
Infected with Trojan & Rootkit. PLEASE HELP.


  • This topic is locked
20 replies to this topic

#1 LumiTY

  • Members
  • 14 posts

Posted 22 December 2008 - 10:53 PM

Mod. edit: For further contextual information and what's been done, please read this topic: http://www.bleepingcomputer.com/forums/t/188317/help-please/ in the Am I Infected forum. ~ OB

Been getting random pop-up ads and voice ads in my background, saying things like "You've won a free iPod" and that smiley face screaming "HELLO". I've also been hearing rapid mouse clicking. These things have been happening even when I don't have Internet Explorer or Firefox open. I've scanned my computer with Malwarebytes, Spybot, and other things. They have all come up with viruses and asked me to delete on reboot. I've done all these things repeatedly and I'm still having this problem. I've even tracked down what I think is an infected file that has been trying to unload a trojan on my computer. Whenever I go and delete it, it just keeps popping back up. I think it's called "msi setup". But I can't get rid of that either because it's obviously uploaded back-up. I'm at the end of my rope and really don't know what else to do. Here's the RSIT report. I really hope someone can help me out. Thank you.

Time Written: 20080601155022.000000-240
Event Type: information
User:

Computer Name: GINETTE-7504588
Event Code: 0
Message:
Record Number: 4233
Source Name: iPod Service
Time Written: 20080601134538.000000-240
Event Type: information
User:

Computer Name: GINETTE-7504588
Event Code: 2002
Message:
Record Number: 4232
Source Name: EAPOL
Time Written: 20080601134534.000000-240
Event Type: information
User:

Computer Name: GINETTE-7504588
Event Code: 2003
Message:
Record Number: 4231
Source Name: EAPOL
Time Written: 20080601134534.000000-240
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"InfinitiDir"=C:\Program Files\Thought Technology\Infiniti\

-----------------EOF-----------------

Logfile of random's system information tool 1.05 (written by random/random)
Run by MusiqIsMeLife at 2008-12-22 22:38:14
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 62 GB (59%) free of 104 GB
Total RAM: 1015 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:14 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\aVpye6rw.exe
C:\Documents and Settings\MusiqIsMeLife\My Documents\My Music\RSIT.exe
C:\Program Files\trend micro\MusiqIsMeLife.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6219 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\Norton Security Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2006-11-01 1392640]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2006-06-29 1032192]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-03-24 282624]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-14 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-10-14 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-10-14 114688]
"pccguide.exe"=C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe [2005-08-22 823362]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-09 63712]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-18 136600]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-31 50480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart []
"Veoh"=C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-08-28 3660848]
""= []
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\MusiqIsMeLife\Start Menu\Programs\Startup
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\swapm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fd61bf8-bd71-11dc-ad31-0015c571ff87}]
shell\AutoRun\command - H:\PMB_Portable.exe


======List of files/folders created in the last 1 months======

2008-12-22 22:38:14 ----D---- C:\rsit
2008-12-18 12:24:48 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-18 12:24:48 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-18 12:24:48 ----A---- C:\WINDOWS\system32\java.exe
2008-12-18 12:24:48 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-14 21:23:48 ----A---- C:\WINDOWS\wininit.ini
2008-12-11 23:38:32 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-11 23:35:58 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-10 18:05:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 18:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-09 15:08:37 ----A---- C:\WINDOWS\system32\ctwdm32.dll
2008-12-09 15:07:12 ----D---- C:\Program Files\Thought Technology
2008-12-08 01:08:53 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-12-08 01:08:35 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-12-07 22:19:02 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-07 22:19:02 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 01:30:50 ----D---- C:\Program Files\iPod
2008-12-07 01:30:46 ----D---- C:\Program Files\iTunes
2008-12-07 01:30:46 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-07 00:44:16 ----D---- C:\WINDOWS\Prefetch
2008-12-07 00:32:37 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-07 00:32:31 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-07 00:32:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-07 00:32:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-07 00:32:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-07 00:31:59 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-07 00:31:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-07 00:31:44 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-07 00:31:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-07 00:31:30 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-12-07 00:31:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-07 00:31:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-07 00:31:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-12-07 00:31:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-07 00:30:57 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-07 00:30:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-07 00:30:43 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-07 00:30:37 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-07 00:27:34 ----A---- C:\WINDOWS\setuplog.txt
2008-12-07 00:25:43 ----D---- C:\WINDOWS\system32\scripting
2008-12-07 00:25:42 ----D---- C:\WINDOWS\l2schemas
2008-12-07 00:25:40 ----D---- C:\WINDOWS\system32\en
2008-12-07 00:25:39 ----D---- C:\WINDOWS\system32\bits
2008-12-07 00:19:03 ----D---- C:\WINDOWS\ServicePackFiles
2008-12-07 00:10:38 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-12-06 22:45:18 ----A---- C:\WINDOWS\system32\aVpye6rw.exe
2008-11-27 03:04:33 ----A---- C:\WINDOWS\ODBC.INI
2008-11-27 03:04:21 ----A---- C:\WINDOWS\system32\mdimon.dll
2008-11-27 03:02:30 ----D---- C:\Program Files\Common Files\L&H
2008-11-27 03:02:16 ----D---- C:\Program Files\Microsoft.NET
2008-11-27 03:02:03 ----D---- C:\Program Files\Microsoft ActiveSync
2008-11-27 03:00:48 ----D---- C:\Program Files\Common Files\DESIGNER
2008-11-27 03:00:07 ----D---- C:\Program Files\Microsoft Visual Studio
2008-11-27 02:59:37 ----D---- C:\WINDOWS\SHELLNEW
2008-11-27 02:55:57 ----RHD---- C:\MSOCache
2008-11-26 17:44:31 ----D---- C:\WINDOWS\pss
2008-11-26 17:42:57 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2008-12-22 22:39:14 ----D---- C:\Program Files\Trend Micro
2008-12-22 22:37:56 ----D---- C:\WINDOWS\Temp
2008-12-22 22:33:52 ----D---- C:\WINDOWS
2008-12-22 18:22:16 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-22 17:22:49 ----D---- C:\WINDOWS\system32
2008-12-22 17:21:49 ----D---- C:\WINDOWS\system32\drivers
2008-12-22 17:21:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-21 15:12:13 ----D---- C:\Program Files\Mozilla Firefox
2008-12-21 13:02:10 ----SH---- C:\boot.ini
2008-12-21 13:02:10 ----N---- C:\WINDOWS\System.ini
2008-12-21 13:02:10 ----A---- C:\WINDOWS\win.ini
2008-12-21 00:21:13 ----D---- C:\Documents and Settings\MusiqIsMeLife\Application Data\LimeWire
2008-12-20 21:40:08 ----D---- C:\Program Files\LimeWire
2008-12-19 11:10:43 ----RD---- C:\Program Files
2008-12-18 12:24:55 ----SHD---- C:\WINDOWS\Installer
2008-12-18 12:24:51 ----SHD---- C:\Config.Msi
2008-12-18 12:24:32 ----D---- C:\Program Files\Java
2008-12-18 12:06:55 ----HD---- C:\WINDOWS\inf
2008-12-18 12:06:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-18 12:06:29 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-15 20:04:49 ----D---- C:\Program Files\AIMTunes
2008-12-13 19:22:56 ----D---- C:\WINDOWS\network diagnostic
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 15:17:35 ----D---- C:\Program Files\Internet Explorer
2008-12-11 23:38:36 ----A---- C:\WINDOWS\imsins.BAK
2008-12-09 18:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 14:52:05 ----AC---- C:\WINDOWS\OEWABLog.txt
2008-12-07 23:04:25 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-07 11:22:23 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-07 01:29:23 ----D---- C:\Program Files\QuickTime
2008-12-07 01:28:55 ----D---- C:\Program Files\Common Files\Apple
2008-12-07 00:43:35 ----RSD---- C:\WINDOWS\Fonts
2008-12-07 00:43:35 ----D---- C:\WINDOWS\system32\wbem
2008-12-07 00:43:35 ----D---- C:\WINDOWS\system32\Setup
2008-12-07 00:43:35 ----D---- C:\WINDOWS\ime
2008-12-07 00:43:35 ----D---- C:\WINDOWS\AppPatch
2008-12-07 00:43:35 ----D---- C:\Program Files\Messenger
2008-12-07 00:42:57 ----D---- C:\WINDOWS\security
2008-12-07 00:32:39 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-07 00:26:33 ----D---- C:\WINDOWS\WinSxS
2008-12-07 00:26:14 ----D---- C:\WINDOWS\Help
2008-12-07 00:25:45 ----D---- C:\WINDOWS\system32\usmt
2008-12-07 00:25:45 ----D---- C:\WINDOWS\system32\en-US
2008-12-07 00:25:39 ----D---- C:\WINDOWS\PeerNet
2008-12-07 00:25:39 ----D---- C:\Program Files\Movie Maker
2008-12-07 00:18:49 ----D---- C:\WINDOWS\system32\Restore
2008-12-07 00:18:49 ----D---- C:\WINDOWS\system32\npp
2008-12-07 00:18:47 ----D---- C:\WINDOWS\msagent
2008-12-07 00:18:43 ----D---- C:\WINDOWS\srchasst
2008-12-07 00:18:39 ----D---- C:\Program Files\NetMeeting
2008-12-07 00:18:35 ----D---- C:\WINDOWS\system32\Com
2008-12-07 00:18:26 ----D---- C:\Program Files\Windows Media Player
2008-12-07 00:18:25 ----D---- C:\Program Files\Windows NT
2008-12-07 00:18:24 ----D---- C:\Program Files\Outlook Express
2008-12-07 00:18:18 ----D---- C:\Program Files\Common Files\System
2008-12-07 00:17:52 ----D---- C:\WINDOWS\system32\oobe
2008-12-07 00:17:49 ----D---- C:\WINDOWS\system
2008-12-07 00:14:01 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-07 00:10:36 ----D---- C:\WINDOWS\EHome
2008-12-06 23:19:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-06 23:00:32 ----SD---- C:\WINDOWS\Tasks
2008-12-02 18:28:06 ----SD---- C:\Documents and Settings\MusiqIsMeLife\Application Data\Microsoft
2008-11-27 03:09:40 ----AC---- C:\WINDOWS\vbaddin.ini
2008-11-27 03:08:23 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-27 03:08:00 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-27 03:08:00 ----D---- C:\Program Files\Microsoft Office
2008-11-27 03:02:30 ----D---- C:\Program Files\Common Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2005-05-11 32256]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 swapm;DRAM Cash Driver; C:\WINDOWS\system32\swapm.sys []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\System32\Drivers\tmtdi.sys [2005-04-25 38528]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 tm_cfw;Common Firewall Driver; C:\WINDOWS\System32\Drivers\tm_cfw.sys [2005-04-25 1884585]
R2 Tmfilter;Tmfilter; C:\WINDOWS\system32\drivers\TmXPFlt.sys [2008-05-02 205328]
R2 Tmpreflt;Tmpreflt; C:\WINDOWS\system32\drivers\Tmpreflt.sys [2008-05-02 36368]
R2 Vsapint;Vsapint; C:\WINDOWS\system32\drivers\Vsapint.sys [2008-05-02 1169240]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2006-10-12 604928]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2005-08-05 45312]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-07-22 201600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-10-14 1302812]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-03-24 1156648]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-18 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2006-06-29 376832]
R2 PcCtlCom;Trend Micro Central Control Component; C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [2006-09-04 880722]
R2 Tmntsrv;Trend Micro Real-time Service; C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-22 290889]
R2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-04-25 585792]
R2 tmproxy;Trend Micro Proxy Service; C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-11-01 20480]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Edited by Orange Blossom, 22 December 2008 - 11:44 PM.



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 December 2008 - 01:33 AM

Hello LumiTY,


I've read your other thread, so let's do this first :

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 LumiTY
  • Topic Starter

  • Members
  • 14 posts

Posted 24 December 2008 - 05:37 PM

Here's the ComboFix log.

ComboFix 08-12-24.01 - MusiqIsMeLife 2008-12-24 16:54:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.486 [GMT -5:00]
Running from: c:\documents and settings\MusiqIsMeLife\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_004196_.tmp.dll
c:\windows\system32\_004197_.tmp.dll
c:\windows\system32\_004198_.tmp.dll
c:\windows\system32\_004199_.tmp.dll
c:\windows\system32\_004206_.tmp.dll
c:\windows\system32\_004207_.tmp.dll
c:\windows\system32\_004208_.tmp.dll
c:\windows\system32\_004209_.tmp.dll
c:\windows\system32\_004211_.tmp.dll
c:\windows\system32\_004212_.tmp.dll
c:\windows\system32\_004215_.tmp.dll
c:\windows\system32\_004216_.tmp.dll
c:\windows\system32\_004218_.tmp.dll
c:\windows\system32\_004219_.tmp.dll
c:\windows\system32\_004220_.tmp.dll
c:\windows\system32\_004222_.tmp.dll
c:\windows\system32\_004225_.tmp.dll
c:\windows\system32\_004226_.tmp.dll
c:\windows\system32\_004230_.tmp.dll
c:\windows\system32\_004231_.tmp.dll
c:\windows\system32\_004233_.tmp.dll
c:\windows\system32\_004236_.tmp.dll
c:\windows\system32\_004238_.tmp.dll
c:\windows\system32\_004239_.tmp.dll
c:\windows\system32\_004240_.tmp.dll
c:\windows\system32\_004241_.tmp.dll
c:\windows\system32\_004242_.tmp.dll
c:\windows\system32\_004245_.tmp.dll
c:\windows\system32\_004246_.tmp.dll
c:\windows\system32\_004247_.tmp.dll
c:\windows\system32\_004248_.tmp.dll
c:\windows\system32\_004249_.tmp.dll
c:\windows\system32\_004254_.tmp.dll
c:\windows\system32\_004256_.tmp.dll
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\k86.bin
c:\windows\system32\kwave.sys
c:\windows\system32\TDSSlryd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-22 22:38 . 2008-12-22 22:39 <DIR> d-------- C:\rsit
2008-12-18 12:24 . 2008-12-18 12:24 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-17 14:16 . 2008-12-24 16:36 14 --a------ c:\windows\system32\tmcontrol.bin
2008-12-16 15:09 . 2008-12-16 15:09 4,707 --a------ c:\windows\system32\aidb.dat
2008-12-16 15:08 . 2008-12-16 15:08 8,512 --a------ c:\windows\system32\swapm.sys
2008-12-14 21:23 . 2008-12-18 23:32 319 --a------ c:\windows\wininit.ini
2008-12-09 20:47 . 2008-12-09 20:47 1,409 --a------ c:\windows\system32\tmpF4A91.FOT
2008-12-09 20:47 . 2008-12-09 20:47 1,409 --a------ c:\windows\system32\tmpE8A91.FOT
2008-12-09 20:27 . 2008-12-09 20:27 1,409 --a------ c:\windows\system32\tmpE869F.FOT
2008-12-09 20:27 . 2008-12-09 20:27 1,409 --a------ c:\windows\system32\tmpCE69F.FOT
2008-12-09 20:27 . 2008-12-09 20:27 1,409 --a------ c:\windows\system32\tmpB179F.FOT
2008-12-09 20:27 . 2008-12-09 20:27 1,409 --a------ c:\windows\system32\tmp9479F.FOT
2008-12-09 15:08 . 2001-08-17 22:36 4,096 --a--c--- c:\windows\system32\dllcache\ctwdm32.dll
2008-12-09 15:08 . 2001-08-17 22:36 4,096 --a------ c:\windows\system32\ctwdm32.dll
2008-12-09 15:07 . 2008-12-09 15:08 <DIR> d-------- c:\program files\Thought Technology
2008-12-07 22:19 . 2008-12-15 15:23 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 22:19 . 2008-12-15 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 01:30 . 2008-12-07 01:30 <DIR> d-------- c:\program files\iTunes
2008-12-07 01:30 . 2008-12-07 01:30 <DIR> d-------- c:\program files\iPod
2008-12-07 01:30 . 2008-12-07 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-07 00:25 . 2008-12-07 00:25 <DIR> d-------- c:\windows\system32\scripting
2008-12-07 00:25 . 2008-12-07 00:25 <DIR> d-------- c:\windows\system32\en
2008-12-07 00:25 . 2008-12-07 00:25 <DIR> d-------- c:\windows\system32\bits
2008-12-07 00:25 . 2008-12-07 00:25 <DIR> d-------- c:\windows\l2schemas
2008-12-07 00:19 . 2008-12-07 00:19 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-06 22:45 . 2008-12-06 23:00 73,728 --a------ c:\windows\system32\aVpye6rw.exe
2008-12-05 07:24 . 2008-12-05 07:24 1,409 --a------ c:\windows\system32\tmp8C865.FOT
2008-12-05 07:24 . 2008-12-05 07:24 1,409 --a------ c:\windows\system32\tmp60965.FOT
2008-12-05 07:24 . 2008-12-05 07:24 1,409 --a------ c:\windows\system32\tmp53965.FOT
2008-12-05 07:24 . 2008-12-05 07:24 1,409 --a------ c:\windows\system32\tmp39965.FOT
2008-12-05 07:24 . 2008-12-05 07:24 1,409 --a------ c:\windows\system32\tmp2C965.FOT
2008-12-05 07:24 . 2008-12-05 07:24 1,409 --a------ c:\windows\system32\tmp1F965.FOT
2008-11-27 03:04 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-11-27 03:04 . 2008-11-27 08:07 376 --a------ c:\windows\ODBC.INI
2008-11-27 03:02 . 2008-11-27 03:02 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-27 03:02 . 2008-11-27 03:02 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-11-27 03:02 . 2008-11-27 03:02 <DIR> d-------- c:\program files\Common Files\L&H
2008-11-27 02:59 . 2008-11-27 03:02 <DIR> d-------- c:\windows\SHELLNEW
2008-11-27 02:55 . 2008-11-27 02:55 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 03:39 --------- d-----w c:\program files\Trend Micro
2008-12-21 05:21 --------- d-----w c:\documents and settings\MusiqIsMeLife\Application Data\LimeWire
2008-12-21 02:40 --------- d-----w c:\program files\LimeWire
2008-12-18 17:24 --------- d-----w c:\program files\Java
2008-12-16 01:04 --------- d-----w c:\program files\AIMTunes
2008-12-07 06:29 --------- d-----w c:\program files\QuickTime
2008-12-07 06:28 --------- d-----w c:\program files\Common Files\Apple
2008-12-07 04:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-02 23:29 4,582 ----a-w c:\documents and settings\MusiqIsMeLife\Application Data\wklnhst.dat
2008-11-16 03:44 --------- d-----w c:\program files\AIM6
2008-11-16 03:43 --------- d-----w c:\program files\Viewpoint
2008-11-16 03:43 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-16 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-05-28 22:34 350 -c--a-w c:\documents and settings\Ginette\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 823362]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\MusiqIsMeLife\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-01-07 368640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 swapm;DRAM Cash Driver;c:\windows\system32\swapm.sys [2008-12-16 8512]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2005-02-18 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-22 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-04-25 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2005-02-18 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-15 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fd61bf8-bd71-11dc-ad31-0015c571ff87}]
\Shell\AutoRun\command - H:\PMB_Portable.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-23 c:\windows\Tasks\At1.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At10.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At11.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At12.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At13.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At14.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At15.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At16.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At17.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-22 c:\windows\Tasks\At18.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At19.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-08 c:\windows\Tasks\At2.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At20.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At21.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At22.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At23.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At24.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At25.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-08 c:\windows\Tasks\At26.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At27.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At28.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At29.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At3.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At30.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-10 c:\windows\Tasks\At31.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At32.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At33.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At34.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At35.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At36.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At37.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At38.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At39.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At4.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At40.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-21 c:\windows\Tasks\At41.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-22 c:\windows\Tasks\At42.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-22 c:\windows\Tasks\At43.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At44.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At45.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At46.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At47.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-23 c:\windows\Tasks\At48.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At5.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-07 c:\windows\Tasks\At6.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-10 c:\windows\Tasks\At7.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At8.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-12-19 c:\windows\Tasks\At9.job
- c:\windows\system32\aVpye6rw.exe [2008-12-06 23:00]

2008-10-24 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 22:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
Notify-swapdm - swapdm.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\MusiqIsMeLife\Application Data\Mozilla\Firefox\Profiles\sfuqnqed.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 17:05:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
.
**************************************************************************
.
Completion time: 2008-12-24 17:09:46 - machine was rebooted [MusiqIsMeLife]
ComboFix-quarantined-files.txt 2008-12-24 22:09:23

Pre-Run: 64,400,834,560 bytes free
Post-Run: 67,410,509,824 bytes free

333 --- E O F --- 2008-12-23 05:52:52





HIJACKTHIS LOGS
DDS


DDS (Version 1.1.0) - NTFSx86
Run by MusiqIsMeLife at 17:21:20.26 on Wed 12/24/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.431 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\MusiqIsMeLife\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\musiqi~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\musiqi~1\applic~1\mozilla\firefox\profiles\sfuqnqed.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {04956EC3-A97C-46A5-94A7-03306B1A3792} - c:\documents and settings\musiqismelife\local settings\application data\{04956ec3-a97c-46a5-94a7-03306b1a3792}\

============= SERVICES / DRIVERS ===============

R1 swapm;DRAM Cash Driver;c:\windows\system32\swapm.sys [2008-12-16 8512]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2005-2-18 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-22 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-4-25 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2005-2-18 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-4-25 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-11-15 24652]

=============== Created Last 30 ================

2008-12-24 16:51 <DIR> --d----- C:\cmdcons
2008-12-24 16:47 161,792 a------- c:\windows\SWREG.exe
2008-12-24 16:47 98,816 a------- c:\windows\sed.exe
2008-12-18 12:24 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-17 14:16 14 a------- c:\windows\system32\tmcontrol.bin
2008-12-16 15:09 4,707 a------- c:\windows\system32\aidb.dat
2008-12-16 15:08 8,512 a------- c:\windows\system32\swapm.sys
2008-12-14 21:23 319 a------- c:\windows\wininit.ini
2008-12-09 20:47 1,409 a------- c:\windows\system32\tmpF4A91.FOT
2008-12-09 20:47 1,409 a------- c:\windows\system32\tmpE8A91.FOT
2008-12-09 20:27 1,409 a------- c:\windows\system32\tmpE869F.FOT
2008-12-09 20:27 1,409 a------- c:\windows\system32\tmpCE69F.FOT
2008-12-09 20:27 1,409 a------- c:\windows\system32\tmpB179F.FOT
2008-12-09 20:27 1,409 a------- c:\windows\system32\tmp9479F.FOT
2008-12-09 15:08 4,096 ac------ c:\windows\system32\dllcache\ctwdm32.dll
2008-12-09 15:08 4,096 a------- c:\windows\system32\ctwdm32.dll
2008-12-09 15:07 <DIR> --d----- c:\program files\Thought Technology
2008-12-07 22:19 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-07 22:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-07 01:30 <DIR> --d----- c:\program files\iPod
2008-12-07 01:30 <DIR> --d----- c:\program files\iTunes
2008-12-07 01:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-07 00:25 <DIR> --d----- c:\windows\system32\scripting
2008-12-07 00:25 <DIR> --d----- c:\windows\l2schemas
2008-12-07 00:25 <DIR> --d----- c:\windows\system32\en
2008-12-07 00:25 <DIR> --d----- c:\windows\system32\bits
2008-12-07 00:19 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-06 22:45 73,728 a------- c:\windows\system32\aVpye6rw.exe
2008-12-05 07:24 1,409 a------- c:\windows\system32\tmp8C865.FOT
2008-12-05 07:24 1,409 a------- c:\windows\system32\tmp60965.FOT
2008-12-05 07:24 1,409 a------- c:\windows\system32\tmp53965.FOT
2008-12-05 07:24 1,409 a------- c:\windows\system32\tmp39965.FOT
2008-12-05 07:24 1,409 a------- c:\windows\system32\tmp2C965.FOT
2008-12-05 07:24 1,409 a------- c:\windows\system32\tmp1F965.FOT
2008-11-27 03:04 376 a------- c:\windows\ODBC.INI
2008-11-27 03:04 17,920 a------- c:\windows\system32\mdimon.dll
2008-11-27 03:02 <DIR> --d----- c:\program files\common files\L&H
2008-11-27 03:02 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-11-27 02:59 <DIR> --d----- c:\windows\SHELLNEW
2008-11-26 17:44 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2008-12-07 00:28 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-02 18:29 4,582 a------- c:\docume~1\musiqi~1\applic~1\wklnhst.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 17:21:34.25 ===============



Attached File: Attach.txt (8.38KB)

#4 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 24 December 2008 - 05:55 PM

Hello,

Have you had another run with MBAM since you ran ComboFix? If not, please do so now and post the report for me. How is it running? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 LumiTY (Topic Starter)

Posted 24 December 2008 - 06:57 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 3

12/24/2008 6:56:38 PM
mbam-log-2008-12-24 (18-56-38).txt

Scan type: Quick Scan
Objects scanned: 53781
Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

I'm hoping that this finally gets rid of it.

#6 LumiTY (Topic Starter)

Posted 25 December 2008 - 12:09 AM

I'm still hearing voice ads in the background and mouse clicking. I haven't gotten any pop-ups, though.

#7 teacup61 (Malware Response Team)

Posted 25 December 2008 - 12:10 AM

Might seem like a silly question, but did you reboot?

#8 LumiTY (Topic Starter)

Posted 25 December 2008 - 04:13 PM

Yeah, I did. But MBAM keeps telling me the same two infections need to be deleted on reboot, no matter how many times I run it. Before I ran ComboFix I kept getting 3 infections that wouldn't go away no matter how many times I tried to delete them. One of those infections is gone, but these two are the same ones from before, and they remain on my computer even after rebooting. Should I run ComboFix again?

#9 teacup61 (Malware Response Team)

Posted 25 December 2008 - 04:40 PM

Yes, run them both, but this time run them in Safe Mode. Sometimes they go easier that way since they can't usually start up in Safe Mode. :thumbsup:

Post the logs, if you please. :)

Thanks,
tea

#10 LumiTY (Topic Starter)

Posted 25 December 2008 - 06:30 PM

Well, to start things off, I couldn't put my computer in Safe Mode manually with the whole msconfig thing. When I tried to, I got a response that told me that program doesn't exist. I think that program might have been my first infected file, which was deleted. But I found another way to put my computer in Safe Mode anyway, and while in Safe Mode I ran ComboFix and MBAM like you said, but with ComboFix something weird happened. While it was running, my computer automatically restarted, and when it restarted I got the ComboFix log but with only a blank screen: no icons, shortcuts, or taskbar. So I couldn't save that log to post here. I'm not really sure if that was supposed to happen or not. But I restarted my computer again, still in Safe Mode, and ran MBAM. This time, it reported back to me that I didn't have any infected files.


Malwarebytes' Anti-Malware 1.31
Database version: 1546
Windows 5.1.2600 Service Pack 3

12/25/2008 6:14:58 PM
mbam-log-2008-12-25 (18-14-58).txt

Scan type: Quick Scan
Objects scanned: 53638
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Maybe ComboFix managed to delete the files, but everything's going well so far. I hope I've finally fixed my problem.
Thanks for your help so far.

#11 teacup61 (Malware Response Team)

Posted 25 December 2008 - 07:26 PM

Hi,

"...with the whole msconfig thing"

Are you saying it's missing? Have you done a Windows search for msconfig.exe?

#12 LumiTY (Topic Starter)

Posted 25 December 2008 - 08:51 PM

It's not missing. I can't access it through my Start menu. I managed to get a shortcut that goes right to my System Configuration menu.

#13 teacup61 (Malware Response Team)

Posted 25 December 2008 - 08:56 PM

I see.

How is it running now? :thumbsup:

#14 LumiTY (Topic Starter)

Posted 26 December 2008 - 01:50 PM

I don't know what else to do. I'm still getting voice ads in the background, but not as many pop-ups. I'm still getting clicking, though not as often either. When I run MBAM, the same two infections need to be deleted when I reboot my computer, but they don't actually go away. They just stay there, apparently. I don't know what else to do. Should I actually go somewhere and have someone check it out, or is there anything else I could do?

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 December 2008 - 03:39 PM

Hello,

I'm not out of things to do. :thumbsup:

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
  • Open Notepad - don't use any other text editor than Notepad or the script will fail.
    Copy/paste the text in the quote box below into Notepad:

Folder::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

File::
c:\windows\system32\aVpye6rw.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

Can you please confirm that you've recently installed some fonts? You have a bunch of .FOT files showing, and I want to be sure you put them there.

Thanks,
tea
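As an added illustration (not part of this thread and not ComboFix's own code), the following Python parses a CFScript of the shape posted above into its Folder:: and File:: directives and separates the AtN.job entries from the other targets, so a responder can see at a glance how many at-created scheduled jobs the script removes. The grammar assumed here (a line ending in "::" opens a section, every following non-empty line is an entry) is inferred from the script shown, not taken from ComboFix documentation; the sample is a constructed, shortened version of the posted list.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the CFScript posted above (shortened list).
SAMPLE_CFSCRIPT = r"""
Folder::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

File::
c:\windows\system32\aVpye6rw.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At2.job
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; a line ending in '::' opens a section."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return dict(sections)


# AtN.job files under Windows\Tasks are jobs created with the at command rather than
# through the Task Scheduler UI; a long numbered run of them deserves a closer look.
AT_JOB = re.compile(r"^[a-z]:\\windows\\tasks\\at(\d+)\.job$", re.IGNORECASE)


def triage(sections):
    """Separate at-job entries from other File:: targets and pass Folder:: entries through."""
    at_ids, other = [], []
    for path in sections.get("File", []):
        m = AT_JOB.match(path)
        if m:
            at_ids.append(int(m.group(1)))
        else:
            other.append(path)
    return {"at_jobs": sorted(at_ids), "other_files": other, "folders": sections.get("Folder", [])}


if __name__ == "__main__":
    report = triage(parse_cfscript(SAMPLE_CFSCRIPT))
    print(f"{len(report['at_jobs'])} at-job entries, ids {report['at_jobs']}")
    for p in report["other_files"] + report["folders"]:
        print("other target:", p)
```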