Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP freezes if not in safe mode/NTAuthority\System error


  • This topic is locked This topic is locked
9 replies to this topic

#1 oxygenetc

oxygenetc

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 06 January 2009 - 11:57 PM

Hello All,

First, thanks for being here! System is XP SP3.

This is a friend's restaurant pc that has, I believe, been infected. Internet is not available although it is connected. I think I need to download LSP fix but I'll get to that later. When I boot, I get an AVG error: "Connection to service failed. Please reinstall AVG Anti-Spyware 7.5." I was actually lucky to be able to run the dds scan as the pc usually freezes if not in safe mode. Also, while in safe mode, I received an error:"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM." and something about DCOM but the box went blank and the pc locked up. One more symptom, occasionally a browser will launch by itself. Please help, keeping in mind that I will be transferring files from one pc to the infected since I cannot access the internet.

Without further ado, here's the dds.txt:


DDS (Version 1.1.0) - NTFSx86
Run by Aloha at 23:32:28.92 on 06/01/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1775.1341 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Aloha\BACKOF~1\License\FSSecS.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\No-IP\DUC20.exe
C:\Aloha\ftp\PollCheck.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {52ca4169-4165-40ed-9a0a-4666f59275bc} - c:\windows\system32\pmnoLcDU.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
EB: ShopperReports: {2178c864-b8bc-41ae-a1fb-eb6a32f87eb1} - c:\program files\shopperreports\bin\2.0.20\ShprRprt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\owner\mydocu~1\startup\no-ipd~1.lnk - c:\program files\no-ip\DUC20.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\alohad~1.lnk - c:\aloha\backoffice\ds\Dsoli08.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\temp\ntdll64.dll
Notify: igfxcui - igfxsrvc.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnoLcDU

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gvgzwc8r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - HiddenExtension: XUL Cache: {4D1CD216-6330-4966-AB36-EA5B4CB70D66} - c:\documents and settings\owner\local settings\application data\{4D1CD216-6330-4966-AB36-EA5B4CB70D66}

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-12 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-1-12 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-1-12 27776]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-12 3968]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-1-12 10760]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-1-12 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-1-12 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-1-12 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-1-12 4960]
R4 EdcSvr;EdcSvr;c:\aloha\bin\EdcSvr.exe [2004-12-13 3678208]
R4 FSSecurityServer;Fastech Security Server;c:\aloha\backof~1\license\FSSecS.exe [2005-1-27 105472]
R4 PollCheck;Radiant Heartbeat;c:\aloha\ftp\PollCheck.exe [2008-6-3 148992]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]
S4 CtlSvr;CtlSvr;c:\aloha\bin\CtlSvr.exe [2004-12-13 2527232]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]

=============== Created Last 30 ================

2009-01-06 04:09 111,616 a------- c:\windows\system32\ntdll64.exe
2009-01-06 03:39 502 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 03:39 111,616 ac------ c:\windows\system32\dllcache\userinit.exe
2009-01-06 01:38 4,785 a------- c:\windows\system32\warning.gif
2009-01-06 01:01 1 a------- c:\windows\system32\uniq.tll
2009-01-05 15:14 135,168 a------- c:\windows\ujuyetofiw.dll
2009-01-05 15:01 1,306,349 a--sh--- c:\windows\system32\twpdxjoy.ini
2009-01-05 15:01 89,600 a------- c:\windows\system32\yojxdpwt.dll
2009-01-05 15:01 133,632 a------- c:\windows\system32\lecyfy.dll
2009-01-05 15:01 133,632 a------- c:\windows\system32\axjnxtua.dll
2009-01-05 15:00 688,135 a--sh--- c:\windows\system32\UDcLonmp.ini2
2009-01-05 15:00 688,057 a--sh--- c:\windows\system32\UDcLonmp.ini
2009-01-05 15:00 289,280 a------- c:\windows\system32\pmnoLcDU.dll
2008-12-31 14:28 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-31 14:28 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-31 14:27 <DIR> --d----- c:\program files\iPod
2008-12-31 14:27 <DIR> --d----- c:\program files\iTunes
2008-12-31 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-01-06 03:39 111,616 a------- c:\windows\system32\userinit.exe
2008-11-13 14:32 299,008 -------- c:\windows\Setup1.exe
2008-11-13 14:32 73,216 a------- c:\windows\ST6UNST.EXE
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-01-15 10:10 1,443,213 a------- c:\docume~1\owner\applic~1\Install.dat
2001-10-26 07:24 21,504 a------- c:\program files\Iberspy.exe
2008-05-08 13:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050820080509\index.dat

============= FINISH: 23:33:15.51 ===============






AND the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:58 PM, on 06/01/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Aloha\BACKOF~1\License\FSSecS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\Aloha\ftp\PollCheck.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {52CA4169-4165-40ED-9A0A-4666F59275BC} - C:\WINDOWS\system32\pmnoLcDU.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Aloha Delivery-FB Interface.lnk = C:\Aloha\BackOffice\DS\Dsoli08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210267200109
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CtlSvr - Radiant Systems, Inc. - C:\Aloha\bin\Ctlsvr.EXE
O23 - Service: EdcSvr - Radiant Systems, Inc. - C:\Aloha\bin\Edcsvr.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Fastech Security Server (FSSecurityServer) - Aloha Technologies, LTD. - C:\Aloha\BACKOF~1\License\FSSecS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Radiant Heartbeat (PollCheck) - Radiant Systems - C:\Aloha\ftp\PollCheck.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - http://gallery.photo.net/photo/5293282-lg.jpg

--
End of file - 9280 bytes



Thanks for your help!!

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:32 AM

Posted 07 January 2009 - 04:11 AM

Hello Oxygenetc and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 oxygenetc

oxygenetc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 07 January 2009 - 08:50 AM

Thunder,

Thanks for your reply. I'll do this and post the logs this evening when I get home from work.

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:32 AM

Posted 07 January 2009 - 05:06 PM

Fine, Oxygenetc :thumbsup:

I'll be waiting for your logs.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 oxygenetc

oxygenetc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 07 January 2009 - 07:39 PM

Thunder, thanks again!

Well, as I said, there's something wrong with the internet...I think I read something about lspfix (?)...so recovery console wouldn't install nor could I disable avg (even though I killed the processes and the services). I tried stopping but combofix kept going. Here are the logs:


GooredFix v1.72 by jpshortstuff
Log created at 19:02 on 07/01/2009 running Option #2 (Aloha)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{4D1CD216-6330-4966-AB36-EA5B4CB70D66}"="C:\Documents and Settings\Owner\Local Settings\Application Data\{4D1CD216-6330-4966-AB36-EA5B4CB70D66}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Owner\Local Settings\Application Data\{4D1CD216-6330-4966-AB36-EA5B4CB70D66}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}"



...and the next one:


ComboFix 09-01-07.01 - Aloha 2009-01-07 19:19:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1775.1404 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\Install.dat
c:\program files\WinBudget
c:\windows\system32\axjnxtua.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekamnfndxxn.sys
c:\windows\system32\lecyfy.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\pmnoLcDU.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekapjuwodav.dll
c:\windows\system32\senekaygkdojfu.dll
c:\windows\system32\twpdxjoy.ini
c:\windows\system32\UDcLonmp.ini
c:\windows\system32\UDcLonmp.ini2
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\yojxdpwt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-07 01:07 . 2009-01-07 01:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-07 01:07 . 2009-01-07 01:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 03:39 . 2009-01-06 03:39 111,616 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-01-05 15:14 . 2009-01-05 15:14 135,168 --a------ c:\windows\ujuyetofiw.dll
2008-12-31 14:28 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-31 14:28 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-31 14:27 . 2008-12-31 14:28 <DIR> d-------- c:\program files\iTunes
2008-12-31 14:27 . 2008-12-31 14:27 <DIR> d-------- c:\program files\iPod
2008-12-31 14:27 . 2008-12-31 14:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-31 14:25 . 2008-12-31 14:26 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 13:00 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2009-01-07 03:58 --------- d-----w c:\program files\Yahoo!
2009-01-07 03:58 --------- d-----w c:\program files\Common Files\Scanner
2008-12-31 19:27 --------- d-----w c:\program files\Bonjour
2008-12-31 19:24 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-11 21:35 --------- d-----w c:\program files\Invoice by Click
2008-12-11 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-01 17:55 --------- d-----w c:\program files\Lavasoft
2008-12-01 17:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 19:32 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-13 19:32 299,008 ------w c:\windows\Setup1.exe
2008-11-13 14:56 --------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
2008-11-10 01:21 --------- d-----w c:\program files\Microsoft Works
2008-11-10 01:19 --------- d-----w c:\program files\Microsoft.NET
2008-11-08 18:39 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2001-10-26 12:24 21,504 ----a-w c:\program files\Iberspy.exe
2008-05-08 18:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050820080509\index.dat
.

------- Sigcheck -------

2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-06 03:39 111616 67412a22840f827b42bf5c7df8ea16f5 c:\windows\system32\userinit.exe
2009-01-06 03:39 111616 67412a22840f827b42bf5c7df8ea16f5 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 04:46:24 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 71,328 2005-12-12 18:37:28 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 406,016 2006-12-30 15:28:47 c:\program files\Grisoft\AVG Free\bak\avgcc.exe
----a-w 590,848 2008-10-17 13:47:09 c:\program files\Grisoft\AVG Free\avgcc.exe

----a-w 100,056 2006-04-11 14:03:51 c:\program files\SymNetDrv\bak\SNDMon.exe

----a-w 111,816 2004-11-11 04:15:31 c:\program files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe
----a-w 112,336 2007-01-04 21:38:18 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

----a-w 208,952 2004-08-04 12:00:00 c:\windows\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 12:00:00 c:\windows\ime\IMJP8_1\imjpmig.exe

----a-w 114,688 2003-04-07 07:07:38 c:\windows\system32\bak\hkcmd.exe

----a-w 155,648 2003-04-07 07:19:52 c:\windows\system32\bak\igfxtray.exe

----a-w 455,168 2004-08-04 12:00:00 c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 12:00:00 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-17 590848]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-05 6731312]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2004-06-20 630854]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 219136]

c:\documents and settings\Owner\My Documents\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2007-05-14 1172992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Aloha Delivery-FB Interface.lnk - c:\aloha\BackOffice\DS\Dsoli08.exe [2007-07-10 290816]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-15 21:02 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5800:TCP"= 5800:TCP:UVNC
"5900:TCP"= 5900:TCP:UltraVNC

R4 EdcSvr;EdcSvr;c:\aloha\BIN\EdcSvr.exe [2004-12-13 3678208]
R4 FSSecurityServer;Fastech Security Server;c:\aloha\BACKOF~1\License\FSSecS.exe [2005-01-27 105472]
R4 PollCheck;Radiant Heartbeat;c:\aloha\ftp\PollCheck.exe [2008-06-03 148992]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S4 CtlSvr;CtlSvr;c:\aloha\BIN\CtlSvr.exe [2004-12-13 2527232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d36c98d-9c36-11dc-aafb-00111141d5ef}]
\Shell\AutoRun\command - E:\SETUP.EXE
\Shell\VERB\COMMAND - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91b2cfcf-4b39-11dc-aac1-00111141d5ef}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8b8a5e7-2fc6-11d9-a939-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\ahdfmghk.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{EC564D85-B774-4CFB-9EDB-A13A1EC7EBE8} - c:\windows\system32\pmnoLcDU.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gvgzwc8r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 19:26:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\pcAnywhere\AWHOST32.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-07 19:33:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 00:33:01

Pre-Run: 21,834,194,944 bytes free
Post-Run: 23,355,514,880 bytes free

225 --- E O F --- 2008-12-18 08:00:50



Thanks again, Thunder!

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:32 AM

Posted 08 January 2009 - 05:53 PM

Hello Zaraph,

Download LSPFix and extract it to your desktop.
Close all windows on your computer.
Double click on Lspfix to run it.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "ntdll64.dll" into the remove box using the >> button.
Press the finish button.
A tutorial on this procedure can be found here : http://www.bleepingcomputer.com/tutorials/using-lsp-fix-to-remove-spyware/

Then, let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:http://www.bleepingcomputer.com/forums/t/192998/xp-freezes-if-not-in-safe-modentauthoritysystem-error/
Collect::[9]
c:\windows\ujuyetofiw.dll
File::
c:\windows\Tasks\ahdfmghk.job

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=9 :1. In the first window (Link to topic where this file was requested:) copy and paste this link :http://www.bleepingcomputer.com/forums/topic192998
2. In the second window (Browse to the file you want to submit: ) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button :thumbsup:
Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 oxygenetc

oxygenetc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 08 January 2009 - 10:49 PM

Thunder,

The ComboFix Log:


ComboFix 09-01-08.02 - Aloha 2009-01-08 22:31:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1775.1373 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\ahdfmghk.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\windows media player\mplayer2.exe
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\ahdfmghk.job
c:\windows\ujuyetofiw.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-07 01:07 . 2009-01-07 01:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-07 01:07 . 2009-01-07 01:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 14:28 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-31 14:28 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-31 14:27 . 2008-12-31 14:28 <DIR> d-------- c:\program files\iTunes
2008-12-31 14:27 . 2008-12-31 14:27 <DIR> d-------- c:\program files\iPod
2008-12-31 14:27 . 2008-12-31 14:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-31 14:25 . 2008-12-31 14:26 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 03:23 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-01-07 03:58 --------- d-----w c:\program files\Yahoo!
2009-01-07 03:58 --------- d-----w c:\program files\Common Files\Scanner
2008-12-31 19:27 --------- d-----w c:\program files\Bonjour
2008-12-31 19:24 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-11 21:35 --------- d-----w c:\program files\Invoice by Click
2008-12-11 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-01 17:55 --------- d-----w c:\program files\Lavasoft
2008-12-01 17:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 19:32 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-13 19:32 299,008 ------w c:\windows\Setup1.exe
2008-11-13 14:56 --------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
2008-11-10 01:21 --------- d-----w c:\program files\Microsoft Works
2008-11-10 01:19 --------- d-----w c:\program files\Microsoft.NET
2001-10-26 12:24 21,504 ----a-w c:\program files\Iberspy.exe
2008-05-08 18:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050820080509\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_19.31.15.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-06 08:39:33 111,616 -c--a-w c:\windows\system32\dllcache\userinit.exe
+ 2004-08-04 12:00:00 24,576 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2009-01-06 08:39:33 111,616 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 12:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 04:46:24 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 71,328 2005-12-12 18:37:28 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 406,016 2006-12-30 15:28:47 c:\program files\Grisoft\AVG Free\bak\avgcc.exe

----a-w 100,056 2006-04-11 14:03:51 c:\program files\SymNetDrv\bak\SNDMon.exe

----a-w 111,816 2004-11-11 04:15:31 c:\program files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe
----a-w 112,336 2007-01-04 21:38:18 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

----a-w 208,952 2004-08-04 12:00:00 c:\windows\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 12:00:00 c:\windows\ime\IMJP8_1\imjpmig.exe

----a-w 114,688 2003-04-07 07:07:38 c:\windows\system32\bak\hkcmd.exe

----a-w 155,648 2003-04-07 07:19:52 c:\windows\system32\bak\igfxtray.exe

----a-w 455,168 2004-08-04 12:00:00 c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 12:00:00 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-05 6731312]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2004-06-20 630854]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\Owner\My Documents\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2007-05-14 1172992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Aloha Delivery-FB Interface.lnk - c:\aloha\BackOffice\DS\Dsoli08.exe [2007-07-10 290816]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-15 21:02 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5800:TCP"= 5800:TCP:UVNC
"5900:TCP"= 5900:TCP:UltraVNC

R4 EdcSvr;EdcSvr;c:\aloha\BIN\EdcSvr.exe [2004-12-13 3678208]
R4 FSSecurityServer;Fastech Security Server;c:\aloha\BACKOF~1\License\FSSecS.exe [2005-01-27 105472]
R4 PollCheck;Radiant Heartbeat;c:\aloha\ftp\PollCheck.exe [2008-06-03 148992]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S4 CtlSvr;CtlSvr;c:\aloha\BIN\CtlSvr.exe [2004-12-13 2527232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d36c98d-9c36-11dc-aafb-00111141d5ef}]
\Shell\AutoRun\command - E:\SETUP.EXE
\Shell\VERB\COMMAND - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91b2cfcf-4b39-11dc-aac1-00111141d5ef}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8b8a5e7-2fc6-11d9-a939-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gvgzwc8r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 22:34:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\pcAnywhere\AWHOST32.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-01-08 22:41:09 - machine was rebooted [Aloha]
ComboFix-quarantined-files.txt 2009-01-09 03:41:06
ComboFix2.txt 2009-01-08 00:33:05

Pre-Run: 23,367,409,664 bytes free
Post-Run: 23,355,744,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

200 --- E O F --- 2008-12-18 08:00:50



and the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:38 PM, on 08/01/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Aloha\BACKOF~1\License\FSSecS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\No-IP\DUC20.exe
C:\Aloha\ftp\PollCheck.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\showme.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Aloha Delivery-FB Interface.lnk = C:\Aloha\BackOffice\DS\Dsoli08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210267200109
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CtlSvr - Radiant Systems, Inc. - C:\Aloha\bin\Ctlsvr.EXE
O23 - Service: EdcSvr - Radiant Systems, Inc. - C:\Aloha\bin\Edcsvr.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Fastech Security Server (FSSecurityServer) - Aloha Technologies, LTD. - C:\Aloha\BACKOF~1\License\FSSecS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Radiant Heartbeat (PollCheck) - Radiant Systems - C:\Aloha\ftp\PollCheck.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - http://gallery.photo.net/photo/5293282-lg.jpg

--
End of file - 7582 bytes


Well, I now have a live connection. I believe everything is clean. The pc has not caused any issues. Thank you very much! I uploaded the sample you requested. I suspect this not common malware? Do you know of this or what family of malware it is? I would like to know. Thanks for your help, Thunder! I'll check back to see if there is anything else I should know but it appears to be clean! :thumbsup:

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:32 AM

Posted 09 January 2009 - 06:46 PM

Hello Oxygenetc,

You were infected by one of the newest malware combinations.

Your logs look fine now. :thumbsup:

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update11.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windowsi586-p.exe to install the newest version.
No more issues ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 oxygenetc

oxygenetc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 12 January 2009 - 10:28 AM

No more issues...thanks a million, Thunder!

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:32 AM

Posted 12 January 2009 - 10:44 AM

Glad we could help, Oxygenetc :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users