Infected with trojan/worm


  • This topic is locked
7 replies to this topic

#1 TIA4EVA

  • Members
  • 4 posts
  • Local time:04:36 AM

Posted 29 December 2008 - 07:51 AM

I opened up a malicious file and I have been having problems with my computer ever since. Adaware and NOD32 have detected the malware but it keeps on coming back. Thanks for reading!

DDS (Version 1.1.0) - NTFSx86
Run by TJ at 21:30:53.98 on Mon 29/12/2008
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.2047.1206 [GMT 9:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Razer\Krait\razerhid.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Westnet Usage Grabber\wug.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Razer\Krait\razerofa.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\system32\DllHost.exe
D:\Users\TJ\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://mail.google.com/mail/?shva=1#inbox
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {fb875729-3973-458d-9184-ac9e1d1389fb} - c:\windows\system32\wvUljHxv.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Krait] c:\program files\razer\krait\razerhid.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSServer] rundll32.exe c:\windows\system32\urqPjJBq.dll,#1
mRun: [60df027b] rundll32.exe "c:\windows\system32\ruivpore.dll",b
StartupFolder: c:\users\tj\appdata\roaming\micros~1\windows\startm~1\programs\startup\westne~1.lnk - c:\program files\westnet usage grabber\wug.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download Using &BitSpirit - c:\program files\bitspirit\bsurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: ÓñÈÌؾ«ÁéÏÂÔØ(&:thumbsup:
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {9F836C26-7392-413F-A8BA-026EDE413499} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\urqPjJBq.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUljHxv

================= FIREFOX ===================

FF - ProfilePath - c:\users\tj\appdata\roaming\mozilla\firefox\profiles\69oyzzil.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R2 ekrn;Eset Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-2-20 472320]
R3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [2008-11-2 13324]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2006-11-2 9216]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\common files\creative labs shared\service\CTAELicensing.exe" [2008-11-2 79360]

=============== Created Last 30 ================

2008-12-29 18:28 1,757,993 ---sh--- c:\windows\system32\stkfltll.ini
2008-12-29 18:28 69,120 a------- c:\windows\system32\lltlfkts.dll
2008-12-29 18:20 36,864 a------- c:\windows\system32\urqPjJBq.dll
2008-12-28 21:05 1,757,993 ---sh--- c:\windows\system32\wghjwewg.ini
2008-12-28 21:05 68,608 -------- c:\windows\system32\gwewjhgw.dll
2008-12-28 12:58 192,307 a------- C:\wubildr
2008-12-28 12:58 8,192 a------- C:\wubildr.mbr
2008-12-28 10:49 1,757,993 ---sh--- c:\windows\system32\xvrbmoxp.ini
2008-12-28 01:35 1,752,114 ---sh--- c:\windows\system32\lqfmeqqt.ini
2008-12-28 01:17 1,752,120 ---sh--- c:\windows\system32\wlrairrd.ini
2008-12-27 13:52 649,695 a--sh--- c:\windows\system32\uDdLnUtv.ini2
2008-12-27 13:52 649,695 a--sh--- c:\windows\system32\uDdLnUtv.ini
2008-12-27 13:52 236,032 a------- c:\windows\system32\vtUnLdDu.dll
2008-12-27 10:43 649,871 a--sh--- c:\windows\system32\WDfgOXbc.ini2
2008-12-27 10:43 649,871 a--sh--- c:\windows\system32\WDfgOXbc.ini
2008-12-27 10:43 236,032 a------- c:\windows\system32\cbXOgfDW.dll
2008-12-27 00:39 1,664,085 ---sh--- c:\windows\system32\yeevsgqv.ini
2008-12-27 00:36 649,696 a--sh--- c:\windows\system32\cdKSCfhk.ini2
2008-12-27 00:36 649,696 a--sh--- c:\windows\system32\cdKSCfhk.ini
2008-12-27 00:36 236,032 a------- c:\windows\system32\khfCSKdc.dll
2008-12-26 23:00 <DIR> --d----- c:\users\tj\Tim's Backup
2008-12-26 18:01 <DIR> --d----- c:\programdata\Symantec
2008-12-26 18:01 <DIR> --d----- c:\progra~2\Symantec
2008-12-26 17:55 1,664,085 ---sh--- c:\windows\system32\hevxvnhy.ini
2008-12-26 17:41 1,664,085 ---sh--- c:\windows\system32\gadokckq.ini
2008-12-26 11:13 1,664,085 ---sh--- c:\windows\system32\bvdokcfa.ini
2008-12-26 11:10 650,433 a--sh--- c:\windows\system32\wHRtAcfe.ini2
2008-12-26 11:10 650,433 a--sh--- c:\windows\system32\wHRtAcfe.ini
2008-12-26 11:10 236,032 a------- c:\windows\system32\efcAtRHw.dll
2008-12-26 00:36 1,664,085 ---sh--- c:\windows\system32\vgybqjki.ini
2008-12-26 00:18 <DIR> --d----- c:\windows\system32\Adobe
2008-12-25 13:51 <DIR> --d----- c:\program files\DVDInfoPro
2008-12-25 13:37 462,401 a--sh--- c:\windows\system32\vxHjlUvw.ini2
2008-12-25 13:37 462,401 a--sh--- c:\windows\system32\vxHjlUvw.ini
2008-12-25 13:37 236,032 a------- c:\windows\system32\wvUljHxv.dll
2008-12-25 13:33 36,864 a------- c:\windows\system32\cbXRheeb.dll
2008-12-25 13:33 36,864 a------- c:\windows\system32\cbXPjgGv.dll
2008-12-25 13:32 45,056 a------- c:\windows\system32\pmnkLDvU.dll
2008-12-25 06:14 <DIR> --d----- C:\Downloads
2008-12-22 11:40 61,440 a------- C:\incating.exe
2008-12-20 14:33 <DIR> --d----- c:\users\tj\appdata\roaming\BitSpirit
2008-12-20 14:32 <DIR> --d----- c:\program files\BitSpirit
2008-12-20 14:23 <DIR> --d----- c:\users\tj\appdata\roaming\LimeWire
2008-12-20 07:00 <DIR> --d----- c:\users\tj\appdata\roaming\TrueCrypt
2008-12-20 06:59 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2008-12-20 06:58 <DIR> --d----- c:\program files\TrueCrypt
2008-12-20 01:51 53,964 a------- c:\windows\system32\netathr.inf
2008-12-20 01:51 695,808 a------- c:\windows\system32\drivers\athr.sys
2008-12-20 01:51 695,808 a------- c:\windows\system32\athr.sys
2008-12-20 01:51 <DIR> --d----- c:\windows\Options
2008-12-20 01:51 <DIR> --d----- c:\program files\TP-LINK
2008-12-17 22:01 <DIR> --d----- c:\program files\Bonjour
2008-12-17 21:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 22:22 2,108,068 a------- c:\windows\system32\cl32.dll
2008-12-12 22:22 1,071,088 a------- c:\windows\system32\MSComctl.OCX
2008-12-12 22:22 1,009,336 a------- c:\windows\system32\MSCHRT20.OCX
2008-12-12 22:22 98,304 a------- c:\windows\system32\VBAlDTab6.OCX
2008-12-12 22:22 41,008 a------- c:\windows\system32\DCSysTray.ocx
2008-12-12 22:22 40,960 a------- c:\windows\system32\ssubtmr6.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 22:33 <DIR> --d----- c:\programdata\Real
2008-12-11 22:33 <DIR> --d----- c:\program files\K-Lite Codec Pack
2008-12-11 20:25 27,864 a------- c:\windows\system32\athrext.cat
2008-12-11 20:24 <DIR> --d----- c:\programdata\TP-LINK
2008-12-11 20:24 <DIR> --d----- c:\progra~2\TP-LINK
2008-12-10 17:27 2,048 a------- c:\windows\system32\tzres.dll
2008-12-09 01:35 <DIR> --d----- c:\users\tj\appdata\roaming\FrostWire
2008-12-04 10:38 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-04 10:38 1,409 a------- c:\windows\QTFont.for
2008-12-04 08:20 413,760 a------- c:\windows\system32\mpg4c32.dll
2008-12-04 08:20 1,415,680 a------- c:\windows\system32\WMV9VCM.dll
2008-12-04 08:20 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-04 08:20 245,408 a------- c:\windows\system32\unicows.dll
2008-12-04 08:20 19,968 a------- c:\windows\system32\cpuinf32.dll
2008-12-01 07:02 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-01 07:02 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-01 07:01 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-01 07:01 31,232 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2008-12-20 01:51 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-20 01:51 51,200 a------- c:\windows\inf\infpub.dat
2008-12-20 01:51 86,016 a------- c:\windows\inf\infstor.dat
2008-11-24 23:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-13 12:18 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-02 22:30 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-11-02 22:30 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-11-01 12:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 12:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 12:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 12:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 12:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 12:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 10:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 15:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-29 07:35 684,032 a------- c:\windows\system32\divx.dll
2008-10-22 12:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 14:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 14:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 13:47 827,392 a------- c:\windows\system32\wininet.dll
2008-09-07 00:48 87,608 a------- c:\users\tj\appdata\roaming\inst.exe
2008-09-07 00:48 47,360 a------- c:\users\tj\appdata\roaming\pcouffin.sys
2008-09-06 22:05 174 a--sh--- c:\program files\desktop.ini
2008-09-06 18:38 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 21:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 21:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 21:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 21:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 18:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 18:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 18:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 18:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 23:58 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:32:22.86 ===============

Attached Files
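What a helper looks for in a DDS log like the one above is the pattern visible in its "Created Last 30" section: a random eight-letter DLL in system32, created in the same minute as a hidden (sh) .ini/.ini2 file whose name is the DLL's name spelled backwards (wvUljHxv.dll beside vxHjlUvw.ini, vtUnLdDu.dll beside uDdLnUtv.ini), with the same DLL wired in as a BHO, a ShellExecuteHook, an mRun entry or an LSA authentication package in the "Pseudo HJT Report". The script below automates that cross-check. It is an added example written for this page, not code from BleepingComputer, DDS or Malwarebytes; it assumes only the line formats seen in the log above, and its sample input is a constructed subset of those lines. Two of the DLLs it flags (wvUljHxv, vtUnLdDu) are the ones the Malwarebytes log in reply #3 labels Trojan.Vundo.

```python
"""Triage helper for a DDS log of the kind posted in this thread.

Pairs random-named DLLs under system32 from the 'Created Last 30' section
with the reversed-name .ini/.ini2 companions beside them, and notes which
load points in the 'Pseudo HJT Report' (BHO, SEH, mRun, LSA ...) reference
those DLLs.  Added example for this page; not code from BleepingComputer,
DDS or Malwarebytes.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the thread's first DDS log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {fb875729-3973-458d-9184-ac9e1d1389fb} - c:\windows\system32\wvUljHxv.dll
mRun: [MSServer] rundll32.exe c:\windows\system32\urqPjJBq.dll,#1
mRun: [60df027b] rundll32.exe "c:\windows\system32\ruivpore.dll",b
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\urqPjJBq.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUljHxv

=============== Created Last 30 ================

2008-12-29 18:28 1,757,993 ---sh--- c:\windows\system32\stkfltll.ini
2008-12-29 18:28 69,120 a------- c:\windows\system32\lltlfkts.dll
2008-12-29 18:20 36,864 a------- c:\windows\system32\urqPjJBq.dll
2008-12-27 13:52 649,695 a--sh--- c:\windows\system32\uDdLnUtv.ini2
2008-12-27 13:52 649,695 a--sh--- c:\windows\system32\uDdLnUtv.ini
2008-12-27 13:52 236,032 a------- c:\windows\system32\vtUnLdDu.dll
2008-12-25 13:37 462,401 a--sh--- c:\windows\system32\vxHjlUvw.ini2
2008-12-25 13:37 462,401 a--sh--- c:\windows\system32\vxHjlUvw.ini
2008-12-25 13:37 236,032 a------- c:\windows\system32\wvUljHxv.dll
2008-12-20 06:59 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2008-12-17 21:58 410,984 a------- c:\windows\system32\deploytk.dll
"""

# One 'Created Last 30' entry: date, time, size (or <DIR>), attribute flags, path.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Load-point lines of the Pseudo HJT report that can name a module.
LOAD_RE = re.compile(r"^(?P<kind>BHO|SEH|mRun|mRunOnce|uRun|LSA):\s*(?P<rest>.*)$")
# A system32 module name inside a load-point line; the LSA line omits the .dll suffix.
SYS32_REF_RE = re.compile(
    r"[a-z]:\\windows\\system32\\([a-z0-9_]+)(?:\.dll)?(?![\w\\])", re.IGNORECASE
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def stem_and_ext(path):
    stem, _, ext = basename(path).partition(".")
    return stem, ext.lower()


def parse_created(text):
    """Return the 'Created Last 30' entries as dicts (date, time, size, attrs, path)."""
    matches = (CREATED_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_load_points(text):
    """Map lower-cased system32 module stems to the load-point kinds that reference them."""
    refs = defaultdict(list)
    for line in text.splitlines():
        m = LOAD_RE.match(line.strip())
        if m:
            for stem in SYS32_REF_RE.findall(m.group("rest")):
                refs[stem.lower()].append(m.group("kind"))
    return refs


def triage(text):
    """Return {dll_stem: [reasons]} for recently created system32 DLLs worth a closer look."""
    entries = parse_created(text)
    refs = parse_load_points(text)
    companions = defaultdict(list)  # lower-cased stem -> .ini/.ini2 entries
    for e in entries:
        stem, ext = stem_and_ext(e["path"])
        if ext in ("ini", "ini2"):
            companions[stem.lower()].append(e)
    findings = {}
    for e in entries:
        stem, ext = stem_and_ext(e["path"])
        if ext != "dll" or "\\system32\\" not in e["path"].lower():
            continue
        reasons = []
        # Pairing seen in the thread: DLL 'wvUljHxv' next to hidden 'vxHjlUvw.ini'.
        for comp in companions.get(stem[::-1].lower(), []):
            hidden = "s" in comp["attrs"] and "h" in comp["attrs"]
            reasons.append("reversed-name companion %s%s"
                           % (basename(comp["path"]), " (hidden+system)" if hidden else ""))
        for kind in refs.get(stem.lower(), []):
            reasons.append("referenced by %s load point" % kind)
        if reasons:
            findings[stem] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOG).items():
        print(dll + ".dll")
        for reason in reasons:
            print("   -", reason)
```

Run it on a full DDS log pasted into SAMPLE_LOG (or read from a file) and it lists each candidate DLL with why it was flagged; a legitimate recent DLL such as deploytk.dll, with no companion and no load point, is left out. The reversed-name heuristic is deliberately narrow: it is meant to shortlist files for a scanner, not to replace one.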




#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:36 PM

Posted 30 December 2008 - 09:34 AM

Hello Tia4Eva and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let
MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted - And make a difference

#3 TIA4EVA
  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:36 AM

Posted 30 December 2008 - 04:47 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1579
Windows 6.0.6001 Service Pack 1

31/12/2008 6:41:55 AM
mbam-log-2008-12-31 (06-41-55).txt

Scan type: Quick Scan
Objects scanned: 50723
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\ruivpore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\wvUljHxv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\ssqRIASk.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a66808cb-acb0-46d7-aa97-2fffcdaf10cf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a66808cb-acb0-46d7-aa97-2fffcdaf10cf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a66808cb-acb0-46d7-aa97-2fffcdaf10cf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60df027b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvuljhxv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvuljhxv -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\wvUljHxv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\vxHjlUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\vxHjlUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\cbXOgfDW.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\WDfgOXbc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\WDfgOXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\efcAtRHw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\wHRtAcfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\wHRtAcfe.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\khfCSKdc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\cdKSCfhk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\cdKSCfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ruivpore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\eropviur.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\vtUnLdDu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\uDdLnUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\uDdLnUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ssqRIASk.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\cbXPjgGv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\cbXRheeb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00008e26 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp0000900b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00009366 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp000093f3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp0000951b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp0000952b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00009b07 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00009d1a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp0000a122 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp0000a43e (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp0000aa0b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00008627 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00008a1f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00008caf (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\TJ\AppData\Local\Temp\tmp00008d2c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pmnkLDvU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

DDS (Version 1.1.0) - NTFSx86
Run by TJ at 6:43:55.20 on Wed 31/12/2008
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.2047.1251 [GMT 9:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Razer\Krait\razerhid.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Westnet Usage Grabber\wug.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\ehome\ehmsas.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Razer\Krait\razerofa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
D:\Users\TJ\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://mail.google.com/mail/?shva=1#inbox
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {a66808cb-acb0-46d7-aa97-2fffcdaf10cf} - c:\windows\system32\wvUljHxv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Krait] c:\program files\razer\krait\razerhid.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSServer] rundll32.exe c:\windows\system32\ssqRIASk.dll,#1
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\tj\appdata\roaming\micros~1\windows\startm~1\programs\startup\westne~1.lnk - c:\program files\westnet usage grabber\wug.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download Using &BitSpirit - c:\program files\bitspirit\bsurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: ÓñÈÌؾ«ÁéÏÂÔØ(&:thumbsup:
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {9F836C26-7392-413F-A8BA-026EDE413499} = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqRIASk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUljHxv

================= FIREFOX ===================

FF - ProfilePath - c:\users\tj\appdata\roaming\mozilla\firefox\profiles\69oyzzil.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R2 ekrn;Eset Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-2-20 472320]
R3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [2008-11-2 13324]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-31 38496]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2006-11-2 9216]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\common files\creative labs shared\service\CTAELicensing.exe" [2008-11-2 79360]

=============== Created Last 30 ================

2008-12-31 06:43 371 a--sh--- c:\windows\system32\vxHjlUvw.ini2
2008-12-31 06:43 371 a--sh--- c:\windows\system32\vxHjlUvw.ini
2008-12-31 06:42 1,759,230 ---sh--- c:\windows\system32\eropviur.ini
2008-12-31 06:36 <DIR> --d----- c:\users\tj\appdata\roaming\Malwarebytes
2008-12-31 06:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 06:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 06:36 <DIR> --d----- c:\programdata\Malwarebytes
2008-12-31 06:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 06:36 <DIR> --d----- c:\progra~2\Malwarebytes
2008-12-31 06:27 36,864 -------- c:\windows\system32\ssqRIASk.dll
2008-12-29 21:31 69,120 -------- c:\windows\system32\ruivpore.dll
2008-12-29 18:28 1,757,993 ---sh--- c:\windows\system32\stkfltll.ini
2008-12-28 21:05 1,757,993 ---sh--- c:\windows\system32\wghjwewg.ini
2008-12-28 12:58 192,307 a------- C:\wubildr
2008-12-28 12:58 8,192 a------- C:\wubildr.mbr
2008-12-28 10:49 1,757,993 ---sh--- c:\windows\system32\xvrbmoxp.ini
2008-12-28 01:35 1,752,114 ---sh--- c:\windows\system32\lqfmeqqt.ini
2008-12-28 01:17 1,752,120 ---sh--- c:\windows\system32\wlrairrd.ini
2008-12-27 00:39 1,664,085 ---sh--- c:\windows\system32\yeevsgqv.ini
2008-12-26 23:00 <DIR> --d----- c:\users\tj\Tim's Backup
2008-12-26 18:01 <DIR> --d----- c:\programdata\Symantec
2008-12-26 18:01 <DIR> --d----- c:\progra~2\Symantec
2008-12-26 17:55 1,664,085 ---sh--- c:\windows\system32\hevxvnhy.ini
2008-12-26 17:41 1,664,085 ---sh--- c:\windows\system32\gadokckq.ini
2008-12-26 11:13 1,664,085 ---sh--- c:\windows\system32\bvdokcfa.ini
2008-12-26 00:36 1,664,085 ---sh--- c:\windows\system32\vgybqjki.ini
2008-12-26 00:18 <DIR> --d----- c:\windows\system32\Adobe
2008-12-25 13:51 <DIR> --d----- c:\program files\DVDInfoPro
2008-12-25 13:37 236,032 -------- c:\windows\system32\wvUljHxv.dll
2008-12-25 06:14 <DIR> --d----- C:\Downloads
2008-12-22 11:40 61,440 a------- C:\incating.exe
2008-12-20 14:33 <DIR> --d----- c:\users\tj\appdata\roaming\BitSpirit
2008-12-20 14:32 <DIR> --d----- c:\program files\BitSpirit
2008-12-20 14:23 <DIR> --d----- c:\users\tj\appdata\roaming\LimeWire
2008-12-20 07:00 <DIR> --d----- c:\users\tj\appdata\roaming\TrueCrypt
2008-12-20 06:59 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2008-12-20 06:58 <DIR> --d----- c:\program files\TrueCrypt
2008-12-20 01:51 53,964 a------- c:\windows\system32\netathr.inf
2008-12-20 01:51 695,808 a------- c:\windows\system32\drivers\athr.sys
2008-12-20 01:51 695,808 a------- c:\windows\system32\athr.sys
2008-12-20 01:51 <DIR> --d----- c:\windows\Options
2008-12-20 01:51 <DIR> --d----- c:\program files\TP-LINK
2008-12-17 22:01 <DIR> --d----- c:\program files\Bonjour
2008-12-17 21:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 22:22 2,108,068 a------- c:\windows\system32\cl32.dll
2008-12-12 22:22 1,071,088 a------- c:\windows\system32\MSComctl.OCX
2008-12-12 22:22 1,009,336 a------- c:\windows\system32\MSCHRT20.OCX
2008-12-12 22:22 98,304 a------- c:\windows\system32\VBAlDTab6.OCX
2008-12-12 22:22 41,008 a------- c:\windows\system32\DCSysTray.ocx
2008-12-12 22:22 40,960 a------- c:\windows\system32\ssubtmr6.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 22:33 <DIR> --d----- c:\programdata\Real
2008-12-11 22:33 <DIR> --d----- c:\program files\K-Lite Codec Pack
2008-12-11 20:25 27,864 a------- c:\windows\system32\athrext.cat
2008-12-11 20:24 <DIR> --d----- c:\programdata\TP-LINK
2008-12-11 20:24 <DIR> --d----- c:\progra~2\TP-LINK
2008-12-10 17:27 2,048 a------- c:\windows\system32\tzres.dll
2008-12-09 01:35 <DIR> --d----- c:\users\tj\appdata\roaming\FrostWire
2008-12-04 10:38 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-04 10:38 1,409 a------- c:\windows\QTFont.for
2008-12-04 08:20 413,760 a------- c:\windows\system32\mpg4c32.dll
2008-12-04 08:20 1,415,680 a------- c:\windows\system32\WMV9VCM.dll
2008-12-04 08:20 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-04 08:20 245,408 a------- c:\windows\system32\unicows.dll
2008-12-04 08:20 19,968 a------- c:\windows\system32\cpuinf32.dll
2008-12-01 07:02 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-01 07:02 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-01 07:01 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-01 07:01 31,232 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2008-12-20 01:51 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-20 01:51 51,200 a------- c:\windows\inf\infpub.dat
2008-12-20 01:51 86,016 a------- c:\windows\inf\infstor.dat
2008-11-24 23:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-13 12:18 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-02 22:30 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-11-02 22:30 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-11-01 12:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 12:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 12:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 12:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 12:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 12:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 10:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 15:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-29 07:35 684,032 a------- c:\windows\system32\divx.dll
2008-10-22 12:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 14:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 14:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 13:47 827,392 a------- c:\windows\system32\wininet.dll
2008-09-07 00:48 87,608 a------- c:\users\tj\appdata\roaming\inst.exe
2008-09-07 00:48 47,360 a------- c:\users\tj\appdata\roaming\pcouffin.sys
2008-09-06 22:05 174 a--sh--- c:\program files\desktop.ini
2008-09-06 18:38 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 21:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 21:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 21:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 21:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 18:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 18:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 18:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 18:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 23:58 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 6:44:47.43 ===============




#4 Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:36 PM

Posted 30 December 2008 - 05:02 PM

Hello Tia4Eva,

No need to post a DDS log each time. :thumbsup:

Did you run ComboFix yet?
If so, can you post the log please? (It can also be found at C:\ComboFix.txt.)

Greetings,
Thunder

#5 TIA4EVA
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:36 AM

Posted 30 December 2008 - 05:11 PM

ComboFix 08-12-29.02 - TJ 2008-12-31 6:53:27.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2047.1390 [GMT 9:00]
Running from: d:\users\TJ\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\TJ\AppData\Roaming\inst.exe
c:\windows\system32\bvdokcfa.ini
c:\windows\system32\gadokckq.ini
c:\windows\system32\hevxvnhy.ini
c:\windows\system32\lqfmeqqt.ini
c:\windows\system32\mpg4c32.dll
c:\windows\system32\stkfltll.ini
c:\windows\system32\vgybqjki.ini
c:\windows\system32\wghjwewg.ini
c:\windows\system32\wlrairrd.ini
c:\windows\system32\xvrbmoxp.ini
c:\windows\system32\yeevsgqv.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-31 06:36 . 2008-12-31 06:36 <DIR> d-------- c:\users\TJ\AppData\Roaming\Malwarebytes
2008-12-31 06:36 . 2008-12-31 06:36 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-31 06:36 . 2008-12-31 06:36 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-31 06:36 . 2008-12-31 06:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 06:36 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-31 06:36 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-28 12:58 . 2008-10-28 02:37 192,307 --a------ C:\wubildr
2008-12-28 12:58 . 2008-10-28 02:37 8,192 --a------ C:\wubildr.mbr
2008-12-26 23:00 . 2008-12-26 23:17 <DIR> d-------- c:\users\TJ\Tim's Backup
2008-12-26 18:01 . 2008-12-27 00:21 <DIR> d-------- c:\users\All Users\Symantec
2008-12-26 18:01 . 2008-12-27 00:21 <DIR> d-------- c:\programdata\Symantec
2008-12-26 00:18 . 2008-12-29 21:55 <DIR> d-------- c:\windows\System32\Adobe
2008-12-25 13:51 . 2008-12-25 13:52 <DIR> d-------- c:\program files\DVDInfoPro
2008-12-25 06:14 . 2008-12-25 13:51 <DIR> d-------- C:\Downloads
2008-12-22 11:40 . 2008-12-22 11:40 61,440 --a------ C:\incating.exe
2008-12-21 12:52 . 2008-12-21 12:54 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-20 14:33 . 2008-12-20 14:33 <DIR> d-------- c:\users\TJ\AppData\Roaming\BitSpirit
2008-12-20 14:32 . 2008-12-20 14:32 <DIR> d-------- c:\program files\BitSpirit
2008-12-20 14:23 . 2008-12-20 14:28 <DIR> d-------- c:\users\TJ\AppData\Roaming\LimeWire
2008-12-20 07:00 . 2008-12-20 07:04 <DIR> d-------- c:\users\TJ\AppData\Roaming\TrueCrypt
2008-12-20 06:59 . 2008-12-20 06:59 215,872 --a------ c:\windows\System32\drivers\truecrypt.sys
2008-12-20 06:58 . 2008-12-20 06:59 <DIR> d-------- c:\program files\TrueCrypt
2008-12-20 01:51 . 2008-12-20 01:51 <DIR> d-------- c:\windows\Options
2008-12-20 01:51 . 2008-12-20 01:51 <DIR> d-------- c:\program files\TP-LINK
2008-12-20 01:51 . 2007-03-05 23:30 695,808 --a------ c:\windows\System32\drivers\athr.sys
2008-12-20 01:51 . 2007-03-05 23:30 695,808 --a------ c:\windows\System32\athr.sys
2008-12-20 01:51 . 2007-06-18 10:54 53,964 --a------ c:\windows\System32\netathr.inf
2008-12-17 22:01 . 2008-12-17 22:01 <DIR> d-------- c:\program files\Bonjour
2008-12-17 21:58 . 2008-12-17 21:58 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-12 22:22 . 2003-11-06 14:09 2,108,068 --a------ c:\windows\System32\cl32.dll
2008-12-12 22:22 . 2005-04-15 22:58 1,071,088 --a------ c:\windows\System32\MSComctl.OCX
2008-12-12 22:22 . 2000-05-22 00:00 1,009,336 --a------ c:\windows\System32\MSCHRT20.OCX
2008-12-12 22:22 . 2003-04-27 19:04 98,304 --a------ c:\windows\System32\VBAlDTab6.OCX
2008-12-12 22:22 . 1999-12-14 12:57 41,008 --a------ c:\windows\System32\DCSysTray.ocx
2008-12-12 22:22 . 2003-01-26 13:41 40,960 --a------ c:\windows\System32\ssubtmr6.dll
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\System32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\System32\dnssd.dll
2008-12-11 22:33 . 2008-12-11 22:33 <DIR> d-------- c:\users\All Users\Real
2008-12-11 22:33 . 2008-12-11 22:33 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-11 21:18 . 2008-12-11 21:18 <DIR> d-------- c:\program files\FLV Player
2008-12-11 20:25 . 2007-03-12 05:29 27,864 --a------ c:\windows\System32\athrext.cat
2008-12-11 20:24 . 2008-12-11 20:24 <DIR> d-------- c:\users\All Users\TP-LINK
2008-12-11 20:24 . 2008-12-11 20:24 <DIR> d-------- c:\programdata\TP-LINK
2008-12-10 17:27 . 2008-10-22 10:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-09 01:35 . 2008-12-20 14:20 <DIR> d-------- c:\users\TJ\AppData\Roaming\FrostWire
2008-12-06 11:37 . 2008-12-06 11:37 <DIR> d-------- c:\users\TJ\AppData\Roaming\Media Player Classic
2008-12-04 10:38 . 2008-12-11 19:52 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-04 10:38 . 2008-12-04 10:38 1,409 --a------ c:\windows\QTFont.for
2008-12-04 08:20 . 2003-06-23 02:44 1,415,680 --a------ c:\windows\System32\WMV9VCM.dll
2008-12-04 08:20 . 2004-01-12 00:00 348,160 --a------ c:\windows\System32\msvcr71.dll
2008-12-04 08:20 . 2003-04-21 15:09 245,408 --a------ c:\windows\System32\unicows.dll
2008-12-04 08:20 . 2001-09-17 13:20 19,968 --a------ c:\windows\System32\cpuinf32.dll
2008-12-01 07:02 . 2008-10-17 06:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-01 07:02 . 2008-10-17 05:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-01 07:02 . 2008-10-17 06:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-01 07:02 . 2008-10-17 05:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-01 07:02 . 2008-10-17 06:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-01 07:02 . 2008-10-17 06:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-01 07:02 . 2008-10-17 06:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-01 07:01 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-01 07:01 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-29 22:31 . 2008-11-29 22:31 <DIR> d-------- c:\users\TJ\Documents
2008-11-28 09:25 . 2008-12-10 00:57 <DIR> d-------- c:\users\All Users\eMule
2008-11-28 09:25 . 2008-12-10 00:57 <DIR> d-------- c:\programdata\eMule
2008-11-27 11:37 . 2008-10-21 14:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-27 11:37 . 2008-08-28 12:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-27 11:37 . 2008-08-28 12:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-27 11:37 . 2008-08-28 12:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-27 11:37 . 2008-10-22 12:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-24 21:24 . 2008-11-24 21:25 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 21:24 . 2008-11-24 21:25 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 21:24 . 2008-11-24 21:25 <DIR> d-------- c:\program files\iTunes
2008-11-24 21:24 . 2008-11-24 21:24 <DIR> d-------- c:\program files\iPod
2008-11-24 21:22 . 2008-12-11 22:17 <DIR> d-------- c:\program files\QuickTime
2008-11-16 02:14 . 2008-11-16 07:22 <DIR> d-------- c:\users\All Users\Lavasoft
2008-11-16 02:14 . 2008-11-16 07:22 <DIR> d-------- c:\programdata\Lavasoft
2008-11-16 02:14 . 2008-11-16 02:14 <DIR> d-------- c:\program files\Lavasoft
2008-11-16 02:13 . 2008-11-16 02:13 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-13 12:18 . 2008-11-13 12:18 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-12 23:00 . 2008-09-10 12:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-12 23:00 . 2008-09-05 14:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-12 23:00 . 2008-08-27 10:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-10 19:03 . 2008-11-10 19:03 <DIR> d-------- c:\program files\Apple Software Update
2008-11-10 19:02 . 2008-11-10 19:02 <DIR> d----c--- c:\windows\System32\DRVSTORE
2008-11-10 19:02 . 2008-11-10 19:02 <DIR> d-------- c:\users\TJ\AppData\Roaming\Apple Computer
2008-11-10 19:02 . 2008-04-17 13:12 107,368 --a------ c:\windows\System32\GEARAspi.dll
2008-11-10 19:02 . 2008-04-17 13:12 15,464 --a------ c:\windows\System32\drivers\GEARAspiWDM.sys
2008-11-10 18:43 . 2008-11-24 21:24 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-07 17:56 . 2008-11-24 21:24 <DIR> d-------- c:\users\All Users\Apple Computer
2008-11-07 17:56 . 2008-11-24 21:24 <DIR> d-------- c:\programdata\Apple Computer
2008-11-07 17:55 . 2008-11-07 17:55 <DIR> d-------- c:\users\All Users\Apple
2008-11-07 17:55 . 2008-11-07 17:55 <DIR> d-------- c:\programdata\Apple
2008-11-07 17:29 . 2008-12-26 01:00 <DIR> d-------- c:\program files\Magic Video Converter
2008-11-07 17:29 . 2004-05-26 21:37 719,872 --a------ c:\windows\System32\devil.dll
2008-11-07 17:29 . 2003-03-19 11:03 544,768 --a------ c:\windows\System32\msvcr71d.dll
2008-11-07 17:29 . 2002-01-05 14:37 344,064 --a------ c:\windows\System32\msvcr70.dll
2008-11-07 17:29 . 2006-09-16 19:44 314,368 --a------ c:\windows\System32\avisynth.dll
2008-11-03 00:41 . 2008-11-03 00:41 1,080 --a------ c:\windows\System32\settingsbkup.sfm
2008-11-03 00:41 . 2008-11-03 00:41 1,080 --a------ c:\windows\System32\settings.sfm
2008-11-02 22:42 . 2008-11-02 22:42 <DIR> d-------- c:\users\All Users\Creative Labs
2008-11-02 22:42 . 2008-11-02 22:42 <DIR> d-------- c:\programdata\Creative Labs
2008-11-02 22:35 . 2008-12-31 06:48 55,084 --a------ c:\windows\System32\BMXStateBkp-{00000003-00000000-00000006-00001102-00000005-00211102}.rfx
2008-11-02 22:35 . 2008-12-31 06:48 55,084 --a------ c:\windows\System32\BMXState-{00000003-00000000-00000006-00001102-00000005-00211102}.rfx
2008-11-02 22:35 . 2008-12-31 06:48 788 --a------ c:\windows\System32\DVCState-{00000003-00000000-00000006-00001102-00000005-00211102}.rfx
2008-11-02 22:30 . 2008-11-02 22:42 <DIR> d-------- c:\users\All Users\Creative
2008-11-02 22:30 . 2008-11-02 22:42 <DIR> d-------- c:\programdata\Creative
2008-11-02 22:30 . 2008-11-02 22:30 <DIR> d-------- c:\program files\OpenAL
2008-11-02 22:30 . 2008-11-02 22:31 <DIR> d-------- c:\program files\Creative
2008-11-02 22:30 . 2008-11-02 22:30 <DIR> d-------- c:\program files\Common Files\Creative Labs Shared
2008-11-02 22:30 . 2008-11-02 22:30 413,696 --a------ c:\windows\System32\wrap_oal.dll
2008-11-02 22:30 . 2008-11-02 22:30 110,592 --a------ c:\windows\System32\OpenAL32.dll
2008-11-02 22:30 . 2007-02-26 15:24 94,208 --a------ c:\windows\System32\cttele32.dll
2008-11-02 22:29 . 2007-08-28 10:22 108,544 --a------ c:\windows\System32\APOMngr.DLL
2008-11-02 22:29 . 2007-05-28 11:28 69,120 --a------ c:\windows\System32\CmdRtr.DLL
2008-11-02 22:29 . 2008-11-02 22:29 87 -rah----- c:\windows\ctfile.rfc
2008-11-02 22:28 . 2008-11-02 22:29 <DIR> d-------- c:\windows\System32\Data
2008-11-02 22:28 . 2008-07-11 15:53 11,776 --a------ c:\windows\INRES.DLL
2008-11-02 22:12 . 2008-11-02 22:12 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-11-02 22:12 . 2008-07-15 01:08 24,089,151 --a------ c:\windows\System32\AppSetup.exe
2008-11-02 22:11 . 2008-11-02 22:11 <DIR> d-------- c:\program files\Razer
2008-11-02 22:11 . 2005-12-08 13:43 65,536 --a------ c:\windows\System32\krait.cpl
2008-11-02 22:11 . 2005-12-07 17:27 13,324 --a------ c:\windows\System32\drivers\krait.sys
2008-11-02 22:09 . 2008-11-02 22:09 <DIR> d-------- c:\users\TJ\AppData\Roaming\InstallShield
2008-11-02 20:31 . 2008-11-02 20:31 <DIR> d-------- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 21:49 --------- d-----w c:\users\TJ\AppData\Roaming\DNA
2008-12-30 21:49 --------- d-----w c:\program files\DNA
2008-12-27 02:56 --------- d-----w c:\users\TJ\AppData\Roaming\Vso
2008-12-20 05:22 --------- d-----w c:\users\TJ\AppData\Roaming\Shareaza
2008-12-19 16:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 12:58 --------- d-----w c:\program files\Java
2008-12-12 13:22 --------- d-----w c:\program files\Westnet Usage Grabber
2008-12-10 08:32 --------- d-----w c:\program files\Windows Mail
2008-12-10 08:31 --------- d-----w c:\programdata\Microsoft Help
2008-12-03 23:20 --------- d-----w c:\program files\DivX
2008-11-24 14:32 57,344 ----a-w c:\windows\System32\ff_vfw.dll
2008-11-14 17:25 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-31 04:50 --------- d-----w c:\users\TJ\AppData\Roaming\BitTorrent
2008-10-30 13:26 --------- d-----w c:\users\TJ\AppData\Roaming\OpenOffice.org2
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-28 22:35 684,032 ----a-w c:\windows\System32\divx.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 07:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\System32\dpl100.dll
2008-09-19 21:57 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-06 15:48 47,360 ----a-w c:\users\TJ\AppData\Roaming\pcouffin.sys
2008-09-06 13:05 174 --sha-w c:\program files\desktop.ini
2008-09-06 08:05 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-06 08:05 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-05 02:27 269,312 ----a-w c:\windows\System32\es.dll
2008-09-05 02:24 988,216 ----a-w c:\windows\System32\winload.exe
2008-09-05 02:24 927,288 ----a-w c:\windows\System32\winresume.exe
2008-09-05 02:24 615,992 ----a-w c:\windows\System32\ci.dll
2008-09-05 02:24 6,656 ----a-w c:\windows\System32\kbd106n.dll
2008-09-05 02:24 46,592 ----a-w c:\windows\System32\setbcdlocale.dll
2008-09-05 02:24 40,960 ----a-w c:\windows\System32\srclient.dll
2008-09-05 02:24 378,368 ----a-w c:\windows\System32\srcore.dll
2008-09-05 02:24 318,464 ----a-w c:\windows\System32\rstrui.exe
2008-09-05 02:24 19,000 ----a-w c:\windows\System32\kd1394.dll
2008-09-05 02:24 14,848 ----a-w c:\windows\System32\srdelayed.exe
2008-09-04 00:59 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-09-04 00:59 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-09-04 00:59 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-09-04 00:59 272,896 ----a-w c:\windows\System32\polstore.dll
2008-09-04 00:30 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-09-04 00:28 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-09-04 00:27 1,695,744 ----a-w c:\windows\System32\gameux.dll
2008-09-04 00:26 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-09-04 00:26 738,304 ----a-w c:\windows\System32\inetcomm.dll
2008-09-04 00:25 1,314,816 ----a-w c:\windows\System32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"Krait"="c:\program files\Razer\Krait\razerhid.exe" [2007-02-16 126976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 c:\windows\System32\Ctxfihlp.exe]

c:\users\TJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Westnet Usage Grabber.lnk - c:\program files\Westnet Usage Grabber\wug.exe [2008-12-12 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3737038783-2961344820-3662135125-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{309B1284-326B-4B8B-A9E4-2D46426765BF}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{0CFBC4DE-A3DE-4B54-A97E-741B48521F65}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{C7BD934E-4773-4F19-9B05-A2E447CD4404}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"UDP Query User{9196C464-85FB-4EB1-9D10-23A403B9AF58}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"{CE4106EB-80F0-4D45-9F54-24DC4A093BEF}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{449A6119-4D93-4ABF-83F3-2943260AF522}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{75CE616D-A23C-4F33-952F-324142542765}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{06DC48C3-0DCC-4E6F-A43E-031FB541237C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D821FE10-42A2-445F-8565-40B19FE5D0FA}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4A01BBCB-27C0-4382-8805-C878151CD0DE}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{692863F4-44CB-4060-AE3D-86B4FE284685}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BDFEFBC3-C3DC-4053-9127-3C2DF7F49268}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DFA826B5-D857-48A5-AE14-FA27C489F628}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{42500E91-F396-491E-9145-45EDC88B54ED}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2A7974AD-08C4-48FF-88B4-E6A9DF4104AE}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{5344FE90-8A07-4043-857F-7B1310DFD154}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{F29B1FF4-8076-45FA-809F-1AE423F75D74}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{2611BF32-F5CB-4765-8247-D6B1537D4305}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"{7FA1E237-E9EF-4B2D-B576-F1B57FCDEEB0}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{FB823CD7-8310-438C-847F-E7493D53C0AF}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{DAB00A2D-0F7D-4B5F-B027-3888DE3112D3}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{35E4221D-9A3A-4367-B8A5-C6CA3C390151}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{4B19594A-E561-4039-8FE3-725FA55C21D4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0138AE85-4DA9-40C0-B05F-6BCC0DAAD9DC}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CC95693E-079E-45DE-A4E5-3E7F3E765A41}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3CF4DCC9-FB8D-4028-A6FC-3EB42769964C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7BDBABEA-39BA-4DCB-838B-D34625346FD2}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{C17895A7-19EE-4E1C-BB43-0C6CDA47428E}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{89247264-05E3-4A24-A750-CF6C765357F4}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{3E0BC6FE-9FB9-4801-AE05-07A5EDB3E98D}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{94831947-85F5-4EB2-8D3D-DDCA34D75C24}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{48CD53BD-EDAE-4951-8D80-5D8A009449EE}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{9B692C6B-4D5E-4203-873C-87F182BC3642}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{5808F904-890F-47AC-B363-38F35890FFF6}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{C942580E-B0FD-4F3C-B671-B3E219A799AF}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{C94B4E55-8730-4523-A537-58249E680B2B}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{82DEE409-78C6-43F6-ACC1-AD4D14D7B380}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{AD6A866D-9D92-47D4-96C9-1CE03270F30D}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{E4397465-7827-44B4-A3C1-6D20EAA64CBE}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{3E55E7FE-EC70-4721-A0B6-3FA8162E49EB}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{FEF70840-DB62-4C75-846F-29E69088AAA8}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{6A37FA9E-D650-4730-ABFC-4A1A5864B919}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"= c:\program files\BitSpirit\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-02-20 472320]
R3 krait03;Razer krait USB Filter Driver;c:\windows\system32\Drivers\krait.sys [2008-11-02 13324]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2006-11-02 9216]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe" [2008-11-02 79360]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\xzewvkoj.job
- c:\windows\system32\rundll32.exe [2006-11-02 18:45]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 06:55:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-31 7:09:57
ComboFix-quarantined-files.txt 2008-12-30 22:09:54

Pre-Run: 1,428,123,648 bytes free
Post-Run: 1,504,088,064 bytes free

319 --- E O F --- 2008-12-19 12:39:02

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:36 PM

Posted 30 December 2008 - 05:37 PM

Hello Tia4Eva,

We're closing in. :thumbsup:

Please go to http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\incating.exe
Then click on 'Send File'.
Post the results into your next reply.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 TIA4EVA

  • Topic Starter
  • Members
  • 4 posts
  • Local time:04:36 AM

Posted 31 December 2008 - 11:56 PM

I actually reformatted my computer because after those steps I took I didn't have an internet connection. My OS was on another partition so it was fairly easy. Thanks for all the help anyway.

#8 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:36 PM

Posted 01 January 2009 - 07:39 AM

Hello Tia4Eva,

That's another way to solve your problem. :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place,
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
