boopme said come here

#1 mkgphoto

Posted 31 December 2008 - 05:19 PM

hi, i had some malware that was removed and i'm just following up on some instructions by one of your VERY helpful pros.

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/190712/google-redirects-and-general-funnyness/ ~ OB

i might not be infected with a virus, but i'd like somebody to take a look just to be sure. i know some processes are legitimate and others are trojans depending on where they are, but i don't know enough to determine that. any help in cleaning up my registry/infections is greatly appreciated.

thank you for all you do.

Kurt


DDS (Version 1.1.0) - NTFSx86
Run by MKG at 16:04:24.32 on Wed 12/31/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.167 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\MKG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\MKG\Desktop\bleepingcomputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Start WingMan Profiler]
uRun: [Google Update] "c:\documents and settings\mkg\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-28 26824]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 231704]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2006-9-12 61526]

=============== Created Last 30 ================

2008-12-30 16:00 --d----- c:\docume~1\mkg\applic~1\Malwarebytes
2008-12-30 16:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 16:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 16:00 --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:00 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 15:52 79 a------- c:\windows\wininit.ini
2008-12-17 01:07 --d----- c:\program files\Ziosoft
2008-12-09 14:16 --d----- c:\windows\system32\appmgmt
2008-12-09 13:31 --d----- c:\windows\system32\RegVac
2008-12-09 13:30 --d----- c:\program files\RegVac Registry Cleaner

==================== Find3M ====================

2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2007-04-19 01:07 92,064 ac------ c:\documents and settings\mkg\mqdmmdm.sys
2007-04-19 01:07 79,328 ac------ c:\documents and settings\mkg\mqdmserd.sys
2007-04-19 01:07 9,232 ac------ c:\documents and settings\mkg\mqdmmdfl.sys
2007-04-19 01:07 5,936 ac------ c:\documents and settings\mkg\mqdmwhnt.sys
2007-04-19 01:07 66,656 ac------ c:\documents and settings\mkg\mqdmbus.sys
2007-04-19 01:07 25,600 ac------ c:\documents and settings\mkg\usbsermptxp.sys
2007-04-19 01:07 22,768 ac------ c:\documents and settings\mkg\usbsermpt.sys
2007-04-19 01:07 6,208 ac------ c:\documents and settings\mkg\mqdmcmnt.sys
2007-04-19 01:07 4,048 ac------ c:\documents and settings\mkg\mqdmcr.sys
2007-03-25 14:42 81,920 ac------ c:\docume~1\mkg\applic~1\ezpinst.exe
2007-03-25 14:42 47,360 ac------ c:\docume~1\mkg\applic~1\pcouffin.sys
2005-05-13 16:12 217,073 ac-shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 ac-shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 ac-shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 ac-shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 ac-shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 ac-shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 ac-shr-- c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 ac-shr-- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 ac-shr-- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-09-27 22:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 16:05:35.10 ===============

Edited by Orange Blossom, 31 December 2008 - 08:11 PM.


#2 PropagandaPanda (Malware Response Team)

Posted 07 January 2009 - 12:01 PM

Hello.

Looks like most of it was taken care of. Let's see what we can find.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 mkgphoto (Topic Starter)

Posted 08 January 2009 - 02:11 PM

thanks so much The Panda.

ok, i did what you asked, and here are my two logs you requested (since i have not used HJT for this request, i simply reran DDS and posted that log - i also attached the "attach" log just in case you needed that, too).

thank you very much again for your help.

Kurt

ComboFix 09-01-08.01 - MKG 2009-01-08 12:53:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.209 [GMT -6:00]
Running from: c:\documents and settings\MKG\Desktop\bleepingcomputer\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\Readme.txt
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\system32\winsecurityxp
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-08 11:55 . 2009-01-08 11:55 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-08 11:55 . 2009-01-08 11:55 1,409 --a------ c:\windows\QTFont.for
2008-12-30 16:00 . 2008-12-30 16:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:00 . 2008-12-30 16:00 <DIR> d-------- c:\documents and settings\MKG\Application Data\Malwarebytes
2008-12-30 16:00 . 2008-12-30 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 16:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 16:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 15:52 . 2008-12-30 15:52 79 --a------ c:\windows\wininit.ini
2008-12-17 01:07 . 2008-12-17 01:11 <DIR> d-------- c:\program files\Ziosoft
2008-12-09 13:31 . 2008-12-09 13:31 <DIR> d-------- c:\windows\system32\RegVac
2008-12-09 13:30 . 2008-12-09 13:30 <DIR> d-------- c:\program files\RegVac Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 18:56 --------- d-----w c:\program files\GE Security Supra
2009-01-08 17:23 --------- d-----w c:\documents and settings\MKG\Application Data\WTablet
2008-12-30 22:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 19:33 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-20 19:35 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2008-12-19 07:37 --------- d-----w c:\documents and settings\MKG\Application Data\Azureus
2008-12-17 07:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-13 06:16 --------- d-----w c:\program files\Bodog Poker
2008-12-09 20:17 --------- d-----w c:\program files\Orb Networks
2008-12-09 20:15 --------- d-----w c:\program files\Macromedia
2008-12-09 20:15 --------- d-----w c:\program files\Common Files\Macromedia
2008-11-18 23:13 --------- d-----w c:\documents and settings\MKG\Application Data\romcenter
2008-11-10 21:14 --------- d-----w c:\program files\Free WMA to MP3 Converter
2008-11-09 05:25 --------- d-----w c:\documents and settings\MKG\Application Data\Audacity
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2007-04-19 07:07 92,064 -c--a-w c:\documents and settings\MKG\mqdmmdm.sys
2007-04-19 07:07 9,232 -c--a-w c:\documents and settings\MKG\mqdmmdfl.sys
2007-04-19 07:07 79,328 -c--a-w c:\documents and settings\MKG\mqdmserd.sys
2007-04-19 07:07 66,656 -c--a-w c:\documents and settings\MKG\mqdmbus.sys
2007-04-19 07:07 6,208 -c--a-w c:\documents and settings\MKG\mqdmcmnt.sys
2007-04-19 07:07 5,936 -c--a-w c:\documents and settings\MKG\mqdmwhnt.sys
2007-04-19 07:07 4,048 -c--a-w c:\documents and settings\MKG\mqdmcr.sys
2007-04-19 07:07 25,600 -c--a-w c:\documents and settings\MKG\usbsermptxp.sys
2007-04-19 07:07 22,768 -c--a-w c:\documents and settings\MKG\usbsermpt.sys
2007-03-25 20:42 81,920 -c--a-w c:\documents and settings\MKG\Application Data\ezpinst.exe
2007-03-25 20:42 47,360 -c--a-w c:\documents and settings\MKG\Application Data\pcouffin.sys
2005-05-13 22:12 217,073 -csha-r c:\windows\meta4.exe
2005-10-24 16:13 66,560 -csha-r c:\windows\MOTA113.exe
2005-10-14 02:27 422,400 -csha-r c:\windows\x2.64.exe
2005-10-08 00:14 308,224 -csha-r c:\windows\system32\avisynth.dll
2005-07-14 17:31 27,648 -csha-r c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 616,448 -csha-r c:\windows\system32\cygwin1.dll
2005-06-22 03:37 45,568 -csha-r c:\windows\system32\cygz.dll
2004-01-25 05:00 70,656 -csha-r c:\windows\system32\i420vfw.dll
2006-04-27 15:24 2,945,024 -csha-r c:\windows\system32\Smab.dll
2005-02-28 18:16 240,128 -csha-r c:\windows\system32\x.264.exe
2004-01-25 05:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
2008-09-28 04:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\MKG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-22 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-15 805392]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2006-09-18 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-22 19:08 450646 c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Frame from AVI v3.1 TRIAL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Frame from AVI v3.1 TRIAL.lnk
backup=c:\windows\pss\Frame from AVI v3.1 TRIAL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^MKG^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\MKG\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MKG^Start Menu^Programs^Startup^Frame from AVI v3.1 TRIAL.lnk]
path=c:\documents and settings\MKG\Start Menu\Programs\Startup\Frame from AVI v3.1 TRIAL.lnk
backup=c:\windows\pss\Frame from AVI v3.1 TRIAL.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2006-11-12 04:48 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2006-05-22 12:26 694272 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a--c--- 2007-06-25 07:47 1057064 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-22 10:12 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a--c--- 2007-06-25 07:47 1629480 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%SystemDir%\\winsecurityxp\\mswinup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2557:UDP"= 2557:UDP:Windows Media Format SDK (iexplore.exe)
"2556:UDP"= 2556:UDP:Windows Media Format SDK (iexplore.exe)
"2559:UDP"= 2559:UDP:Windows Media Format SDK (iexplore.exe)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-03 97928]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-03 231704]
R4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-09-12 61526]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDrec
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-682003330-725345543-1003.job
- c:\documents and settings\MKG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 18:30]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Start WingMan Profiler - (no file)
HKLM-Run-WatchDog - c:\program files\mobile PhoneTools\WatchDog.exe
MSConfigStartUp-NBCUniversal Media Manager Tray - c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en

c:\windows\system32\cpucheck.ocx - O16 -: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2}
hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
c:\windows\Downloaded Program Files\centrinodetect.inf

O16 -: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_6_0_15_Silent.cab
c:\windows\Downloaded Program Files\MediaSphere.inf

O16 -: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_9.cab
c:\windows\Downloaded Program Files\MediaSphere.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 12:56:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo R320 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-08 13:00:05
ComboFix-quarantined-files.txt 2009-01-08 18:58:45

Pre-Run: 11,269,828,608 bytes free
Post-Run: 11,723,182,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
226 --- E O F --- 2008-12-18 08:36:37


*******************************************************************************
********************end COMBOFIX log***************start DDS log*******************
*******************************************************************************


DDS (Version 1.1.0) - NTFSx86
Run by MKG at 13:03:34.76 on Thu 01/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.162 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\MKG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\MKG\Desktop\bleepingcomputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\mkg\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-28 26824]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 231704]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2006-9-12 61526]

=============== Created Last 30 ================

2009-01-08 12:50 <DIR> a-dshr-- C:\cmdcons
2009-01-08 12:49 161,792 a------- c:\windows\SWREG.exe
2009-01-08 12:49 98,816 a------- c:\windows\sed.exe
2009-01-08 11:55 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-08 11:55 1,409 a------- c:\windows\QTFont.for
2008-12-30 16:00 <DIR> --d----- c:\docume~1\mkg\applic~1\Malwarebytes
2008-12-30 16:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 16:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 16:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 15:52 79 a------- c:\windows\wininit.ini
2008-12-17 01:07 <DIR> --d----- c:\program files\Ziosoft
2008-12-09 14:16 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-09 13:31 <DIR> --d----- c:\windows\system32\RegVac
2008-12-09 13:30 <DIR> --d----- c:\program files\RegVac Registry Cleaner

==================== Find3M ====================

2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-04-19 01:07 92,064 ac------ c:\documents and settings\mkg\mqdmmdm.sys
2007-04-19 01:07 79,328 ac------ c:\documents and settings\mkg\mqdmserd.sys
2007-04-19 01:07 9,232 ac------ c:\documents and settings\mkg\mqdmmdfl.sys
2007-04-19 01:07 5,936 ac------ c:\documents and settings\mkg\mqdmwhnt.sys
2007-04-19 01:07 66,656 ac------ c:\documents and settings\mkg\mqdmbus.sys
2007-04-19 01:07 25,600 ac------ c:\documents and settings\mkg\usbsermptxp.sys
2007-04-19 01:07 22,768 ac------ c:\documents and settings\mkg\usbsermpt.sys
2007-04-19 01:07 6,208 ac------ c:\documents and settings\mkg\mqdmcmnt.sys
2007-04-19 01:07 4,048 ac------ c:\documents and settings\mkg\mqdmcr.sys
2007-03-25 14:42 81,920 ac------ c:\docume~1\mkg\applic~1\ezpinst.exe
2007-03-25 14:42 47,360 ac------ c:\docume~1\mkg\applic~1\pcouffin.sys
2005-05-13 16:12 217,073 ac-shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 ac-shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 ac-shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 ac-shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 ac-shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 ac-shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 ac-shr-- c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 ac-shr-- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 ac-shr-- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-09-27 22:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 13:03:58.67 ===============


Edited by mkgphoto, 08 January 2009 - 02:14 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 09 January 2009 - 08:08 AM

Sorry for the delay. Was busy yesterday.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    c:\windows\meta4.exe
    c:\windows\MOTA113.exe
    c:\windows\x2.64.exe
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the OTMoveIt log
-the F-Secure scan log
-a fresh DDS log (only DDS.txt is fine)

Any problems with the machine right now?

With Regards,
The Panda
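The three files PropagandaPanda sends to OTMoveIt share one pattern in the DDS Find3M section above: executables sitting directly in c:\windows with the system and hidden attributes set (the ac-shr-- column). The script below is an added example, not part of the thread or of the DDS/OTMoveIt tools; it parses that section and lists entries matching the pattern for review. The attribute-letter meanings and the executable-suffix list are assumptions, and a match is a review candidate, not a verdict.

```python
"""Triage helper for the Find3M section of a DDS log.

Added example for this thread; it is not part of DDS, OTMoveIt or the helper's
instructions. Attribute-letter meanings and the executable-suffix list are
assumptions, and a flagged entry is a review candidate, not a verdict.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the Find3M lines posted above, plus one <DIR> entry.
SAMPLE_FIND3M = r"""
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2005-05-13 16:12 217,073 ac-shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 ac-shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 ac-shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 ac-shr-- c:\windows\system32\avisynth.dll
2005-02-28 12:16 240,128 ac-shr-- c:\windows\system32\x.264.exe
2008-09-27 22:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat
2009-01-08 12:50 <DIR> a-dshr-- C:\cmdcons
"""

# One DDS entry: date, time, size (or <DIR>), an 8-character attribute string, path.
# Assumed letters: a=archive, c=compressed, d=directory, s=system, h=hidden,
# r=read-only; '-' marks an unset attribute.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+?)\s*$"
)

# File types that execute or load as code; an assumed list, extend as needed.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}


def parse_find3m(text):
    """Return one dict per well-formed entry; section headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "date": m["date"],
            "size": None if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
            "attrs": set(m["attrs"].replace("-", "")),
            "path": m["path"],
        })
    return entries


def flag_hidden_system_executables(text, scope_dirs=("c:\\windows",)):
    """Paths of executable files carrying both the system and hidden attributes
    that sit directly inside one of scope_dirs (matched case-insensitively).

    The default scope is the Windows root, where the three files the helper
    moved in this thread lived; pass system32 as well to widen the net.
    """
    scope = {PureWindowsPath(d).as_posix().lower() for d in scope_dirs}
    flagged = []
    for entry in parse_find3m(text):
        if "d" in entry["attrs"]:              # directories are out of scope
            continue
        path = PureWindowsPath(entry["path"])
        if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        if not {"s", "h"} <= entry["attrs"]:   # need system AND hidden
            continue
        if path.parent.as_posix().lower() in scope:
            flagged.append(entry["path"])
    return flagged


if __name__ == "__main__":
    for hit in flag_hidden_system_executables(SAMPLE_FIND3M):
        print("review:", hit)
```

Widening the scope to include system32 also surfaces the codec-pack files (avisynth.dll, x.264.exe) with the same attributes, which is why a human still decides what gets moved.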

#5 mkgphoto

mkgphoto
  • Topic Starter

  • Members
  • 13 posts

Posted 10 January 2009 - 01:59 AM

no major problems with my computer. it runs pretty good considering how old and slight of memory it is (512ram).

i've been pretty cautious and know just enough to keep me safer than most, i think.

i didn't realize my java was outdated, that explains why my gmail is displaying funny i bet.

mostly, i'm just being very thorough with really smart people like you to check me out.

i'll get to all the steps you suggested for me, and post as soon as i'm done.

thanks again very much for your help and time.

Kurt

Edited by mkgphoto, 10 January 2009 - 02:00 AM.


#6 mkgphoto

mkgphoto
  • Topic Starter

  • Members
  • 13 posts

Posted 10 January 2009 - 04:46 AM

ok, i used the cleaner and then otmoveit3.

here is that log:

========== FILES ==========
c:\windows\meta4.exe moved successfully.
c:\windows\MOTA113.exe moved successfully.
c:\windows\x2.64.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\MKG\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01102009_013348

Files moved on Reboot...
File C:\DOCUME~1\MKG\LOCALS~1\Temp\WCESLog.log not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

===========================================================================

i deleted all my old java and followed the link to install the java6.

i disabled my avg, went to f-secure and scanned my entire computer.

here is that report (i was a little surprised):

Scanning Report
Saturday, January 10, 2009 02:29:43 - 03:33:36
Computer name: MKGPHOTO
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 2 malware found
Backdoor.Win32.SubSeven (virus)
System
Backdoor.Win32.SubSeven.asw (virus)
C:\DOCUMENTS AND SETTINGS\MKG\DESKTOP\BLEEPINGCOMPUTER\OTMOVEIT3.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 37209
System: 3770
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MAILFRONTIER\REGINFO.XML

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 2.8.8110, 2009-01-10
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure AVP: 7.0.171, 2009-01-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


====================================================================

finally, here is my new DDS txt file:


DDS (Version 1.1.0) - NTFSx86
Run by MKG at 3:45:12.20 on Sat 01/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.55 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\ge security supra\syncservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\Documents and Settings\MKG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MKG\Desktop\bleepingcomputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\mkg\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-28 26824]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 231704]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.EXE [2006-9-12 61526]

=============== Created Last 30 ================

2009-01-10 02:23 <DIR> --d----- C:\fsaua.data
2009-01-10 02:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-10 02:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-10 01:33 <DIR> --d----- C:\_OTMoveIt
2009-01-08 12:50 <DIR> a-dshr-- C:\cmdcons
2009-01-08 12:49 161,792 a------- c:\windows\SWREG.exe
2009-01-08 12:49 98,816 a------- c:\windows\sed.exe
2009-01-08 11:55 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-08 11:55 1,409 a------- c:\windows\QTFont.for
2008-12-30 16:00 <DIR> --d----- c:\docume~1\mkg\applic~1\Malwarebytes
2008-12-30 16:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 16:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 16:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 15:52 79 a------- c:\windows\wininit.ini
2008-12-17 01:07 <DIR> --d----- c:\program files\Ziosoft

==================== Find3M ====================

2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-04-19 01:07 92,064 ac------ c:\documents and settings\mkg\mqdmmdm.sys
2007-04-19 01:07 79,328 ac------ c:\documents and settings\mkg\mqdmserd.sys
2007-04-19 01:07 9,232 ac------ c:\documents and settings\mkg\mqdmmdfl.sys
2007-04-19 01:07 5,936 ac------ c:\documents and settings\mkg\mqdmwhnt.sys
2007-04-19 01:07 66,656 ac------ c:\documents and settings\mkg\mqdmbus.sys
2007-04-19 01:07 25,600 ac------ c:\documents and settings\mkg\usbsermptxp.sys
2007-04-19 01:07 22,768 ac------ c:\documents and settings\mkg\usbsermpt.sys
2007-04-19 01:07 6,208 ac------ c:\documents and settings\mkg\mqdmcmnt.sys
2007-04-19 01:07 4,048 ac------ c:\documents and settings\mkg\mqdmcr.sys
2007-03-25 14:42 81,920 ac------ c:\docume~1\mkg\applic~1\ezpinst.exe
2007-03-25 14:42 47,360 ac------ c:\docume~1\mkg\applic~1\pcouffin.sys
2005-10-07 18:14 308,224 ac-shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 ac-shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 ac-shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 ac-shr-- c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 ac-shr-- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 ac-shr-- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-09-27 22:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 3:45:41.40 ===============

thanks, Panda.

Kurt

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 January 2009 - 09:39 AM

Hello Kurt.

Looks clean. Unless you have other problems, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and create a new restore point.
Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click Posted Image.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#8 mkgphoto

mkgphoto
  • Topic Starter

  • Members
  • 13 posts

Posted 10 January 2009 - 02:29 PM

i typed in the combofix /u (careful to note the space between x and /u) and instead of uninstalling, i got a box telling me there is an updated version of combofix available, did i want to download it? i said no, then it began the process of scanning my computer again.

it made a logfile and did (what seemed to be) the same thing it did before.

to me, it seems that it didn't uninstall.

i haven't moved to the next step, yet. should i just go to the add/remove programs section to take out combofix?

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 January 2009 - 02:56 PM

Hello.

ComboFix does not uninstall through Add/Remove Programs.

In that case, just run the CleanUp with OTMoveIt, which should remove ComboFix as well.

Also manually reset your system restore in that case.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
With Regards,
The Panda

#10 mkgphoto

mkgphoto
  • Topic Starter

  • Members
  • 13 posts

Posted 10 January 2009 - 03:01 PM

it seems that because the last scan (f-secure) thought otmoveit3 was a virus, it has been deleted from my files.

should i download it again, and then "uninstall" it?

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 January 2009 - 03:11 PM

Hello.

The AVs often flag our tools. The developers are always trying to prevent this.

Just use OTCleanIt in that case.

With Regards,
The Panda

#12 mkgphoto

mkgphoto
  • Topic Starter

  • Members
  • 13 posts

Posted 10 January 2009 - 03:38 PM

thanks TP.

i think everything is shiny and fresh.

if you have any other suggestions as far as system clean-up (for speed and performance), i'd look over them. again, i know at 512 ram, i'll never win any sprints for performance, but still...

also if you have any suggestions for registry cleaners (free) that might help me do some uncluttering, that might be helpful.

otherwise, you and your group have helped me tremendously and i thank you for all your time.

blessings.

Kurt

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 January 2009 - 05:47 PM

You are welcome Kurt.

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hard drive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.

if you have any other suggestions as far as system clean-up (for speed and performance), i'd look over them. again, i know at 512 ram, i'll never win any sprints for performance,

Running CCleaner regularly will increase performance.

Running defragmenting and chkdsk helps too.

With Regards,
The Panda

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 January 2009 - 12:07 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
