Searchinspace


  • This topic is locked
19 replies to this topic

#1 caligula11

caligula11

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 07 January 2009 - 09:44 PM

Hi guys,
This is my first time posting and I've done all I know to do to get rid of my current infection. I'm not really sure what to call it exactly, but one of the symptoms is a hijacking that directs me to a series of "searchinspace" sites. I've read all your prep work tutorials and I hope I'm following all your guidelines appropriately.

My OS is XP SP2 and I think I have it up-to-date with all the necessary patches.

It started on Jan 1st and the first symptom was a system lockup at the signon page (the one that asks you to pick a user profile.) At that point, I noticed that our Symantec Live Update was not running. Then I noticed that it had put a couple of shortcut links with porn names on my desktop. I had to boot in safe mode to download malwarebytes, and that got rid of the porn icons and did allow for successful bootups outside of safe mode. But since then the lockups continue to occur, along with occasional hijacks to searchinspace. At this point I uninstalled Symantec (because I realized my corporate license for one home pc was no longer valid and my company had asked us to uninstall it from personal pcs.) I then loaded the trial version of Kaspersky. It cleaned up some stuff and pointed out some vulnerabilities (that I think I've now patched), but it hasn't nipped the problem in the bud.

Below are my DDS and Kaspersky scans, and I've attached the attach.txt file. In the Kaspersky scan, you will see the results of all the scans I've run over the past few days.

I'll sit tight and not touch anything else until you are able to take a look and advise me.

Thanks so much!
Leann


DDS (Version 1.1.0) - NTFSx86
Run by Larry at 22:29:46.60 on Tue 01/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.529 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\09YJOXE3\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [WinTouch] c:\documents and settings\larry\application data\wintouch\WinTouch.exe
uRun: [MalwareRemovalBot] c:\program files\malwareremovalbot\MalwareRemovalBot.exe -boot
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [hovym] c:\program files\msn gaming zone\hovym22011.exe
mRun: [svhost] "c:\windows\svhost.exe"
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SAV10]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvwmo~1.lnk - c:\program files\nikon\nkview4\NkVwMon.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: bmnet.dll
Trusted Zone: musicmatch.com\online
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2309660F-28A4-45E2-9E55-10C7A052874A} = 208.67.220.220,208.67.222.222
TCP: {9489EC3A-E9E6-4F61-8857-BD3314997DC0} = 208.67.220.220,208.67.222.222
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll sljnhc.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-3 227344]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R4 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-10-18 109080]

=============== Created Last 30 ================

2009-01-03 15:38 <DIR> --d----- c:\program files\Bonjour
2009-01-03 15:29 <DIR> --d----- c:\program files\common files\xing shared
2009-01-03 14:13 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-03 14:13 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-03 14:12 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-03 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-01-03 14:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-03 13:23 <DIR> --d----- c:\program files\ACNU
2009-01-03 12:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-03 12:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-02 15:24 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 00:13 <DIR> --d----- c:\docume~1\larry\applic~1\Malwarebytes
2009-01-02 00:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 00:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 00:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-01 23:59 <DIR> --d----- c:\docume~1\larry\applic~1\MalwareRemovalBot
2009-01-01 22:36 <DIR> --d----- c:\windows\source
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-03 15:29 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-12 12:27 3,067,392 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-11-11 19:58 25,601 a------- c:\windows\system32\drivers\klopp.dat
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 09:18 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2006-08-22 19:32 56 ---shr-- c:\windows\system32\17BB216DB4.sys
2006-10-27 21:49 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:30:24.40 ===============


Kaspersky scans:
Full Scan: completed 1/7/2009 8:42:20 PM (events: 12, objects: 350492, time: 00:45:54)
1/3/2009 2:20:09 PM Task completed
1/3/2009 2:18:29 PM Task started
Full Scan: completed 1/7/2009 8:42:20 PM (events: 12, objects: 350492, time: 00:45:54)
1/3/2009 2:27:28 PM Task started
1/3/2009 2:28:07 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\acrord32.exe
1/3/2009 2:28:14 PM Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
1/3/2009 2:31:48 PM Detected: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\20\57b210d4-25d47ad7/OP.class
1/3/2009 2:31:48 PM Untreated: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\20\57b210d4-25d47ad7/OP.class Postponed
1/3/2009 2:31:49 PM Detected: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\43\2f3e9deb-50c6ff06/vlocal.class
1/3/2009 2:31:49 PM Untreated: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\43\2f3e9deb-50c6ff06/vlocal.class Postponed
1/3/2009 2:33:06 PM Detected: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-79774e65.zip/vlocal.class
1/3/2009 2:33:06 PM Untreated: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-79774e65.zip/vlocal.class Postponed
1/3/2009 2:33:09 PM Detected: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-19c20b67-7c25341c.zip/OP.class
1/3/2009 2:33:09 PM Untreated: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-19c20b67-7c25341c.zip/OP.class Postponed
1/3/2009 2:44:37 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\i386\Flash.ocx
1/3/2009 2:46:23 PM Detected: http://www.viruslist.com/en/advisories/29293 c:\i386\QuickTime.qts
1/3/2009 2:46:43 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\i386\swflash.ocx
1/3/2009 2:48:02 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\acrord32.exe
1/3/2009 2:48:11 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\AcroRd32.bak
1/3/2009 2:49:06 PM Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\Common Files\AOL\Flasha.ocx
1/3/2009 2:52:40 PM Detected: http://www.viruslist.com/en/advisories/20001 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
1/3/2009 2:54:18 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\j2re1.4.2_03\bin\eula.dll
1/3/2009 2:57:12 PM Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
1/3/2009 2:57:47 PM Detected: http://www.viruslist.com/en/advisories/30336 c:\program files\Trillian\trillian.exe
1/3/2009 3:07:01 PM Detected: http://www.viruslist.com/en/advisories/26027 c:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\flash.ocx
1/3/2009 3:08:26 PM Detected: not-a-virus:AdWare.Win32.SuperJuan.fqb c:\WINDOWS\system32\cterurim.dll
1/3/2009 3:08:31 PM Untreated: not-a-virus:AdWare.Win32.SuperJuan.fqb c:\WINDOWS\system32\cterurim.dll Postponed
1/3/2009 3:08:33 PM Detected: Packed.Win32.PolyCrypt.d c:\WINDOWS\system32\fcccyXRk.dll/UPX
1/3/2009 3:08:33 PM Untreated: Packed.Win32.PolyCrypt.d c:\WINDOWS\system32\fcccyXRk.dll/UPX Postponed
1/3/2009 3:09:50 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\WINDOWS\system32\Macromed\Flash\swflash.ocx
1/3/2009 3:10:27 PM Detected: not-a-virus:AdWare.Win32.SuperJuan.fqb c:\WINDOWS\system32\cterurim.dll
1/3/2009 3:10:27 PM Untreated: not-a-virus:AdWare.Win32.SuperJuan.fqb c:\WINDOWS\system32\cterurim.dll Skipped by user
1/3/2009 3:10:27 PM Detected: Packed.Win32.PolyCrypt.d c:\WINDOWS\system32\fcccyXRk.dll/UPX
1/3/2009 3:10:31 PM Deleted: Packed.Win32.PolyCrypt.d c:\WINDOWS\system32\fcccyxrk.dll
1/3/2009 3:10:31 PM Detected: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\20\57b210d4-25d47ad7/OP.class
1/3/2009 3:10:31 PM Deleted: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\20\57b210d4-25d47ad7/OP.class
1/3/2009 3:10:31 PM Detected: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\43\2f3e9deb-50c6ff06/vlocal.class
1/3/2009 3:10:31 PM Deleted: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\6.0\43\2f3e9deb-50c6ff06/vlocal.class
1/3/2009 3:10:31 PM Detected: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-79774e65.zip/vlocal.class
1/3/2009 3:10:31 PM Deleted: Trojan-Downloader.Java.Agent.f c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-79774e65.zip/vlocal.class
1/3/2009 3:10:31 PM Detected: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-19c20b67-7c25341c.zip/OP.class
1/3/2009 3:10:31 PM Deleted: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-19c20b67-7c25341c.zip/OP.class
1/3/2009 3:10:32 PM Task completed
Full Scan: completed 1/7/2009 8:42:20 PM (events: 12, objects: 350492, time: 00:45:54)
1/3/2009 11:07:20 PM Task completed
1/3/2009 11:06:39 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\WINDOWS\system32\Macromed\Flash\swflash.ocx
1/3/2009 11:03:49 PM Detected: http://www.viruslist.com/en/advisories/26027 c:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\flash.ocx
1/3/2009 10:50:19 PM Detected: http://www.viruslist.com/en/advisories/31010 c:\program files\Java\j2re1.4.2_03\bin\eula.dll
1/3/2009 10:48:43 PM Detected: http://www.viruslist.com/en/advisories/20001 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
1/3/2009 10:44:35 PM Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\Common Files\AOL\Flasha.ocx
1/3/2009 10:43:05 PM Detected: http://www.viruslist.com/en/advisories/30832 c:\program files\adobe\Acrobat 7.0\Reader\AcroRd32.dll
1/3/2009 10:42:51 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\AcroRd32.bak
1/3/2009 10:41:53 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\i386\swflash.ocx
1/3/2009 10:41:28 PM Detected: http://www.viruslist.com/en/advisories/29293 c:\i386\QuickTime.qts
1/3/2009 10:39:56 PM Detected: http://www.viruslist.com/en/advisories/28083 c:\i386\Flash.ocx
1/3/2009 10:19:12 PM Task started
Full Scan: completed 1/7/2009 8:42:20 PM (events: 12, objects: 350492, time: 00:45:54)
1/6/2009 11:23:13 PM Task completed
1/6/2009 11:22:35 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\WINDOWS\system32\Macromed\Flash\swflash.ocx
1/6/2009 11:19:49 PM Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\flash.ocx
1/6/2009 11:07:09 PM Detected: http://www.viruslist.com/en/advisories/31010 C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
1/6/2009 11:05:37 PM Detected: http://www.viruslist.com/en/advisories/20001 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
1/6/2009 11:01:38 PM Detected: http://www.viruslist.com/en/advisories/26027 C:\Program Files\Common Files\AOL\Flasha.ocx
1/6/2009 11:00:17 PM Detected: http://www.viruslist.com/en/advisories/30832 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
1/6/2009 11:00:16 PM Detected: http://www.viruslist.com/en/advisories/26201 C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak
1/6/2009 10:58:51 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\i386\swflash.ocx
1/6/2009 10:58:30 PM Detected: http://www.viruslist.com/en/advisories/29293 C:\i386\QuickTime.qts
1/6/2009 10:56:47 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\i386\Flash.ocx
1/6/2009 10:37:34 PM Task started
Full Scan: completed 1/7/2009 8:42:20 PM (events: 12, objects: 350492, time: 00:45:54)
1/7/2009 7:56:26 PM Task started
1/7/2009 8:15:14 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\i386\Flash.ocx
1/7/2009 8:16:52 PM Detected: http://www.viruslist.com/en/advisories/29293 C:\i386\QuickTime.qts
1/7/2009 8:17:18 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\i386\swflash.ocx
1/7/2009 8:18:35 PM Detected: http://www.viruslist.com/en/advisories/26201 C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak
1/7/2009 8:18:37 PM Detected: http://www.viruslist.com/en/advisories/30832 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
1/7/2009 8:20:08 PM Detected: http://www.viruslist.com/en/advisories/26027 C:\Program Files\Common Files\AOL\Flasha.ocx
1/7/2009 8:24:15 PM Detected: http://www.viruslist.com/en/advisories/20001 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
1/7/2009 8:25:59 PM Detected: http://www.viruslist.com/en/advisories/31010 C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
1/7/2009 8:38:57 PM Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\flash.ocx
1/7/2009 8:41:41 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\WINDOWS\system32\Macromed\Flash\swflash.ocx
1/7/2009 8:42:20 PM Task completed



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 14 January 2009 - 03:17 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download GMER and Run a Scan
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 caligula11

caligula11
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 14 January 2009 - 08:33 PM

Hi Panda,
I am experiencing a couple of new symptoms to tell you about. I haven't made ANY other changes since my post, but over the past week the pc is really going haywire. I get frequent blue screens (I haven't kept track of the exact wording, but it is something along the lines of an error has occurred which is requiring the system to shut down.) Also, I now have this flashing warning message on my desktop, which seems like malware to me (see the attachment for a screenshot.)

Here are the new results of DDS:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Larry at 20:12:33.65 on Wed 01/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.600 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\N9C9NFRD\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBtQijH.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {d058dfe3-4ec6-0bb8-ec64-04cea29ea26b}: {b62ae92a-ec40-46ce-8bb0-6ce43efd850d} - c:\windows\system32\rlhtdf.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [WinTouch] c:\documents and settings\larry\application data\wintouch\WinTouch.exe
uRun: [MalwareRemovalBot] c:\program files\malwareremovalbot\MalwareRemovalBot.exe -boot
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [hovym] c:\program files\msn gaming zone\hovym22011.exe
mRun: [svhost] "c:\windows\svhost.exe"
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SAV10]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Framework Windows] frmwrk32.exe
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvwmo~1.lnk - c:\program files\nikon\nkview4\NkVwMon.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: bmnet.dll
Trusted Zone: musicmatch.com\online
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2309660F-28A4-45E2-9E55-10C7A052874A} = 208.67.220.220,208.67.222.222
TCP: {9489EC3A-E9E6-4F61-8857-BD3314997DC0} = 208.67.220.220,208.67.222.222
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: geBtQijH - geBtQijH.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll sljnhc.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll rlhtdf.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBtQijH.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-3 227344]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R4 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-10-18 109080]

=============== Created Last 30 ================

2009-01-14 20:12 124,928 a------- c:\windows\system32\rlhtdf.dll
2009-01-14 20:12 124,928 a------- c:\windows\system32\rqRIyVLb.dll
2009-01-14 19:06 124,928 a------- c:\windows\system32\kordmj.dll
2009-01-14 19:06 124,928 a------- c:\windows\system32\xxyxWNDU.dll
2009-01-14 19:01 35,328 a------- c:\windows\system32\geBtQijH.dll
2009-01-14 19:01 45,568 -------- c:\windows\system32\log.exe
2009-01-14 18:47 4,785 a------- c:\windows\system32\warning.gif
2009-01-14 18:47 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-14 18:47 111,616 a------- c:\windows\system32\ntdll64.exe
2009-01-14 18:47 1 a------- c:\windows\system32\uniq.tll
2009-01-14 18:47 1 a------- c:\windows\system32\test.ttt
2009-01-13 04:11 31,232 a------- c:\windows\system32\frmwrk32.exe
2009-01-13 04:11 31,232 a------- c:\windows\system32\pcload.exe
2009-01-07 20:35 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-03 15:38 <DIR> --d----- c:\program files\Bonjour
2009-01-03 15:29 <DIR> --d----- c:\program files\common files\xing shared
2009-01-03 14:13 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-03 14:13 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-03 14:12 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-03 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-01-03 14:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-03 13:23 <DIR> --d----- c:\program files\ACNU
2009-01-03 12:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-03 12:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-02 15:24 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 00:13 <DIR> --d----- c:\docume~1\larry\applic~1\Malwarebytes
2009-01-02 00:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 00:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 00:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-01 23:59 <DIR> --d----- c:\docume~1\larry\applic~1\MalwareRemovalBot
2009-01-01 22:36 <DIR> --d----- c:\windows\source

==================== Find3M ====================

2009-01-03 15:29 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-12 12:27 3,067,392 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2006-08-22 19:32 56 ---shr-- c:\windows\system32\17BB216DB4.sys
2006-10-27 21:49 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:13:24.71 ===============

I've attached the "attach" doc too.

I tried to run the GMER scan, but I get an error after it's been running for 20 seconds or so. Also in the attachment is a screenshot of that error.

Thanks so much for your help!
Leann

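The startup section of the DDS log above is where this infection shows itself: Run entries with a bare file name or an executable sitting directly in the Windows directory (svhost, Framework Windows, and the msiexec.exe entry in the .DEFAULT hive), a Winlogon Notify DLL and two AppInit_DLLs entries whose files all appear in the Created Last 30 list, and a DisableTaskMgr policy that locks the user out of Task Manager. As an added example (not DDS, OTMoveIt or BleepingComputer code), the following Python script applies exactly those checks to lines copied from the log. The directory and policy heuristics are my assumptions for illustration; the cleaned AppInit_DLLs value is computed from the log, and the tokenizer splits on spaces as well as commas because Windows honours both separators, which is how the two extra DLLs were hiding in an otherwise normal-looking value.

```python
"""Triage of DDS-style startup entries against the "Created Last 30" list.
Added example for this thread, not DDS/OTMoveIt/BleepingComputer code; sample
lines are copied from the DDS log above, the heuristics are my assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS log lines posted in the thread.
SAMPLE_LOG = r"""
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [svhost] "c:\windows\svhost.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Framework Windows] frmwrk32.exe
dRun: [msiexec.exe] msiconf.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: geBtQijH - geBtQijH.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll sljnhc.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll rlhtdf.dll
2009-01-14 20:12 124,928 a------- c:\windows\system32\rlhtdf.dll
2009-01-14 19:01 35,328 a------- c:\windows\system32\geBtQijH.dll
2009-01-13 04:11 31,232 a------- c:\windows\system32\frmwrk32.exe
"""

RUN_RE = re.compile(r"^([mud]Run): \[(.*?)\]\s*(.*)$")
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.+)$")
POLICY_RE = re.compile(r"^[mu]Policies-\w+: (\w+) = (\d+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")

# Assumptions: policies that lock the user out of their own diagnostic tools,
# and a directory where a legitimate service host would not live (the real
# svchost.exe is in system32, not directly in the Windows directory).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
SUSPICIOUS_DIRS = {"c:\\windows"}


@dataclass(frozen=True)
class Finding:
    kind: str    # Run, Policy, Notify or AppInit_DLLs
    name: str    # entry name, policy name or DLL
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] if "\\" in path else ""


def split_appinit(value: str) -> list[str]:
    # Windows accepts both commas and spaces as separators in AppInit_DLLs, so
    # a DLL glued onto a legitimate entry with a space is still loaded.
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def command_path(command: str) -> str:
    """Executable from a Run value: the quoted part, else up to the first
    .exe/.dll token (unquoted paths with spaces), else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def triage(log: str) -> list[Finding]:
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    # Files created in the last 30 days, keyed by lower-cased file name.
    recent = {basename(m.group(1)) for ln in lines if (m := CREATED_RE.match(ln))}
    findings: list[Finding] = []

    def check(kind: str, name: str, path: str, bare_msg: str) -> None:
        reasons = []
        if "\\" not in path:
            reasons.append(bare_msg)
        elif dirname(path) in SUSPICIOUS_DIRS:
            reasons.append(f"executable directly in {dirname(path)}")
        if basename(path) in recent:
            reasons.append(f"{basename(path)} was created in the last 30 days")
        if reasons:
            findings.append(Finding(kind, name, "; ".join(reasons)))

    for ln in lines:
        if (m := RUN_RE.match(ln)) and m.group(3):
            check("Run", m.group(2), command_path(m.group(3)),
                  "bare file name, resolved through the search path")
        elif (m := POLICY_RE.match(ln)) and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
            findings.append(Finding("Policy", m.group(1), "diagnostic tool disabled by policy"))
        elif m := NOTIFY_RE.match(ln):
            # Winlogon Notify DLLs are normally given by bare name, so only the
            # recent-file cross-reference is meaningful here.
            if basename(m.group(2)) in recent:
                findings.append(Finding("Notify", m.group(1),
                                        f"{basename(m.group(2))} was created in the last 30 days"))
        elif m := APPINIT_RE.match(ln):
            for entry in split_appinit(m.group(1)):
                check("AppInit_DLLs", entry, entry, "no directory component")
    return findings


def appinit_value(log: str) -> str:
    """The raw AppInit_DLLs value from the log ("" if absent)."""
    for ln in log.splitlines():
        if m := APPINIT_RE.match(ln.strip()):
            return m.group(1)
    return ""


def clean_appinit(value: str, findings: list[Finding]) -> str:
    """Rebuild AppInit_DLLs with the flagged entries removed and commas as the
    only separator, the form the OTMoveIt fix in this thread writes back."""
    flagged = {f.name for f in findings if f.kind == "AppInit_DLLs"}
    return ",".join(e for e in split_appinit(value) if e not in flagged)
```

Running `triage(SAMPLE_LOG)` returns seven findings: svhost, Framework Windows, msiexec.exe, DisableTaskMgr, geBtQijH, sljnhc.dll and rlhtdf.dll, while the Dell, Kaspersky and Intel entries pass; `clean_appinit(appinit_value(SAMPLE_LOG), findings)` yields the Google and Kaspersky DLLs only, which is the value the OTMoveIt log further down reports setting. The cross-reference with the Created Last 30 list is what makes the Notify entry stand out, since a bare DLL name is normal there.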

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 January 2009 - 08:24 AM

Hello.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Kaspersky Antivirus:
  • Navigate to the system tray in the bottom right-hand corner and look for a Posted Image sign.
  • Right-click it and select Pause Protection.
  • Click By User Request.
  • A popup will claim that protection is now disabled, and a sign like this will now be shown: Posted Image.
Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you also use the Firefox browser...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :processes
    explorer.exe
    iexplore.exe
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d058dfe3-4ec6-0bb8-ec64-04cea29ea26b}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinTouch"=-
    "MalwareRemovalBot"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "svhost"=-
    "SAV10"=-
    "Framework Windows"=-
    
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msiexec.exe"=-
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtQijH]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="c:\progra~1\google\google~1\goec62~1.dll ,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll"
    
    :files
    c:\windows\system32\rlhtdf.dll
    c:\windows\system32\rqRIyVLb.dll
    c:\windows\system32\kordmj.dll
    c:\windows\system32\xxyxWNDU.dll
    c:\windows\system32\geBtQijH.dll
    c:\windows\system32\log.exe
    c:\windows\system32\warning.gif
    c:\windows\system32\ahtn.htm
    c:\windows\system32\ntdll64.exe
    c:\windows\system32\uniq.tll
    c:\windows\system32\test.ttt
    c:\windows\system32\frmwrk32.exe
    c:\windows\system32\pcload.exe
    c:\windows\system32\ffkuz.dll
    c:\program files\malwareremovalbot\
    c:\program files\msn gaming zone\hovym22011.exe
    c:\documents and settings\larry\application data\wintouch\
    c:\windows\svhost.exe
    c:\windows\msiconf.exe
    c:\windows\system32\msiconf.exe
    
    :commands
    [emptytemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and Run SmitFraudFix
You can find complete instructions for running SmitFraudFix in the link below:
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Boot your computer into Safe Mode before running this tool. Do not use the MsConfig method.
  • Double click the icon to run it.
  • Select Option 2 by typing 2 and hitting Enter.
  • The scan will progress. Answer Yes to any prompts you receive. This will include running disk cleanup and removing infected files.
  • The tool will restart your computer.
  • Upon reboot, a log file located at C:\rapport.txt will open. Copy its contents into your next reply.
Download and Run Avira AntiRootkit
Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop. Right click it and select Extract All. Delete the .zip file after extraction.
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe, then Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish. (You may now also delete the folder with the extracted files from the zip archive.)
You have successfully installed Avira AntiRootkit.
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run. Be patient until the scan finishes.
  • Click View report and copy the entire contents into your next reply.
Do not choose to rename any items found yet. There may be false positives.

Please post back with:
-the OTMoveIt log
-the SmitFraudFix log
-the Avira Antirootkit log

How is your computer running now?

With Regards,
The Panda

#5 caligula11
  • Topic Starter
  • Members
  • 26 posts

Posted 16 January 2009 - 03:55 PM

Thanks Panda! I was able to complete all of your suggested steps and below are the results you asked me to attach. So far, so good. The flashing warning is now gone, at least. I'll continue to surf around a bit and see if it is behaving properly. I turned Kaspersky back on, since you said to only disable it temporarily...was that ok?

Let me know if things look good to you and whether you think there is something else I need to do. I'll reply back if I start to see any weird symptoms.

Thanks a ton!
Leann

Here is the OTMoveIt3 log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: iexplore.exe
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}\\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinTouch deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MalwareRemovalBot deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\svhost deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SAV10 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Framework Windows deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msiexec.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtQijH\\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"c:\progra~1\google\google~1\goec62~1.dll ,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll" /E : value set successfully!
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\rlhtdf.dll
c:\windows\system32\rlhtdf.dll NOT unregistered.
c:\windows\system32\rlhtdf.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\rqRIyVLb.dll
c:\windows\system32\rqRIyVLb.dll NOT unregistered.
c:\windows\system32\rqRIyVLb.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kordmj.dll
c:\windows\system32\kordmj.dll NOT unregistered.
c:\windows\system32\kordmj.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\xxyxWNDU.dll
c:\windows\system32\xxyxWNDU.dll NOT unregistered.
c:\windows\system32\xxyxWNDU.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\geBtQijH.dll
c:\windows\system32\geBtQijH.dll NOT unregistered.
File move failed. c:\windows\system32\geBtQijH.dll scheduled to be moved on reboot.
c:\windows\system32\log.exe moved successfully.
c:\windows\system32\warning.gif moved successfully.
c:\windows\system32\ahtn.htm moved successfully.
c:\windows\system32\ntdll64.exe moved successfully.
c:\windows\system32\uniq.tll moved successfully.
c:\windows\system32\test.ttt moved successfully.
c:\windows\system32\frmwrk32.exe moved successfully.
c:\windows\system32\pcload.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ffkuz.dll
c:\windows\system32\ffkuz.dll NOT unregistered.
c:\windows\system32\ffkuz.dll moved successfully.
Folder c:\program files\malwareremovalbot not found.
File/Folder c:\program files\msn gaming zone\hovym22011.exe not found.
Folder c:\documents and settings\larry\application data\wintouch not found.
File/Folder c:\windows\svhost.exe not found.
File/Folder c:\windows\msiconf.exe not found.
File/Folder c:\windows\system32\msiconf.exe not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_32c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01162009_143219

Files moved on Reboot...
DllUnregisterServer procedure not found in c:\windows\system32\geBtQijH.dll
c:\windows\system32\geBtQijH.dll NOT unregistered.
File move failed. c:\windows\system32\geBtQijH.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_32c.dat not found!



Here is the rapport.txt from SmitfraudFix

SmitFraudFix v2.391

Scan done at 14:48:48.60, Fri 01/16/2009
Run from C:\Documents and Settings\Larry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Google\googletoolbar1.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2309660F-28A4-45E2-9E55-10C7A052874A}: DhcpNameServer=65.182.32.35 65.182.32.146
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2309660F-28A4-45E2-9E55-10C7A052874A}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9489EC3A-E9E6-4F61-8857-BD3314997DC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2309660F-28A4-45E2-9E55-10C7A052874A}: DhcpNameServer=65.182.32.35 65.182.32.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2309660F-28A4-45E2-9E55-10C7A052874A}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9489EC3A-E9E6-4F61-8857-BD3314997DC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2309660F-28A4-45E2-9E55-10C7A052874A}: DhcpNameServer=65.182.32.35 65.182.32.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2309660F-28A4-45E2-9E55-10C7A052874A}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9489EC3A-E9E6-4F61-8857-BD3314997DC0}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.182.32.35 65.182.32.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.182.32.35 65.182.32.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.182.32.35 65.182.32.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Here is the Avira AntiRootKit Report:

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Friday, January 16, 2009 - 15:32:22
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 107.09 GB
- Working disk free size : 76.47 GB (71 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden file : c:\avenger\senekaeuirkpsr.dll
Hidden file : c:\windows\system32\senekabobrnsac.dll
Hidden file : c:\windows\system32\senekadf.dat
Hidden file : c:\windows\system32\senekalog.dat
Hidden file : c:\windows\system32\senekavkftbvkl.dll
Hidden file : c:\windows\system32\senekaylypibmq.dat
Hidden file : c:\windows\system32\drivers\seneka.sys
Hidden file : c:\windows\system32\drivers\senekattomltxr.sys
Hidden service/driver : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka => \systemroot\system32\drivers\senekattomltxr.sys
Hidden key : HKEY_LOCAL_MACHINE\Software\seneka
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seneka

--------------------------------------------------------------------------------------------------------
Files: 8/78822
Registry items: 4/291384
Processes: 0/36
Scan time: 00:05:16
--------------------------------------------------------------------------------------------------------
Active processes:
- hmyxnnya.exe (PID 2360) (Avira AntiRootkit Tool - Beta)
- System (PID 4)
- smss.exe (PID 1260)
- csrss.exe (PID 1308)
- winlogon.exe (PID 1332)
- services.exe (PID 1376)
- lsass.exe (PID 1388)
- svchost.exe (PID 1560)
- svchost.exe (PID 1664)
- svchost.exe (PID 1744)
- EvtEng.exe (PID 1788)
- S24EvMon.exe (PID 1888)
- WLKEEPER.exe (PID 1908)
- svchost.exe (PID 152)
- spoolsv.exe (PID 536)
- AppleMobileDeviceService.exe (PID 656)
- avp.exe (PID 668)
- bmwebcfg.exe (PID 684)
- mDNSResponder.exe (PID 716)
- jqs.exe (PID 800)
- NicConfigSvc.exe (PID 844)
- RegSrvc.exe (PID 880)
- svchost.exe (PID 980)
- wdfmgr.exe (PID 1192)
- explorer.exe (PID 2000)
- CALMAIN.exe (PID 2060)
- alg.exe (PID 2840)
- wmiprvse.exe (PID 2932)
- stsystra.exe (PID 3932)
- iTunesHelper.exe (PID 3988)
- jusched.exe (PID 4000)
- rundll32.exe (PID 4008)
- iPodService.exe (PID 248)
- wuauclt.exe (PID 2228)
- IEXPLORE.EXE (PID 2400)
- avirarkd.exe (PID 2340)
========================================================================================================
- Scan finished Friday, January 16, 2009 - 15:37:38
========================================================================================================
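The Avira report above is the first log in this thread that exposes the rootkit: eight hidden files sharing one random-looking stem, a hidden service whose ImagePath is one of those hidden files, and three hidden registry keys for that service. As an added example (not Avira's, Swandog46's or BleepingComputer's code), the following Python script parses the Results block copied from the report, confirms that the hidden objects form one family by taking the longest common prefix of the file names (a heuristic that is my assumption), checks that the hiding driver is itself in the hidden-file list, and emits the three sections The Avenger accepts (Drivers to delete, Registry keys to delete, Files to delete). Anything that comes from other logs rather than this report, such as the ShellExecuteHooks value and the geBtQijH.dll that OTMoveIt could not move, is outside what the report can tell you and would have to be added by hand.

```python
"""Group the hidden objects in an Avira AntiRootkit report into one family and
emit an Avenger-style removal script. Added example for this thread, not
Avira's, Swandog46's or BleepingComputer's code; the sample lines are copied
from the report above, the common-prefix family rule is my assumption."""
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample: the Results block of the Avira report posted in the thread.
SAMPLE_REPORT = r"""
Results:
Hidden file : c:\avenger\senekaeuirkpsr.dll
Hidden file : c:\windows\system32\senekabobrnsac.dll
Hidden file : c:\windows\system32\senekadf.dat
Hidden file : c:\windows\system32\senekalog.dat
Hidden file : c:\windows\system32\senekavkftbvkl.dll
Hidden file : c:\windows\system32\senekaylypibmq.dat
Hidden file : c:\windows\system32\drivers\seneka.sys
Hidden file : c:\windows\system32\drivers\senekattomltxr.sys
Hidden service/driver : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka => \systemroot\system32\drivers\senekattomltxr.sys
Hidden key : HKEY_LOCAL_MACHINE\Software\seneka
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seneka

Files: 8/78822
Registry items: 4/291384
"""

# "Hidden <kind> : <value>" with an optional " => <image path>" for services.
HIDDEN_RE = re.compile(r"^Hidden (file|key|service/driver) : (.+?)(?: => (.+))?$")


def parse_hidden(report: str):
    """Map each kind of hidden object to (value, image_path) pairs in report
    order; image_path is only present for service/driver entries."""
    found = defaultdict(list)
    for line in report.splitlines():
        if m := HIDDEN_RE.match(line.strip()):
            kind, value, image = m.groups()
            found[kind].append((value, image))
    return found


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def family_prefix(paths: list[str]) -> str:
    """Longest common prefix of the hidden file names. Hidden objects that all
    share one random-looking stem are treated as a single rootkit family."""
    names = [basename(p) for p in paths]
    prefix = names[0] if names else ""
    for name in names[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def driver_image_is_hidden(found) -> bool:
    """True when every hidden service's ImagePath is itself a hidden file,
    i.e. the driver doing the hiding is among the objects the scan surfaced."""
    hidden_files = {basename(v) for v, _ in found["file"]}
    services = found["service/driver"]
    return bool(services) and all(img and basename(img) in hidden_files
                                  for _, img in services)


def build_avenger_script(report: str) -> str:
    """Emit the Avenger sections (Drivers / Registry keys / Files to delete)
    for everything the report lists, in report order, without duplicates."""
    found = parse_hidden(report)
    drivers = list(dict.fromkeys(v.rsplit("\\", 1)[-1] for v, _ in found["service/driver"]))
    keys = list(dict.fromkeys(v for v, _ in found["key"]))
    files = list(dict.fromkeys(v for v, _ in found["file"]))
    sections = [("Drivers to delete:", drivers),
                ("Registry keys to delete:", keys),
                ("Files to delete:", files)]
    return "\n\n".join(f"{title}\n" + "\n".join(items)
                       for title, items in sections if items) + "\n"
```

For the sample, `family_prefix` returns "seneka", `driver_image_is_hidden` is true because senekattomltxr.sys is both the service's ImagePath and a hidden file, and `build_avenger_script(SAMPLE_REPORT)` produces a script that starts with the seneka driver, then the three hidden keys, then the eight hidden files. Keeping the Avenger output tied to what the scanner actually reported, instead of typing paths by hand, avoids the transcription errors that a list of random file names invites.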

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 16 January 2009 - 04:21 PM

Hello.

There seems to be a rootkit infection.

Please make sure your protection is disabled.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right-clicking and selecting Copy:
    Drivers to delete:
    seneka
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\Software\seneka
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seneka
    
    Registry values to delete:
    hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks | {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
    
    Files to delete:
    c:\windows\system32\geBtQijH.dll
    c:\avenger\senekaeuirkpsr.dll
    c:\windows\system32\senekabobrnsac.dll
    c:\windows\system32\senekadf.dat
    c:\windows\system32\senekalog.dat
    c:\windows\system32\senekavkftbvkl.dll
    c:\windows\system32\senekaylypibmq.dat
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekattomltxr.sys
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Please also include a fresh DDS log.

With Regards,
The Panda



#7 caligula11
  • Topic Starter
  • Members
  • 26 posts

Posted 17 January 2009 - 04:34 PM

Hi Panda,
A couple of hours after I posted last, I got the attached error message. Everything still seemed ok after this from what I could tell. The pc didn't shut down or anything like that. Then I got the same message again today when I started doing your next suggestions. Just thought I should show you this in case it's a good clue of some sort.

Here is the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekattomltxr.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "seneka" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seneka" deleted successfully.
File "c:\windows\system32\geBtQijH.dll" deleted successfully.
File "c:\avenger\senekaeuirkpsr.dll" deleted successfully.
File "c:\windows\system32\senekabobrnsac.dll" deleted successfully.
File "c:\windows\system32\senekadf.dat" deleted successfully.
File "c:\windows\system32\senekalog.dat" deleted successfully.
File "c:\windows\system32\senekavkftbvkl.dll" deleted successfully.
File "c:\windows\system32\senekaylypibmq.dat" deleted successfully.
File "c:\windows\system32\drivers\seneka.sys" deleted successfully.
File "c:\windows\system32\drivers\senekattomltxr.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\Software\seneka" deleted successfully.
Registry value "hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks|{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here is the gmer log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-17 16:22:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA452224]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xAA4527F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xAA454234]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xAA453BE6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xAA45199A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA455BC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xAA4525F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xAA451DDC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xAA451FDC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xAA453EF6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xAA4560CE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xAA4520F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xAA45215A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xAA453DA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xAA45566A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xAA453A42]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xAA451AFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xAA4523FC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xAA455BF0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xAA452348]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xAA4521C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA451EC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xAA451CA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xAA4558D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xAA45161C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA454ABE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xAA45177E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xAA455FA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xAA45141A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xAA4540D6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xAA4526F6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xAA455764]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xAA455C1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xAA451B52]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xAA455CFE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xAA455E2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xAA455596]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xAA4524C8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xAA45253A]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF8C 5 Bytes JMP AA469874 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF90C 5 Bytes JMP AA469C2E \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB0 8050481C 12 Bytes [ FE, 5C, 45, AA, 2A, 5E, 45, ... ]
? baxf.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[676] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[676] USER32.dll!VRipOutput + FFFA4DE7 7E412A78 4 Bytes [ 70, 11, 41, 6D ]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[2640] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[2640] USER32.dll!VRipOutput + FFFA4DE7 7E412A78 4 Bytes [ 70, 11, 41, 6D ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D0EDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D0EDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A8334C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----


Here is the new DDS:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Larry at 16:24:26.21 on Sat 01/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.590 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Larry\Desktop\gmer\gmer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\UTWV2HIX\dds[1].com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBtQijH.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {6fb8c435-0333-147a-3be4-2c77501c7929}: {9297c105-77c2-4eb3-a741-3330534c8bf6} - c:\windows\system32\cckdwp.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [hovym] c:\program files\msn gaming zone\hovym22011.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Sjilocu] rundll32.exe "c:\windows\Jgurazucocal.dll",e
mRun: [Eyoki] rundll32.exe "c:\windows\eceqeziw.dll",e
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
StartupFolder: c:\docume~1\larry\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvwmo~1.lnk - c:\program files\nikon\nkview4\NkVwMon.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: bmnet.dll
Trusted Zone: musicmatch.com\online
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2309660F-28A4-45E2-9E55-10C7A052874A} = 208.67.220.220,208.67.222.222
TCP: {9489EC3A-E9E6-4F61-8857-BD3314997DC0} = 208.67.220.220,208.67.222.222
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: geBtQijH - geBtQijH.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll ,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-3 227344]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R4 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-10-18 109080]

=============== Created Last 30 ================

2009-01-17 16:03 155,680 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-01-17 16:03 1,584 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-01-17 16:03 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-17 16:03 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-17 16:01 129,024 a------- c:\windows\system32\tleayv.dll
2009-01-17 16:01 129,024 a------- c:\windows\system32\efcBQged.dll
2009-01-16 17:20 129,024 a------- c:\windows\system32\spttdt.dll
2009-01-16 17:20 129,024 a------- c:\windows\system32\khfDstSm.dll
2009-01-16 16:19 129,024 a------- c:\windows\system32\jgnjxr.dll
2009-01-16 16:19 129,024 a------- c:\windows\system32\yaywuuVn.dll
2009-01-16 15:31 <DIR> --d----- c:\program files\Avira GmbH
2009-01-16 14:49 5,350 a------- c:\windows\system32\tmp.reg
2009-01-16 14:32 <DIR> --d----- C:\_OTMoveIt
2009-01-16 14:26 129,024 a------- c:\windows\system32\cckdwp.dll
2009-01-16 14:26 129,024 a------- c:\windows\system32\geBRjJca.dll
2009-01-16 10:03 124,928 a------- c:\windows\system32\uymdji.dll
2009-01-16 10:03 124,928 a------- c:\windows\system32\pmnkHXqQ.dll
2009-01-16 09:02 124,928 a------- c:\windows\system32\aumvvd.dll
2009-01-16 09:02 124,928 a------- c:\windows\system32\rqRIyXnm.dll
2009-01-16 08:16 131,584 a------- c:\windows\eceqeziw.dll
2009-01-16 08:04 41,984 a------- c:\windows\Jgurazucocal.dll
2009-01-16 08:04 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-16 08:02 124,928 a------- c:\windows\system32\jkilan.dll
2009-01-16 08:02 124,928 a------- c:\windows\system32\xxywUMGw.dll
2009-01-16 07:02 124,928 a------- c:\windows\system32\ddgzyr.dll
2009-01-16 07:02 124,928 a------- c:\windows\system32\vtUomjJB.dll
2009-01-16 06:01 124,928 a------- c:\windows\system32\morwiq.dll
2009-01-16 06:01 124,928 a------- c:\windows\system32\khfeecdb.dll
2009-01-16 05:01 124,928 a------- c:\windows\system32\mjgqxb.dll
2009-01-16 05:01 124,928 a------- c:\windows\system32\vtUlMgfE.dll
2009-01-16 04:00 124,928 a------- c:\windows\system32\riqqbt.dll
2009-01-16 04:00 124,928 a------- c:\windows\system32\ljJBtssQ.dll
2009-01-16 02:59 124,928 a------- c:\windows\system32\paracj.dll
2009-01-16 02:59 124,928 a------- c:\windows\system32\cbXnMdee.dll
2009-01-16 01:58 124,928 a------- c:\windows\system32\fkiwkr.dll
2009-01-16 01:58 124,928 a------- c:\windows\system32\ssqRHxUo.dll
2009-01-16 00:58 124,928 a------- c:\windows\system32\fqjecp.dll
2009-01-16 00:58 124,928 a------- c:\windows\system32\vtUlLEVn.dll
2009-01-15 23:57 124,928 a------- c:\windows\system32\dhjodw.dll
2009-01-15 23:57 124,928 a------- c:\windows\system32\yayYopnl.dll
2009-01-15 22:56 124,928 a------- c:\windows\system32\akjdug.dll
2009-01-15 22:56 124,928 a------- c:\windows\system32\ssqPfdCS.dll
2009-01-15 21:56 124,928 a------- c:\windows\system32\zollyi.dll
2009-01-15 21:56 124,928 a------- c:\windows\system32\cbXOICVL.dll
2009-01-15 20:56 124,928 a------- c:\windows\system32\gxceaa.dll
2009-01-15 20:55 124,928 a------- c:\windows\system32\geBSlmJA.dll
2009-01-15 19:55 124,928 a------- c:\windows\system32\ubrtvb.dll
2009-01-15 19:55 124,928 a------- c:\windows\system32\urqQIBqr.dll
2009-01-14 20:17 250 a------- c:\windows\gmer.ini
2009-01-03 15:38 <DIR> --d----- c:\program files\Bonjour
2009-01-03 15:29 <DIR> --d----- c:\program files\common files\xing shared
2009-01-03 14:13 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-03 14:13 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-03 14:12 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-03 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-01-03 14:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-03 13:23 <DIR> --d----- c:\program files\ACNU
2009-01-03 12:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-03 12:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-02 15:24 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 15:24 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 00:13 <DIR> --d----- c:\docume~1\larry\applic~1\Malwarebytes
2009-01-02 00:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 00:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 00:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-01 23:59 <DIR> --d----- c:\docume~1\larry\applic~1\MalwareRemovalBot
2009-01-01 22:36 <DIR> --d----- c:\windows\source

==================== Find3M ====================

2009-01-03 15:29 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-12 12:27 3,067,392 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2006-08-22 19:32 56 ---shr-- c:\windows\system32\17BB216DB4.sys
2006-10-27 21:49 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:24:45.51 ===============


Thanks, as always,
Leann


#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 17 January 2009 - 05:10 PM

Hello Leann.

Once again, please disable protection.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
The Panda

#9 caligula11

  • Topic Starter

  • Members
  • 26 posts

Posted 17 January 2009 - 05:16 PM

Hi Panda,
When you say to disable the protection, is this only while I'm performing your suggested steps? I turned it back on again after my last post and soon after got the attached warning. I clicked the ok (recommended) button, it did some sort of scan and reboot.

Please let me know if I should be leaving the protection off until you tell me to turn it back on. I'll do your latest suggestions now.

Thanks,
Leann

#10 caligula11

  • Topic Starter

  • Members
  • 26 posts

Posted 17 January 2009 - 05:34 PM

Hi Panda,
Here's my combofix log.

Thanks!
Leann

ComboFix 09-01-17.03 - Larry 2009-01-17 17:24:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.621 [GMT -5:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap35.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap37.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap39.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap3B.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap3E.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap40.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap42.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap45.tmp
c:\documents and settings\Larry\Local Settings\Temporary Internet Files\zap47.tmp
c:\temp\fse
c:\temp\fse\tmpZTF.log
c:\temp\gbRve12
c:\windows\IE4 Error Log.txt
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\akjdug.dll
c:\windows\system32\aumvvd.dll
c:\windows\system32\cbXnMdee.dll
c:\windows\system32\cbXOICVL.dll
c:\windows\system32\cckdwp.dll
c:\windows\system32\ddgzyr.dll
c:\windows\system32\dhjodw.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\efcBQged.dll
c:\windows\system32\fkiwkr.dll
c:\windows\system32\fqjecp.dll
c:\windows\system32\geBRjJca.dll
c:\windows\system32\geBSlmJA.dll
c:\windows\system32\gxceaa.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\jgnjxr.dll
c:\windows\system32\jkilan.dll
c:\windows\system32\khfDstSm.dll
c:\windows\system32\khfeecdb.dll
c:\windows\system32\ljJBtssQ.dll
c:\windows\system32\mjgqxb.dll
c:\windows\system32\morwiq.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\paracj.dll
c:\windows\system32\pmnkHXqQ.dll
c:\windows\system32\Process.exe
c:\windows\system32\riqqbt.dll
c:\windows\system32\rqRIyXnm.dll
c:\windows\system32\spttdt.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\ssqPfdCS.dll
c:\windows\system32\ssqRHxUo.dll
c:\windows\system32\tleayv.dll
c:\windows\system32\tmp.reg
c:\windows\system32\ubrtvb.dll
c:\windows\system32\urqQIBqr.dll
c:\windows\system32\uymdji.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vtUlLEVn.dll
c:\windows\system32\vtUlMgfE.dll
c:\windows\system32\vtUomjJB.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\X1
c:\windows\system32\xxywUMGw.dll
c:\windows\system32\yaywuuVn.dll
c:\windows\system32\yayYopnl.dll
c:\windows\system32\zollyi.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 16:03 . 2009-01-17 17:27 1,186,336 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-17 16:03 . 2009-01-17 17:27 311,328 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-17 16:03 . 2009-01-17 17:27 10,348 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-17 16:03 . 2009-01-17 17:27 2,144 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-16 15:31 . 2009-01-16 15:31 <DIR> d-------- c:\program files\Avira GmbH
2009-01-16 14:32 . 2009-01-16 14:32 <DIR> d-------- C:\_OTMoveIt
2009-01-16 14:26 . 2009-01-16 14:26 <DIR> d-------- c:\program files\ERUNT
2009-01-16 08:16 . 2009-01-16 08:16 131,584 --a------ c:\windows\eceqeziw.dll
2009-01-16 08:04 . 2009-01-16 08:04 41,984 --a------ c:\windows\system32\chert5-998.exe
2009-01-14 20:17 . 2009-01-17 16:09 250 --a------ c:\windows\gmer.ini
2009-01-03 15:38 . 2009-01-03 15:38 <DIR> d-------- c:\program files\Bonjour
2009-01-03 15:29 . 2009-01-03 15:29 <DIR> d-------- c:\program files\Common Files\xing shared
2009-01-03 14:13 . 2009-01-03 14:13 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-03 14:13 . 2009-01-03 14:13 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-03 14:12 . 2009-01-03 14:12 <DIR> d-------- c:\program files\Kaspersky Lab
2009-01-03 14:12 . 2009-01-17 17:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-03 14:09 . 2009-01-03 14:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-03 13:23 . 2009-01-03 13:23 <DIR> d-------- c:\program files\ACNU
2009-01-03 12:27 . 2009-01-03 12:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 12:27 . 2009-01-03 12:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\documents and settings\Larry\Application Data\Malwarebytes
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 00:13 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 00:13 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 23:59 . 2009-01-02 00:00 <DIR> d-------- c:\documents and settings\Larry\Application Data\MalwareRemovalBot
2009-01-01 22:36 . 2009-01-01 22:36 <DIR> d-------- c:\windows\source

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 20:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 19:49 --------- d-----w c:\program files\Google
2009-01-14 03:00 --------- d-----w c:\program files\Dl_cats
2009-01-03 20:48 --------- d-----w c:\program files\Trillian
2009-01-03 20:37 --------- d-----w c:\documents and settings\Larry\Application Data\AdobeUM
2009-01-03 20:29 --------- d-----w c:\program files\Common Files\Real
2009-01-03 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 18:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-03 18:55 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-03 18:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 17:26 --------- d-----w c:\program files\Java
2009-01-02 20:07 --------- d-----w c:\program files\Trend Micro
2008-12-19 12:51 --------- d-----w c:\documents and settings\Larry\Application Data\Skype
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 13:03 --------- d-----w c:\documents and settings\Larry\Application Data\skypePM
2008-12-06 23:27 --------- d-----w c:\program files\iTunes
2008-12-06 23:27 --------- d-----w c:\program files\iPod
2008-12-06 23:27 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 23:18 --------- d-----w c:\program files\QuickTime
2008-12-01 04:42 --------- d-----w c:\program files\Skype
2008-12-01 04:42 --------- d-----w c:\program files\Common Files\Skype
2008-12-01 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2006-08-23 00:32 56 --sh--r c:\windows\system32\17BB216DB4.sys
2006-10-28 02:49 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 81,920 2005-06-10 15:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 249,856 2005-06-10 15:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

----a-w 48,752 2005-10-04 16:42:40 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 49,152 2005-12-10 01:29:52 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 86,016 2005-01-27 06:02:00 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe

----a-w 1,032,192 2006-04-06 19:58:52 c:\program files\Dell\QuickSet\bak\quickset.exe

----a-w 169,984 2006-08-08 05:52:08 c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe

----a-w 49,152 2003-12-05 19:41:44 c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

----a-w 49,152 2004-04-01 04:34:44 c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe

----a-w 241,664 2003-12-22 12:38:42 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 602,182 2005-12-28 16:56:16 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe

----a-w 667,718 2005-12-28 16:55:40 c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe

----a-w 267,064 2007-09-14 14:00:06 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 20,480 2003-09-10 07:24:00 c:\program files\NetWaiting\bak\netWaiting.exe

----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 85,744 2005-11-15 17:28:04 c:\program files\Symantec AntiVirus\bak\vptray.exe

----a-w 761,947 2006-03-08 16:48:02 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 77,824 2005-12-13 07:41:08 c:\windows\system32\bak\hkcmd.exe

----a-w 491,520 2004-05-04 22:17:06 c:\windows\system32\bak\hphmon05.exe

----a-w 118,784 2005-12-13 07:45:00 c:\windows\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 07:44:18 c:\windows\system32\bak\igfxtray.exe

----a-w 127,035 2004-12-06 06:05:00 c:\windows\system32\dla\bak\tfswctrl.exe

----a-w 176,128 2004-05-04 07:21:22 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [N/A]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [N/A]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [N/A]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [N/A]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-07 73728]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [N/A]
"HPHUPD05"="c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [N/A]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [N/A]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [N/A]
"hovym"="c:\program files\MSN Gaming Zone\hovym22011.exe" [N/A]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 33280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"Eyoki"="c:\windows\eceqeziw.dll" [2009-01-16 131584]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\Larry\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-08-08 24576]
NkVwMon.exe.lnk - c:\program files\Nikon\NkView4\NkVwMon.exe [2006-10-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcfpswx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-10-18 109080]
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 23:35]

2009-01-16 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-01-16 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []

2009-01-17 c:\windows\Tasks\qlsdtzkg.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9297c105-77c2-4eb3-a741-3330534c8bf6} - c:\windows\system32\cckdwp.dll
Notify-geBtQijH - geBtQijH.dll
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: online.musicmatch.com
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {2309660F-28A4-45E2-9E55-10C7A052874A} = 208.67.220.220,208.67.222.222
TCP: {9489EC3A-E9E6-4F61-8857-BD3314997DC0} = 208.67.220.220,208.67.222.222

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxp://preview.evite.com/js/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 17:29:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1412)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-17 17:32:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 22:32:32

Pre-Run: 81,826,095,104 bytes free
Post-Run: 81,905,967,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

320 --- E O F --- 2009-01-14 04:23:42

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 January 2009 - 07:10 PM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
    c:\windows\system32\chert5-998.exe
    c:\windows\eceqeziw.dll
    c:\windows\Tasks\qlsdtzkg.job
    c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
    
    AWF::
    c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
    c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
    c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
    c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
    c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
    c:\program files\Dell\QuickSet\bak\quickset.exe
    c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe
    c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
    c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe
    c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe
    c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
    c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
    c:\program files\NetWaiting\bak\netWaiting.exe
    c:\program files\Symantec AntiVirus\bak\vptray.exe
    c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
    c:\windows\system32\bak\hkcmd.exe
    c:\windows\system32\bak\hphmon05.exe
    c:\windows\system32\bak\igfxpers.exe
    c:\windows\system32\bak\igfxtray.exe
    c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eyoki"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda
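The procedure above works from two blocks of the ComboFix log (the AWF list of `bak\` copies and the HKLM Run key) and answers with a CFScript in `File::` / `AWF::` / `Registry::` layout. As an added example, not part of this thread and not ComboFix's own code, the Python below parses those two blocks from a constructed log fragment (built from entries shown earlier in the thread), sorts the Run entries into review buckets, and drafts the same three sections. Two things are assumptions of this example rather than documented ComboFix behaviour: the "Windows root" heuristic (a Run target sitting directly in `c:\windows` instead of a vendor folder, as `eceqeziw.dll` did here), and the meaning of each CFScript section, which is inferred from the before/after logs in this thread.

```python
"""Parse the two ComboFix log blocks a helper works from and draft a CFScript.

Added example, not ComboFix's code; SAMPLE_LOG is a constructed fragment built
from entries shown in this thread."""
import re

# Constructed sample: the AWF block and the HKLM Run block as ComboFix prints them.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 81,920 2005-06-10 15:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 267,064 2007-09-14 14:00:06 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Eyoki"="c:\windows\eceqeziw.dll" [2009-01-16 131584]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
AWF_LINE = re.compile(r"^(?P<attr>\S+) (?P<size>[\d,]+) (?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<path>.+)$")


def _block(lines, is_start, is_end):
    """Yield the lines after the first line satisfying is_start, up to the first satisfying is_end."""
    it = iter(lines)
    for line in it:
        if is_start(line):
            break
    for line in it:
        if is_end(line):
            return
        yield line


def parse_run_entries(log_text):
    """Return [(name, target, stamp)] for the HKLM Run block; stamp is the bracketed
    date/size, or 'N/A' where ComboFix printed none (in this thread, the AWF-replaced exes)."""
    lines = [l.strip() for l in log_text.splitlines()]
    out = []
    for line in _block(lines, lambda l: l == RUN_KEY, lambda l: l == ""):
        m = RUN_LINE.match(line)
        if m:
            out.append((m["name"], m["target"], m["stamp"]))
    return out


def parse_awf_bak_files(log_text):
    """Return the AWF-block paths that sit in a bak directory (the originals to restore)."""
    lines = [l.strip() for l in log_text.splitlines()]
    out = []
    for line in _block(lines, lambda l: " AWF " in l, lambda l: l.startswith("((((")):
        m = AWF_LINE.match(line)
        if m and "\\bak\\" in m["path"].lower():
            out.append(m["path"])
    return out


def triage(entries):
    """Split Run entries into review buckets.  'missing' is what ComboFix showed as
    [N/A]; 'windows_root' is this example's own heuristic, not a ComboFix rule:
    a Run target dropped straight into the Windows directory instead of a vendor folder."""
    missing, windows_root = [], []
    for name, target, stamp in entries:
        if stamp == "N/A":
            missing.append(name)
        parent, _, _ = target.lower().rpartition("\\")
        if parent == "c:\\windows":
            windows_root.append(name)
    return missing, windows_root


def build_cfscript(files=(), awf=(), run_values=()):
    """Lay out File::/AWF::/Registry:: sections as in the post above.  Section meanings
    (delete file, restore from bak, drop Run value) are inferred from this thread's logs."""
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if awf:
        sections.append("AWF::\n" + "\n".join(awf))
    if run_values:
        body = "\n".join('"%s"=-' % v for v in run_values)  # REGEDIT4 delete-value syntax
        sections.append("Registry::\n" + RUN_KEY + "\n" + body)
    return "\n\n".join(sections) + "\n"


def draft_cfscript(log_text):
    """Draft a CFScript: remove Run values flagged by the windows_root heuristic together
    with the files they point at, and list every bak copy for restoration."""
    entries = parse_run_entries(log_text)
    _, windows_root = triage(entries)
    targets = [t for n, t, _ in entries if n in windows_root]
    return build_cfscript(files=targets, awf=parse_awf_bak_files(log_text), run_values=windows_root)
```

Calling `draft_cfscript(SAMPLE_LOG)` on the constructed fragment yields a `File::` section naming `c:\windows\eceqeziw.dll`, an `AWF::` section with the two `bak\` copies, and a `Registry::` section removing the `Eyoki` value, the same shape as the script in the post above. The `missing` bucket from `triage` is deliberately left out of the draft: an `[N/A]` entry only says ComboFix printed no date or size for it, which in this thread meant an AWF-replaced vendor executable that gets repaired through `AWF::`, not deleted.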

#12 caligula11

  • Topic Starter

  • Members
  • 26 posts

Posted 18 January 2009 - 11:06 AM

Hi Panda,
Here's the new combofix log.

Thanks,
Leann

ComboFix 09-01-17.04 - Larry 2009-01-18 11:00:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.637 [GMT -5:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\eceqeziw.dll
c:\windows\system32\chert5-998.exe
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\Tasks\qlsdtzkg.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eceqeziw.dll
c:\windows\system32\chert5-998.exe
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\Tasks\qlsdtzkg.job

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 16:03 . 2009-01-17 18:49 1,322,528 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-17 16:03 . 2009-01-18 11:02 327,712 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-17 16:03 . 2009-01-17 18:49 11,412 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-17 16:03 . 2009-01-18 11:02 2,228 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-16 15:31 . 2009-01-16 15:31 <DIR> d-------- c:\program files\Avira GmbH
2009-01-16 14:32 . 2009-01-16 14:32 <DIR> d-------- C:\_OTMoveIt
2009-01-16 14:26 . 2009-01-16 14:26 <DIR> d-------- c:\program files\ERUNT
2009-01-14 20:17 . 2009-01-17 16:09 250 --a------ c:\windows\gmer.ini
2009-01-03 15:38 . 2009-01-03 15:38 <DIR> d-------- c:\program files\Bonjour
2009-01-03 15:29 . 2009-01-03 15:29 <DIR> d-------- c:\program files\Common Files\xing shared
2009-01-03 14:13 . 2009-01-03 14:13 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-03 14:13 . 2009-01-03 14:13 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-03 14:12 . 2009-01-03 14:12 <DIR> d-------- c:\program files\Kaspersky Lab
2009-01-03 14:12 . 2009-01-17 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-03 14:09 . 2009-01-03 14:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-03 13:23 . 2009-01-03 13:23 <DIR> d-------- c:\program files\ACNU
2009-01-03 12:27 . 2009-01-03 12:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 12:27 . 2009-01-03 12:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\documents and settings\Larry\Application Data\Malwarebytes
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 00:13 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 00:13 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 23:59 . 2009-01-02 00:00 <DIR> d-------- c:\documents and settings\Larry\Application Data\MalwareRemovalBot
2009-01-01 22:36 . 2009-01-01 22:36 <DIR> d-------- c:\windows\source

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 16:00 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-18 16:00 --------- d-----w c:\program files\NetWaiting
2009-01-18 16:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-17 22:36 --------- d-----w c:\program files\Nikon
2009-01-16 20:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 19:49 --------- d-----w c:\program files\Google
2009-01-14 03:00 --------- d-----w c:\program files\Dl_cats
2009-01-03 20:48 --------- d-----w c:\program files\Trillian
2009-01-03 20:37 --------- d-----w c:\documents and settings\Larry\Application Data\AdobeUM
2009-01-03 20:29 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-03 20:29 --------- d-----w c:\program files\Common Files\Real
2009-01-03 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 18:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 17:26 --------- d-----w c:\program files\Java
2009-01-02 20:07 --------- d-----w c:\program files\Trend Micro
2008-12-19 12:51 --------- d-----w c:\documents and settings\Larry\Application Data\Skype
2008-12-12 17:27 3,067,392 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-07 13:03 --------- d-----w c:\documents and settings\Larry\Application Data\skypePM
2008-12-06 23:27 --------- d-----w c:\program files\iTunes
2008-12-06 23:27 --------- d-----w c:\program files\iPod
2008-12-06 23:27 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 23:18 --------- d-----w c:\program files\QuickTime
2008-12-01 04:42 --------- d-----w c:\program files\Skype
2008-12-01 04:42 --------- d-----w c:\program files\Common Files\Skype
2008-12-01 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-12 01:00 218,376 ----a-w c:\windows\system32\klogon.dll
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2006-08-23 00:32 56 --sh--r c:\windows\system32\17BB216DB4.sys
2006-10-28 02:49 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_17.31.18.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-12-13 07:41:08 77,824 ----a-w c:\windows\system32\hkcmd.exe
+ 2004-05-04 22:17:06 491,520 ----a-w c:\windows\system32\hphmon05.exe
+ 2005-12-13 07:45:00 118,784 ----a-w c:\windows\system32\igfxpers.exe
+ 2005-12-13 07:44:18 98,304 ----a-w c:\windows\system32\igfxtray.exe
+ 2004-05-04 07:21:22 176,128 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
+ 2009-01-17 22:39:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_33c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 267,064 2007-09-14 14:00:06 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 127,035 2004-12-06 06:05:00 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-08 169984]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-07 73728]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-05-04 491520]
"hovym"="c:\program files\MSN Gaming Zone\hovym22011.exe" [N/A]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 33280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\Larry\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-08-08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcfpswx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-10-18 109080]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 23:35]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
TCP: {2309660F-28A4-45E2-9E55-10C7A052874A} = 208.67.220.220,208.67.222.222
TCP: {9489EC3A-E9E6-4F61-8857-BD3314997DC0} = 208.67.220.220,208.67.222.222

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxp://preview.evite.com/js/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 11:02:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1416)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-01-18 11:04:20
ComboFix-quarantined-files.txt 2009-01-18 16:04:18
ComboFix2.txt 2009-01-17 22:32:36

Pre-Run: 81,896,677,376 bytes free
Post-Run: 81,881,825,280 bytes free

228 --- E O F --- 2009-01-14 04:23:42

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 January 2009 - 11:11 AM

Hello.

There are a few left.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\program files\MSN Gaming Zone\hovym22011.exe
    
    AWF::
    c:\windows\system32\dla\bak\tfswctrl.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hovym"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

With Regards,
The Panda

#14 caligula11

  • Topic Starter

  • Members
  • 26 posts

Posted 18 January 2009 - 11:29 AM

Hi Panda,
Here's the new combofix log and malwarebytes log.

Thanks,
Leann

ComboFix 09-01-17.04 - Larry 2009-01-18 11:16:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.617 [GMT -5:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

FILE ::
c:\program files\MSN Gaming Zone\hovym22011.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 16:03 . 2009-01-17 18:49 1,322,528 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-17 16:03 . 2009-01-18 11:02 335,904 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-17 16:03 . 2009-01-17 18:49 11,412 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-17 16:03 . 2009-01-18 11:02 2,228 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-16 15:31 . 2009-01-16 15:31 <DIR> d-------- c:\program files\Avira GmbH
2009-01-16 14:32 . 2009-01-16 14:32 <DIR> d-------- C:\_OTMoveIt
2009-01-16 14:26 . 2009-01-16 14:26 <DIR> d-------- c:\program files\ERUNT
2009-01-14 20:17 . 2009-01-17 16:09 250 --a------ c:\windows\gmer.ini
2009-01-03 15:38 . 2009-01-03 15:38 <DIR> d-------- c:\program files\Bonjour
2009-01-03 15:29 . 2009-01-03 15:29 <DIR> d-------- c:\program files\Common Files\xing shared
2009-01-03 14:13 . 2009-01-03 14:13 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-03 14:13 . 2009-01-03 14:13 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-03 14:12 . 2009-01-03 14:12 <DIR> d-------- c:\program files\Kaspersky Lab
2009-01-03 14:12 . 2009-01-17 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-03 14:09 . 2009-01-03 14:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-03 13:23 . 2009-01-03 13:23 <DIR> d-------- c:\program files\ACNU
2009-01-03 12:27 . 2009-01-03 12:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 12:27 . 2009-01-03 12:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 15:24 . 2009-01-02 15:24 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\documents and settings\Larry\Application Data\Malwarebytes
2009-01-02 00:13 . 2009-01-02 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 00:13 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 00:13 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 23:59 . 2009-01-02 00:00 <DIR> d-------- c:\documents and settings\Larry\Application Data\MalwareRemovalBot
2009-01-01 22:36 . 2009-01-01 22:36 <DIR> d-------- c:\windows\source

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 16:02 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-18 16:02 --------- d-----w c:\program files\NetWaiting
2009-01-18 16:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-17 22:36 --------- d-----w c:\program files\Nikon
2009-01-16 20:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 19:49 --------- d-----w c:\program files\Google
2009-01-14 03:00 --------- d-----w c:\program files\Dl_cats
2009-01-03 20:48 --------- d-----w c:\program files\Trillian
2009-01-03 20:37 --------- d-----w c:\documents and settings\Larry\Application Data\AdobeUM
2009-01-03 20:29 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-03 20:29 --------- d-----w c:\program files\Common Files\Real
2009-01-03 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 18:55 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 17:26 --------- d-----w c:\program files\Java
2009-01-02 20:07 --------- d-----w c:\program files\Trend Micro
2008-12-19 12:51 --------- d-----w c:\documents and settings\Larry\Application Data\Skype
2008-12-12 17:27 3,067,392 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-07 13:03 --------- d-----w c:\documents and settings\Larry\Application Data\skypePM
2008-12-06 23:27 --------- d-----w c:\program files\iTunes
2008-12-06 23:27 --------- d-----w c:\program files\iPod
2008-12-06 23:27 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 23:18 --------- d-----w c:\program files\QuickTime
2008-12-01 04:42 --------- d-----w c:\program files\Skype
2008-12-01 04:42 --------- d-----w c:\program files\Common Files\Skype
2008-12-01 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-12 01:00 218,376 ----a-w c:\windows\system32\klogon.dll
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2006-08-23 00:32 56 --sh--r c:\windows\system32\17BB216DB4.sys
2006-10-28 02:49 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_17.31.18.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-12-06 06:05:00 127,035 ----a-w c:\windows\system32\dla\tfswctrl.exe
+ 2005-12-13 07:41:08 77,824 ----a-w c:\windows\system32\hkcmd.exe
+ 2004-05-04 22:17:06 491,520 ----a-w c:\windows\system32\hphmon05.exe
+ 2005-12-13 07:45:00 118,784 ----a-w c:\windows\system32\igfxpers.exe
+ 2005-12-13 07:44:18 98,304 ----a-w c:\windows\system32\igfxtray.exe
+ 2004-05-04 07:21:22 176,128 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
+ 2009-01-17 22:39:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_33c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 267,064 2007-09-14 14:00:06 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-08 169984]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-07 73728]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-05-04 491520]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 33280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\Larry\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-08-08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcfpswx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-10-18 109080]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 23:35]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
TCP: {2309660F-28A4-45E2-9E55-10C7A052874A} = 208.67.220.220,208.67.222.222
TCP: {9489EC3A-E9E6-4F61-8857-BD3314997DC0} = 208.67.220.220,208.67.222.222

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxp://preview.evite.com/js/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 11:17:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1416)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-01-18 11:18:58
ComboFix-quarantined-files.txt 2009-01-18 16:18:56
ComboFix2.txt 2009-01-18 16:04:21
ComboFix3.txt 2009-01-17 22:32:36

Pre-Run: 81,869,434,880 bytes free
Post-Run: 81,855,496,192 bytes free

218 --- E O F --- 2009-01-14 04:23:42



MalwareBytes:
Malwarebytes' Anti-Malware 1.33
Database version: 1665
Windows 5.1.2600 Service Pack 2

1/18/2009 11:26:44 AM
mbam-log-2009-01-18 (11-26-44).txt

Scan type: Quick Scan
Objects scanned: 54391
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

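A small triage helper for the firewall section of the ComboFix log above. This is an added example written for this page; it is not code from the thread, from ComboFix, or from any participant. It parses the two firewallpolicy lists in the format ComboFix prints ("GloballyOpenPorts\List" and "AuthorizedApplications\List"), collapses the opened ports into ranges so 21 separate lines read as one 5000-5020 block, flags ports from a watch-list the example itself defines (135, 139, 445, 3389), and lists authorized programs that live outside c:\windows or c:\program files. SAMPLE_LOG is constructed from the entries posted above: the keys, the TCP 135 line and the six program lines are copied as printed, while the 5000-5020 lines are regenerated in the same format instead of being pasted. Expanding %windir% to c:\windows and the two trusted directory prefixes are assumptions of the example.

```python
"""Triage the Windows Firewall exceptions that ComboFix dumps under
'Reg Loading Points'. Added example for this thread, not ComboFix code."""
import re
from typing import Dict, List, Tuple

# Reviewer's own watch-list (an assumption of this example, not a ComboFix
# rule): ports whose global exposure on a home PC usually needs a reason.
WATCH_PORTS = {
    135: "MS-RPC endpoint mapper (DCOM)",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    3389: "Remote Desktop",
}
# Program locations treated as expected for firewall exceptions (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=')

# Constructed sample in the posted log's format. Keys, the TCP 135 entry and
# the six program entries are copied from the post; the 5000-5020 lines are
# regenerated by the join below rather than pasted one by one.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcfpswx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
""" + "\n".join(f'"{p}:TCP"= {p}:TCP:TCP Port {p}' for p in range(5000, 5021))


def parse_firewall_sections(log: str) -> Dict[str, List[str]]:
    """Collect the value lines under every [...firewallpolicy...] key; other
    registry keys in the dump (Run, Security Center, ...) are skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            current = key if "firewallpolicy" in key.lower() else None
            if current is not None:
                sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def open_ports(sections: Dict[str, List[str]]) -> List[Tuple[int, str]]:
    """Deduplicated (port, proto) pairs from GloballyOpenPorts\\List."""
    found = set()
    for key, lines in sections.items():
        if key.lower().endswith("globallyopenports\\list"):
            for line in lines:
                m = PORT_RE.match(line)
                if m:
                    found.add((int(m.group("port")), m.group("proto")))
    return sorted(found)


def collapse_ranges(ports: List[Tuple[int, str]]) -> List[Tuple[int, int, str]]:
    """Merge contiguous ports of one protocol: 5000..5020 -> (5000, 5020, 'TCP')."""
    ranges: List[Tuple[int, int, str]] = []
    for port, proto in sorted(set(ports), key=lambda p: (p[1], p[0])):
        if ranges and ranges[-1][2] == proto and ranges[-1][1] + 1 == port:
            ranges[-1] = (ranges[-1][0], port, proto)
        else:
            ranges.append((port, port, proto))
    return ranges


def authorized_apps(sections: Dict[str, List[str]]) -> List[str]:
    """Lower-cased program paths from AuthorizedApplications\\List, with the
    doubled backslashes collapsed and %windir% expanded (assumed c:\\windows)."""
    apps = []
    for key, lines in sections.items():
        if key.lower().endswith("authorizedapplications\\list"):
            for line in lines:
                m = APP_RE.match(line)
                if m:
                    path = m.group("path").replace("\\\\", "\\")
                    apps.append(path.lower().replace("%windir%", "c:\\windows"))
    return apps


def triage(log: str) -> dict:
    """Port ranges, watch-listed ports and out-of-place programs in one dict."""
    sections = parse_firewall_sections(log)
    ports = open_ports(sections)
    return {
        "ranges": collapse_ranges(ports),
        "flagged_ports": {p: WATCH_PORTS[p] for p, _ in ports if p in WATCH_PORTS},
        "apps_outside_trusted_dirs": [
            a for a in authorized_apps(sections) if not a.startswith(TRUSTED_PREFIXES)
        ],
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample, the report shows two ranges (135 alone and 5000-5020), one watch-listed port (135), and no programs outside the trusted directories. The script only reads a pasted log; it does not touch the registry, so it is safe to run on the helper's side while reviewing a post.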
#15 PropagandaPanda

  • Malware Response Team

Posted 18 January 2009 - 12:00 PM

Hello.

Let's get an online scan.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Post back a new DDS.txt or HijackThis log as well.

Any symptoms of infection at this point?

With Regards,
The Panda

