virtumonde infection


  • This topic is locked
12 replies to this topic

#1 BoboBriskey

BoboBriskey

  • Members
  • 11 posts

Posted 03 January 2009 - 03:01 PM

Hi,

I need help to fix this virtumonde infection and a friend of mine told me
this was the place to go.

The problem started with some strange pop up ads and a virus scanner that
wanted to self install. Now my internet browsers are hijacked so that I can't
get to certain sites. Google seems to be hijacked. Virus software scanning
sites seem to be blocked also. I have to use a different computer to post this
message. I can't get to this site either.

Since this has started my virus scanner has caught a couple of "bo heap" buffer
overrun type viruses.

Also every time I log in the virus scanner is stopped. I have to enable it manually.

I have seen a prunnet.exe process in the HiJackThis log that keeps coming back. It
seems to be gone right now.

I sure hope you can help me!!!!!!!!! Thanks!!!!!!



DDS (Version 1.1.0) - NTFSx86
Run by Paul Malmanger at 12:43:12.00 on Sat 01/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1226 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\uglmd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\taskmgr.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc-rel&channel=us
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
BHO: {343463fd-82b8-4d38-b632-3387405b26e1} - c:\windows\system32\efcARhiG.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqrRkHB.dll
BHO: {b2b7386c-d544-a8e9-2154-22430074eea8}: {8aee4700-3422-4512-9e8a-445dc6837b2b} - c:\windows\system32\addiqc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Hroroyaqo] rundll32.exe "c:\windows\Ndoxegadagakus.dll",e
mRun: [Vzadelukigateku] rundll32.exe "c:\windows\uhipofevinuyozew.dll",e
mRun: [44d6c687] rundll32.exe "c:\windows\system32\jynapcip.dll",b
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\paulma~1\startm~1\programs\startup\shortc~1.lnk - g:\gmw6.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: {0C45266B-1BCE-4E0B-9860-E4CCC595524A} = 64.21.232.2,64.21.232.3
Notify: ssqrRkHB - ssqrRkHB.dll
AppInit_DLLs: addiqc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqrRkHB.dll
LSA: Authentication Packages = msv1_0 wvauth c:\windows\system32\efcARhiG

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paulma~1\applic~1\mozilla\firefox\profiles\6vld9mdd.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: XUL Cache: {B20BD9DC-6B9D-4514-8AF0-7A330648340C} - c:\documents and settings\paul malmanger\local settings\application data\{B20BD9DC-6B9D-4514-8AF0-7A330648340C}

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-7-6 58016]
R3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-8-18 221191]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-7-6 108256]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-7-6 102463]
R4 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-8-18 28672]
R4 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\program files\ugs\license servers\ugnxflexlm\lmgrd.exe [2005-10-27 962560]
S3 GrooveInstallerService;Groove Installer Service;c:\program files\groove networks\groove\bin\GrooveInstallerService.exe [2006-7-5 104523]
S3 muIO;muIO;c:\windows\system32\muIO.sys [2006-7-6 2944]

=============== Created Last 30 ================

2009-01-03 12:21 5,619,080 a------- C:\Opera_963_en_Setup.exe
2009-01-02 22:17 59,904 a------- c:\windows\system32\drivers\TDSSmqlt.sys
2009-01-02 22:16 23,552 a------- c:\windows\system32\kjocyfne.exe
2009-01-02 22:16 <DIR> --d----- c:\docume~1\paulma~1\applic~1\SanDisk
2009-01-02 22:13 1,307,356 ---sh--- c:\windows\system32\picpanyj.ini
2009-01-02 22:13 89,600 a------- c:\windows\system32\jynapcip.dll
2009-01-02 22:12 134,144 a------- c:\windows\system32\addiqc.dll
2009-01-02 22:12 134,144 a------- c:\windows\system32\gnwxuski.dll
2009-01-02 19:33 134,656 a------- c:\windows\uhipofevinuyozew.dll
2009-01-02 08:11 <DIR> --d----- c:\program files\Rapid Antivirus
2009-01-02 07:47 40,448 a------- c:\windows\system32\k9261108.exe
2009-01-01 22:37 82,944 a------- c:\windows\system32\msiconf.exe
2009-01-01 20:10 40,448 a------- c:\windows\Ndoxegadagakus.dll
2009-01-01 19:48 50,176 a------- c:\windows\system32\urqRIyXR.dll
2009-01-01 19:48 132,608 a------- c:\windows\system32\okkpsd.dll
2009-01-01 19:48 1,307,356 ---sh--- c:\windows\system32\mehcimbs.ini
2009-01-01 19:48 132,608 a------- c:\windows\system32\shakmskl.dll
2009-01-01 19:48 90,112 -------- c:\windows\system32\sbmichem.dll
2009-01-01 19:45 675,967 a--sh--- c:\windows\system32\GihRAcfe.ini2
2009-01-01 19:45 675,967 a--sh--- c:\windows\system32\GihRAcfe.ini
2009-01-01 19:45 289,792 a------- c:\windows\system32\efcARhiG.dll
2009-01-01 19:40 72,192 a------- c:\windows\system32\geBRKdcy.dll
2009-01-01 19:40 50,176 a------- c:\windows\system32\ssqrRkHB.dll

==================== Find3M ====================

2009-01-02 19:15 361,378 a------- c:\windows\system32\nvModes.dat
2008-12-12 11:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 19:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-15 19:00 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-15 19:00 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 19:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-04-15 08:20 56,912 a------- c:\documents and settings\paul malmanger\g2mdlhlpx.exe
2007-01-19 12:11 92,064 a------- c:\documents and settings\paul malmanger\mqdmmdm.sys
2007-01-19 12:11 79,328 a------- c:\documents and settings\paul malmanger\mqdmserd.sys
2007-01-19 12:11 66,656 a------- c:\documents and settings\paul malmanger\mqdmbus.sys
2007-01-19 12:11 25,600 a------- c:\documents and settings\paul malmanger\usbsermptxp.sys
2007-01-19 12:11 22,768 a------- c:\documents and settings\paul malmanger\usbsermpt.sys
2007-01-19 12:11 9,232 a------- c:\documents and settings\paul malmanger\mqdmmdfl.sys
2007-01-19 12:11 6,208 a------- c:\documents and settings\paul malmanger\mqdmcmnt.sys
2007-01-19 12:11 5,936 a------- c:\documents and settings\paul malmanger\mqdmwhnt.sys
2007-01-19 12:11 4,048 a------- c:\documents and settings\paul malmanger\mqdmcr.sys
2007-01-18 15:04 325,269,200 a------- c:\documents and settings\paul malmanger\MED-100NT-CD-350_M050_1OF3.zip
2007-01-18 10:50 576,590,076 a------- c:\documents and settings\paul malmanger\MED-100NT-CD-340_M240_1OF3.zip
2006-08-13 13:59 4,984,832 a------- c:\documents and settings\all users\dwgconnector2.dll

============= FINISH: 12:45:28.89 ===============

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 03 January 2009 - 03:44 PM

Hello BoboBriskey

Welcome to BleepingComputer :thumbsup:
========================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 BoboBriskey

BoboBriskey
  • Topic Starter

  • Members
  • 11 posts

Posted 03 January 2009 - 05:21 PM

Thanks for the help!!!!!!!!! :thumbsup: I really appreciate it!!! :)

I ran Combofix. It took a long time and here are the results.

ComboFix 09-01-02.01 - Paul Malmanger 2009-01-03 15:36:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1666 [GMT -6:00]
Running from: c:\documents and settings\Paul Malmanger\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Rapid Antivirus
c:\program files\Rapid Antivirus\Uninstall.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\addiqc.dll
c:\windows\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk
c:\windows\system32\cowtrdto.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekapklpsdot.sys
c:\windows\system32\Drivers\TDSSmqlt.sys
c:\windows\system32\efcARhiG.dll
c:\windows\system32\GihRAcfe.ini
c:\windows\system32\GihRAcfe.ini2
c:\windows\system32\gnwxuski.dll
c:\windows\system32\itucypsy.dll
c:\windows\system32\mdm.exe
c:\windows\system32\mehcimbs.ini
c:\windows\system32\msiconf.exe
c:\windows\system32\okkpsd.dll
c:\windows\system32\otdrtwoc.ini
c:\windows\system32\packet.dll
c:\windows\system32\picpanyj.ini
c:\windows\system32\sbmichem.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaelxxucko.dll
c:\windows\system32\senekalmylkixo.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekatxgxjjos.dll
c:\windows\system32\shakmskl.dll
c:\windows\system32\ssqrRkHB.dll
c:\windows\system32\ugngrs.dll
c:\windows\system32\urqRIyXR.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 14:58 . 2009-01-03 14:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 14:58 . 2009-01-03 14:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-03 14:25 . 2009-01-03 14:25 16,168,344 --a------ C:\jre-6u11-windows-i586-p.exe
2009-01-03 12:26 . 2009-01-03 12:26 <DIR> d-------- c:\program files\Opera
2009-01-03 12:21 . 2009-01-03 12:11 5,619,080 --a------ C:\Opera_963_en_Setup.exe
2009-01-02 22:16 . 2009-01-02 22:16 <DIR> d-------- c:\documents and settings\Paul Malmanger\Application Data\SanDisk
2009-01-02 22:16 . 2009-01-02 22:16 23,552 --a------ c:\windows\system32\kjocyfne.exe
2009-01-02 19:33 . 2009-01-02 19:33 134,656 --a------ c:\windows\uhipofevinuyozew.dll
2009-01-02 08:11 . 2009-01-02 08:11 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1MzQ5ODN8_
2009-01-02 08:11 . 2009-01-02 08:11 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
2009-01-02 07:47 . 2009-01-02 07:47 40,448 --a------ c:\windows\system32\k9261108.exe
2009-01-01 20:10 . 2009-01-02 07:47 40,448 --a------ c:\windows\Ndoxegadagakus.dll
2009-01-01 19:40 . 2009-01-01 19:40 72,192 --a------ c:\windows\system32\geBRKdcy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 20:57 --------- d-----w c:\program files\Java
2009-01-03 00:09 --------- d-----w c:\program files\proeWildfire 3.0
2009-01-02 23:00 --------- d-----w c:\program files\Google
2009-01-02 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-23 00:17 --------- d-----w c:\documents and settings\Paul Malmanger\Application Data\FileZilla
2008-12-22 15:59 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-12 16:04 --------- d-----w c:\program files\FileZilla FTP Client
2008-11-05 03:09 --------- d-----w c:\program files\Lavasoft
2008-11-05 03:09 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-05 03:07 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-04-15 14:20 56,912 ----a-w c:\documents and settings\Paul Malmanger\g2mdlhlpx.exe
2007-01-19 18:11 92,064 ----a-w c:\documents and settings\Paul Malmanger\mqdmmdm.sys
2007-01-19 18:11 9,232 ----a-w c:\documents and settings\Paul Malmanger\mqdmmdfl.sys
2007-01-19 18:11 79,328 ----a-w c:\documents and settings\Paul Malmanger\mqdmserd.sys
2007-01-19 18:11 66,656 ----a-w c:\documents and settings\Paul Malmanger\mqdmbus.sys
2007-01-19 18:11 6,208 ----a-w c:\documents and settings\Paul Malmanger\mqdmcmnt.sys
2007-01-19 18:11 5,936 ----a-w c:\documents and settings\Paul Malmanger\mqdmwhnt.sys
2007-01-19 18:11 4,048 ----a-w c:\documents and settings\Paul Malmanger\mqdmcr.sys
2007-01-19 18:11 25,600 ----a-w c:\documents and settings\Paul Malmanger\usbsermptxp.sys
2007-01-19 18:11 22,768 ----a-w c:\documents and settings\Paul Malmanger\usbsermpt.sys
2007-01-18 21:04 325,269,200 ----a-w c:\documents and settings\Paul Malmanger\MED-100NT-CD-350_M050_1OF3.zip
2007-01-18 16:50 576,590,076 ----a-w c:\documents and settings\Paul Malmanger\MED-100NT-CD-340_M240_1OF3.zip
2006-08-13 19:59 4,984,832 ----a-w c:\documents and settings\All Users\dwgconnector2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-02-28 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-01-11 684032]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Hroroyaqo"="c:\windows\Ndoxegadagakus.dll" [2009-01-02 40448]
"Vzadelukigateku"="c:\windows\uhipofevinuyozew.dll" [2009-01-02 134656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2007-11-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-02-27 25214]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-06-01 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ugngrs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 2.0\\bin\\proe.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\ptcvconf.exe"=
"c:\\Program Files\\PTC Collaboration Tools\\i486_nt\\obj\\csd.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\PTC Collaboration Tools\\i486_nt\\obj\\ptcvconf.exe"=
"c:\\Program Files\\PTC Collaboration Tools\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\UGS\\NX 4.0\\UGII\\ugraf.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\proeWildfire 3.0\\bin\\proe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"21:TCP"= 21:TCP:FTP

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-07-06 58016]
R4 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\program files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe [2005-10-27 962560]
S3 GrooveInstallerService;Groove Installer Service;c:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2006-07-05 104523]
S3 muIO;muIO;c:\windows\system32\muIO.sys [2006-07-06 2944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94beda4-7a83-11db-893a-0016415dc2a4}]
\Shell\AutoRun\command - E:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-03 c:\windows\Tasks\wujvxieg.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ssqrRkHB.dll
BHO-{6f63faf3-602e-48ee-b0c9-6bd831b7d449} - c:\windows\system32\ugngrs.dll
BHO-{A6DD1407-E6B3-4417-8B61-9C7EDAB09944} - c:\windows\system32\efcARhiG.dll
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
HKU-Default-Run-msiexec.exe - msiconf.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ssqrRkHB.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C45266B-1BCE-4E0B-9860-E4CCC595524A} = 64.21.232.2,64.21.232.3

O16 -: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://c:\program files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
FF - ProfilePath - c:\documents and settings\Paul Malmanger\Application Data\Mozilla\Firefox\Profiles\6vld9mdd.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 15:57:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\UGS\License Servers\UGNXFLEXlm\uglmd.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-03 16:05:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 22:05:55

Pre-Run: 26,742,366,208 bytes free
Post-Run: 29,863,178,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

297 --- E O F --- 2008-12-19 09:01:18
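The entries in the Reg Loading Points section above that account for the symptoms in the opening post: the AppInit_DLLs value naming ugngrs.dll (user32.dll loads every DLL listed there into each process that maps it, which is how one DLL reaches every browser and the scanner's own processes), the three Security Center values that suppress the antivirus and update warnings and mark antivirus as user-monitored, EnableFirewall=0 for the standard profile, a scheduled task with a meaningless name whose action is rundll32.exe, and BHO and ShellExecuteHooks entries pointing at randomly named DLLs dropped straight into system32. The script below is an added example, not part of the thread and not ComboFix's own code; it runs exactly those checks over a trimmed copy of the log lines above and prints one finding per entry. The key paths and value spellings (dword:00000001, 0 (0x0), the date-prefixed .job lines) are taken from this log; nothing else is assumed.

```python
"""Triage checks over a ComboFix 'Reg Loading Points' excerpt.

Added example for this thread; it is not part of the original post and
not ComboFix's own code.  SAMPLE_LOG is a constructed excerpt: the lines
are copied from the ComboFix log posted above and trimmed to what the
checks need.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ugngrs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-03 c:\windows\Tasks\wujvxieg.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

- - - - ORPHANS REMOVED - - - -

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ssqrRkHB.dll
BHO-{6f63faf3-602e-48ee-b0c9-6bd831b7d449} - c:\windows\system32\ugngrs.dll
HKU-Default-Run-msiexec.exe - msiconf.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ssqrRkHB.dll
"""

# Registry keys exactly as ComboFix prints them (compared case-insensitively).
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SECCENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)$", re.IGNORECASE)
ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|ShellExecuteHooks|HKLM-Run|HKU-Default-Run)-(?P<id>\S+)\s+-\s+(?P<path>.+)$")


def parse_registry_blocks(log: str) -> Dict[str, Dict[str, str]]:
    """Map each '[key]' block to {value name: raw value}; a blank line ends a block."""
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("key").lower()
            blocks.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if current is not None and val:
            blocks[current][val.group("name")] = val.group("value").strip()
    return blocks


def dword_value(raw: str) -> Optional[int]:
    """ComboFix prints DWORDs either as 'dword:00000001' or as '0 (0x0)'."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", raw)
    return int(m.group(1)) if m else None


def triage(log: str) -> List[str]:
    """Return one finding per persistence or defence-evasion entry in the log."""
    findings: List[str] = []
    blocks = parse_registry_blocks(log)

    # user32.dll loads every DLL listed here into each process that maps it.
    appinit = blocks.get(APPINIT_KEY, {}).get("AppInit_DLLs", "").strip('" ')
    if appinit:
        findings.append(f"AppInit_DLLs injects {appinit} into every process that loads user32.dll")

    # *DisableNotify=1 hides the 'antivirus/updates off' balloons; AntiVirusOverride=1
    # tells Security Center the user is monitoring antivirus status themselves.
    for name, raw in blocks.get(SECCENTER_KEY, {}).items():
        if name.endswith(("DisableNotify", "Override")) and dword_value(raw) == 1:
            findings.append(f"Security Center {name}=1 silences a warning the user should see")

    if dword_value(blocks.get(FIREWALL_KEY, {}).get("EnableFirewall", "")) == 0:
        findings.append("Windows Firewall is disabled for the standard profile")

    lines = [l.strip() for l in log.splitlines()]
    for i, line in enumerate(lines):
        # A task whose action is bare rundll32.exe hides its real payload inside the .job file.
        task = TASK_RE.match(line)
        if task and i + 1 < len(lines) and lines[i + 1].lower().startswith(
                "- c:\\windows\\system32\\rundll32.exe"):
            findings.append(f"scheduled task {task.group('job')} runs rundll32.exe; "
                            "open the .job to see which DLL it loads")
        # Browser helper objects and shell hooks normally live under Program Files;
        # a DLL dropped straight into system32 deserves a look.
        orphan = ORPHAN_RE.match(line)
        if orphan and "\\system32\\" in orphan.group("path").lower():
            findings.append(f"{orphan.group('kind')} {orphan.group('id')} -> {orphan.group('path')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To run it against a full ComboFix log, replace SAMPLE_LOG with the file contents. The checks are deliberately conservative: a key that is absent from the log (ComboFix omits default values) produces no finding, so a clean log prints nothing.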

#4 kahdah (Security Colleague)

Posted 03 January 2009 - 07:28 PM

I would like for you to submit some files for me to analyze.

I will need you to show hidden files\folders so we can find the files.
To Set:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
Now: using Windows Explorer (to get there right-click your Start button and go to "Explore")
Then navigate to these locations and upload the following files.

c:\windows\system32\kjocyfne.exe
c:\windows\system32\k9261108.exe


Click Here to upload the files please.
===========
After that, please download DirLook by jpshortstuff from one of the following mirrors: Link 1, Link 2, Link 3.
  • Double-click DirLook.exe to run it (Vista Users should right-click and select Run As Administrator...).
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1MzQ5ODN8_
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)
Note: Scanning may take longer for large folders.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 BoboBriskey (Topic Starter)

Posted 03 January 2009 - 08:15 PM

I uploaded the file kjocyfne.exe. The other was deleted by McAfee VirusScan.

Thanks again for your help. I appreciate your time.

Here are the results of DirLook:

DirLook.exe v2.0 by jpshortstuff
Log created at 19:11 on 03/01/2009
==================================
Contents of "c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1MzQ5ODN8_"

---FOLDERS---

(none found)

---FILES---

spl.ini (4400 bytes - created on 02/01/2009 at 14:11, modified on 02/01/2009 at 14:11) --a---

==================================
=EOF=

#6 BoboBriskey (Topic Starter)

Posted 03 January 2009 - 09:56 PM

Here's some more info for you. These have all been found and deleted or blocked by McAfee after the ComboFix run.

Detected as Trojans and deleted:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP701\A0136248.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP701\A0136272.exe
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP701\A0136281.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP701\A0136284.dll
C:\WINDOWS\system32\geBRKdcy.dll
C:\WINDOWS\system32\k9261108.exe

There was also this one that was blocked. It was detected as bo:heap; detection type was Buffer Overflow:

C:\WINDOWS\explorer.exe::VirtualProtect

#7 kahdah (Security Colleague)

Posted 04 January 2009 - 08:49 AM

No problem.

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\kjocyfne.exe
c:\windows\uhipofevinuyozew.dll
c:\windows\system32\k9261108.exe
c:\windows\Ndoxegadagakus.dll
c:\windows\system32\geBRKdcy.dll
c:\windows\Tasks\wujvxieg.job


Folder::
c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1MzQ5ODN8_
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus

ADS::
C:\WINDOWS\explorer.exe::VirtualProtect

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not reproduced]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

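The script above removes the files, the two folders and the AppInit_DLLs value, but the Run values that loaded the two DLLs under c:\windows through rundll32 are not in it. Until something clears them, each logon produces a RUNDLL "The specified module could not be loaded" box per entry, and ComboFix removes such entries on its next pass and lists them under ORPHANS REMOVED; a Run value whose target it cannot resolve it prints with an [X] suffix (read here as "target not found"). The following is an added example, not part of the thread and not ComboFix's own code: it parses those two conventions from a log excerpt and reports every autostart entry whose target no longer exists, using a constructed set of present files in place of the real disk. One caveat on the ADS:: line: McAfee VirusScan writes its bo:heap buffer-overflow events as process::API, so C:\WINDOWS\explorer.exe::VirtualProtect names the VirtualProtect call it intercepted inside explorer.exe (post #6 shows it with detection type Buffer Overflow). That is the same spelling as an NTFS alternate data stream, so confirm with a stream-listing tool before treating it as one.

```python
"""Report autostart entries whose target file is gone.

Added example for this thread; not part of the original posts and not
ComboFix's own code.  SAMPLE_LOG is a constructed excerpt copied from the
second ComboFix log in this thread; PRESENT is a constructed stand-in for
the file system after the CFScript deleted the two DLLs.
"""
import re
from typing import Callable, List, NamedTuple

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Hroroyaqo - c:\windows\Ndoxegadagakus.dll
HKLM-Run-Vzadelukigateku - c:\windows\uhipofevinuyozew.dll
"""

# Constructed: the files assumed to still exist after the CFScript ran.
PRESENT = {
    r"c:\windows\system32\wltray.exe",
    r"c:\windows\system32\nvhotkey.dll",
}


class Entry(NamedTuple):
    name: str
    target: str             # path ComboFix reports for the value, lower-cased
    combofix_missing: bool  # ComboFix printed [X]: it could not resolve the target


# "Name"="value" [info]  where info is "date size", "date resolved-path" or "X"
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
# Entries ComboFix itself removed because their target no longer existed
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$")


def parse_autostarts(log: str) -> List[Entry]:
    """Collect Run values and removed orphans with the path each one points at."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            info = run.group("info").strip()
            parts = info.split(None, 1)
            if info == "X":
                # Not found by ComboFix. The data may not even be a path
                # (ShowLOMControl above holds a number), so a human still looks.
                entries.append(Entry(run.group("name"), run.group("value").lower(), True))
            elif len(parts) == 2 and ":\\" in parts[1]:
                # Bare file name in the value; ComboFix resolved it to a full path.
                entries.append(Entry(run.group("name"), parts[1].lower(), False))
            else:
                entries.append(Entry(run.group("name"), run.group("value").lower(), False))
            continue
        orphan = ORPHAN_RE.match(line)
        if orphan:
            entries.append(Entry(orphan.group("name"), orphan.group("path").lower(), False))
    return entries


def dangling(log: str, exists: Callable[[str], bool]) -> List[Entry]:
    """Entries whose target is absent; each DLL-based one yields a RUNDLL
    'specified module could not be loaded' box at the next logon."""
    return [e for e in parse_autostarts(log) if e.combofix_missing or not exists(e.target)]


if __name__ == "__main__":
    for entry in dangling(SAMPLE_LOG, lambda path: path in PRESENT):
        print(f"{entry.name}: {entry.target} (ComboFix [X]={entry.combofix_missing})")
```

On a live machine, pass os.path.exists as the exists callback instead of the PRESENT lookup; the parser is the same. The point of keeping the [X] flag separate from the existence check is that a second ComboFix run, or any tool that deletes the file but not the value, leaves entries the log no longer marks but that still fire at logon.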

#8 BoboBriskey (Topic Starter)

Posted 04 January 2009 - 10:47 AM

A couple of error messages came up after the reboot.

A small box with RUNDLL in the upper left corner and a red X below with the following errors:

Error loading C:\WINDOWS\uhipofevinuyozew.dll
The specified module could not be loaded.

and

Error loading C:\Windows\Ndoxegadagakus.dll
The specified module could not be loaded.

There was also a complaint in the task bar from Google search about the search settings getting changed. I did nothing with this.

Again, thanks a lot for your help. The computer feels like it is getting better already. I am now able to use it to access BleepingComputer and leave this post. A little less sneaker netting at least :thumbsup:

Here are the ComboFix and HijackThis logs:

ComboFix 09-01-02.01 - Paul Malmanger 2009-01-04 9:15:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1213 [GMT -6:00]
Running from: c:\documents and settings\Paul Malmanger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Malmanger\Desktop\CFScript.txt
 * Created a new restore point
 * Resident AV is active


FILE ::
c:\windows\Ndoxegadagakus.dll
c:\windows\system32\geBRKdcy.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\kjocyfne.exe
c:\windows\Tasks\wujvxieg.job
c:\windows\uhipofevinuyozew.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ndoxegadagakus.dll
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1MzQ5ODN8_
c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1MzQ5ODN8_\spl.ini
c:\windows\system32\kjocyfne.exe
c:\windows\Tasks\wujvxieg.job
c:\windows\uhipofevinuyozew.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-04 09:13 . 2009-01-04 09:13 <DIR> d-------- C:\32788R22FWJFW
2009-01-03 22:28 . 2009-01-03 23:25 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-03 14:58 . 2009-01-03 14:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 14:58 . 2009-01-03 14:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-03 14:25 . 2009-01-03 14:25 16,168,344 --a------ C:\jre-6u11-windows-i586-p.exe
2009-01-03 12:26 . 2009-01-03 12:26 <DIR> d-------- c:\program files\Opera
2009-01-03 12:21 . 2009-01-03 12:11 5,619,080 --a------ C:\Opera_963_en_Setup.exe
2009-01-02 22:16 . 2009-01-02 22:16 <DIR> d-------- c:\documents and settings\Paul Malmanger\Application Data\SanDisk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-01-04 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-03 20:57 --------- d-----w c:\program files\Java
2009-01-03 00:09 --------- d-----w c:\program files\proeWildfire 3.0
2009-01-02 23:00 --------- d-----w c:\program files\Google
2008-12-23 00:17 --------- d-----w c:\documents and settings\Paul Malmanger\Application Data\FileZilla
2008-12-12 16:04 --------- d-----w c:\program files\FileZilla FTP Client
2008-11-05 03:09 --------- d-----w c:\program files\Lavasoft
2008-11-05 03:09 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-05 03:07 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-04-15 14:20 56,912 ----a-w c:\documents and settings\Paul Malmanger\g2mdlhlpx.exe
2007-01-19 18:11 92,064 ----a-w c:\documents and settings\Paul Malmanger\mqdmmdm.sys
2007-01-19 18:11 9,232 ----a-w c:\documents and settings\Paul Malmanger\mqdmmdfl.sys
2007-01-19 18:11 79,328 ----a-w c:\documents and settings\Paul Malmanger\mqdmserd.sys
2007-01-19 18:11 66,656 ----a-w c:\documents and settings\Paul Malmanger\mqdmbus.sys
2007-01-19 18:11 6,208 ----a-w c:\documents and settings\Paul Malmanger\mqdmcmnt.sys
2007-01-19 18:11 5,936 ----a-w c:\documents and settings\Paul Malmanger\mqdmwhnt.sys
2007-01-19 18:11 4,048 ----a-w c:\documents and settings\Paul Malmanger\mqdmcr.sys
2007-01-19 18:11 25,600 ----a-w c:\documents and settings\Paul Malmanger\usbsermptxp.sys
2007-01-19 18:11 22,768 ----a-w c:\documents and settings\Paul Malmanger\usbsermpt.sys
2007-01-18 21:04 325,269,200 ----a-w c:\documents and settings\Paul Malmanger\MED-100NT-CD-350_M050_1OF3.zip
2007-01-18 16:50 576,590,076 ----a-w c:\documents and settings\Paul Malmanger\MED-100NT-CD-340_M240_1OF3.zip
2006-08-13 19:59 4,984,832 ----a-w c:\documents and settings\All Users\dwgconnector2.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-03_16.05.13.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-03 21:37:20 73,198 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-03 22:01:06 73,198 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-03 21:37:20 428,972 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-03 22:01:06 428,972 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-04 15:21:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_154.dat
+ 2009-01-04 15:21:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_234.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-02-28 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-01-11 684032]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2007-11-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-02-27 25214]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-06-01 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 2.0\\bin\\proe.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\ptcvconf.exe"=
"c:\\Program Files\\PTC Collaboration Tools\\i486_nt\\obj\\csd.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\PTC Collaboration Tools\\i486_nt\\obj\\ptcvconf.exe"=
"c:\\Program Files\\PTC Collaboration Tools\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 3.0\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\UGS\\NX 4.0\\UGII\\ugraf.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\proeWildfire 3.0\\bin\\proe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"21:TCP"= 21:TCP:FTP

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-07-06 58016]
R4 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\program files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe [2005-10-27 962560]
S3 GrooveInstallerService;Groove Installer Service;c:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2006-07-05 104523]
S3 muIO;muIO;c:\windows\system32\muIO.sys [2006-07-06 2944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94beda4-7a83-11db-893a-0016415dc2a4}]
\Shell\AutoRun\command - E:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Hroroyaqo - c:\windows\Ndoxegadagakus.dll
HKLM-Run-Vzadelukigateku - c:\windows\uhipofevinuyozew.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0C45266B-1BCE-4E0B-9860-E4CCC595524A} = 64.21.232.2,64.21.232.3

O16 -: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://c:\program files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
FF - ProfilePath - c:\documents and settings\Paul Malmanger\Application Data\Mozilla\Firefox\Profiles\6vld9mdd.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 09:22:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1128)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\UGS\License Servers\UGNXFLEXlm\uglmd.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-04 9:28:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 15:28:10
ComboFix2.txt 2009-01-03 22:05:59

Pre-Run: 30,554,423,296 bytes free
Post-Run: 30,587,850,752 bytes free

263 --- E O F --- 2008-12-19 09:01:18

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:08 AM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\uglmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to gmw6.exe.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151692714062
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://crenlo.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C45266B-1BCE-4E0B-9860-E4CCC595524A}: NameServer = 64.21.232.2,64.21.232.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14868 bytes
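A HijackThis log like the one above is read by hand, section by section, and the helper's first pass is always the same: startup-folder shortcuts whose target HijackThis could not resolve (the `= ?` entries under O4), the O17 NameServer value (a replaced resolver is one way "certain sites" become unreachable), and O23 services with no publisher or a missing binary. The script below is an added example that is not part of this thread or of HijackThis itself; it runs that first pass over log text and returns review items, not verdicts. The sample is constructed in the v2.0.2 log format using lines of the same shape as the log above, and the expected resolver set is a hypothetical placeholder that you would replace with the resolvers the machine is supposed to use.

```python
import re
from dataclasses import dataclass

# Resolvers this machine is expected to use. Hypothetical placeholder (an RFC 5737
# documentation address); fill in the ISP's or the corporate resolvers in practice.
EXPECTED_NAMESERVERS = {"192.0.2.53"}

# Constructed sample in HijackThis v2.0.2 log format (same shape as the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: Shortcut to gmw6.exe.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C45266B-1BCE-4E0B-9860-E4CCC595524A}: NameServer = 64.21.232.2,64.21.232.3
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE (file missing)
O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section id: "O4", "O17" or "O23"
    reason: str
    line: str


O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_hjt(log_text, expected_nameservers=EXPECTED_NAMESERVERS):
    """Return the log lines a helper would look at first, each with the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue

        m = O4_RE.match(line)
        if m and m.group("where").endswith("Startup") and m.group("rest").endswith("= ?"):
            # A .lnk in a Startup folder whose target HijackThis could not resolve:
            # the target has to be checked by hand before the entry is trusted.
            findings.append(Finding("O4", "startup shortcut with unresolved target (= ?)", line))
            continue

        m = O17_RE.match(line)
        if m:
            servers = m.group("servers").split(",")
            unexpected = [s for s in servers if s not in expected_nameservers]
            if unexpected:
                # Resolver the machine was not expected to use; verify who operates it.
                findings.append(Finding("O17", "NameServer not in expected set: " + ", ".join(unexpected), line))
            continue

        m = O23_RE.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                findings.append(Finding("O23", "service binary missing", line))
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", "service has no publisher (Unknown owner)", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Every finding is something to look up (the shortcut's real target, the resolver's operator, the service's installer), not a reason to delete the entry: the log above has legitimate `= ?` shortcuts and legitimate "Unknown owner" services alongside the ones that needed attention.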

#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender: Male
  • Location: Florida

Posted 04 January 2009 - 12:45 PM

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#10 BoboBriskey

  • Topic Starter
  • Members
  • 11 posts

Posted 04 January 2009 - 07:01 PM

That was a long one.  It took about 4 hours.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Sunday, January 4, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Sunday, January 04, 2009 09:59:52
 Records in database: 1557877
--------------------------------------------------------------------------------

Scan settings:
 Scan using the following database: extended
 Scan archives: yes
 Scan mail databases: yes

Scan area - My Computer:
 C:\
 D:\

Scan statistics:
 Files scanned: 356262
 Threat name: 15
 Infected objects: 22
 Suspicious objects: 0
 Duration of the scan: 03:54:48


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\Ndoxegadagakus.dll.vir Infected: Trojan-Downloader.Win32.Agent.azcz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\addiqc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fqr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cowtrdto.dll.vir Infected: Trojan.Win32.Monder.agtu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmqlt.sys.vir Infected: Packed.Win32.Krap.e 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcARhiG.dll.vir Infected: Trojan.Win32.Monder.agwe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gnwxuski.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fqr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\itucypsy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fqr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\okkpsd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fqb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sbmichem.dll.vir Infected: Trojan.Win32.Monder.agmv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekalmylkixo.dll.vir Infected: Trojan.Win32.Agent.aykk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\shakmskl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fqb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqrRkHB.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ugngrs.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fqr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\urqRIyXR.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File 1
C:\quarantine\game.class-be78a07-5e6a8243.class.Vir Infected: Exploit.Java.Gimsh.a 1
C:\quarantine\loaderadv626.jar-7faef7c5-3b7d9df7.zip.Vir Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\quarantine\loaderadv626.jar-7faef7c5-3b7d9df7.zip.Vir Infected: Trojan.Java.ClassLoader.h 1
C:\quarantine\loaderadv626.jar-7faef7c5-3b7d9df7.zip.Vir Infected: Trojan.Java.ClassLoader.d 1
C:\quarantine\version.jar-4d048a14-10264305.zip.Vir Infected: Trojan.Java.ClassLoader.ao 3

The selected area was scanned.

#11 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender: Male
  • Location: Florida

Posted 04 January 2009 - 08:04 PM

Looks good. Please delete everything in this folder:
C:\quarantine

The rest was stuff ComboFix took out, and it is in ComboFix's quarantine folder, Qoobox.
We will remove that down below:
=======================
Cleanup:

Please download OTCleanIt from here and save it to your desktop.
Double-click OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove the tools we used.
===============
Delete/uninstall anything else that we have used.

Including this folder C:\Rsit

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that, your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber-powerful tool which can search for and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.
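The judgement in the post above is that every detection in the Kaspersky report sits in ComboFix's Qoobox quarantine or in C:\quarantine, so the machine is holding inert copies rather than running code. The script below is an added example, not part of the thread and not a Kaspersky or ComboFix tool; it makes that check mechanical by parsing the report's statistics and detection lines, sorting hits into EICAR test files, quarantined copies and files outside any quarantine folder, and confirming that the per-file counts add up to the header's "Infected objects" total. The quarantine folder list is taken from the post; the sample report is constructed in the scanner's format from lines like those above, and its last detection line is hypothetical, present only so the live-file branch is exercised.

```python
import re
from dataclasses import dataclass

# Folders whose contents are quarantined copies, not running code: ComboFix's
# quarantine (Qoobox) and the C:\quarantine folder named in the post above.
QUARANTINE_DIRS = ("c:\\qoobox\\quarantine\\", "c:\\quarantine\\")

# Constructed sample in the Kaspersky Online Scanner 7 report format. The final
# detection line is hypothetical, added so the "active" branch is exercised.
SAMPLE_REPORT = r"""
Scan statistics:
 Files scanned: 356262
 Threat name: 6
 Infected objects: 9
 Suspicious objects: 0

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\cowtrdto.dll.vir Infected: Trojan.Win32.Monder.agtu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmqlt.sys.vir Infected: Packed.Win32.Krap.e 1
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File 1
C:\quarantine\version.jar-4d048a14-10264305.zip.Vir Infected: Trojan.Java.ClassLoader.ao 3
C:\quarantine\loaderadv626.jar-7faef7c5-3b7d9df7.zip.Vir Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\user\Local Settings\Temp\example.tmp Infected: Trojan.Win32.Example.a 2

The selected area was scanned.
"""


@dataclass
class Detection:
    path: str
    threat: str
    count: int


# " Infected objects: 22" style statistics lines (integer values only).
STAT_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+): (?P<value>\d+)\s*$")
# "<path> Infected: <threat name> <count>"; the path may contain spaces.
DETECTION_RE = re.compile(r"^(?P<path>\S.*?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")


def parse_report(text):
    """Return (statistics dict, list of Detection) from report text."""
    stats, detections = {}, []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key").strip()] = int(m.group("value"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m.group("path"), m.group("threat"), int(m.group("count"))))
    return stats, detections


def classify(detections, quarantine_dirs=QUARANTINE_DIRS):
    """Split detections into EICAR test files, quarantined copies and live files."""
    groups = {"test_files": [], "quarantined": [], "active": []}
    for d in detections:
        if d.threat == "EICAR-Test-File":
            groups["test_files"].append(d)  # harmless by definition, wherever it lives
        elif d.path.lower().startswith(quarantine_dirs):
            groups["quarantined"].append(d)
        else:
            groups["active"].append(d)  # outside every quarantine: needs action
    return groups


def counts_match(stats, detections):
    """Sanity check: the listed threat counts add up to the header's total."""
    return sum(d.count for d in detections) == stats.get("Infected objects")


if __name__ == "__main__":
    stats, dets = parse_report(SAMPLE_REPORT)
    groups = classify(dets)
    print("counts consistent:", counts_match(stats, dets))
    for name, items in groups.items():
        print(f"{name}: {len(items)}")
        for d in items:
            print(f"  {d.path}  [{d.threat} x{d.count}]")
```

When "active" is empty and the counts agree, the report supports the "looks good" reading; anything in "active" is a file the earlier tools did not reach and is the first thing to report back.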

#12 BoboBriskey

  • Topic Starter
  • Members
  • 11 posts

Posted 04 January 2009 - 09:40 PM

I got everything cleaned up and I think I have things locked down for now. 

:thumbsup:   :) Thanks for all your help :) :)

#13 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender: Male
  • Location: Florida

Posted 05 January 2009 - 08:06 AM

You are welcome :thumbsup:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.