
Virtumonde


This topic is locked
11 replies to this topic

#1 Ross99515

Ross99515

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:08 PM

Posted 04 August 2008 - 02:16 PM

Spybot Search & Destroy keeps finding Virtumonde. I am getting browser redirects, popups and ads for anti-spyware. I have been dealing with this problem for several weeks now and would greatly appreciate any assistance. I am using Windows XP Professional. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:20 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
O2 - BHO: (no name) - {046EE7AA-52D9-467C-AEEF-65CA8D842FA6} - C:\WINDOWS\system32\byXQKaYp.dll (file missing)
O2 - BHO: (no name) - {2D275275-3CB3-4F26-8A96-855423BB52D1} - C:\WINDOWS\system32\rqRKBQkL.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {3F57148E-29EC-4C9B-A139-FAC2364FCBEC} - C:\WINDOWS\system32\nnnliHXQ.dll (file missing)
O2 - BHO: (no name) - {4940F193-26BD-4317-A0C2-D9B53547EB92} - C:\WINDOWS\system32\ssqOGwVM.dll (file missing)
O2 - BHO: (no name) - {4B006C6B-E763-4480-BB7B-037550DADE1B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {AE8D5CD1-58FD-4A37-8F67-7C54FB60DA9A} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C28461C1-9D08-4281-B8C4-1309EEFC34E5} - C:\WINDOWS\system32\ssqPhHwx.dll (file missing)
O2 - BHO: (no name) - {C6A855D8-6D4D-4A77-98E1-1A31F15CB10D} - C:\WINDOWS\system32\wvUlijKd.dll (file missing)
O2 - BHO: (no name) - {D28906E9-07E6-43B0-B16E-71A3E0E2D944} - C:\WINDOWS\system32\pmnnNddd.dll (file missing)
O2 - BHO: (no name) - {E9B1688D-E011-4315-AEEE-D5D94CA233A4} - C:\WINDOWS\system32\vtUmNHXr.dll (file missing)
O2 - BHO: (no name) - {EF4CC146-43C9-4741-8D21-EB5035A4EBEC} - C:\WINDOWS\system32\geBqPIab.dll (file missing)
O2 - BHO: {679b4c58-89c2-570b-4014-452d9d2255af} - {fa5522d9-d254-4104-b075-2c9885c4b976} - C:\WINDOWS\system32\bprjyp.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...298/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: hdxfju.dll,yfbkbj.dll,xvpovz.dll,hcfhop.dll,bprjyp.dll,avgrsstx.dll
O20 - Winlogon Notify: geBqPIab - geBqPIab.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8041 bytes
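The log above is what the Malware Response Team reads by hand. As an added example (not part of this thread, and not HijackThis or any tool the responders use), here is a small Python triage pass over a few lines copied from that log. The section regexes, the `looks_random` heuristic and the "cluster" rule are assumptions of this example; they were chosen to surface what stands out in this particular log: unnamed BHOs whose DLL is already gone, a BHO whose display name is a bare GUID, a populated AppInit_DLLs list and orphaned Winlogon Notify entries.

```python
"""Triage a HijackThis 2.0 log for Vundo/Virtumonde-shaped indicators.

Added example, not part of the forum thread or of HijackThis. Every rule
below is a review aid (an assumption of this example), not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# one O4 and one O23 line to show that the triage leaves them alone.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {046EE7AA-52D9-467C-AEEF-65CA8D842FA6} - C:\\WINDOWS\\system32\\byXQKaYp.dll (file missing)
O2 - BHO: (no name) - {2D275275-3CB3-4F26-8A96-855423BB52D1} - C:\\WINDOWS\\system32\\rqRKBQkL.dll (file missing)
O2 - BHO: (no name) - {3F57148E-29EC-4C9B-A139-FAC2364FCBEC} - C:\\WINDOWS\\system32\\nnnliHXQ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: {679b4c58-89c2-570b-4014-452d9d2255af} - {fa5522d9-d254-4104-b075-2c9885c4b976} - C:\\WINDOWS\\system32\\bprjyp.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs: hdxfju.dll,yfbkbj.dll,xvpovz.dll,hcfhop.dll,bprjyp.dll,avgrsstx.dll
O20 - Winlogon Notify: geBqPIab - geBqPIab.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
"""

# HijackThis line shapes (assumed from the log format, e.g. "O2 - BHO: ...").
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<target>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: ?(?P<dlls>.*)$")
MISSING = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    tags: tuple    # machine-readable reasons for flagging the line
    line: str      # the original log line


def dll_stem(target: str) -> str:
    """'C:\\WINDOWS\\system32\\byXQKaYp.dll (file missing)' -> 'byXQKaYp'."""
    for marker in MISSING:
        target = target.replace(marker, "")
    base = target.strip().replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic: exactly 8 letters with at least three lower/upper switches,
    the shape of byXQKaYp.dll and geBqPIab.dll in this log. Coarse on purpose."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() != b.islower())
    return switches >= 3


def is_missing(target: str) -> bool:
    return any(target.endswith(m) for m in MISSING)


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2/O20 line; other sections are ignored."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        tags = []
        if section == "O2" and (b := BHO_RE.match(body)):
            name, target = b.group("name"), b.group("target")
            if name == "(no name)":
                tags.append("unnamed_bho")
            elif name.startswith("{"):
                tags.append("guid_named_bho")   # display name is itself a GUID
            if is_missing(target):
                tags.append("orphaned")         # registry points at a deleted DLL
            if looks_random(dll_stem(target)):
                tags.append("random_name")
        elif section == "O20" and (a := APPINIT_RE.match(body)):
            dlls = [d.strip() for d in a.group("dlls").split(",") if d.strip()]
            if dlls:                            # normally empty on XP; list every entry
                tags.append(f"appinit_dlls:{len(dlls)}")
        elif section == "O20" and (n := NOTIFY_RE.match(body)):
            if is_missing(n.group("target")):
                tags.append("orphaned")
            if looks_random(n.group("key")):
                tags.append("random_name")
        if tags:
            findings.append(Finding(section, tuple(tags), raw))
    return findings


def summarize(findings) -> dict:
    """Roll the findings up into the counts a log reviewer looks at first."""
    summary = {"unnamed_bho": 0, "guid_named_bho": 0, "orphaned": 0,
               "random_name": 0, "appinit_dlls": 0}
    for f in findings:
        for tag in f.tags:
            if tag.startswith("appinit_dlls:"):
                summary["appinit_dlls"] += int(tag.split(":")[1])
            else:
                summary[tag] += 1
    # Several unnamed/GUID-named BHOs next to a populated AppInit_DLLs is the
    # cluster this thread is about; a single hit on its own is not.
    bho_hits = summary["unnamed_bho"] + summary["guid_named_bho"]
    summary["vundo_like_cluster"] = bho_hits >= 3 and summary["appinit_dlls"] > 0
    return summary


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4}{', '.join(f.tags):<40}{f.line}")
    print(summarize(found))
```

Run against the sample it flags seven lines and reports a Vundo-like cluster; the Spybot BHO, the ctfmon Run entry and the Ad-Aware service pass untouched. The point of the `tags` tuple is that the reviewer, not the script, decides: a legitimate DLL can and does land in AppInit_DLLs (the log's own `avgrsstx.dll` belongs to AVG), so the script only narrows the list a human has to read.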


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 PM

Posted 04 August 2008 - 03:28 PM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:08 PM

Posted 05 August 2008 - 07:25 AM

Hello Ross99515.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise changing the passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.


Multiple Antiviruses
I see that you are running two antivirus programs, AVG8 and Symantec AntiVirus. It is not recommended that you do so. In addition to wasting resources, the programs may detect virus signatures in the other and cause false positives. The different drivers used by the programs can cause crashes.

Please uninstall one of them using Add/Remove Programs.


Download and Run ComboFix
Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Click HERE for instructions on running ComboFix. It is important that you install the Recovery Console per the instructions given in the link above.
  • Close any open windows.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on combofix.exe and follow the prompts.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Run Deckard's System Scanner
If you have not already used DSS or you have lost your copy, please download Deckard's System Scanner (DSS) and save to your Desktop.

You must be logged onto an account with administrator privileges. If you are using Windows Vista, right click dss.exe and select Run as Administrator.
  • Double click DSS.exe to run the program.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so. If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue, as the scan is not harmful.

When DSS is run, it will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
This program will only scan your computer and create a log. It does not alter your computer.
------------
Please post back with the ComboFix log and the DSS log. Also comment on how your computer is running.

With Regards,
The Panda

#4 Ross99515

Ross99515
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:08 PM

Posted 05 August 2008 - 09:16 PM

Thanks for your help. The computer is running much better, but I am still getting strange websites popping up (RipeTV.com, various search-type sites, etc.). There is definitely a noticeable difference in speed. Attached are the requested logs:

ComboFix 08-08-04.09 - tbuser 2008-08-05 16:44:18.1 - NTFSx86
Running from: C:\Documents and Settings\tbuser\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tbuser\Application Data\AXPDefender
C:\Documents and Settings\tbuser\Application Data\macromedia\Flash Player\#SharedObjects\CTU9F5TH\interclick.com
C:\Documents and Settings\tbuser\Application Data\macromedia\Flash Player\#SharedObjects\CTU9F5TH\interclick.com\ud.sol
C:\Documents and Settings\tbuser\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\tbuser\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\AXPDefender
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awoasdwo.ini
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\SYSTEM32\buasuavx.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\SYSTEM32\ctbgpcel.ini
C:\WINDOWS\system32\dbtory.dll
C:\WINDOWS\SYSTEM32\dddNnnmp.ini
C:\WINDOWS\SYSTEM32\dddNnnmp.ini2
C:\WINDOWS\SYSTEM32\dKjilUvw.ini
C:\WINDOWS\SYSTEM32\dKjilUvw.ini2
C:\WINDOWS\system32\dolasalq.ini
C:\WINDOWS\system32\dqorgvdg.ini
C:\WINDOWS\system32\dudjbqlq.ini
C:\WINDOWS\SYSTEM32\ebxyiyqv.ini
C:\WINDOWS\system32\eyqfhsjy.ini
C:\WINDOWS\SYSTEM32\fkinvcxj.ini
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\ghurwgqj.dll
C:\WINDOWS\system32\grrinbwi.ini
C:\WINDOWS\system32\idktqwam.ini
C:\WINDOWS\SYSTEM32\isdqsxmx.ini
C:\WINDOWS\system32\kwjdyiic.ini
C:\WINDOWS\SYSTEM32\LkQBKRqr.ini
C:\WINDOWS\SYSTEM32\LkQBKRqr.ini2
C:\WINDOWS\SYSTEM32\lpmohike.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\MVwGOqss.ini
C:\WINDOWS\SYSTEM32\MVwGOqss.ini2
C:\WINDOWS\SYSTEM32\nebchuje.ini
C:\WINDOWS\SYSTEM32\nqttCfhk.ini
C:\WINDOWS\SYSTEM32\nqttCfhk.ini2
C:\WINDOWS\system32\ovgclmih.ini
C:\WINDOWS\system32\oxsbwvia.ini
C:\WINDOWS\system32\pmavarwi.ini
C:\WINDOWS\SYSTEM32\pYaKQXyb.ini
C:\WINDOWS\SYSTEM32\pYaKQXyb.ini2
C:\WINDOWS\system32\qnegxkww.ini
C:\WINDOWS\SYSTEM32\QXHilnnn.ini
C:\WINDOWS\SYSTEM32\QXHilnnn.ini2
C:\WINDOWS\SYSTEM32\rXHNmUtv.ini
C:\WINDOWS\SYSTEM32\rXHNmUtv.ini2
C:\WINDOWS\SYSTEM32\tkfesins.ini
C:\WINDOWS\system32\uwhearqj.ini
C:\WINDOWS\SYSTEM32\woxgfpup.ini
C:\WINDOWS\SYSTEM32\xocgbugi.ini
C:\WINDOWS\system32\xwHhPqss.ini
C:\WINDOWS\SYSTEM32\xwHhPqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-04 11:26 . 2008-08-04 11:26 <DIR> d-------- C:\Deckard
2008-08-04 10:10 . 2008-08-04 10:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 18:37 . 2008-08-03 21:32 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-03 18:07 . 2008-08-03 18:07 98,688 --a------ C:\WINDOWS\SYSTEM32\jxcvnikf.dll
2008-08-03 18:04 . 2008-08-03 18:04 130,432 --a------ C:\WINDOWS\SYSTEM32\wdvfcsyy.dll
2008-08-03 18:04 . 2008-08-03 18:04 130,432 --a------ C:\WINDOWS\SYSTEM32\bprjyp.dll
2008-08-03 17:39 . 2008-08-03 17:39 <DIR> d-------- C:\Program Files\AVG
2008-08-03 17:39 . 2008-08-05 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 16:50 . 2008-08-03 16:50 130,432 --a------ C:\WINDOWS\SYSTEM32\lhtpcclq.dll
2008-08-03 16:50 . 2008-08-03 16:50 130,432 --a------ C:\WINDOWS\SYSTEM32\hcfhop.dll
2008-08-03 15:01 . 2008-08-03 15:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 13:47 . 2008-08-03 13:46 130,432 --a------ C:\WINDOWS\SYSTEM32\xvpovz.dll
2008-08-03 13:46 . 2008-08-03 13:46 130,432 --a------ C:\WINDOWS\SYSTEM32\afrqfvre.dll
2008-08-02 13:21 . 2008-08-02 13:21 130,432 --a------ C:\WINDOWS\SYSTEM32\yfbkbj.dll
2008-08-02 13:21 . 2008-08-02 13:21 130,432 --a------ C:\WINDOWS\SYSTEM32\kkglaeqy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 23:02 --------- d-----w C:\Program Files\Lavasoft
2008-07-29 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 04:58 --------- d-----w C:\Program Files\Shopper Routing Database
2008-07-28 03:32 --------- d-----w C:\Program Files\TBMS For Windows
2008-07-01 07:18 --------- d-----w C:\Program Files\Enigma Software Group
2008-05-30 01:43 73,216 ----a-w C:\WINDOWS\ODEUNST.EXE
2008-05-30 01:43 327,680 ------w C:\WINDOWS\Setup1.exe
2008-05-30 01:43 151,622 ------w C:\WINDOWS\modcas.dll
2008-05-30 01:43 101,888 ------w C:\WINDOWS\odestkit.dll
2008-05-30 01:43 1,626 ----a-w C:\WINDOWS\SETUP.LST.tmp
2008-05-30 01:43 1,386,496 ------w C:\WINDOWS\msvbvm60.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa5522d9-d254-4104-b075-2c9885c4b976}]
2008-08-03 18:04 130432 --a------ C:\WINDOWS\system32\bprjyp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 09:49 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 12:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\afJ36.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bfI37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\chL47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hlP61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mqT60.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nrV73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vaD37.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\tbuser\LOCALS~1\Temp\stdcons.exe/r [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c92436d]
--a------ 2008-08-03 18:07 98688 C:\WINDOWS\SYSTEM32\jxcvnikf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-02-02 12:32 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-04-08 13:52 48752 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-03-04 17:59 487424 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 07:18 28672 C:\WINDOWS\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 09:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 03:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-14 20:08 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-06-22 10:10 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2005-04-17 10:30 85184 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 20:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys [2003-10-27 17:42]
S3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-08-05 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 15:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{046EE7AA-52D9-467C-AEEF-65CA8D842FA6} - C:\WINDOWS\system32\byXQKaYp.dll
BHO-{2D275275-3CB3-4F26-8A96-855423BB52D1} - C:\WINDOWS\system32\rqRKBQkL.dll
BHO-{3F57148E-29EC-4C9B-A139-FAC2364FCBEC} - C:\WINDOWS\system32\nnnliHXQ.dll
BHO-{4940F193-26BD-4317-A0C2-D9B53547EB92} - C:\WINDOWS\system32\ssqOGwVM.dll
BHO-{C28461C1-9D08-4281-B8C4-1309EEFC34E5} - C:\WINDOWS\system32\ssqPhHwx.dll
BHO-{C6A855D8-6D4D-4A77-98E1-1A31F15CB10D} - C:\WINDOWS\system32\wvUlijKd.dll
BHO-{D28906E9-07E6-43B0-B16E-71A3E0E2D944} - C:\WINDOWS\system32\pmnnNddd.dll
BHO-{E9B1688D-E011-4315-AEEE-D5D94CA233A4} - C:\WINDOWS\system32\vtUmNHXr.dll
Notify-geBqPIab - geBqPIab.dll
MSConfigStartUp-AdaptecDirectCD - C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\tbuser\Application Data\Mozilla\Firefox\Profiles\iohxiqnd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 16:54:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
.
**************************************************************************
.
Completion time: 2008-08-05 17:02:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 01:01:57

Pre-Run: 20,330,369,024 bytes free
Post-Run: 20,254,982,144 bytes free

228 --- E O F --- 2008-05-19 03:24:19



Deckard's System Scanner v20071014.68
Run by tbuser on 2008-08-05 17:30:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as tbuser.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:49 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tbuser\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\tbuser.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {679b4c58-89c2-570b-4014-452d9d2255af} - {fa5522d9-d254-4104-b075-2c9885c4b976} - C:\WINDOWS\system32\bprjyp.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...298/mcfscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5744 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 17:03:51 0 d-------- C:\WINDOWS\LastGood
2008-08-05 16:42:46 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 16:42:46 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 16:42:46 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 16:42:46 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 16:42:46 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 16:42:46 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 16:42:46 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 16:42:46 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 16:34:51 0 dr-hs---- C:\cmdcons
2008-08-05 16:34:49 0 d-------- C:\WINDOWS\setup.pss
2008-08-05 16:34:28 0 d-------- C:\WINDOWS\setupupd
2008-08-04 10:10:35 0 d-------- C:\Program Files\Trend Micro
2008-08-03 18:37:39 0 d--h----- C:\$AVG8.VAULT$
2008-08-03 18:07:16 98688 --a------ C:\WINDOWS\system32\jxcvnikf.dll
2008-08-03 18:04:20 130432 --a------ C:\WINDOWS\system32\bprjyp.dll
2008-08-03 18:04:18 130432 --a------ C:\WINDOWS\system32\wdvfcsyy.dll
2008-08-03 17:39:59 0 d-------- C:\Program Files\AVG
2008-08-03 17:39:57 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 16:50:54 130432 --a------ C:\WINDOWS\system32\hcfhop.dll
2008-08-03 16:50:51 130432 --a------ C:\WINDOWS\system32\lhtpcclq.dll
2008-08-03 15:01:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 13:47:04 130432 --a------ C:\WINDOWS\system32\xvpovz.dll
2008-08-03 13:46:57 130432 --a------ C:\WINDOWS\system32\afrqfvre.dll
2008-08-02 13:21:08 130432 --a------ C:\WINDOWS\system32\yfbkbj.dll
2008-08-02 13:21:04 130432 --a------ C:\WINDOWS\system32\kkglaeqy.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-05 16:47:20 0 d-------- C:\Program Files\Common Files
2008-08-03 15:02:07 0 d-------- C:\Program Files\Lavasoft
2008-07-28 20:58:45 0 d-------- C:\Program Files\Shopper Routing Database
2008-07-27 19:32:53 0 d-------- C:\Program Files\TBMS For Windows
2008-06-30 23:18:07 0 d-------- C:\Program Files\Enigma Software Group
2008-05-29 17:43:24 73216 --a------ C:\WINDOWS\ODEUNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-05-29 17:43:24 101888 -----n--- C:\WINDOWS\odestkit.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-05-29 17:43:24 151622 -----n--- C:\WINDOWS\modcas.dll <Not Verified; Microsoft Corporation; Microsoft ® Office Developer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa5522d9-d254-4104-b075-2c9885c4b976}]
08/03/2008 06:04 PM 130432 --a------ C:\WINDOWS\system32\bprjyp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [12/19/2003 09:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 09:56 PM]

C:\Documents and Settings\tbuser\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 9:58:38 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 9:58:38 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 01/13/2004 12:17 PM 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\afJ36.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bfI37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\chL47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hlP61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mqT60.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nrV73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vaD37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c92436d]
rundll32.exe "C:\WINDOWS\system32\jxcvnikf.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\tbuser\LOCALS~1\Temp\stdcons.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide




-- End of Deckard's System Scanner: finished at 2008-08-05 17:31:32 ------------

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 August 2008 - 02:52 PM

Hello Ross99515. Glad to hear it's better. There is still some more to do.

Submit File to Jotti Scanner
There is an unidentified file that I would like you to check out for me using Jotti.
  • Open Jotti Online Scanner.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).

    C:\WINDOWS\SYSTEM32\jxcvnikf.dll
    C:\WINDOWS\SYSTEM32\bprjyp.dll


  • Click Submit.
    If more than one file was listed, repeat for each of them.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad and copy/paste the text in the quotebox below into it:


    File::
    C:\WINDOWS\SYSTEM32\wdvfcsyy.dll
    C:\WINDOWS\SYSTEM32\bprjyp.dll
    C:\WINDOWS\SYSTEM32\lhtpcclq.dll
    C:\WINDOWS\SYSTEM32\hcfhop.dll
    C:\WINDOWS\SYSTEM32\xvpovz.dll
    C:\WINDOWS\SYSTEM32\afrqfvre.dll
    C:\WINDOWS\SYSTEM32\yfbkbj.dll
    C:\WINDOWS\SYSTEM32\jxcvnikf.dll
    C:\WINDOWS\SYSTEM32\kkglaeqy.dll
    c:\WINDOWS\Setup1.exe
    C:\WINDOWS\SETUP.LST.tmp

    Folder::
    C:\$AVG8.VAULT$
    C:\Program Files\AVG

    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fa5522d9-d254-4104-b075-2c9885c4b976}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{679b4c58-89c2-570b-4014-452d9d2255af}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bfI37.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\chL47.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hlP61.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mqT60.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nrV73.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vaD37.sys]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c92436d]

    Driver::
    bfI37
    chL47
    hlP61
    mqT60
    nrV73
    vaD37

    Rootkit:
    C:\DOCUME~1\tbuser\LOCALS~1\Temp\stdcons.exe

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Update Java to Version 6 Update 7
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java from this page. Follow the prompts and select the appropriate settings for your machine. Click on the "Required File" jdk-6u7-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.


Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

-------------------
Please post back with:
-the Jotti results
-the ComboFix log
-the Kaspersky log

Also comment on how your computer is running now. Do you still get those popups?

With Regards,
The Panda
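Automating the checks behind that file selection, as an added example that is not part of the thread and not the helper's own method: the script below runs over O2 lines and "Files created" entries copied from the HijackThis and DSS logs posted above and ranks DLLs by how many Vundo-style signals they carry (a BHO whose display name is a bare CLSID instead of a product name, a DLL newly created in system32 during the scan window, a cluster of new DLLs sharing one file size, a DLL loaded at startup through rundll32). The function names and the cluster threshold of three are assumptions; nothing here replaces submitting the file to a multi-engine scanner, it only decides which files are worth submitting.

```python
"""Triage HijackThis / DSS log lines for Vundo-style BHO DLLs.

Added example for this thread, not the helper's own method and not code from
HijackThis, DSS or ComboFix. The sample lines are copied from the logs posted
in the thread; function names and the cluster threshold are assumptions.
"""
import re
from collections import defaultdict

# O2 (Browser Helper Object) lines copied from the HijackThis log above.
HJT_LINES = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll",
    r"O2 - BHO: {679b4c58-89c2-570b-4014-452d9d2255af} - {fa5522d9-d254-4104-b075-2c9885c4b976} - C:\WINDOWS\system32\bprjyp.dll",
]
# "Files created" lines copied from the DSS report above.
DSS_LINES = [
    r"2008-08-05 16:42:46 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>",
    r"2008-08-03 18:07:16 98688 --a------ C:\WINDOWS\system32\jxcvnikf.dll",
    r"2008-08-03 18:04:20 130432 --a------ C:\WINDOWS\system32\bprjyp.dll",
    r"2008-08-03 18:04:18 130432 --a------ C:\WINDOWS\system32\wdvfcsyy.dll",
    r"2008-08-03 17:39:59 0 d-------- C:\Program Files\AVG",
    r"2008-08-03 16:50:54 130432 --a------ C:\WINDOWS\system32\hcfhop.dll",
    r"2008-08-03 16:50:51 130432 --a------ C:\WINDOWS\system32\lhtpcclq.dll",
    r"2008-08-03 13:47:04 130432 --a------ C:\WINDOWS\system32\xvpovz.dll",
    r"2008-08-03 13:46:57 130432 --a------ C:\WINDOWS\system32\afrqfvre.dll",
    r"2008-08-02 13:21:08 130432 --a------ C:\WINDOWS\system32\yfbkbj.dll",
    r"2008-08-02 13:21:04 130432 --a------ C:\WINDOWS\system32\kkglaeqy.dll",
]
# Startup entry copied from the DSS registry dump above.
REG_LINES = [r'rundll32.exe "C:\WINDOWS\system32\jxcvnikf.dll",b']

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)(?: \(file missing\))?$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+?)(?: <[^>]*>)?$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<path>[^",]+?\.dll)"?', re.I)
SYS32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)


def norm(path):
    """Normalise a Windows path for use as a dictionary key."""
    return path.strip().lower()


def triage(hjt_lines, dss_lines, reg_lines, cluster_min=3):
    """Return [(path, [reasons])] sorted by number of signals, strongest first.

    cluster_min (assumed threshold): how many newly created DLLs must share
    one exact size before the shared size counts as a signal.
    """
    reasons = defaultdict(list)
    new_sizes = {}
    for line in dss_lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        p = norm(m["path"])
        if SYS32_DLL_RE.search(p):
            new_sizes[p] = int(m["size"])
            reasons[p].append("DLL newly created in system32 during the scan window")
    by_size = defaultdict(list)
    for p, size in new_sizes.items():
        by_size[size].append(p)
    for size, paths in by_size.items():
        if len(paths) >= cluster_min:
            for p in paths:
                reasons[p].append(f"size {size} shared with {len(paths) - 1} other new DLLs")
    for line in hjt_lines:
        m = BHO_RE.match(line)
        if m and GUID_RE.match(m["name"]):
            reasons[norm(m["path"])].append("BHO display name is a bare CLSID, not a product name")
    for line in reg_lines:
        m = RUNDLL_RE.search(line)
        if m:
            reasons[norm(m["path"])].append("loaded at startup via rundll32")
    return sorted(reasons.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for path, why in triage(HJT_LINES, DSS_LINES, REG_LINES):
        print(f"{len(why)} signal(s): {path}")
        for w in why:
            print(f"    - {w}")
```

On the thread's own lines this ranks bprjyp.dll first (three signals), then jxcvnikf.dll and the seven other 130432-byte DLLs (two signals each), while the AVG, Spybot and Windows Live Toolbar BHOs pick up no signal at all. Those are exactly the files the helper put in the Jotti and CFScript lists above, which is the point of a triage like this: it narrows a long log to a short list a human then verifies.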

#6 Ross99515

  • Topic Starter
  • Members
  • 5 posts

Posted 07 August 2008 - 04:20 AM

The computer appears to be working fine; I am no longer getting the pop-ups or any other problems.
Here are the requested logs:

File: jxcvnikf.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6c9bd941768a4f25fac744e505b64c22
Packers detected: -

Scanner results
Scan taken on 07 Aug 2008 06:03:17 (GMT)
A-Squared Found nothing
AntiVir Found TR/Monder.cet
ArcaVir Found nothing
Avast Found Win32:Monder-ET
AVG Antivirus Found Generic11.EVX
BitDefender Found Trojan.Vundo.JIJ
ClamAV Found nothing
CPsecure Found Troj.W32.Monder.cet
Dr.Web Found Trojan.Virtumod.458
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Monder.cet
Fortinet Found nothing
Ikarus Found Virus.Trojan.Win32.Monder.cet
Kaspersky Anti-Virus Found Trojan.Win32.Monder.cet
NOD32 Found Win32/Adware.Virtumonde application
Norman Virus Control Found W32/Vundo.DXI
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Monder.cet



File: bprjyp.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 3f08749c70b647ba824bbea8f275b31b
Packers detected: -

Scanner results
Scan taken on 07 Aug 2008 06:06:56 (GMT)
A-Squared Found nothing
AntiVir Found ADSPY/Superjuan.cas
ArcaVir Found nothing
Avast Found Win32:Monder-ET
AVG Antivirus Found Generic3.KLQ
BitDefender Found Trojan.Vundo.JIJ
ClamAV Found nothing
CPsecure Found AdWare.W32.SuperJuan.cas
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SuperJuan.cas (4, 1, 400)
Fortinet Found nothing
Ikarus Found Trojan.Win32.Vundo.C
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SuperJuan.cas
NOD32 Found Win32/Adware.SuperJuan application
Norman Virus Control Found W32/Virtumonde.YYC
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.SuperJuan.cas


ComboFix 08-08-06.02 - tbuser 2008-08-06 22:13:21.3 - NTFSx86
Running from: C:\Documents and Settings\tbuser\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tbuser\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SETUP.LST.tmp
c:\WINDOWS\Setup1.exe
C:\WINDOWS\SYSTEM32\afrqfvre.dll
C:\WINDOWS\SYSTEM32\bprjyp.dll
C:\WINDOWS\SYSTEM32\hcfhop.dll
C:\WINDOWS\SYSTEM32\jxcvnikf.dll
C:\WINDOWS\SYSTEM32\kkglaeqy.dll
C:\WINDOWS\SYSTEM32\lhtpcclq.dll
C:\WINDOWS\SYSTEM32\wdvfcsyy.dll
C:\WINDOWS\SYSTEM32\xvpovz.dll
C:\WINDOWS\SYSTEM32\yfbkbj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\afrqfvre.dll
C:\WINDOWS\SYSTEM32\bprjyp.dll
C:\WINDOWS\SYSTEM32\hcfhop.dll
C:\WINDOWS\SYSTEM32\jxcvnikf.dll
C:\WINDOWS\SYSTEM32\kkglaeqy.dll
C:\WINDOWS\SYSTEM32\lhtpcclq.dll
C:\WINDOWS\SYSTEM32\wdvfcsyy.dll
C:\WINDOWS\SYSTEM32\xvpovz.dll
C:\WINDOWS\SYSTEM32\yfbkbj.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 19:03 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-06 18:41 . 2008-08-06 18:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 20:20 . 2008-08-05 20:20 832,896 --a------ C:\Documents and Settings\tbuser\Sevinst.exe
2008-08-05 20:20 . 2008-08-05 20:50 10,563 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-08-05 20:20 . 2008-08-05 20:50 805 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-08-05 17:05 . 2008-06-13 05:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-04 11:26 . 2008-08-04 11:26 <DIR> d-------- C:\Deckard
2008-08-04 10:10 . 2008-08-04 10:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 17:39 . 2008-08-05 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 15:01 . 2008-08-03 15:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 03:03 --------- d-----w C:\Program Files\Java
2008-08-06 04:50 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-08-06 04:50 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-06 04:50 --------- d-----w C:\Program Files\Symantec
2008-08-03 23:02 --------- d-----w C:\Program Files\Lavasoft
2008-07-29 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 04:58 --------- d-----w C:\Program Files\Shopper Routing Database
2008-07-28 03:32 --------- d-----w C:\Program Files\TBMS For Windows
2008-07-01 07:18 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 01:43 73,216 ----a-w C:\WINDOWS\ODEUNST.EXE
2008-05-30 01:43 151,622 ------w C:\WINDOWS\modcas.dll
2008-05-30 01:43 101,888 ------w C:\WINDOWS\odestkit.dll
2008-05-30 01:43 1,386,496 ------w C:\WINDOWS\msvbvm60.dll
2008-05-16 19:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
.

((((((((((((((((((((((((((((( snapshot_2008-08-06_17.40.13.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-06 15:06:14 224,005 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-08-07 02:12:21 224,004 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
- 2008-02-22 09:23:35 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 09:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2008-02-22 09:23:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 09:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2008-02-22 10:33:32 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-06-10 10:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 09:49 86016]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-22 10:10 100056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 13:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 10:30 85184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 12:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\afJ36.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-02-02 12:32 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-03-04 17:59 487424 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 07:18 28672 C:\WINDOWS\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 09:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 03:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-14 20:08 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 20:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys [2003-10-27 17:42]
S3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-08-07 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]

2008-08-07 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 15:32]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 22:16:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 22:20:50
ComboFix-quarantined-files.txt 2008-08-07 06:20:46
ComboFix2.txt 2008-08-07 01:40:50
ComboFix3.txt 2008-08-06 01:02:16

Pre-Run: 19,455,537,152 bytes free
Post-Run: 19,558,760,448 bytes free

171 --- E O F --- 2008-08-06 05:04:00


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 07, 2008 08:29:04
Records in database: 1065689
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 45965
Threat name: 4
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 01:20:33


File name / Threat name / Threats count
C:\Program Files\Symantec\LiveUpdate\DISreboot.exe Infected: not-a-virus:AdWare.Win32.Alibabar.t 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\afrqfvre.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bprjyp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbtory.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ghurwgqj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hcfhop.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jxcvnikf.dll.vir Infected: Trojan.Win32.Monder.cet 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kkglaeqy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lhtpcclq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wdvfcsyy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xvpovz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yfbkbj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001104.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001105.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001106.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001107.dll Infected: Trojan.Win32.Monder.cet 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001108.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001109.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001110.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001111.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\A0001112.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP4\A0000138.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP4\A0000139.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP5\A0000257.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

The selected area was scanned.
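Triage helper for a report in the format of the Kaspersky scan above, as an added example that is not part of the thread and not code from Kaspersky or any other tool mentioned here. It parses the "File name / Threat name / Threats count" lines, classifies each hit by where the file lives (ComboFix's QooBox quarantine, a System Restore snapshot, or a live path) and counts detections per threat family, so a responder can see at a glance which hits are inert copies and which still need a decision. The sample report embedded in the block is constructed from a few of the lines above.

```python
"""Triage a Kaspersky-style scan report: classify hits by location and family.

Added example, not part of the thread or of any scanner. The report format is
"<path> Infected: <threat name> <count>", one hit per line.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines in the same format as the report above.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Program Files\\Symantec\\LiveUpdate\\DISreboot.exe Infected: not-a-virus:AdWare.Win32.Alibabar.t 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\afrqfvre.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\jxcvnikf.dll.vir Infected: Trojan.Win32.Monder.cet 1
C:\\System Volume Information\\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\\RP15\\A0001107.dll Infected: Trojan.Win32.Monder.cet 1
C:\\System Volume Information\\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\\RP4\\A0000138.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1

The selected area was scanned.
"""

# The path may contain spaces, so anchor on the literal " Infected: " token
# and the trailing integer rather than splitting on whitespace.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify_location(path):
    """Quarantined copies and System Restore snapshots are inert on disk;
    anything else is a live file that still needs a decision."""
    lowered = path.lower()
    if "\\qoobox\\quarantine\\" in lowered:
        return "quarantine"
    if "\\system volume information\\_restore" in lowered:
        return "restore_point"
    return "live"


def family(threat):
    """Drop the 'not-a-virus:' prefix and the variant suffix:
    'not-a-virus:AdWare.Win32.SuperJuan.cas' -> 'AdWare.Win32.SuperJuan'."""
    name = threat.split(":", 1)[-1]
    return name.rsplit(".", 1)[0]


def parse_report(text):
    """Return one dict per hit: path, threat, count and location class."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank and summary lines carry no hits
        path = m.group("path")
        hits.append({
            "path": path,
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "location": classify_location(path),
        })
    return hits


def summarize(hits):
    """Counts per location class and per threat family, plus the live paths."""
    by_location = Counter(h["location"] for h in hits)
    by_family = Counter(family(h["threat"]) for h in hits)
    live = [h["path"] for h in hits if h["location"] == "live"]
    return {"by_location": dict(by_location), "by_family": dict(by_family), "live": live}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the sample, only the Symantec LiveUpdate hit is classified as live; every SuperJuan and Monder hit sits either in the QooBox quarantine that ComboFix already created or in a restore point, which is what a responder wants to confirm before deciding what, if anything, is left to remove.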

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 07 August 2008 - 08:55 AM

Hello. Looks like only one more little entry to kill. We should be near done.

Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:


    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\afJ36.sys]

    Driver:
    afJ36
    afJ36.sys

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
-------------------
Post back with the ComboFix log for a final checkup.

With Regards,
The Panda

#8 Ross99515

Ross99515
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 07 August 2008 - 03:48 PM

Thanks for all of your help Panda.

ComboFix 08-08-06.02 - tbuser 2008-08-07 12:34:17.4 - NTFSx86
Running from: C:\Documents and Settings\tbuser\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tbuser\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 19:03 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-06 18:41 . 2008-08-06 18:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 20:20 . 2008-08-05 20:20 832,896 --a------ C:\Documents and Settings\tbuser\Sevinst.exe
2008-08-05 20:20 . 2008-08-05 20:50 10,563 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-08-05 20:20 . 2008-08-05 20:50 805 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-08-05 17:05 . 2008-06-13 05:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-04 11:26 . 2008-08-04 11:26 <DIR> d-------- C:\Deckard
2008-08-04 10:10 . 2008-08-04 10:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 17:39 . 2008-08-05 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 15:01 . 2008-08-03 15:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 03:03 --------- d-----w C:\Program Files\Java
2008-08-06 04:50 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-06 04:50 --------- d-----w C:\Program Files\Symantec
2008-08-03 23:02 --------- d-----w C:\Program Files\Lavasoft
2008-07-29 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-29 04:58 --------- d-----w C:\Program Files\Shopper Routing Database
2008-07-28 03:32 --------- d-----w C:\Program Files\TBMS For Windows
2008-07-01 07:18 --------- d-----w C:\Program Files\Enigma Software Group
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 01:43 73,216 ----a-w C:\WINDOWS\ODEUNST.EXE
2008-05-30 01:43 151,622 ------w C:\WINDOWS\modcas.dll
2008-05-30 01:43 101,888 ------w C:\WINDOWS\odestkit.dll
2008-05-30 01:43 1,386,496 ------w C:\WINDOWS\msvbvm60.dll
.

((((((((((((((((((((((((((((( snapshot_2008-08-06_17.40.13.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-06 15:06:14 224,005 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-08-07 15:25:00 224,005 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
- 2008-02-22 09:23:35 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 09:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2008-02-22 09:23:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 09:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2008-02-22 10:33:32 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-06-10 10:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 09:49 86016]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-22 10:10 100056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 13:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 10:30 85184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 12:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-02-02 12:32 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-03-04 17:59 487424 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 07:18 28672 C:\WINDOWS\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 09:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 03:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-14 20:08 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 20:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys [2003-10-27 17:42]
S3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-08-07 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 15:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3F57148E-29EC-4C9B-A139-FAC2364FCBEC} - (no file)
BHO-{4B006C6B-E763-4480-BB7B-037550DADE1B} - (no file)
BHO-{AE8D5CD1-58FD-4A37-8F67-7C54FB60DA9A} - (no file)
BHO-{C6A855D8-6D4D-4A77-98E1-1A31F15CB10D} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 12:38:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 12:42:58
ComboFix-quarantined-files.txt 2008-08-07 20:42:46
ComboFix2.txt 2008-08-07 06:20:51
ComboFix3.txt 2008-08-07 01:40:50
ComboFix4.txt 2008-08-06 01:02:16

Pre-Run: 19,524,231,168 bytes free
Post-Run: 19,545,395,200 bytes free

136 --- E O F --- 2008-08-06 05:04:00

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 08 August 2008 - 11:20 AM

Hello. Your logs look clean :thumbsup: . I would like to thank the Team Coach Shaba for supervising our work. Just some final cleanup to do.

Install Firewall
Please now install a third-party firewall from the following selection of excellent programs.

The main reason you would prefer a third-party firewall over the Windows XP Firewall is that Windows Firewall stops incoming signals from accessing your computer; however, it will not stop programs (possibly ones that could intrude on your privacy) from sending outgoing signals to the Internet or to other networks.

After you have installed one of the above firewalls, please disable your Windows Firewall if you have it enabled.


Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
You should now re-enable all your protection.

Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections. Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Start Menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one.
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for choosing Bleeping Computer as your malware removal source. Be sure to tell your friends about us!
----------------
If the problems have now been resolved, please say so, so that we can close this topic.

With Regards,
The Panda
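The note above warns that a blocklist-style Hosts file overwrites any custom entries you had. The merge below, an added example that is neither HostsMan's code nor part of the thread, shows what a tool or admin script has to do to avoid that: keep every real mapping from the current file, add the blocklist's block entries, and report names where the two disagree so the user can decide rather than silently losing a mapping. Both input files are constructed samples; the `.invalid` host names are placeholders.

```python
"""Merge a blocklist into an existing hosts file without losing custom entries.

Added example, not HostsMan's code and not from the thread. A "block" entry is
any mapping to an address that makes the request fail (0.0.0.0, 127.0.0.1, ::1);
anything else is treated as a deliberate custom mapping and is preserved.
"""

# Addresses that mean "block": resolving a name here makes the request fail.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Windows' own default entry; it maps to 127.0.0.1 but is not a block entry.
DEFAULT_HOSTS = {"localhost"}

# Constructed sample inputs (hypothetical names, .invalid is reserved for examples).
CURRENT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.lan   # custom entry the user added by hand
127.0.0.1       ads.example-tracker.invalid
"""

BLOCKLIST = """\
# constructed blocklist in hosts-file format
0.0.0.0 ads.example-tracker.invalid
0.0.0.0 malware.example-bad.invalid
0.0.0.0 fileserver.lan
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            yield address, name.lower()


def classify(entries):
    """Split entries into custom mappings (name -> address) and blocked names."""
    custom, blocks = {}, set()
    for address, name in entries:
        if address in BLOCK_TARGETS and name not in DEFAULT_HOSTS:
            blocks.add(name)
        else:
            custom[name] = address
    return custom, blocks


def merge_hosts(current_text, blocklist_text):
    """Return (merged hosts text, report).

    Custom mappings win over blocklist entries for the same name, so a
    blocklist cannot silently break a name the user deliberately mapped;
    such names are listed under report["conflicts"] for manual review.
    """
    custom, old_blocks = classify(parse_hosts(current_text))
    _, new_blocks = classify(parse_hosts(blocklist_text))
    conflicts = sorted(name for name in new_blocks if name in custom)
    blocked = sorted((old_blocks | new_blocks) - set(custom))

    lines = ["# merged hosts file: custom entries first, then block entries"]
    for name, address in sorted(custom.items()):
        lines.append(f"{address}\t{name}")
    lines.extend(f"0.0.0.0\t{name}" for name in blocked)
    report = {"custom": len(custom), "blocked": len(blocked), "conflicts": conflicts}
    return "\n".join(lines) + "\n", report


if __name__ == "__main__":
    merged, report = merge_hosts(CURRENT_HOSTS, BLOCKLIST)
    print(merged)
    print(report)
```

On the sample, the user's fileserver.lan mapping survives even though the blocklist wants to sink it, and it is flagged as a conflict; the two tracker names end up blocked once each, with the duplicate from the old file collapsed. Writing the result back to %SystemRoot%\System32\drivers\etc\hosts requires an administrator prompt, which is left out of the block on purpose.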

#10 Ross99515

Ross99515
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 09 August 2008 - 04:28 PM

All is well! Thanks so much for all of your help. Everybody at Bleeping Computer is awesome.

Ross99515

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 09 August 2008 - 04:53 PM

Glad we could help :thumbsup: .

The Panda

#12 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:08 PM

Posted 10 August 2008 - 04:01 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security