http://mtn.com-com.ws popups


  • This topic is locked
19 replies to this topic

#1 richkaycc

richkaycc

  • Members
  • 28 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 04 December 2008 - 09:03 PM

This laptop has been used by a staff member's child and now it is acting as if it is possessed. Please help if you can. The web page always starts with the one I typed in the title of this post. Thanks in advance.

Here is a copy of the Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:12 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Y2lpYWRtaW4\command.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe
C:\Program Files\Zango\bin\10.3.75.0\Weather.exe
C:\Documents and Settings\user\Application Data\Gool\Gool.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.75.0\Weather.exe" -auto
O4 - HKCU\..\Run: [GetModule27] C:\Program Files\GetModule\GetModule27.exe
O4 - HKCU\..\Run: [Gool] C:\Documents and Settings\user\Application Data\Gool\Gool.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe
O4 - Startup: Shortcut (2) to p1mon.exe.lnk = p6.old\p1mon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...16/sdcregie.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.touchofcolorphotography.com/Remote/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.clarkcolor.com/ClarkUpload.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/s...file=stamps.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://photoonesoftware.webex.com/client/T...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TouchofColorPhotography.local
O17 - HKLM\Software\..\Telephony: DomainName = TouchofColorPhotography.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TouchofColorPhotography.local
O20 - AppInit_DLLs: vedxba.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2lpYWRtaW4\command.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8011 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 04 December 2008 - 09:30 PM.




#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:55 PM

Posted 04 December 2008 - 09:48 PM

Hello richkaycc,

Please download DDS and save it to your desktop.

Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

dds.txt

Attach the following report to your post by clicking the Manage Attachments button under Additional Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.

Attach.txt

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the "Show all" checkbox during the scan.

Please post back with the requested reports.

Regards
SNOWHITE

#3 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 05 December 2008 - 04:49 PM

DDS (Version 1.0) - NTFSx86
Run by user at 7:43:52.42 on Fri 12/05/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.288 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Y2lpYWRtaW4\command.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
"C:\WINDOWS\svchost.exe"
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe
C:\Program Files\Zango\bin\10.3.75.0\Weather.exe
C:\Documents and Settings\user\Application Data\Gool\Gool.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\dds.com
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com
uDefault_Page_URL = hxxp://www.dell.com
mDefault_Page_URL = hxxp://companyweb
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uWindows: load=c:\windows\svchost.exe
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - c:\program files\webtools\webtools.dll
BHO: {31FB4006-9C4E-47F0-AB2C-2FB161D78454} - c:\windows\system32\byXNfCRl.dll
BHO: {674C4571-79B1-4D0E-9A9F-B468A1FCAC9C} - c:\windows\system32\iifeeDvv.dll
BHO: {8e5e0293-11ba-4eb7-971b-aefd975a651f} - c:\windows\system32\vedxba.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\awtqpPhF.dll
BHO: {D88E1558-7C2D-407A-953A-C044F5607CEA} - c:\program files\mjcore\Mjcore.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WeatherDPA] "c:\program files\zango\bin\10.3.75.0\Weather.exe" -auto
uRun: [GetModule27] c:\program files\getmodule\GetModule27.exe
uRun: [Gool] c:\documents and settings\user\application data\gool\Gool.exe
uRun: [SpeedRunner] c:\documents and settings\user\application data\speedrunner\SpeedRunner.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [bascstray] BascsTray.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZangoOE] c:\program files\zango\bin\10.3.75.0\OEAddOn.exe
mRun: [ZangoSA] "c:\program files\zango\bin\10.3.75.0\ZangoSA.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\shortc~1.lnk - \\tocfs1\companydata\p6.old\p1mon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: awtqpPhF - awtqpPhF.dll
AppInit_DLLs: vedxba.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\awtqpPhF.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXNfCRl

============= SERVICES / DRIVERS ===============

R2 cmdService;Command Service;c:\windows\y2lpywrtaw4\command.exe [2008-11-14 293888]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-14 59328]
S3 WLAN;NETGEAR Wireless 802.11b LAN Driver;c:\windows\system32\drivers\MA401RB.SYS [2003-3-5 614400]

=============== Created Last 30 ================

2008-12-04 21:04 766 a--sh--- c:\windows\system32\lRCfNXyb.ini
2008-11-14 15:39 687,592 a------- c:\windows\system32\atmtd.dll._
2008-11-14 15:39 687,592 a------- c:\windows\system32\atmtd.dll
2008-11-14 15:38 1,989 a------- c:\windows\uninstall_nmon.vbs
2008-11-14 15:38 <DIR> --d----- c:\program files\Network Monitor
2008-11-14 15:38 <DIR> --dsh--- c:\windows\Y2lpYWRtaW4
2008-11-14 15:38 <DIR> --d----- c:\program files\InetGet2
2008-11-14 15:35 0 a------- c:\windows\system32\mcrh.tmp
2008-11-14 15:21 <DIR> --d----- c:\program files\Webtools
2008-11-14 15:19 1,975,608 ---sh--- c:\windows\system32\rxracbhe.ini
2008-11-14 15:19 68,096 a------- c:\windows\system32\ehbcarxr.dll
2008-11-14 15:17 1,975,608 ---sh--- c:\windows\system32\acbheehv.ini
2008-11-11 09:56 245,248 a------- c:\windows\svchost.exe
2008-11-11 09:27 1,937,378 ---sh--- c:\windows\system32\lgjggymr.ini
2008-11-11 09:26 <DIR> --d----- c:\program files\GetPack
2008-11-09 18:32 41,723 ---sh--- c:\program files\common files\Yazzle3090OinUninstaller.exe
2008-11-09 18:16 <DIR> --d----- c:\docume~1\user\applic~1\SpeedRunner
2008-11-09 18:11 <DIR> --d----- c:\docume~1\user\applic~1\Gool
2008-11-09 18:02 1,937,315 ---sh--- c:\windows\system32\jqoaelnr.ini
2008-11-09 18:01 <DIR> --d----- c:\program files\Mjcore
2008-11-08 16:23 1,931,385 ---sh--- c:\windows\system32\wiwlywtc.ini
2008-11-08 16:20 2,271 a--sh--- c:\windows\system32\RqpssBeg.ini2
2008-11-08 16:20 2,271 a--sh--- c:\windows\system32\RqpssBeg.ini
2008-11-08 14:35 1,931,403 ---sh--- c:\windows\system32\stctxfog.ini
2008-11-08 14:35 68,096 a------- c:\windows\system32\gofxtcts.dll
2008-11-08 14:34 313,856 -------- c:\windows\system32\byXNfCRl.dll
2008-11-08 13:13 1,931,403 ---sh--- c:\windows\system32\jityoado.ini
2008-11-08 13:11 936,655 a--sh--- c:\windows\system32\vvDeefii.ini2
2008-11-08 13:11 896,603 a--sh--- c:\windows\system32\vvDeefii.ini
2008-11-08 13:11 313,856 a------- c:\windows\system32\iifeeDvv.dll
2008-11-08 13:06 <DIR> --d----- c:\docume~1\user\applic~1\gadcom
2008-11-08 13:06 <DIR> --d----- c:\docume~1\user\applic~1\GetModule
2008-11-08 13:06 25,600 a------- c:\windows\system32\awtqpPhF.dll
2008-11-08 13:06 198,604 a------- c:\windows\system32\wpv0910.cpx
2008-11-08 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZangoSA
2008-11-08 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2008-11-08 13:05 <DIR> --d----- c:\docume~1\user\applic~1\WeatherDPA
2008-11-08 13:05 <DIR> --d----- c:\program files\Zango
2008-11-08 13:05 <DIR> --d----- c:\docume~1\user\applic~1\Zango
2008-11-08 13:05 <DIR> --d----- c:\docume~1\user\applic~1\ShoppingReport

==================== Find3M ====================

2008-12-04 21:00 <DIR> --d----- c:\program files\IrfanView
2008-11-26 06:41 46,972 a------- c:\windows\system32\nvModes.dat
2008-10-22 11:53 <DIR> --d----- c:\program files\TimeExposure
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2007-10-10 12:44 <DIR> --d--r-- c:\docume~1\user\applic~1\Brother
2007-06-14 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ProSelect_Server
2006-06-21 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2005-02-04 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2004-09-09 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2005-08-02 16:46 187,904 a--shr-- c:\windows\y2lpywrtaw4\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\y2lpywrtaw4\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\y2lpywrtaw4\sZ5DsqlQuqb.vbs

============= FINISH: 7:47:44.40 ===============

#4 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 05 December 2008 - 04:52 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-05 16:54:57
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe[308] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\System32\alg.exe[520] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\CA\eTrust Antivirus\InoRpc.exe[608] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\CA\eTrust Antivirus\InoRT.exe[680] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Zango\bin\10.3.75.0\OEAddOn.exe[704] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\CA\eTrust Antivirus\InoTask.exe[748] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\system32\nvsvc32.exe[812] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe[888] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Apoint\Apntex.exe[920] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apntex.exe[920] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Apoint\Apntex.exe[920] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apntex.exe[920] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Apoint\Apntex.exe[920] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apntex.exe[920] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Apoint\Apntex.exe[920] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Apoint\Apntex.exe[920] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Apoint\Apntex.exe[920] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[1480] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1552] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\System32\bcmwltry.exe[1664] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2028] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[2232] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Zango\bin\10.3.75.0\Weather.exe[2292] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\wscntfy.exe[2592] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[2592] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2592] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\user\Application Data\Gool\Gool.exe[2728] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
mimi1 C:\WINDOWS\svchost.exe[2852] C:\WINDOWS\svchost.exe entry point in "mimi1" section [0x0048F866]
mimi1 C:\WINDOWS\svchost.exe[2852] C:\WINDOWS\svchost.exe unknown last section [0x004CC000, 0x1A4, 0x42000040]
.text C:\WINDOWS\svchost.exe[2852] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\svchost.exe[2852] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\svchost.exe[2852] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\svchost.exe[2852] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\svchost.exe[2852] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\svchost.exe[2852] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\svchost.exe[2852] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\svchost.exe[2852] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\svchost.exe[2852] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Apoint\Apoint.exe[3052] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[3052] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[3052] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[3052] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[3052] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[3052] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[3052] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Apoint\Apoint.exe[3052] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Apoint\Apoint.exe[3052] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\user\Application Data\SpeedRunner\SpeedRunner.exe[3136] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\system32\rundll32.exe[3256] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[3256] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[3256] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[3256] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[3256] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[3256] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[3256] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\rundll32.exe[3256] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\rundll32.exe[3256] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Digital Line Detect\DLG.exe[3364] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Dell\QuickSet\quickset.exe[3448] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\System32\DSentry.exe[3552] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\DSentry.exe[3552] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\System32\DSentry.exe[3552] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\DSentry.exe[3552] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\System32\DSentry.exe[3552] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\DSentry.exe[3552] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\System32\DSentry.exe[3552] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\DSentry.exe[3552] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\DSentry.exe[3552] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\CA\ETRUST~1\realmon.exe[3668] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\Program Files\Logitech\iTouch\iTouch.exe[3680] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\Logi_MwX.Exe[3800] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Logi_MwX.Exe[3800] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Logi_MwX.Exe[3800] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\Explorer.EXE[4036] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[4036] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\Explorer.EXE[4036] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[4036] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\Explorer.EXE[4036] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[4036] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\Explorer.EXE[4036] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[4036] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[4036] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ino_fltr.sys (CA eTrust Antivirus/InoculateIT File System Filter Driver for Windows 2000/XP/2003/Computer Associates)
AttachedDevice \FileSystem\Ntfs \Ntfs ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/.Net/Computer Associates)

Device \FileSystem\Fastfat \Fat kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat ino_fltr.sys (CA eTrust Antivirus/InoculateIT File System Filter Driver for Windows 2000/XP/2003/Computer Associates)
AttachedDevice \FileSystem\Fastfat \Fat ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/.Net/Computer Associates)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{B48EE667-376E-903C-1C54-1A6563F8BBD9}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{B48EE667-376E-903C-1C54-1A6563F8BBD9}\LocalServer32@ C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE

---- EOF - GMER 1.0.14 ----

#5 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:55 PM

Posted 05 December 2008 - 06:44 PM

Hello richkaycc :thumbsup:

Please follow the steps below:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Visit this link to see instructions on how to disable security programs:
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please include the C:\ComboFix.txt in your next reply for further review.

After ComboFix has done its job, reboot once again, then:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please post back with the requested reports and a fresh HijackThis log.

Regards
SNOWHITE

#6 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 05 December 2008 - 10:36 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 2

12/5/2008 10:39:30 PM
mbam-log-2008-12-05 (22-39-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 124206
Time elapsed: 57 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036559.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036621.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036622.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036623.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036624.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036625.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036627.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036629.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036630.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036631.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036632.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036633.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036634.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036608.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036628.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036679.dll (Adware.Shopper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP535\A0036683.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#7 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 05 December 2008 - 10:37 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:24 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut (2) to p1mon.exe.lnk = p6.old\p1mon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...16/sdcregie.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.touchofcolorphotography.com/Remote/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.clarkcolor.com/ClarkUpload.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/s...file=stamps.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://photoonesoftware.webex.com/client/T...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TouchofColorPhotography.local
O17 - HKLM\Software\..\Telephony: DomainName = TouchofColorPhotography.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TouchofColorPhotography.local
O20 - AppInit_DLLs: vedxba.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6516 bytes

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:55 PM

Posted 07 December 2008 - 03:47 PM

Hello again richkaycc,

Have you run ComboFix per my instructions? Could you please post the report from ComboFix?

Thanks and regards
SNOWHITE

#9 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:02:55 PM

Posted 08 December 2008 - 07:41 AM

Sorry about that, I don't know how I missed the first part of the message. Here is the ComboFix file:

ComboFix 08-12-06.06 - user 2008-12-08 7:32:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.648 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\user\Application Data\WeatherDPA
c:\documents and settings\user\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\user\Application Data\Zango
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\1064372.sdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\2884501.sdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\444801.sdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\10192
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\11891
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1450
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1491
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17025
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\17252
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\18906
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\230524
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\23757
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\23923
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\282887
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\288733
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\297534
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\31262
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35006
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35017
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\36768
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\40012
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\40256
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\403537
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\41854
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\42491
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43719
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44228
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\44313
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\4500
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\455392
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\460458
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\47155
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\47346
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\47638
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\477253
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\47891
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\512635
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51880
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52335
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\53923
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\54473
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\547723
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\552212
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\55428
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\56463
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\569524
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\572898
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\58197
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59215
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\62936
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\685955
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69263
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\71340
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\71999
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\72001
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745146
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745148
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745215
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745434
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748176
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748359
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\78600
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79432
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\81010
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\8120
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83216
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\84449
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\84578
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\84753
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\90154
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95142
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\95825
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\97734
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\99496
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\dynamic\ustat\376f.dat
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\avatar.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\btntrans.idx
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\components.cdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\cursors.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\default.cdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\icons2.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\progress.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\documents and settings\user\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
c:\documents and settings\user\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\setup.inf
c:\windows\jestertb.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\fad.sys
c:\windows\SYSTEM32\RqpssBeg.ini
c:\windows\SYSTEM32\RqpssBeg.ini2
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-06 09:53 . 2008-12-06 09:53 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 09:53 . 2008-12-06 09:53 1,409 --a------ c:\windows\QTFont.for
2008-12-05 23:15 . 2008-12-05 23:15 <DIR> d-------- c:\documents and settings\user\Patty
2008-12-05 17:08 . 2008-12-05 17:08 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-05 17:07 . 2008-12-05 17:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 17:07 . 2008-12-05 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 17:07 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-05 17:07 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-05 07:59 . 2008-12-05 08:14 345 --a------ c:\windows\gmer.ini
2008-11-14 15:38 . 2008-12-05 18:07 <DIR> d--hs---- c:\windows\Y2lpYWRtaW4
2008-11-14 15:17 . 2008-11-14 15:19 1,975,608 ---hs---- c:\windows\SYSTEM32\acbheehv.ini
2008-11-11 09:27 . 2008-11-14 15:15 1,937,378 ---hs---- c:\windows\SYSTEM32\lgjggymr.ini
2008-11-09 18:02 . 2008-11-11 09:26 1,937,315 ---hs---- c:\windows\SYSTEM32\jqoaelnr.ini
2008-11-08 16:23 . 2008-11-09 18:01 1,931,385 ---hs---- c:\windows\SYSTEM32\wiwlywtc.ini
2008-11-08 13:13 . 2008-11-08 13:33 1,931,403 ---hs---- c:\windows\SYSTEM32\jityoado.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 03:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 02:00 --------- d-----w c:\program files\IrfanView
2008-10-27 20:11 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-22 16:53 --------- d-----w c:\program files\TimeExposure
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2004-12-03 21:15 3,866,112 ----a-w c:\program files\epson11237.exe
2004-11-15 02:22 6,811,656 ----a-w c:\program files\psa201se_us.exe
2004-11-15 02:22 16,706,160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2005-07-29 21:24 472 --sha-r c:\windows\Y2lpYWRtaW4\sZ5DsqlQuqb.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"nwiz"="nwiz.exe" [2004-10-26 c:\windows\SYSTEM32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vedxba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\TimeExposure\\ProSelect.exe"=
"\\\\tocfs1\\companydata\\p6\\contpnl.exe"=
"\\\\tocfs1\\companydata\\p6\\ordmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 GTICARD;GTICARD;c:\windows\system32\DRIVERS\gticard.sys [2003-02-14 59328]
S3 WLAN;NETGEAR Wireless 802.11b LAN Driver;c:\windows\system32\DRIVERS\MA401RB.SYS [2003-03-05 614400]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
HKLM-Run-PaperPort PTD - c:\program files\ScanSoft\PaperPort\pptd40nt.exe
HKLM-Run-IndexSearch - c:\program files\ScanSoft\PaperPort\IndexSearch.exe
HKLM-Run-bascstray - BascsTray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com/
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 07:36:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-08 7:37:18
ComboFix-quarantined-files.txt 2008-12-08 12:36:59

Pre-Run: 17,694,572,544 bytes free
Post-Run: 18,185,805,824 bytes free

316 --- E O F --- 2008-12-08 12:15:23

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:55 PM

Posted 10 December 2008 - 12:35 AM

Hello richkaycc,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\SYSTEM32\acbheehv.ini
c:\windows\SYSTEM32\lgjggymr.ini
c:\windows\SYSTEM32\jqoaelnr.ini
c:\windows\SYSTEM32\wiwlywtc.ini
c:\windows\SYSTEM32\jityoado.ini
c:\windows\system32\vedxba.dll

Folder::
c:\windows\Y2lpYWRtaW4

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply post.

Post back with the ComboFix report and a fresh HijackThis report run after ComboFix has done its work and rebooted.

Regards
SNOWHITE
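
The entries SNOWHITE's CFScript targets can be picked out of the ComboFix log mechanically. The following is an added example, not ComboFix's or the forum's code: it parses the "Files Created" and REGEDIT4 "Reg Loading Points" sections of a constructed excerpt of the log posted above and flags the AppInit_DLLs value, the AntiVirusOverride flag, the hidden+system .ini drops in SYSTEM32 and the hidden system folder under c:\windows, and goes a little beyond the script by also reporting the globally open firewall port and noting that the folder name decodes as base64 to "ciiadmin".

```python
"""Triage of the ComboFix log sections quoted above (added example, not
ComboFix's or the forum's code): flags what SNOWHITE's CFScript removes."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    kind: str
    detail: str


# Constructed sample: abbreviated copy of the ComboFix log lines posted above.
SAMPLE_LOG = r"""
((((( Files Created from 2008-11-08 to 2008-12-08 )))))
2008-12-06 09:53 . 2008-12-06 09:53 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-05 17:07 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-14 15:38 . 2008-12-05 18:07 <DIR> d--hs---- c:\windows\Y2lpYWRtaW4
2008-11-14 15:17 . 2008-11-14 15:19 1,975,608 ---hs---- c:\windows\SYSTEM32\acbheehv.ini
2008-11-11 09:27 . 2008-11-14 15:15 1,937,378 ---hs---- c:\windows\SYSTEM32\lgjggymr.ini
((((( Reg Loading Points )))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vedxba.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# One "Files Created" row: created . modified  size-or-<DIR>  9 attribute flags  path
FILE_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# The dropped files use random 8-letter names (acbheehv.ini, lgjggymr.ini, ...)
RANDOM_INI = re.compile(r"^[a-z]{8}\.ini$")


def decode_base64_name(name: str) -> Optional[str]:
    """Printable ASCII that a folder name decodes to as base64, else None."""
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if text and text.isprintable() else None


def triage(log_text: str) -> List[Finding]:
    """One pass over the log: file rows and registry values are checked in place."""
    findings: List[Finding] = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        row = FILE_ROW.match(line)
        if row:
            attrs, path = row["attrs"], row["path"]
            hidden_system = "h" in attrs and "s" in attrs
            parent, _, name = path.rpartition("\\")
            if row["size"] == "<DIR>" and hidden_system and parent.lower() == r"c:\windows":
                # Y2lpYWRtaW4 is base64 for "ciiadmin"; an encoded name is a hint, not proof
                decoded = decode_base64_name(name)
                note = f" (base64 of {decoded!r})" if decoded else ""
                findings.append(Finding("hidden_system_dir", path + note))
            elif hidden_system and parent.lower() == r"c:\windows\system32" and RANDOM_INI.match(name):
                findings.append(Finding("hidden_system_ini", path))
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key["key"].lower()
            continue
        val = REG_VALUE.match(line)
        if not val:
            continue
        name, value = val["name"].lower(), val["value"].strip()
        if name == "appinit_dlls" and current_key.endswith(r"windows nt\currentversion\windows"):
            if value not in ("", '""'):  # loaded into every user32-linked process
                findings.append(Finding("appinit_dlls", value))
        elif name == "antivirusoverride" and current_key.endswith("security center"):
            if value.lower() == "dword:00000001":  # Security Center AV warnings suppressed
                findings.append(Finding("av_override", current_key))
        elif current_key.endswith(r"globallyopenports\list"):
            findings.append(Finding("open_port", val["name"]))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding per indicator, in log order; on the real log the same parser would also report the file and folder entries listed in SNOWHITE's File:: and Folder:: sections.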

#11 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:55 PM

Posted 11 December 2008 - 08:50 PM

I had to break the ComboFix txt file in half. I'll send it in 2 posts because of their size.
Here is the HJ file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:59 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut (2) to p1mon.exe.lnk = p6.old\p1mon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...16/sdcregie.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.touchofcolorphotography.com/Remote/msrdp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.clarkcolor.com/ClarkUpload.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/s...file=stamps.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://photoonesoftware.webex.com/client/T...ort/ieatgpc.cab
O20 - AppInit_DLLs: vedxba.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6471 bytes


#12 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:55 PM

Posted 11 December 2008 - 09:00 PM

Here is the 2nd part of the Combofix txt


#13 richkaycc

richkaycc
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:55 PM

Posted 13 December 2008 - 11:11 AM

Did you have any problems with my log entries?

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:55 AM

Posted 16 December 2008 - 10:54 PM

Hello, richkaycc
I'm sorry to report that SNOW has been having some problems.

Give me 10 mins or so to look these over :thumbsup:

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:55 AM

Posted 16 December 2008 - 10:56 PM

Hello, richkaycc
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/184141/httpmtncom-comws-popups/
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    suspect::[54]
    C:\WINDOWS\System32\basfipm.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)