mHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-12-26 17:57:25 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 12:40:44 282624]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2005-10-21 20:33:57 729088]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-03-15 07:41:41 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 17:51 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomUnknown"= {99063e37-7d3f-4bb6-8432-6cafb33721ef} - C:\WINDOWS\Resources\RomUnknown.dll [ ]
"ComponentComponent"= {ba4c9656-f871-4ae6-a112-808d5756b4ca} - C:\WINDOWS\Resources\ComponentComponent.dll [ ]
"RamComponent"= {4ba1105b-9ef8-445c-ad7b-4f91d6050206} - C:\WINDOWS\Resources\RamComponent.dll [ ]
"SDRAMSrv"= {aca4c090-4459-4c44-9a21-a40a8ca7b1b7} - C:\WINDOWS\Resources\SDRAMSrv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccBtQIB]
fccBtQIB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1129941372\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys [2004-10-29 06:07]
R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2008-01-01 19:03]
R1 $sys$crater;$sys$crater;C:\WINDOWS\system32\$sys$filesystem\crater.sys [2004-11-03 10:28]
R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe [2004-12-14 05:49]
R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 10:42]
R2 ZipMagic Task Manager;ZipMagic Task Manager;C:\PROGRA~1\Allume\ZipMagic\MXTask.exe [2005-05-09 14:27]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
S3 jatmlano;jatmlano;C:\DOCUME~1\CINDY\LOCALS~1\Temp\jatmlano.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f1c61b5-4474-11da-a9dd-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 09:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\112994~1\EE\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-28 9:08:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 13:08:33

Pre-Run: 219,932,168,192 bytes free
Post-Run: 219,430,842,368 bytes free

289 --- E O F --- 2008-06-27 11:19:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:48 AM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Allume\ZipMagic\MXTask.exe
C:\PROGRA~1\Allume\ZipMagic\mxtask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\112994~1\EE\AOLHOS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\112994~1\EE\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://popads123.com/venora/we-content.php...596&rnd=939
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129941372\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\SMANTE~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Ysemp] "C:\Program Files\?ppPatch\m?config.exe"
O4 - HKCU\..\Run: [Gux] C:\WINDOWS\system32\?ecurity\n?pdb.exe
O4 - HKCU\..\Run: [Zdwyuq] "C:\Documents and Settings\Owner\My Documents\My Documents\W?nSxS\t?skmgr.exe"
O4 - HKCU\..\Run: [Vvgp] C:\WINDOWS\system32\?ystem32\??ool32.exe
O4 - HKCU\..\Run: [Ztm] C:\WINDOWS\system32\??stem32\w?crtupd.exe
O4 - HKCU\..\Run: [Mqe] "C:\Program Files\Common Files\M?crosoft.NET\d?xplore.exe"
O4 - HKCU\..\Run: [Tdxca] "C:\Documents and Settings\Owner\My Documents\My Documents\M?crosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [Acj] C:\WINDOWS\?ymantec\d?xplore.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {6a344d34-5231-452a-8a57-d064ac9b7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06EE8983-4008-4E98-B25A-C7DE52F78F78}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AB0DCC-EBAB-458A-8CBC-2B628AF4A6D8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD54F3B-958F-435E-AC43-14443AB37850}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06EE8983-4008-4E98-B25A-C7DE52F78F78}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: fccBtQIB - fccBtQIB.dll (file missing)
O21 - SSODL: RomUnknown - {99063e37-7d3f-4bb6-8432-6cafb33721ef} - C:\WINDOWS\Resources\RomUnknown.dll (file missing)
O21 - SSODL: ComponentComponent - {ba4c9656-f871-4ae6-a112-808d5756b4ca} - C:\WINDOWS\Resources\ComponentComponent.dll (file missing)
O21 - SSODL: RamComponent - {4ba1105b-9ef8-445c-ad7b-4f91d6050206} - C:\WINDOWS\Resources\RamComponent.dll (file missing)
O21 - SSODL: SDRAMSrv - {aca4c090-4459-4c44-9a21-a40a8ca7b1b7} - C:\WINDOWS\Resources\SDRAMSrv.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\ZipMagic\MXTask.exe

--
End of file - 8540 bytes
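The HijackThis log posted above shows the pattern a responder looks for in O4 (Run key) entries: Windows system binary names launched from directories other than system32, folder names that imitate system folders but contain a character HijackThis prints as "?", and executables living under user-writable paths. The following triage helper is an added example for this thread, not part of the thread and not HijackThis's own code: the regex for the O4 line layout, the list of imitated folder names, and the flag names are my own assumptions, and the sample lines are copied from the log above.

```python
import fnmatch
import re

# Layout of HijackThis O4 lines as they appear in the log above; this regex is an
# assumption about that layout, not HijackThis's own parser.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Names of real Windows system binaries; several entries in the log above run files
# with these names from directories other than C:\WINDOWS\system32.
SYSTEM_BINARIES = {
    'services.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'spoolsv.exe',
    'taskmgr.exe', 'regsvr32.exe', 'mmc.exe', 'ping.exe', 'tracert.exe', 'nslookup.exe',
}
SYSTEM32 = 'c:\\windows\\system32'

# Folder names imitated by the look-alike directories in the log. HijackThis prints
# '?' for characters it cannot render, so the comparison treats '?' as a
# single-character wildcard (assumed list, chosen from the log above).
IMITATED_FOLDERS = ['microsoft.net', 'microsoft', 'symantec', 'winsxs', 'system32',
                    'security', 'apppatch', 'fonts', 'oracle', 'adobe', 'tasks']

# Path fragments that mark locations an ordinary user account can write to.
USER_WRITABLE = ['\\documents and settings\\', '\\temp\\', '\\application data\\']

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_O4_LINES = "\n".join([
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1',
    r'O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\SMANTE~1\services.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Ysemp] "C:\Program Files\?ppPatch\m?config.exe"',
    r'O4 - HKCU\..\Run: [Gux] C:\WINDOWS\system32\?ecurity\n?pdb.exe',
    r'O4 - HKCU\..\Run: [Zdwyuq] "C:\Documents and Settings\Owner\My Documents\My Documents\W?nSxS\t?skmgr.exe"',
    r'O4 - HKCU\..\Run: [Acj] C:\WINDOWS\?ymantec\d?xplore.exe',
])


def extract_path(cmd):
    """Return the executable path from a Run value's command line.

    Quoted commands end at the closing quote; unquoted ones end at the first
    '.exe' followed by whitespace or end of line (arguments are dropped).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.*?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd


def triage_o4(line):
    """Parse one O4 line; return (value name, path, [flags]) or None if not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = extract_path(m.group('cmd'))
    parts = path.split('\\')
    folder = '\\'.join(parts[:-1]).lower()
    exe = parts[-1].lower()
    flags = []
    if '?' in path:
        flags.append('unrenderable-char-in-path')
    for comp in parts[:-1]:
        # A directory whose name matches a system folder once '?' is a wildcard
        if '?' in comp and any(fnmatch.fnmatchcase(f, comp.lower()) for f in IMITATED_FOLDERS):
            flags.append('lookalike-folder:' + comp)
    if exe in SYSTEM_BINARIES and folder != SYSTEM32:
        flags.append('system-binary-outside-system32')
    if any(w in path.lower() for w in USER_WRITABLE):
        flags.append('runs-from-user-writable-location')
    return m.group('name'), path, flags


def triage_log(text):
    """Return the O4 entries of a HijackThis log that raise at least one flag."""
    findings = []
    for line in text.splitlines():
        result = triage_o4(line)
        if result and result[2]:
            findings.append(result)
    return findings


if __name__ == '__main__':
    for name, path, flags in triage_log(SAMPLE_O4_LINES):
        print(f'[{name}] {path}\n    {", ".join(flags)}')
```

On the sample above the helper flags the five HKCU entries that ComboFix later removed (Cpue, Ysemp, Gux, Zdwyuq, Acj) and passes the legitimate QuickTime, ctfmon and Adobe entries. To run it over a saved log, call `triage_log(open('hijackthis.log').read())`; the flags are hints for a human reviewer, not a verdict, since a vendor updater in Application Data would also trip the user-writable check.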

#12 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:10:48 AM

Posted 29 June 2008 - 12:47 PM

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your operating system.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Renato Victor Mejias
Malware help in portuguese

#13 Ladydreamrider

Ladydreamrider
  • Topic Starter

  • Members
  • 100 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:48 AM

Posted 29 June 2008 - 07:41 PM

I had to run this in safe mode. It wouldn't start in regular mode. I did wait for it.

HJT ran in regular mode.

ComboFix 08-06-20.4 - CINDY 2008-06-29 20:24:07.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.781 [GMT -4:00]
Running from: C:\Documents and Settings\CINDY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CINDY\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-28 18:50 . 2008-06-28 18:52 <DIR> d-------- C:\Documents and Settings\CINDY\Application Data\mIRC
2008-06-26 22:39 . 2008-06-26 22:39 <DIR> d-------- C:\Documents and Settings\CINDY\Application Data\Malwarebytes
2008-06-26 22:38 . 2008-06-26 22:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 22:38 . 2008-06-26 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 22:38 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 22:38 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 14:15 . 2008-06-26 14:15 671,232 --a------ C:\WINDOWS\system32\SET13.tmp
2008-06-26 14:14 . 2008-06-26 14:14 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-26 13:35 . 2008-06-26 14:15 <DIR> d-------- C:\SDFix
2008-06-25 17:04 . 2008-04-23 00:16 1,159,680 --a------ C:\WINDOWS\system32\SETF.tmp
2008-06-25 17:04 . 2008-04-23 00:16 826,368 --a------ C:\WINDOWS\system32\SETD.tmp
2008-06-25 17:04 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-25 17:04 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 17:04 . 2008-04-23 00:16 105,984 --a------ C:\WINDOWS\system32\SET10.tmp
2008-06-25 16:40 . 2008-06-25 16:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-22 20:05 . 2008-06-22 20:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 16:15 . 2008-06-23 11:09 4,744 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-22 14:34 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-22 14:34 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-22 14:34 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-22 14:34 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-22 14:34 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-22 14:34 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-22 14:34 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-22 14:34 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-22 14:34 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-22 13:54 . 2008-06-22 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 21:54 . 2008-06-22 13:26 258,048 --------- C:\WINDOWS\xvorfwbd.dll_old
2008-06-18 21:54 . 2008-06-22 13:26 188,416 --------- C:\WINDOWS\vrmdtneg.dll_old
2008-06-18 21:39 . 2008-06-23 11:06 2,283 --a------ C:\WINDOWS\wininit.ini
2008-06-18 21:12 . 2008-06-18 21:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 21:12 . 2008-06-18 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 21:06 . 2008-06-18 21:06 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\Application Data\Allume Systems
2008-06-18 20:49 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\WINDOWS
2008-06-18 20:49 . 2005-10-21 20:37 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\Application Data\You've Got Pictures Screensaver
2008-06-18 20:49 . 2005-10-21 20:38 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT\Application Data\SampleView
2008-06-18 20:48 . 2008-06-25 16:52 <DIR> d-------- C:\Documents and Settings\Administrator.ABBOTT
2008-05-04 17:46 . 2008-05-04 17:46 <DIR> d--h----- C:\Documents and Settings\CINDY\InstallAnywhere
2008-05-02 18:18 . 2008-05-02 18:18 1,482,407 --ahs---- C:\WINDOWS\system32\jtymxjcy.tmp
2008-05-02 18:01 . 2008-05-02 18:02 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-02 16:51 . 2008-05-02 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 02:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Common
2008-06-22 18:49 --------- d-----w C:\Program Files\VCW VicMan's Photo Editor
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 21:57 --------- d-----w C:\Program Files\Ahead
2008-05-04 21:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 21:52 --------- d-----w C:\Program Files\HOTALBUMMyBOX
2008-05-04 21:46 --------- d-----w C:\Program Files\Britannica 2006
2008-05-04 21:45 --------- d-----w C:\Program Files\BigFix
2008-05-04 21:09 --------- d-----w C:\Program Files\Web Publish
2008-05-04 12:21 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-04 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-04 12:13 --------- d-----w C:\Program Files\HP
2008-05-03 03:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 03:37 --------- d-----w C:\Program Files\Zune
2008-05-03 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-03 03:32 --------- d-----w C:\Program Files\iWin.com
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-19 15:12 192,512 ----a-w C:\WINDOWS\fgbyzsdk.dll
2008-04-19 15:11 6,656 ----a-w C:\WINDOWS\estrictions.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 03:22 44,440 ----a-w C:\WINDOWS\system32\MtpAccess.dll
2008-03-03 03:22 102,400 ----a-w C:\WINDOWS\system32\ProgHelp.dll
2008-02-06 02:32 2,114 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-11-06 00:40 482 ----a-w C:\Documents and Settings\CINDY\Application Data\wklnhst.dat
2007-03-16 17:30 284 ----a-w C:\Documents and Settings\CINDY\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_ 9.08.08.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 13:02:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 00:11:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 15:09 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 14:49 307200]
"Cpue"="C:\WINDOWS\system32\SMANTE~1\services.exe" [ ]
"Ysemp"="C:\Program Files\?ppPatch\m?config.exe" [ ]
"Gux"="C:\WINDOWS\system32\?ecurity\n?pdb.exe" [ ]
"Zdwyuq"="C:\Documents and Settings\Owner\My Documents\My Documents\W?nSxS\t?skmgr.exe" [ ]
"Vvgp"="C:\WINDOWS\system32\?ystem32\??ool32.exe" [ ]
"Ztm"="C:\WINDOWS\system32\??stem32\w?crtupd.exe" [ ]
"Mqe"="C:\Program Files\Common Files\M?crosoft.NET\d?xplore.exe" [ ]
"Tdxca"="C:\Documents and Settings\Owner\My Documents\My Documents\M?crosoft.NET\j?vaw.exe" [ ]
"Acj"="C:\WINDOWS\?ymantec\d?xplore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 09:23 132624]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-03-15 13:04 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 02:42 212992]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 13:32 114688]
"ledpointer"="CNYHKey.exe" [2004-03-02 23:24 5576704 C:\WINDOWS\CNYHKey.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-05-10 19:02 7086080]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 13:32 94208]
"HPHUPD05"="C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 09:03 49152]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 08:55 483328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 13:29 77824]
"HostManager"="C:\Program Files\Common Files\AOL\1129941372\EE\AOLHostManager.exe" [2004-11-03 17:03 125528]
"CHotkey"="mHotkey.exe" [2004-09-21 14:10 550400 C:\WINDOWS\mHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-12-26 17:57:25 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 12:40:44 282624]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2005-10-21 20:33:57 729088]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-03-15 07:41:41 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 17:51 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomUnknown"= {99063e37-7d3f-4bb6-8432-6cafb33721ef} - C:\WINDOWS\Resources\RomUnknown.dll [ ]
"ComponentComponent"= {ba4c9656-f871-4ae6-a112-808d5756b4ca} - C:\WINDOWS\Resources\ComponentComponent.dll [ ]
"RamComponent"= {4ba1105b-9ef8-445c-ad7b-4f91d6050206} - C:\WINDOWS\Resources\RamComponent.dll [ ]
"SDRAMSrv"= {aca4c090-4459-4c44-9a21-a40a8ca7b1b7} - C:\WINDOWS\Resources\SDRAMSrv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccBtQIB]
fccBtQIB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1129941372\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys [2004-10-29 06:07]
R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2008-01-01 19:03]
R1 $sys$crater;$sys$crater;C:\WINDOWS\system32\$sys$filesystem\crater.sys [2004-11-03 10:28]
S2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe [2004-12-14 05:49]
S2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 10:42]
S2 ZipMagic Task Manager;ZipMagic Task Manager;C:\PROGRA~1\Allume\ZipMagic\MXTask.exe [2005-05-09 14:27]
S2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
S3 jatmlano;jatmlano;C:\DOCUME~1\CINDY\LOCALS~1\Temp\jatmlano.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f1c61b5-4474-11da-a9dd-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 20:26:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-29 20:26:51
ComboFix-quarantined-files.txt 2008-06-30 00:26:43
ComboFix2.txt 2008-06-28 13:08:40

Pre-Run: 220,500,525,056 bytes free
Post-Run: 220,476,747,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

206 --- E O F --- 2008-06-27 11:19:23


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:18 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Allume\ZipMagic\MXTask.exe
C:\PROGRA~1\Allume\ZipMagic\mxtask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\112994~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\112994~1\EE\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://popads123.com/venora/we-content.php...596&rnd=939
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129941372\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\SMANTE~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Ysemp] "C:\Program Files\?ppPatch\m?config.exe"
O4 - HKCU\..\Run: [Gux] C:\WINDOWS\system32\?ecurity\n?pdb.exe
O4 - HKCU\..\Run: [Zdwyuq] "C:\Documents and Settings\Owner\My Documents\My Documents\W?nSxS\t?skmgr.exe"
O4 - HKCU\..\Run: [Vvgp] C:\WINDOWS\system32\?ystem32\??ool32.exe
O4 - HKCU\..\Run: [Ztm] C:\WINDOWS\system32\??stem32\w?crtupd.exe
O4 - HKCU\..\Run: [Mqe] "C:\Program Files\Common Files\M?crosoft.NET\d?xplore.exe"
O4 - HKCU\..\Run: [Tdxca] "C:\Documents and Settings\Owner\My Documents\My Documents\M?crosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [Acj] C:\WINDOWS\?ymantec\d?xplore.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {6a344d34-5231-452a-8a57-d064ac9b7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06EE8983-4008-4E98-B25A-C7DE52F78F78}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AB0DCC-EBAB-458A-8CBC-2B628AF4A6D8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD54F3B-958F-435E-AC43-14443AB37850}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06EE8983-4008-4E98-B25A-C7DE52F78F78}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: fccBtQIB - fccBtQIB.dll (file missing)
O21 - SSODL: RomUnknown - {99063e37-7d3f-4bb6-8432-6cafb33721ef} - C:\WINDOWS\Resources\RomUnknown.dll (file missing)
O21 - SSODL: ComponentComponent - {ba4c9656-f871-4ae6-a112-808d5756b4ca} - C:\WINDOWS\Resources\ComponentComponent.dll (file missing)
O21 - SSODL: RamComponent - {4ba1105b-9ef8-445c-ad7b-4f91d6050206} - C:\WINDOWS\Resources\RamComponent.dll (file missing)
O21 - SSODL: SDRAMSrv - {aca4c090-4459-4c44-9a21-a40a8ca7b1b7} - C:\WINDOWS\Resources\SDRAMSrv.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\ZipMagic\MXTask.exe

--
End of file - 8318 bytes

#14 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:10:48 AM

Posted 30 June 2008 - 07:35 PM

Hi,

You are infected by the XCP Rootkit; you need to follow some steps to remove it. You'll find all the necessary information here:

http://www.bleepingcomputer.com/forums/t/34904/how-to-remove-the-sony-drm-rootkit/

After following these instructions, post a new ComboFix log here.

#15 Ladydreamrider

Ladydreamrider
  • Topic Starter

  • Members
  • 100 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:48 AM

Posted 02 July 2008 - 07:14 AM

I've tried following these instructions:
  • Click on the Start button.
  • Click on the Run option.
  • In the Open: field type cmd /k sc delete $sys$aries and press the OK button. [Here it says specified service does not exist as an installed service]
  • Reboot your computer
  • Delete C:\%WinDir%\system32\$sys$filesystem\aries.sys (Replace %WinDir% with the directory that Windows is installed on your computer)

When I search for the file above I find nothing. When I go into Explorer and look, I find a folder $sysfilesystem$; inside the folder is a lock icon with $sys$DRMServer, another icon with $sys$parking, another icon with crater, another icon with Dgbhelp.dll, another with lim, and another with unicows.dll.
(I hope I got my bbcode right ..grin)

Edited by Orange Blossom, 05 July 2008 - 11:34 PM.
Fix bb code tags. ~ OB