
Infected svnshost, System message popup virus



#1 neoturner

Posted 08 January 2009 - 06:40 PM

Haven't had a virus like this ever. New breed I guess.

Problems started initially with a program called "Spyware Alert 2009" I believe.

Downloaded Ad-Aware and AVG Antivirus, scanned and removed, and I'm now getting a System Message with a red X: "Self-restoring Trojan..."

I also get an occasional popup window prompting me to remove errors.

It also tries to open a website called liveantivirusprotectionscan

I have a svnshost.exe process that I cannot End. It goes berserk when I try.

Windows firewall has been on the entire time.

My DDS log below:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Fen at 18:11:06.25 on Thu 01/08/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1258 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\sv˝shost.exe
C:\WINDOWS\system32\svschost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Fen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [sysguard] c:\windows\
uRun: [svschost.exe] c:\windows\system32\svschost.exe -check
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Super Screen Capture] c:\program files\zeallsoft\super screen capture\SSCapture.exe
mRun: [dlcimon.exe] "c:\program files\dell aio printer 946\dlcimon.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLCICATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCItime.dll,_RunDLLEntry@16
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Shamezuqu] rundll32.exe "c:\windows\Tgekijuduligejop.dll",e
mRun: [Cnenehokonipuco] rundll32.exe "c:\windows\ibayomebufebosuy.dll",e
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fen\applic~1\mozilla\firefox\profiles\5v7eq2is.default\
FF - component: c:\documents and settings\fen\application data\mozilla\firefox\profiles\5v7eq2is.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {6C9BE72C-F951-48D7-BCCF-37E041AA1A09} - c:\documents and settings\fen\local settings\application data\{6C9BE72C-F951-48D7-BCCF-37E041AA1A09}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-7 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-7 26824]
R3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
R4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit11\ArcNameService.exe [2007-5-1 157264]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-7 231704]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-7 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-7 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-7 81288]
S3 Planning Sample;TM1 Server - Planning Sample;c:\program files\cognos\tm1\bin\tm1sd.exe [2007-12-17 2830336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-7 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-7 1079176]
S3 tm1admsd;TM1 Admin Server;c:\program files\cognos\tm1\bin\tm1admsd.exe [2007-12-17 249856]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

=============== Created Last 30 ================

2009-01-08 15:49 0 a------- c:\windows\system32\system32xp.exe.tmp
2009-01-08 15:49 85,504 a------- c:\windows\system32\svschost.exe
2009-01-08 15:49 85,504 a------- c:\windows\system32\sv˝shost.exe
2009-01-08 14:49 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-08 14:49 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-08 14:49 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-08 14:49 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-08 14:49 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-08 14:49 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-08 14:49 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-08 14:49 <DIR> --d----- C:\0fdfe24cdd4dfe9b00e59f3d36a4218b
2009-01-08 12:40 726,008 a------- c:\documents and settings\fen\gotomypc_438.exe
2009-01-07 11:50 134,144 a------- c:\windows\ibayomebufebosuy.dll
2009-01-07 10:54 40,960 a------- c:\windows\Tgekijuduligejop.dll
2009-01-07 08:34 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-07 08:34 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-07 08:34 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-07 08:34 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-07 08:34 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-07 08:34 <DIR> --d----- c:\docume~1\fen\applic~1\PC Tools
2009-01-07 06:53 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-07 05:28 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-07 05:09 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 05:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 04:57 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-07 04:57 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-07 04:57 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-07 04:57 <DIR> --d----- c:\program files\AVG
2009-01-07 04:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-07 04:23 <DIR> --d----- c:\program files\Microsoft Common

==================== Find3M ====================

2009-01-07 04:44 2,707 a------- c:\windows\system32\TDSSlxcp.dll
2009-01-07 04:24 262,656 a------- c:\windows\sysguard.exe
2009-01-07 04:24 61,440 a------- c:\windows\system32\TDSScfmm.dll
2008-12-16 21:45 183,486 a------- c:\windows\system32\nvModes.dat
2008-10-31 12:03 726,008 a------- c:\documents and settings\fen\gotomypc_437.exe
2008-10-29 16:22 217,088 a------- c:\windows\system32\atasnt40.dll
2008-10-09 09:59 60,744 a------- c:\documents and settings\fen\g2mdlhlpx.exe
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 08:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2008-02-04 14:26 151,040 ---sh--- c:\windows\system32\VistaUltm.dll

============= FINISH: 18:11:40.10 ===============
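As an added example (not from the thread or from any of the tools named in it), a small Python script that applies the checks a helper makes by eye on the DDS sections above: a process name within two edits of a core Windows binary, a core binary running outside System32, a non-ASCII character in a file name, and rundll32 loading a DLL from the Windows root. The sample lines are constructed to match the shapes in the posted log; the odd character in the look-alike name is assumed to be U+02DD, and the System32-only set is an assumption for a stock XP install.

```python
import re
import unicodedata

# Core Windows binaries that on XP legitimately run only from %WINDIR%\system32
# (assumption: a standard single install; extend the set for other versions).
SYSTEM32_ONLY = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "services.exe"}

# Constructed sample lines in the shape of the DDS sections posted above; the
# odd character in the fifth line is assumed to be U+02DD (DOUBLE ACUTE ACCENT).
SAMPLE_PROCESSES = """\
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\system32\\svschost.exe
C:\\WINDOWS\\system32\\sv\u02ddshost.exe
C:\\Program Files\\Microsoft Common\\svchost.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""
SAMPLE_RUN_KEYS = """\
uRun: [svschost.exe] c:\\windows\\system32\\svschost.exe -check
mRun: [Apoint] c:\\program files\\apoint\\Apoint.exe
mRun: [Shamezuqu] rundll32.exe "c:\\windows\\Tgekijuduligejop.dll",e
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
"""
RUN_LINE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def edit_distance(a, b):
    """Levenshtein distance: each insertion, deletion or substitution is one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_command(text):
    """Return (directory, basename), lower-cased, of the file a DDS line runs.

    Arguments are cut at a closing quote, the first ' -' switch or the first
    comma (rundll32's 'dll,Export' form). A basename with no extension (DDS
    prints 'svchost -k DcomLaunch') gets '.exe' appended for comparison.
    """
    cmd = text.strip().strip('"')
    cmd = re.split(r'"\s|\s+-|,', cmd, maxsplit=1)[0].strip().strip('"').lower()
    directory, _, base = cmd.rpartition("\\")
    return directory, base if "." in base else base + ".exe"


def check_executable(text):
    """Return the reasons the executable named in this line looks suspicious."""
    directory, base = split_command(text)
    reasons = []
    odd = [unicodedata.name(ch, "?") for ch in base if ord(ch) > 127]
    if odd:
        reasons.append("non-ASCII character in file name: " + ", ".join(odd))
    if base in SYSTEM32_ONLY:
        if not directory.endswith("\\windows\\system32"):
            reasons.append(f"{base} running outside System32 ({directory})")
    else:
        for known in sorted(SYSTEM32_ONLY):
            dist = edit_distance(base, known)
            if 0 < dist <= 2:
                reasons.append(f"name is {dist} edit(s) from {known}")
    return reasons


def check_run_entry(line):
    """Return (value name, reasons) for a uRun:/mRun: line, or None if not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    if not cmd.lower().startswith("rundll32"):
        return name, check_executable(cmd)
    # rundll32 itself is legitimate; what matters is where the hosted DLL lives.
    dll_dir, dll = split_command(cmd.split(None, 1)[1])
    if dll_dir.endswith("\\windows"):
        return name, [f"rundll32 loads {dll} from the Windows root, not System32"]
    return name, []


def triage(process_text, run_text):
    """Run both checks over two DDS sections; return {flagged item: [reasons]}."""
    findings = {}
    for line in process_text.splitlines():
        reasons = check_executable(line) if line.strip() else []
        if reasons:
            findings[line.strip()] = reasons
    for line in run_text.splitlines():
        parsed = check_run_entry(line)
        if parsed and parsed[1]:
            findings["Run:" + parsed[0]] = parsed[1]
    return findings


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_PROCESSES, SAMPLE_RUN_KEYS).items():
        print(item, "->", "; ".join(reasons))
```

Run against a full DDS log the same way, feeding the "Running Processes" block and the uRun/mRun lines; genuine entries such as the two svchost.exe hosts and spoolsv.exe produce no finding.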


#2 Thunder

Posted 09 January 2009 - 06:32 PM

Hello Neoturner and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 neoturner

Posted 09 January 2009 - 10:17 PM

I impatiently ran Malwarebytes after making this post; however, it did resolve the system alert bug, from what I can tell, after several reboots and installs (Visual Studio Express, XP SP3, security updates).

I am noticing that I have adware when I click on Google searches in Explorer, so I was going to ask what tool I should go to next. Sorry about jumping the gun. I think I am good for the time being, so I'll hold off on doing anything till you respond.

After Malwarebytes ran I got the following log. The two files it marked for delete on reboot were successfully removed on the next pass, and a full scan didn't pick up anything new.

MWB log below:

Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 2

1/8/2009 7:04:40 PM
mbam-log-2009-01-08 (19-04-40).txt

Scan type: Quick Scan
Objects scanned: 63228
Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 46

Memory Processes Infected:
C:\WINDOWS\system32\svschost.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\sv˝shost.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shamezuqu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnenehokonipuco (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svschost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\TDSScfmm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\aazalirt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dkekkrkska.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dkewiizkjdks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iddqdops.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ienotas.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iqmcnoeqz.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\irprokwks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\jikglond.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\jiklagka.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\jrjakdsd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\jungertab.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kitiiwhaas.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kkwknrbsggeg.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\klopnidret.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\krkdkdkee.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\krkmahejdk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\krtawefg.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\krujmmwlrra.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ktknamwerr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kuruhccdsdd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ooorjaas.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\oranerkka.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\oropbbsee.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\otnnbektre.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\otowjdseww.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\otpeppggq.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rkaskssd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ronitfst.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salrtybek.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\seeukluba.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\skaaanret.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\tobmygers.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\tobykke.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zibaglertz.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Tgekijuduligejop.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ibayomebufebosuy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svschost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sv˝shost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS519d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS2bb6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc323.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

#4 Thunder

Posted 10 January 2009 - 10:33 AM

Hello Neoturner,

Running MBAM was fine. :thumbsup:

To start cleaning up the rest, please run GooredFix and ComboFix as explained in my previous post.

Greetings,
Thunder

#5 neoturner

Posted 11 January 2009 - 02:31 AM

AntivirusAlert2009 started doing its thing today. New system alerts. Did another MWB sweep and then ran GooredFix; the log is below:

GooredFix v1.8 by jpshortstuff
Log created at 02:27 on 11/01/2009 running Option #2 (Fen)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{6C9BE72C-F951-48D7-BCCF-37E041AA1A09}"="C:\Documents and Settings\Fen\Local Settings\Application Data\{6C9BE72C-F951-48D7-BCCF-37E041AA1A09}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Fen\Local Settings\Application Data\{6C9BE72C-F951-48D7-BCCF-37E041AA1A09}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"

#6 neoturner

Posted 11 January 2009 - 03:01 AM

Ran combofix and the log is below:

ComboFix 09-01-10.02 - Fen 2009-01-11 2:44:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1589 [GMT -5:00]
Running from: c:\documents and settings\Fen\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\Cache
c:\windows\system32\msrdo20.dll
c:\windows\system32\npuqruil.ini
c:\windows\system32\rdocurs.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\wFNooUtv.ini
c:\windows\system32\wFNooUtv.ini2

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_seneka
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-09 04:30 . 2008-07-10 19:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-01-09 04:30 . 2008-07-10 19:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-01-09 04:28 . 2009-01-09 04:28 <DIR> d-------- c:\windows\system32\RsFx
2009-01-09 04:13 . 2009-01-09 04:13 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2009-01-09 04:13 . 2009-01-09 04:13 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-01-09 04:13 . 2009-01-09 04:29 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-01-09 04:07 . 2009-01-09 04:10 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2009-01-09 04:07 . 2009-01-09 04:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 04:06 . 2009-01-09 04:06 <DIR> d-------- c:\program files\Microsoft SDKs
2009-01-09 04:04 . 2009-01-09 04:04 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-09 04:04 . 2009-01-09 04:04 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-09 04:04 . 2009-01-09 04:04 <DIR> d-------- c:\program files\MSBuild
2009-01-09 01:24 . 2009-01-09 01:24 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-09 01:19 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-09 01:19 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-09 01:19 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-09 01:19 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-09 01:19 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-09 01:19 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-09 01:19 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-09 01:19 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-09 01:19 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-09 01:06 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2009-01-09 01:06 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-09 01:06 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-01-09 01:06 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2009-01-09 01:05 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-09 01:05 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-09 01:05 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-09 01:05 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-09 01:05 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2009-01-09 01:05 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2009-01-09 01:05 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2009-01-09 01:04 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2009-01-09 01:03 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-09 01:03 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\system32\scripting
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\system32\en
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\system32\bits
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\l2schemas
2009-01-09 00:22 . 2009-01-09 00:22 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-09 00:07 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2009-01-08 23:55 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-01-08 22:10 . 2009-01-08 22:11 <DIR> d-------- c:\program files\Unlocker
2009-01-08 21:22 . 2009-01-09 00:46 <DIR> d-------- c:\documents and settings\Fen\Application Data\wsInspector
2009-01-08 20:48 . 2009-01-08 20:51 <DIR> d-------- c:\program files\Startup Inspector for Windows
2009-01-08 18:50 . 2009-01-08 18:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 18:50 . 2009-01-08 18:50 <DIR> d-------- c:\documents and settings\Fen\Application Data\Malwarebytes
2009-01-08 18:50 . 2009-01-08 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 18:50 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 18:50 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 14:49 . 2009-01-08 14:50 <DIR> d-------- C:\0fdfe24cdd4dfe9b00e59f3d36a4218b
2009-01-08 14:49 . 2008-07-06 07:06 1,676,288 --a------ c:\windows\system32\xpssvcs.dll
2009-01-08 14:49 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-08 14:49 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-08 14:49 . 2008-07-06 07:06 575,488 --a------ c:\windows\system32\xpsshhdr.dll
2009-01-08 14:49 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-08 14:49 . 2008-07-06 07:06 117,760 --a------ c:\windows\system32\prntvpt.dll
2009-01-08 14:49 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-08 12:40 . 2009-01-08 12:40 726,008 --a------ c:\documents and settings\Fen\gotomypc_438.exe
2009-01-07 08:35 . 2009-01-08 20:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 06:53 . 2009-01-08 20:23 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-07 05:28 . 2009-01-07 14:41 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 05:09 . 2009-01-08 21:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 04:57 . 2009-01-08 08:48 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-07 04:57 . 2009-01-07 04:57 <DIR> d-------- c:\program files\AVG
2009-01-07 04:57 . 2009-01-07 05:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-07 04:57 . 2009-01-07 04:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-07 04:57 . 2009-01-07 04:57 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 09:26 --------- d-----w c:\program files\Microsoft.NET
2009-01-09 02:51 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 20:25 --------- d-----w c:\documents and settings\Fen\Application Data\Skype
2009-01-08 17:04 --------- d-----w c:\documents and settings\Fen\Application Data\skypePM
2009-01-07 11:40 --------- d-----w c:\program files\Conference
2009-01-02 02:40 --------- d-----w c:\documents and settings\Fen\Application Data\CoreFTP
2008-12-21 19:52 --------- d-----w c:\program files\Dl_cats
2008-12-11 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-09 03:21 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-09 03:20 --------- d-----w c:\documents and settings\Fen\Application Data\SystemRequirementsLab
2008-12-09 02:37 --------- d-----w c:\program files\Firaxis Games
2008-12-09 02:34 --------- d-----w c:\documents and settings\Fen\Application Data\IGN_DLM
2008-12-09 01:15 --------- d-----w c:\program files\Download Manager
2008-10-31 17:03 726,008 ----a-w c:\documents and settings\Fen\gotomypc_437.exe
2008-10-09 14:59 60,744 ----a-w c:\documents and settings\Fen\g2mdlhlpx.exe
2008-12-23 20:08 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-23 20:08 126,360 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-11 19:30 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-10-29 21:22 32,768 ----a-w c:\program files\mozilla firefox\plugins\atsc3cls.dll
2008-12-23 20:12 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-12-23 20:09 32,768 ----a-w c:\program files\mozilla firefox\plugins\ptexmeet.dll
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w c:\windows\system32\Smab0.dll
2008-02-04 19:26 151,040 --sha-w c:\windows\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-02-13 430080]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1261336]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-01-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=aejmbf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Cognos\\TM1\\bin\\tm1s.exe"=
"c:\\Program Files\\Cognos\\TM1\\bin\\tm1admsrv.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-07 97928]
R3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
R4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-05-01 157264]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 231704]
S3 Planning Sample;TM1 Server - Planning Sample;c:\program files\Cognos\TM1\bin\tm1sd.exe [2007-12-17 2830336]
S3 tm1admsd;TM1 Admin Server;c:\program files\Cognos\TM1\bin\tm1admsd.exe [2007-12-17 249856]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{117c0dc8-79f0-11dd-9e2b-0015c5b8fff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3c58fc7-eafd-11db-9db1-0015c5b8fff6}]
\Shell\AutoRun\command - E:\WINUPDATE.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-01-11 c:\windows\Tasks\dcxntkut.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F4F35C6E-ADB4-4049-AF38-98D3D7D1ED28} - c:\windows\system32\vtUooNFw.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Fen\Application Data\Mozilla\Firefox\Profiles\5v7eq2is.default\
FF - component: c:\documents and settings\Fen\Application Data\Mozilla\Firefox\Profiles\5v7eq2is.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 02:51:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1736)
c:\windows\system32\CSGina.dll

- - - - - - - > 'lsass.exe'(1792)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\windows\system32\dlcicoms.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-01-11 2:56:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 07:56:41

Pre-Run: 29,652,889,600 bytes free
Post-Run: 40,722,403,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#7 Thunder

Posted 11 January 2009 - 06:39 AM

Hello Neoturner,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text below into an empty Notepad window:

File::
c:\windows\Tasks\dcxntkut.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
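The CFScript above removes two of the persistence points visible in the ComboFix log: the AppInit_DLLs value (aejmbf.dll, which user32.dll loads into every process that maps it) and the scheduled task dcxntkut.job that launches rundll32.exe. The same log also shows Security Center override values, a non-default LSA authentication package and AutoRun commands registered for a removable volume. The Python script below is an added example for this thread; it is not part of ComboFix, DDS or any post here. It reads those sections of a ComboFix log and lists the entries a responder should check first. The rule set, the category names and the severities are my own assumptions, and the sample text is an excerpt of the log posted earlier in the thread.

```python
"""Triage the persistence-related sections of a ComboFix log.
Added example for this thread, not part of ComboFix, DDS or the posts above.
Heuristics only: every hit is a candidate for review, not a verdict."""
import re

# Security Center values malware sets to silence XP's AV/firewall/update warnings.
SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
                         "FirewallDisableNotify", "UpdatesDisableNotify"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only LSA authentication package on stock XP

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
_APPINIT = re.compile(r'^"AppInit_DLLs"=(.*)$')
_JOB = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)$", re.IGNORECASE)
_ORPHAN_BHO = re.compile(r"^BHO-\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")


def triage(log_text):
    """Return a list of {severity, category, detail} dicts for the log text."""
    findings = []
    key = ""            # lower-cased registry key of the current block
    pending_job = None  # scheduled-task name waiting for its '- <target>' line

    def hit(severity, category, detail):
        findings.append({"severity": severity, "category": category, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_LINE.match(line)
        if m:
            key, pending_job = m.group(1).lower(), None
            continue
        # Scheduled task: '<date> <name>.job' is followed by '- <target> [date size]'.
        m = _JOB.match(line)
        if m:
            pending_job = m.group(1)
            continue
        if pending_job and line.startswith("- "):
            target = line[2:].split(" [")[0]
            if target.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
                hit("HIGH", "ScheduledTask",
                    f"{pending_job} runs {target}; rundll32 only hosts a DLL, so the "
                    "payload is in the task's arguments (inspect the .job file)")
            pending_job = None
            continue
        pending_job = None
        m = _ORPHAN_BHO.match(line)
        if m:
            hit("MEDIUM", "OrphanBHO", "BHO registration left behind for " + m.group(1))
            continue
        # AppInit_DLLs is loaded by user32.dll into every process that maps it; empty when clean.
        if key.endswith(r"\currentversion\windows"):
            m = _APPINIT.match(line)
            if m and m.group(1).strip('" '):
                hit("HIGH", "AppInit_DLLs",
                    "AppInit_DLLs=" + m.group(1).strip() + " (should be empty)")
        elif key.endswith("security center"):
            m = _DWORD.match(line)
            if m and m.group(1) in SECURITY_CENTER_FLAGS and int(m.group(2), 16):
                hit("HIGH", "SecurityCenter", m.group(1) + "=1 suppresses Security Center warnings")
        elif key.endswith(r"\control\lsa") and line.startswith("Authentication Packages"):
            extra = set(line.split()[3:]) - DEFAULT_AUTH_PACKAGES
            if extra:
                hit("MEDIUM", "LSA", "non-default authentication package(s) loaded "
                    "into lsass: " + ", ".join(sorted(extra)))
        # MountPoints2 AutoRun: the command Explorer runs when that volume is opened.
        elif "mountpoints2" in key and line.lower().startswith(r"\shell\autorun\command"):
            hit("MEDIUM", "AutoRun", "volume autorun command: " + line.split(" - ", 1)[-1])
    return findings


# Excerpt of the ComboFix log posted earlier in this thread; the Run key entry is
# benign and shows that ordinary autostarts are left alone.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=aejmbf.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3c58fc7-eafd-11db-9db1-0015c5b8fff6}]
\Shell\AutoRun\command - E:\WINUPDATE.EXE
Contents of the 'Scheduled Tasks' folder
2009-01-11 c:\windows\Tasks\dcxntkut.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
- - - - ORPHANS REMOVED - - - -
BHO-{F4F35C6E-ADB4-4049-AF38-98D3D7D1ED28} - c:\windows\system32\vtUooNFw.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['category']}: {f['detail']}")
```

Run it against the pasted log text and work the HIGH items first. The AutoRun hits are deliberately not rated HIGH: the U3 launcher is what a SanDisk U3 stick registers, but an executable named like a Windows component on a removable drive (the WINUPDATE.EXE entry here) is worth pulling off the volume and checking before it is dismissed.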

#8 neoturner (Topic Starter)

Posted 11 January 2009 - 07:07 PM

Combofix log:

ComboFix 09-01-10.03 - Fen 2009-01-11 18:46:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1567 [GMT -5:00]
Running from: c:\documents and settings\Fen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fen\Desktop\CFScript .txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Tasks\dcxntkut.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\dcxntkut.job

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-09 04:30 . 2008-07-10 19:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-01-09 04:30 . 2008-07-10 19:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-01-09 04:28 . 2009-01-09 04:28 <DIR> d-------- c:\windows\system32\RsFx
2009-01-09 04:13 . 2009-01-09 04:13 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2009-01-09 04:13 . 2009-01-09 04:13 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-01-09 04:13 . 2009-01-09 04:29 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-01-09 04:07 . 2009-01-09 04:10 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2009-01-09 04:07 . 2009-01-09 04:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 04:06 . 2009-01-09 04:06 <DIR> d-------- c:\program files\Microsoft SDKs
2009-01-09 04:04 . 2009-01-09 04:04 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-09 04:04 . 2009-01-09 04:04 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-09 04:04 . 2009-01-09 04:04 <DIR> d-------- c:\program files\MSBuild
2009-01-09 01:24 . 2009-01-09 01:24 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-09 01:19 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-09 01:19 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-09 01:19 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-09 01:19 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-09 01:19 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-09 01:19 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-09 01:19 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-09 01:19 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-09 01:19 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-09 01:06 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2009-01-09 01:06 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-09 01:06 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-01-09 01:06 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2009-01-09 01:05 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-09 01:05 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-09 01:05 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-09 01:05 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-09 01:05 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2009-01-09 01:05 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2009-01-09 01:05 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2009-01-09 01:04 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2009-01-09 01:03 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-09 01:03 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\system32\scripting
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\system32\en
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\system32\bits
2009-01-09 00:24 . 2009-01-09 00:24 <DIR> d-------- c:\windows\l2schemas
2009-01-09 00:22 . 2009-01-09 00:22 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-09 00:07 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2009-01-08 23:55 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-01-08 22:10 . 2009-01-08 22:11 <DIR> d-------- c:\program files\Unlocker
2009-01-08 21:22 . 2009-01-09 00:46 <DIR> d-------- c:\documents and settings\Fen\Application Data\wsInspector
2009-01-08 20:48 . 2009-01-08 20:51 <DIR> d-------- c:\program files\Startup Inspector for Windows
2009-01-08 18:50 . 2009-01-08 18:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 18:50 . 2009-01-08 18:50 <DIR> d-------- c:\documents and settings\Fen\Application Data\Malwarebytes
2009-01-08 18:50 . 2009-01-08 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 18:50 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 18:50 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 14:49 . 2009-01-08 14:50 <DIR> d-------- C:\0fdfe24cdd4dfe9b00e59f3d36a4218b
2009-01-08 14:49 . 2008-07-06 07:06 1,676,288 --a------ c:\windows\system32\xpssvcs.dll
2009-01-08 14:49 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-08 14:49 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-08 14:49 . 2008-07-06 07:06 575,488 --a------ c:\windows\system32\xpsshhdr.dll
2009-01-08 14:49 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-08 14:49 . 2008-07-06 07:06 117,760 --a------ c:\windows\system32\prntvpt.dll
2009-01-08 14:49 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-08 12:40 . 2009-01-08 12:40 726,008 --a------ c:\documents and settings\Fen\gotomypc_438.exe
2009-01-07 08:35 . 2009-01-08 20:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 06:53 . 2009-01-08 20:23 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-07 05:28 . 2009-01-07 14:41 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 05:09 . 2009-01-08 21:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 04:57 . 2009-01-08 08:48 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-07 04:57 . 2009-01-07 04:57 <DIR> d-------- c:\program files\AVG
2009-01-07 04:57 . 2009-01-07 05:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-07 04:57 . 2009-01-07 04:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-07 04:57 . 2009-01-07 04:57 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 09:26 --------- d-----w c:\program files\Microsoft.NET
2009-01-09 02:51 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 20:25 --------- d-----w c:\documents and settings\Fen\Application Data\Skype
2009-01-08 17:04 --------- d-----w c:\documents and settings\Fen\Application Data\skypePM
2009-01-07 11:40 --------- d-----w c:\program files\Conference
2009-01-02 02:40 --------- d-----w c:\documents and settings\Fen\Application Data\CoreFTP
2008-12-21 19:52 --------- d-----w c:\program files\Dl_cats
2008-12-11 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-09 03:21 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-09 03:20 --------- d-----w c:\documents and settings\Fen\Application Data\SystemRequirementsLab
2008-12-09 02:37 --------- d-----w c:\program files\Firaxis Games
2008-12-09 02:34 --------- d-----w c:\documents and settings\Fen\Application Data\IGN_DLM
2008-12-09 01:15 --------- d-----w c:\program files\Download Manager
2008-10-31 17:03 726,008 ----a-w c:\documents and settings\Fen\gotomypc_437.exe
2008-10-09 14:59 60,744 ----a-w c:\documents and settings\Fen\g2mdlhlpx.exe
2008-12-23 20:08 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-23 20:08 126,360 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-11 19:30 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-10-29 21:22 32,768 ----a-w c:\program files\mozilla firefox\plugins\atsc3cls.dll
2008-12-23 20:12 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-12-23 20:09 32,768 ----a-w c:\program files\mozilla firefox\plugins\ptexmeet.dll
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w c:\windows\system32\Smab0.dll
2008-02-04 19:26 151,040 --sha-w c:\windows\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_ 2.54.36.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-11 07:50:55 219,262 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-11 23:54:17 219,256 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-02-13 430080]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1261336]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-01-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Cognos\\TM1\\bin\\tm1s.exe"=
"c:\\Program Files\\Cognos\\TM1\\bin\\tm1admsrv.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-07 97928]
R3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
R4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-05-01 157264]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-07 231704]
S3 Planning Sample;TM1 Server - Planning Sample;c:\program files\Cognos\TM1\bin\tm1sd.exe [2007-12-17 2830336]
S3 tm1admsd;TM1 Admin Server;c:\program files\Cognos\TM1\bin\tm1admsd.exe [2007-12-17 249856]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{117c0dc8-79f0-11dd-9e2b-0015c5b8fff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3c58fc7-eafd-11db-9db1-0015c5b8fff6}]
\Shell\AutoRun\command - E:\WINUPDATE.EXE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Fen\Application Data\Mozilla\Firefox\Profiles\5v7eq2is.default\
FF - component: c:\documents and settings\Fen\Application Data\Mozilla\Firefox\Profiles\5v7eq2is.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 18:56:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1724)
c:\windows\system32\CSGina.dll

- - - - - - - > 'lsass.exe'(1792)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlcicoms.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-01-11 19:01:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 00:00:58
ComboFix2.txt 2009-01-11 07:56:46

Pre-Run: 40,710,877,184 bytes free
Post-Run: 40,693,424,128 bytes free


#9 Thunder

Posted 12 January 2009 - 05:33 AM

Looks good, Neoturner :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u, then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference



