
I got into some bad stuff


  • This topic is locked
9 replies to this topic

#1 fidlhead

  • Members
  • 11 posts

Posted 03 January 2009 - 01:34 PM

Hi,

I was referred here by quietman7. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/191197/i-got-into-some-bad-stuff/ ~ OB

I'm keeping the computer off the internet because I can't enable Windows update and McAfee is suspect. Many potentially useful web sites are blocked. I was unable to install MBAM successfully. A .pdf of my earlier topic from "Am I Infected..." is attached. More detail on the steps I've taken up to now can be found there. I ran DDS with the computer disconnected from the internet. My log follows.

I'd appreciate any assistance.

fh


DDS (Version 1.1.0) - NTFSx86
Run by HP_Administrator at 12:03:31.15 on Sat 01/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2529 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\PIEngineering\X-keys\XKWdkApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: {922d2be0-c4af-913b-f344-ba4616562005}: {50026561-64ab-443f-b319-fa4c0eb2d229} - c:\windows\system32\txvmji.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGywVLB.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {d2141433-2ae3-43bb-be1c-bed984d40c90} - c:\windows\system32\opnkljhf.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [BMUpdate] c:\windows\system32\BMUpdate.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [gadcom] "c:\documents and settings\hp_administrator\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hp\hp share-to-web\hpgs2wnd.exe
mRun: [OneTouch Monitor] c:\progra~1\vision~1\ONETOU~2.EXE
mRun: [AdaptecDirectCD] c:\program files\easy cd creator 5\directcd\DirectCD.exe
mRun: [EPSON Stylus Photo R2400] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9SA.EXE /P24 "EPSON Stylus Photo R2400" /O12 "EP1394D3_001" /M "Stylus Photo R2400"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [X-keys Programming] c:\program files\piengineering\x-keys\XKWdkApp.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [3ec01b73] rundll32.exe "c:\windows\system32\fsnejpwl.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Notify: hgGywVLB - hgGywVLB.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: txvmji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGywVLB.dll
LSA: Authentication Packages = msv1_0 relog_ap c:\windows\system32\opnkljhf

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-24 207656]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-24 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-24 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-24 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-24 40488]
R3 RDID1046;EDIROL UA-25;c:\windows\system32\drivers\rdwm1046.sys [2006-10-26 163390]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 358736]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-12-24 144704]
S3 epppdt;EPSON 1394.3 Class;c:\windows\system32\drivers\epppdt.sys [2006-12-26 31269]
S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\system32\drivers\epppdtpr.sys [2006-12-26 14457]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-24 34152]
S3 xkeysw2k;X-keys Device;c:\windows\system32\drivers\XkeysW2k.sys [2008-4-16 33519]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]

=============== Created Last 30 ================

2009-01-02 15:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 15:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 15:39 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 15:39 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 15:05 134,144 a------- c:\windows\system32\xajtcnxo.dll
2009-01-02 15:05 134,144 a------- c:\windows\system32\txvmji.dll
2009-01-02 15:02 1,307,356 ---sh--- c:\windows\system32\lwpjensf.ini
2009-01-02 15:02 89,600 a------- c:\windows\system32\fsnejpwl.dll
2008-12-31 15:17 --d----- c:\program files\common files\Wise Installation Wizard
2008-12-31 14:41 6,044 a------- c:\windows\system32\tmp.reg
2008-12-31 09:24 130,560 a------- c:\windows\system32\lozsuy.dll
2008-12-31 09:24 130,560 a------- c:\windows\system32\yxyegowd.dll
2008-12-31 09:18 1,307,356 ---sh--- c:\windows\system32\jmvjjwnp.ini
2008-12-31 09:18 89,600 a------- c:\windows\system32\pnwjjvmj.dll
2008-12-30 08:57 0 a------- c:\windows\system32\mcrh.tmp
2008-12-29 14:08 131,584 a------- c:\windows\system32\wrthzz.dll
2008-12-29 14:08 131,584 a------- c:\windows\system32\ctlbmxdf.dll
2008-12-29 14:05 1,307,934 ---sh--- c:\windows\system32\ybfvueci.ini
2008-12-29 14:05 87,552 a------- c:\windows\system32\iceuvfby.dll
2008-12-29 11:29 676,086 a--sh--- c:\windows\system32\fhjlknpo.ini2
2008-12-29 11:29 676,086 a--sh--- c:\windows\system32\fhjlknpo.ini
2008-12-29 11:29 287,744 a------- c:\windows\system32\opnkljhf.dll
2008-12-29 11:24 45,056 a------- c:\windows\system32\ssqNGxyv.dll
2008-12-29 11:24 50,176 a------- c:\windows\system32\hgGywVLB.dll
2008-12-29 11:24 35,328 a------- c:\windows\system32\prunnet.exe
2008-12-29 11:17 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-29 11:17 1,409 a------- c:\windows\QTFont.for
2008-12-29 10:59 --dsh--- c:\windows\system32\twain_32
2008-12-26 18:20 --d----- c:\documents and settings\hp_administrator\logitech
2008-12-26 18:19 --d----- c:\program files\common files\Remote Control Software Common
2008-12-26 18:19 --d----- c:\program files\common files\Remote Control USB Driver
2008-12-18 23:03 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-18 23:03 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-18 23:02 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-18 22:46 465,920 -------- c:\windows\system32\imapi2fs.dll
2008-12-18 22:46 465,920 -------- c:\windows\system32\dllcache\imapi2fs.dll
2008-12-18 22:46 317,952 -------- c:\windows\system32\imapi2.dll
2008-12-18 22:46 317,952 -------- c:\windows\system32\dllcache\imapi2.dll
2008-12-18 22:46 62,976 -------- c:\windows\system32\dllcache\cdrom.sys

==================== Find3M ====================

2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-28 16:32 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-28 16:32 208,896 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
2008-11-28 16:31 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2008-11-28 16:31 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2008-11-28 16:31 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2008-11-28 16:31 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2008-11-28 16:31 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2008-11-28 16:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2008-11-28 16:31 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2008-11-28 16:31 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-11-10 12:09 40,832 a------- c:\windows\system32\drivers\zumbus.sys
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 07:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-12-16 20:32 20 -c--h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2007-12-16 20:32 20 -c--h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2003-11-10 16:26 376,884 ac------ c:\program files\image001.bmp
2001-10-30 06:11 61,440 ac------ c:\windows\inf\i386\onetUSD.dll
2001-10-02 07:58 36,864 ac------ c:\windows\inf\i386\Wiamicro.dll
2001-09-28 07:00 139,264 ac------ c:\windows\inf\i386\Rtscan.dll
2001-09-27 07:11 167,936 ac------ c:\windows\inf\i386\viceo.dll
2001-01-18 15:13 12,400 ac------ c:\windows\inf\i386\Usbscan.sys
2006-12-31 13:31 22 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 12:06:43.48 ===============


Edited by Orange Blossom, 03 January 2009 - 01:52 PM.




#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 05 January 2009 - 07:20 AM

Hello Fidlhead and welcome to BleepingComputer,

If necessary, download ComboFix using another PC and transfer it to your system.
Next, perform these steps in safe mode.
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 fidlhead

  • Topic Starter

  • Members
  • 11 posts

Posted 05 January 2009 - 11:53 PM

Thunder,

Thanks for getting back to me.

ComboFix setup wouldn't run until I re-named it.

I started it off in the safe mode. It did not ask to install the Recovery Console.

It told me to write these down for possible future reference:

C:\WINDOWS\system32\drivers\TDSSmvpt.sys
C:\WINDOWS\system32\TDSSotun.dll
C:\WINDOWS\system32\TDSSwryh.dat
C:\WINDOWS\system32\TDSShrrx.dll
C:\WINDOWS\system32\TDSSbvqo.dll
C:\WINDOWS\system32\TDSSjnst.dll
C:\WINDOWS\system32\TDSSublj.dll
C:\WINDOWS\system32\TDSSkkdu.log

Combofix rebooted twice in normal Windows. McAfee was on and popped some windows open. 4 were registry changes that I allowed. Two were PUP warnings that I told it to trust. It was kind of scary because I wasn't sure what to do.

I didn't do any testing after ComboFix (alias C_Bomb) ran -- it was getting late.

I'd appreciate any advice.

Thanks,

fh

Here's the log:

ComboFix 09-01-05.03 - HP_Administrator 2009-01-05 22:16:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2705 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\c-bomb.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\aiamfpty.ini
c:\windows\system32\avknlx.dll
c:\windows\system32\bkqmntkm.dll
c:\windows\system32\ctlbmxdf.dll
c:\windows\system32\drivers\TDSSmvpt.sys
c:\windows\system32\fhjlknpo.ini
c:\windows\system32\fhjlknpo.ini2
c:\windows\system32\hgGywVLB.dll
c:\windows\system32\iceuvfby.dll
c:\windows\system32\jmvjjwnp.ini
c:\windows\system32\lgeejgpt.dll
c:\windows\system32\lozsuy.dll
c:\windows\system32\luyhnvdy.dll
c:\windows\system32\lwpjensf.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mktnmqkb.ini
c:\windows\system32\mypujrks.dll
c:\windows\system32\opnkljhf.dll
c:\windows\system32\pnwjjvmj.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\qqvdfhjt.ini
c:\windows\system32\TDSSbvqo.dll
c:\windows\system32\TDSShrrx.dll
c:\windows\system32\TDSSjnst.dll
c:\windows\system32\TDSSkkdu.log
c:\windows\system32\TDSSotun.dll
c:\windows\system32\TDSSublj.dll
c:\windows\system32\TDSSwryh.dat
c:\windows\system32\tmp.reg
c:\windows\system32\trynsz.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
c:\windows\system32\txvmji.dll
c:\windows\system32\wrthzz.dll
c:\windows\system32\xajtcnxo.dll
c:\windows\system32\ybfvueci.ini
c:\windows\system32\yghouy.dll
c:\windows\system32\ytpfmaia.dll
c:\windows\system32\yxyegowd.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-02 15:39 . 2009-01-02 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 15:39 . 2009-01-02 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 15:39 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 15:39 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-31 15:17 . 2008-12-31 15:17 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 14:12 . 2008-12-31 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-12-29 11:24 . 2008-12-29 11:24 45,056 --a------ c:\windows\system32\ssqNGxyv.dll
2008-12-29 11:17 . 2008-12-29 11:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-29 11:17 . 2008-12-29 11:17 1,409 --a------ c:\windows\QTFont.for
2008-12-26 18:20 . 2008-12-26 18:22 <DIR> d-------- c:\documents and settings\HP_Administrator\logitech
2008-12-26 18:19 . 2008-12-26 18:19 <DIR> d-------- c:\program files\Logitech
2008-12-26 18:19 . 2008-12-26 18:19 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-12-26 18:19 . 2008-12-26 18:20 <DIR> d-------- c:\program files\Common Files\Remote Control Software Common
2008-12-26 18:17 . 2008-12-26 18:17 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\InstallShield
2008-12-18 23:03 . 2008-12-18 23:03 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-18 23:03 . 2008-12-18 23:03 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-18 23:02 . 2008-12-18 23:02 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-18 22:46 . 2008-05-02 07:25 465,920 --a------ c:\windows\system32\imapi2fs.dll
2008-12-18 22:46 . 2008-05-02 07:25 465,920 --a------ c:\windows\system32\dllcache\imapi2fs.dll
2008-12-18 22:46 . 2008-05-02 07:25 317,952 --a------ c:\windows\system32\imapi2.dll
2008-12-18 22:46 . 2008-05-02 07:25 317,952 --a------ c:\windows\system32\dllcache\imapi2.dll
2008-12-18 22:46 . 2008-05-02 04:49 62,976 --a------ c:\windows\system32\dllcache\cdrom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-29 20:32 --------- d-----w c:\program files\DivX
2008-12-29 03:34 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-27 00:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 05:20 --------- d-----w c:\program files\Zune
2008-12-07 17:35 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ZoomBrowser EX
2008-12-07 17:30 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\CameraWindowDC
2008-11-15 19:36 --------- d-----w c:\program files\McAfee
2008-11-10 18:09 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
2007-12-17 02:32 20 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-12-17 02:32 20 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2003-11-10 22:26 376,884 -c--a-w c:\program files\image001.bmp
2006-12-31 19:31 22 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-10-15 43008]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-04-04 335872]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 49152]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-30 86016]
"AdaptecDirectCD"="c:\program files\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-10-28 684032]
"EPSON Stylus Photo R2400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE" [2004-11-09 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"X-keys Programming"="c:\program files\PIEngineering\X-keys\XKWdkApp.exe" [2001-11-20 422400]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=trynsz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= rddv1046.dll
"midi1"= rddv1046.dll
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\NAVBrowser.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

R3 epppdt;EPSON 1394.3 Class;c:\windows\system32\DRIVERS\epppdt.sys [2004-08-31 31269]
R3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\system32\DRIVERS\epppdtpr.sys [2004-08-31 14457]
R3 xkeysw2k;X-keys Device;c:\windows\system32\DRIVERS\XkeysW2k.sys [2001-08-02 33519]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 RDID1046;EDIROL UA-25;c:\windows\system32\Drivers\rdwm1046.sys [2004-04-01 163390]


--- Other Services/Drivers In Memory ---

*Deregistered* - AcrSch2Svc
*Deregistered* - AdobeActiveFileMonitor5.0
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - CCALib8
*Deregistered* - Cdfs
*Deregistered* - cdudf_xp
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - dvd_2K
*Deregistered* - eeCtrl
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ELService
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - IAANTMON
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LightScribeService
*Deregistered* - LmHosts
*Deregistered* - mcmscsvc
*Deregistered* - McNASvc
*Deregistered* - McProxy
*Deregistered* - McrdSvc
*Deregistered* - McShield
*Deregistered* - McSysmon
*Deregistered* - MDM
*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfehidk
*Deregistered* - mfesmfk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MPFP
*Deregistered* - MpfService
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tifsfilter
*Deregistered* - timounter
*Deregistered* - TrkWks
*Deregistered* - Udfreadr_xp
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - ViaIde
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
*Deregistered* - zumbus
*Deregistered* - ZuneBusEnum
.
Contents of the 'Scheduled Tasks' folder

2007-07-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-01-06 c:\windows\Tasks\vrjbdhon.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{29e19f9d-716f-476b-9ff5-3df730b9192b} - c:\windows\system32\trynsz.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGywVLB.dll
BHO-{8B967A4B-7F1F-4B46-A03A-E21B5420C5C1} - c:\windows\system32\opnkljhf.dll
HKCU-Run-BMUpdate - c:\windows\system32\BMUpdate.exe
HKLM-Run-3ec01b73 - c:\windows\system32\tjhfdvqq.dll
HKLM-Run-PCDrProfiler - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\hgGywVLB.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=hxxp://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/vehicles/2007/sequoia/key_features/int360.html?noreloadredir
c:\windows\Downloaded Program Files\MetaStream3.inf

O16 -: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen10.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 22:27:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\rddv1046.dll

- - - - - - - > 'lsass.exe'(1148)
c:\windows\system32\rddv1046.dll
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Nikon\PictureProject\NkbMonitor.exe
c:\program files\Updates from HP\9972322\Program\Updates from HP.exe
c:\hp\KBD\kbd.exe
.
**************************************************************************
.
Completion time: 2009-01-05 22:30:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 04:30:00

Pre-Run: 162,482,802,688 bytes free
Post-Run: 162,910,064,640 bytes free

387 --- E O F --- 2008-12-18 04:02:32
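The registry and scheduled-task sections of the ComboFix log above carry the indicators that matter here: AppInit_DLLs pointing at trynsz.dll, Security Center monitoring and the Windows Firewall switched off, drivers32 entries that get mapped into winlogon.exe and lsass.exe, and a scheduled task that only runs rundll32.exe. As an added example (not part of this thread and not ComboFix's own logic), a small Python audit that walks log lines of that shape and grades each such line; the sample lines are constructed from the log above, and the function names are my own. The drivers32 entries are graded "review" rather than "high" because a multimedia driver such as the EDIROL one here is often legitimate and only needs its hash verified.

```python
import re

# Constructed sample in the shape of the ComboFix registry/task lines above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=trynsz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= rddv1046.dll
"midi1"= rddv1046.dll
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

2009-01-06 c:\windows\Tasks\vrjbdhon.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S+\\Tasks\\([^\\]+)\.job$", re.I)
TASK_TARGET_RE = re.compile(r"^-\s+(\S+)")


def check_value(section, name, value):
    """Return (severity, message) findings for one "name"=value line."""
    key = name.lower()
    if section.endswith("currentversion\\windows") and key == "appinit_dlls" and value:
        # AppInit_DLLs is loaded into every process that links user32.dll.
        return [("high", f"AppInit_DLLs loads {value} into every user-mode process")]
    if section.endswith("drivers32") and value.lower().endswith(".dll"):
        # Multimedia driver DLLs are mapped into winlogon/lsass; legitimate
        # for real hardware (the UA-25 here) but worth a hash check.
        return [("review", f"drivers32 {name} -> {value}: verify publisher and hash")]
    if "security center\\monitoring" in section and key == "disablemonitoring":
        if int(value.split(":")[-1], 16) == 1:
            product = section.rsplit("\\", 1)[-1]
            return [("high", f"Security Center monitoring disabled for {product}")]
    if section.endswith("firewallpolicy\\standardprofile") and key == "enablefirewall":
        if value.split()[0] == "0":
            return [("high", "Windows Firewall standard profile is disabled")]
    return []


def audit_combofix_log(text):
    """Walk registry sections and scheduled tasks, collecting findings."""
    findings, section, pending_task = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif m := VALUE_RE.match(line):
            findings.extend(check_value(section, m.group(1), m.group(2).strip()))
        elif m := TASK_RE.match(line):
            pending_task = m.group(1)
        elif (m := TASK_TARGET_RE.match(line)) and pending_task:
            # A rundll32-launched task hides the real DLL; flag it for review.
            if m.group(1).lower().endswith("rundll32.exe"):
                findings.append(("review", f"scheduled task {pending_task}.job runs rundll32.exe"))
            pending_task = None
    return findings


if __name__ == "__main__":
    for severity, message in audit_combofix_log(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```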

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:28 AM

Posted 06 January 2009 - 05:15 AM

Hello Fidlhead,

Before we continue,
please go to http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
c:\windows\system32\rddv1046.dll
Then click on 'Send File'.
Post the results into your next reply.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 fidlhead

fidlhead
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 06 January 2009 - 08:33 PM

Thunder,

Big improvement in computer operation:

1. It now starts up without errors.
2. Windows Update is back on.
3. So far, Explorer seems normal with internet connection in.
4. I was able to adjust internet settings, and so far they've stayed put.
5. McAfee is back on, updated itself, and looks normal.
6. The hard drive is no longer cycling every few seconds, as though trying to open a program.

Not an exhaustive test, but so far, so good.

I completed the VirusTotal scan you requested. Results below.

Thanks,

fh

File rddv1046.dll received on 01.07.2009 02:16:28 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.06 -
AhnLab-V3 2009.1.6.3 2009.01.07 -
AntiVir 7.9.0.45 2009.01.06 -
Authentium 5.1.0.4 2009.01.06 -
Avast 4.8.1281.0 2009.01.06 -
AVG 8.0.0.199 2009.01.05 -
BitDefender 7.2 2009.01.07 -
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.06 -
Comodo 878 2009.01.05 -
DrWeb 4.44.0.09170 2009.01.07 -
eTrust-Vet 31.6.6294 2009.01.06 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.05 -
F-Secure 8.0.14470.0 2009.01.07 -
Fortinet 3.117.0.0 2009.01.06 -
GData 19 2009.01.06 -
Ikarus T3.1.1.45.0 2009.01.06 -
K7AntiVirus 7.10.576 2009.01.05 -
Kaspersky 7.0.0.125 2009.01.07 -
McAfee 5486 2009.01.05 -
McAfee+Artemis 5486 2009.01.05 -
Microsoft 1.4205 2009.01.07 -
NOD32 3741 2009.01.05 -
Norman 5.80.02 2009.01.06 -
Panda 9.0.0.4 2009.01.06 -
PCTools 4.4.2.0 2009.01.05 -
Prevx1 V2 2009.01.07 -
Rising 21.11.12.00 2009.01.06 -
SecureWeb-Gateway 6.7.6 2009.01.05 -
Sophos 4.37.0 2009.01.06 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.06 -
TheHacker 6.3.1.4.210 2009.01.07 -
TrendMicro 8.700.0.1004 2009.01.06 -
VBA32 3.12.8.10 2009.01.06 -
ViRobot 2009.1.6.1546 2009.01.06 -
VirusBuster 4.5.11.0 2009.01.06 -
Additional information
File size: 52636 bytes
MD5...: 833847bb02517849daddc40407e19a1f
SHA1..: 6c2e17df150dd736d3120bdd6f0d2b99170f2fb9
SHA256: a8aa268ef6874f6798b105eaabe52df8466ca52335140447c7bcdb81ba18f210
SHA512: ada5f582d8c86f4e8fb50472af3d9b0d0acf226c16be9d51eb7a638c89f54a6df4706be3724339cd331b979635608aba309480724b39bac7473e1bade2778a6e

ssdeep: 768:RCiWS0PnwGH+O1ts3WtWAOY5XJXclwKD/wb0dAge7vDzX0Gy6qYNLo+:7h0PNH3d59cVD/wb0dAge7vXVqYNLB

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404090
timedatestamp.....: 0x4063dbec (Fri Mar 26 07:29:48 2004)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xaeee 0xb000 5.93 56fbf2393f78bdf90c0607d8a7407be0
.data 0xc000 0xc7c 0x200 1.07 beb8d7a406d3650c603fe5919726b5fa
.SHDATA 0xd000 0x8 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 0xe000 0x398 0x400 2.94 d12f16bcec5273a4aeec1d0cde9635bd
.reloc 0xf000 0x50c 0x600 5.41 8abd38a5f84f6ffd53654c4f0163fd11

( 4 imports )
> MSVCRT.dll: wcslen
> KERNEL32.dll: InterlockedDecrement, InterlockedIncrement, WinExec, FindClose, FindNextFileW, FindFirstFileW, GetSystemDirectoryW, GetWindowsDirectoryW, MoveFileExW, DeleteFileW, SetFileAttributesW, CloseHandle, SetFilePointer, CreateFileW, ReadFile, DeviceIoControl, GetLastError, CreateEventW, WaitForSingleObject, SetEvent, EnterCriticalSection, LeaveCriticalSection, Sleep, DeleteCriticalSection, DisableThreadLibraryCalls, GlobalLock, GlobalAlloc, GlobalFree, GlobalUnlock, GlobalHandle, WaitForMultipleObjects, SetThreadPriority, GetCurrentThread, CreateThread, InitializeCriticalSection
> USER32.dll: wsprintfA, wsprintfW
> WINMM.dll: DriverCallback, timeGetTime, DefDriverProc

( 5 exports )
DriverProc, midMessage, modMessage, widMessage, wodMessage

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:28 AM

Posted 07 January 2009 - 04:00 AM

Well done, Fidlhead :thumbsup:

Looks like we got rid of that malware.

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the Download button to the right of Java SE Runtime Environment (JRE) 6 Update 11 (first option).
  • Select your Platform (Windows version) and check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click "Continue" and the page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
No more issues?

Greetings,
Thunder

#7 fidlhead

fidlhead
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 07 January 2009 - 08:04 PM

Thunder,

ComboFix uninstall and Java update completed.

Everything still appears normal. :thumbsup: Two questions:

1. What was it?
2. What would have prevented it?

Thanks for your help. Great job!

fh

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:28 AM

Posted 08 January 2009 - 05:22 PM

Hello Fidlhead,

It was a combined infection: rootkit, Vundo/Conhook and some other malware.
Being careful while downloading, surfing the net or opening attachments is the best way to avoid things like these.
Security programs can do a lot, but if you're unlucky enough to catch something unknown, or if you don't update enough, then there's only common sense to guide you. :thumbsup:

Btw, I noticed I left one file lingering:

Open Notepad and copy and paste the bold, blue text below in it:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
c:\windows\system32\ssqNGxyv.dll) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt


Save this as del.bat. Choose to save as "all files" and place it on your Desktop.
Double-click on it and post the content of the log file that opens in your next reply.

And that should have been the last one. :)

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder

#9 fidlhead

fidlhead
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 10 January 2009 - 12:29 PM

Thunder,

Here is the log from the short program you sent:

Deleting files
c:\windows\system32\ssqNGxyv.dll not found

Once I regained control of the computer I was able to install and run MBAM. Here is the log from the first scan:

Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

1/8/2009 7:25:19 PM
mbam-log-2009-01-08 (19-25-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 228295
Time elapsed: 1 hour(s), 17 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041661.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041662.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041682.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041687.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041688.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041689.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041690.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041691.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041693.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041694.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041695.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041699.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041700.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041702.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041703.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041704.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041705.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041707.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041708.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041709.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP585\A0041698.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP586\A0041823.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Subsequent scans have been clean.

McAfee seemed glitchy at first -- it found a lot of things it didn't like, including much of the above and some of the anti-malware software I'd used based on McAfee forum advice (before you got in touch with me). It identified SmitfraudFix as a particular problem. (I've subsequently cleared all those programs off the computer.) McAfee also gave me a notice that it needed to be re-installed. I haven't acted on that, because I didn't immediately know how to do it. That notice hasn't appeared again, and McAfee appears to be updating and auto-scanning normally. The only thing I've noticed is that I wasn't able to start a scan manually. I need to try it again sometime.

Please let me know if you see or think of anything else.

Thank you for all the excellent advice. You did a very professional job. :thumbsup: I was lucky to have a clean computer available so as not to be totally dead in the water.

Best regards,

fidlhead

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:28 AM

Posted 10 January 2009 - 01:06 PM

Glad we could help Fidlhead :thumbsup:

To me, you seem all set to go again.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



