Infection Stopping Connections


  • This topic is locked
2 replies to this topic

#1 MrGameShow

MrGameShow

  • Members
  • 2 posts

Posted 29 June 2008 - 06:33 PM

Once in a while, the net becomes "inaccessible" with a lot of rundll32's running.. so I thought I'd come to the experts. :thumbsup:

Below is the ComboFix logfile it created today:

ComboFix 08-06-20.4 - Windows Vista 2008-06-29 19:09:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1406 [GMT -4:00]
Running from: C:\Users\Windows Vista\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NetProject
C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url
C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url
C:\Users\WINDOW~1\FAVORI~1\Online Security Test.url
C:\Users\Windows Vista\Favorites\Online Security Test.url

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 23:17 --------- d-----w C:\Users\Windows Vista\AppData\Roaming\AVG7
2008-06-28 13:15 --------- d-----w C:\Program Files\NoAdware5.0
2008-06-03 14:19 --------- d-----w C:\Users\Windows Vista\AppData\Roaming\Apple Computer
2008-06-02 20:20 24,576 ----a-w C:\Windows\System32\VundoFixSVC.exe
2008-05-27 01:07 102,464 ----a-w C:\Windows\System32\pndpqapu.dll
2008-05-26 19:29 102,464 ----a-w C:\Windows\System32\expjydrn.dll
2008-05-24 09:39 102,464 ----a-w C:\Windows\System32\xybgnfpy.dll
2008-05-23 15:55 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-23 04:33 102,464 ----a-w C:\Windows\System32\wngetasn.dll
2008-05-22 16:55 102,464 ----a-w C:\Windows\System32\mgqjynug.dll
2008-05-20 21:28 277,504 ----a-w C:\Windows\System32\vtUolKee.dll
2008-05-20 00:41 100,928 ----a-w C:\Windows\System32\pwjjcjmk.dll
2008-05-19 21:55 --------- d-----w C:\Users\Windows Vista\AppData\Roaming\EA
2008-05-19 21:55 --------- d-----w C:\ProgramData\EA
2008-05-10 21:34 102,464 ----a-w C:\Windows\System32\ucqgunib.dll
2008-05-08 17:39 --------- d-----w C:\Program Files\WhatsRunning
2008-05-08 16:02 --------- d-----w C:\Program Files\Steam
2008-05-04 16:31 108,096 ----a-w C:\Windows\System32\oavtmhla.dll
2008-04-29 22:55 229,888 ----a-w C:\Windows\System32\msshsq.dll
2008-04-22 20:02 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-04-22 20:02 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-04-22 20:02 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-04-22 20:02 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-04-22 20:02 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-04-22 20:02 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-04-22 20:02 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-04-22 20:02 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-04-22 20:02 2,923,520 ----a-w C:\Windows\explorer.exe
2008-04-22 20:01 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-04-22 20:01 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-04-22 20:01 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-04-22 20:01 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-04-22 20:00 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-22 20:00 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-22 19:59 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-04-22 19:59 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-04-22 19:59 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-04-22 19:59 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-04-22 19:59 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-04-22 19:59 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-04-22 19:59 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-04-22 19:59 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-04-22 19:59 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-04-22 19:58 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-22 19:58 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-04-22 19:58 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-04-22 19:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-22 19:58 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-04-22 19:58 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-04-22 19:58 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-04-22 19:57 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-04-12 15:37 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
2008-04-12 15:35 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-12 15:35 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-12 15:33 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-12 15:33 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-12 15:31 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-12 15:31 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-12 15:31 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-12 15:31 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-12 15:29 99,840 ----a-w C:\Windows\System32\poqexec.exe
2008-04-08 01:53 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-08 01:52 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-04-08 01:52 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-04-08 01:52 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-04-08 01:52 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-08 01:51 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-04-08 01:51 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-04-08 01:51 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-04-08 01:50 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-04-08 01:50 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-04-08 01:49 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-04-08 01:44 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-04-08 01:43 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2007-09-07 00:57 174 --sha-w C:\Program Files\desktop.ini
2007-09-07 00:23 81,920 ----a-w C:\Users\Windows Vista\AppData\Roaming\ezpinst.exe
2007-09-07 00:23 47,360 ----a-w C:\Users\Windows Vista\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 03:23 221568]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"WindowsLivePhone"="C:\Program Files\Windows Live\Messenger\Device Manager\msgrdvmn.exe" [2007-03-29 12:21 722320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FinePrint Dispatcher v5"="C:\Windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-05-06 17:32 499712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 14:19 579584]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 05:34 868352]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"LifeChat"="C:\Program Files\Microsoft LifeChat\LifeChat.exe" [2007-01-26 15:31 259440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:26 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-09-06 07:41 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-839854123-3015095205-859979520-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B4AF263E-5DD5-4C06-8690-4B6163BCC9BE}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{176DE272-2CA2-42A0-BFF9-6D723FFC4F2D}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{480DEC87-AD56-4B7B-9435-D25C766E85AF}C:\\program files\\bittornado\\btdownloadgui.exe"= UDP:C:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"UDP Query User{8BEE311A-4850-4708-83D2-12D6B371701B}C:\\program files\\bittornado\\btdownloadgui.exe"= TCP:C:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"TCP Query User{B020CFBE-1218-4676-9926-C71E40C54E84}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2F9F3368-4B62-40C9-96C8-36B19E352268}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{7F24D5C6-B0A6-4E39-9039-FF7EC1B8D9AB}"= UDP:C:\Program Files\Flagship Studios\Hellgate London\Launcher.exe:Hellgate: London
"{5487C5D8-C0B1-4AD2-A848-145A817F7C8A}"= TCP:C:\Program Files\Flagship Studios\Hellgate London\Launcher.exe:Hellgate: London
"{6F296744-E7A4-46FC-8DAB-01816682FDA9}"= UDP:E:\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{0D2BFC3B-C219-419B-803E-E6D8BA4399D7}"= TCP:E:\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{E3CA9B45-6F51-4EA9-9CD5-5F998818D3E6}"= UDP:3724:Blizzard Downloader: 3724
"fcd51995-61c7-4935-af47-4588f089a4a1"= Protocol=1|ICMP4=8:*:persona testing
"{80C3DC55-1BA4-4C94-9E0A-8D0D9D9BDCD9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{A23ACBE8-77B9-4B91-A757-75E955171D01}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{90CE1E1B-42D8-4B38-A783-C0E903ECBECB}C:\\program files\\dreamcatcher\\genesis rising\\bin\\genesisrising.exe"= UDP:C:\program files\dreamcatcher\genesis rising\bin\genesisrising.exe:GenesisRising
"UDP Query User{5C6DB70C-3AF8-40FF-A6D1-4AB1563C5644}C:\\program files\\dreamcatcher\\genesis rising\\bin\\genesisrising.exe"= TCP:C:\program files\dreamcatcher\genesis rising\bin\genesisrising.exe:GenesisRising
"{5B8357A1-2535-4875-BF88-EEA723C8CE05}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{581847C5-D3BE-4B39-B0A8-E2E1CE93514D}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{EDAABD6F-CCF8-4A82-A931-EF06EF76595D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-28 23:13]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-28 09:25]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\Windows\system32\DRIVERS\w200bus.sys [2006-11-07 04:42]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 19:16:33
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Program Files\RAXCO\PerfectDisk\PDAgent.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\RAXCO\PerfectDisk\PDEngine.exe
C:\Windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-06-29 19:21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 23:21:42

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

449 --- E O F --- 2008-05-23 15:55:46
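The log above shows two things a responder looks for when triaging a ComboFix report: several same-size, randomly named DLLs appearing in System32 on different days (the 102,464-byte files in the Find3M section, a pattern typical of the Vundo family that VundoFixSVC.exe was installed to remove) and `EnableLUA` set to 0, meaning User Account Control was switched off. The following script is an added example, not part of the original post or of ComboFix; it parses Find3M-style lines and the Reg Loading Points section and flags both conditions. The sample input is constructed from lines copied out of the log, and the size-cluster threshold is an assumption chosen for triage, not a published rule.

```python
import re
from collections import defaultdict

# Constructed sample: a few Find3M lines and the policies\system key in the
# same layout ComboFix uses (values copied from the log in this thread).
SAMPLE_LOG = r"""
2008-06-02 20:20 24,576 ----a-w C:\Windows\System32\VundoFixSVC.exe
2008-05-27 01:07 102,464 ----a-w C:\Windows\System32\pndpqapu.dll
2008-05-26 19:29 102,464 ----a-w C:\Windows\System32\expjydrn.dll
2008-05-24 09:39 102,464 ----a-w C:\Windows\System32\xybgnfpy.dll
2008-05-23 15:55 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-22 20:02 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-04-12 15:35 296,448 ----a-w C:\Windows\System32\gdi32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

# Find3M line: date, time, size (or dashes for a directory), 7-char attribute
# string, then the path.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|-+) (\S{7}) (.+)$"
)


def parse_find3m(text):
    """Return one dict per Find3M line; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "date": date,
            "time": time,
            "size": int(size.replace(",", "")) if size[0].isdigit() else None,
            "attrs": attrs,
            "path": path,
        })
    return entries


def suspicious_size_clusters(entries, min_count=3):
    """Group System32 DLLs by byte size; clusters of >= min_count distinct
    files of identical size are the Vundo-style pattern seen in the log.
    min_count is an assumed triage threshold."""
    by_size = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if e["size"] is not None and "\\windows\\system32\\" in p and p.endswith(".dll"):
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def lua_disabled(text):
    """True if the policies\\system key in the Reg Loading Points section
    carries "EnableLUA"= 0, i.e. UAC is turned off."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and key.endswith("\\policies\\system"):
            m = re.match(r'"EnableLUA"\s*=\s*(\d+)', line)
            if m:
                return m.group(1) == "0"
    return False


if __name__ == "__main__":
    found = parse_find3m(SAMPLE_LOG)
    for size, paths in suspicious_size_clusters(found).items():
        print(f"{len(paths)} System32 DLLs of exactly {size:,} bytes:")
        for p in paths:
            print("   ", p)
    if lua_disabled(SAMPLE_LOG):
        print("EnableLUA=0: UAC is disabled; re-enable after cleanup.")
```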

#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 21 July 2008 - 10:25 AM

Hello, MrGameShow.
ComboFix should NEVER be run without supervision!! Improper use of that tool can prevent your system from ever starting again!!

:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to create a Deckard's System Scanner (DSS) Log
Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.

Primary Mirror
Secondary Mirror

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <-- Will be maximized
    • extra.txt <-- Will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.
Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 July 2008 - 09:40 AM

Hello, MrGameShow.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)