
MS JUAN has struck again!



#1 achi10

Posted 11 January 2009 - 05:11 PM

Okay, so I got infected by Vundo and have been able to clear the pop-ups; however, when I run MBAM, the MS JUAN key still shows up...

Any help would be appreciated! Thanks


_________________________

ComboFix 09-01-10.02 - CIN3ASTA 2009-01-10 19:41:50.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1796 [GMT -8:00]
Running from: c:\documents and settings\CIN3ASTA\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090110-0] *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iidcphlh.dll
c:\windows\system32\xfdznq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-10 19:33 . 2009-01-10 19:33 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-10 18:20 . 2009-01-10 18:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-10 11:48 . 2009-01-10 11:48 <DIR> d-------- c:\program files\Syncplicity
2009-01-10 11:47 . 2009-01-10 11:47 <DIR> d-------- c:\program files\MSBuild
2009-01-10 11:40 . 2009-01-10 11:40 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-10 11:39 . 2009-01-10 11:39 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-10 11:39 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-09 19:56 . 2008-10-05 20:44 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
2009-01-09 19:56 . 2008-10-05 20:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TMP
2009-01-09 19:56 . 2008-10-05 20:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-01-09 19:56 . 2009-01-09 19:56 <DIR> d-------- c:\documents and settings\Administrator
2009-01-09 01:30 . 2009-01-09 01:30 <DIR> d-------- C:\VundoFix Backups
2009-01-08 22:24 . 2009-01-08 22:24 <DIR> d-------- c:\program files\CCleaner
2009-01-08 22:23 . 2009-01-08 22:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-08 22:22 . 2009-01-08 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-08 22:21 . 2009-01-08 22:21 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-08 22:21 . 2009-01-08 22:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-08 22:21 . 2009-01-08 22:21 <DIR> d-------- c:\documents and settings\CIN3ASTA\Application Data\SUPERAntiSpyware.com
2009-01-08 22:21 . 2009-01-08 22:21 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2009-01-08 22:20 . 2009-01-08 22:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 22:20 . 2009-01-08 22:20 <DIR> d-------- c:\documents and settings\CIN3ASTA\Application Data\Malwarebytes
2009-01-08 22:20 . 2009-01-08 22:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 22:20 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 22:20 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 18:47 . 2009-01-06 18:47 <DIR> d-------- c:\program files\Alwil Software
2009-01-06 18:47 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-06 18:47 . 2003-03-18 12:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-01-04 10:42 . 2009-01-04 10:42 <DIR> d-------- c:\program files\Live Mesh
2009-01-04 10:42 . 2009-01-04 10:42 119,752 --a------ c:\windows\system32\rdpdispd.dll
2009-01-04 10:42 . 2009-01-04 10:42 20,424 --a------ c:\windows\system32\drivers\rdpvmp.sys
2009-01-04 10:42 . 2009-01-04 10:42 16,712 --a------ c:\windows\system32\rdpvdd.dll
2009-01-04 10:42 . 2009-01-04 10:42 10,056 --a------ c:\windows\system32\drivers\rdpdispm.sys
2009-01-04 00:38 . 2009-01-04 00:38 <DIR> d-------- c:\windows\CatRoot
2009-01-04 00:38 . 2006-08-10 20:00 921,656 --a------ c:\windows\system32\VGA.RAW
2009-01-04 00:38 . 2006-10-13 18:43 253,952 --a------ c:\windows\system32\vmprp326.ax
2009-01-04 00:38 . 2006-10-13 15:52 219,520 --a------ c:\windows\system32\drivers\usbvm326.sys
2009-01-04 00:38 . 2006-06-05 13:44 192,512 --a------ c:\windows\VimicroCam.exe
2009-01-04 00:38 . 2006-06-08 11:25 73,728 --a------ c:\windows\VMInstNT.exe
2009-01-04 00:38 . 2006-08-21 21:13 40,960 --a------ c:\windows\VM303UninstNT.exe
2009-01-04 00:38 . 2006-08-10 20:00 32,768 --a------ c:\windows\system32\VMCtrl326.ax
2009-01-04 00:38 . 2002-02-26 18:47 15,086 --a------ c:\windows\uninstall.ico
2009-01-04 00:38 . 2005-09-29 16:26 8,990 --a------ c:\windows\Product.ico
2009-01-03 23:37 . 2009-01-03 23:37 <DIR> d-------- c:\windows\system32\xManager
2009-01-03 23:37 . 2009-01-03 23:37 <DIR> d-------- c:\windows\_PrimaxInstallTempDir0
2009-01-03 23:37 . 2007-12-04 15:52 132,900 --a------ c:\windows\system32\PMUNINST.INI
2009-01-03 23:28 . 2006-05-25 11:05 90,112 --a------ c:\windows\system32\hpqnt.dll
2009-01-03 23:28 . 2006-05-25 11:17 45,056 --a------ c:\windows\system32\hpBat.cpl
2008-12-28 21:11 . 2008-12-28 21:11 <DIR> d-------- c:\program files\Synaptics
2008-12-28 21:11 . 2008-01-18 10:49 220,640 --a------ c:\windows\system32\drivers\SynTP.sys
2008-12-28 21:11 . 2008-01-18 10:52 196,608 --a------ c:\windows\system32\SynCtrl.dll
2008-12-28 21:11 . 2008-01-18 10:51 163,840 --a------ c:\windows\system32\SynCOM.dll
2008-12-28 21:11 . 2008-01-18 11:03 147,456 --a------ c:\windows\system32\SynTPAPI.dll
2008-12-28 21:11 . 2008-01-18 11:30 110,592 --a------ c:\windows\system32\SynTPCo4.dll
2008-12-27 21:38 . 2008-12-27 21:38 <DIR> d-------- c:\windows\PrimoPDF4
2008-12-27 21:38 . 2008-12-27 21:38 <DIR> d-------- c:\program files\activePDF
2008-12-27 21:38 . 2006-12-11 13:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
2008-12-26 16:06 . 2008-12-26 16:06 <DIR> d-------- c:\program files\PortaShopCS2
2008-12-22 18:53 . 2008-12-22 18:53 <DIR> d-------- c:\program files\GyroTools
2008-12-22 18:53 . 2008-12-22 18:53 <DIR> d-------- c:\documents and settings\CIN3ASTA\Application Data\GyroTools GyroTransport
2008-12-22 18:51 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-20 13:06 . 2007-04-16 17:53 139,264 --a------ c:\windows\system32\vmcoinst_vc0326_hp.dll
2008-12-20 13:05 . 2008-12-20 13:05 <DIR> d-------- c:\program files\HP Webcam
2008-12-20 13:04 . 2008-12-20 13:04 <DIR> d-------- c:\documents and settings\CIN3ASTA\Application Data\WinBatch
2008-12-20 12:54 . 2008-02-15 13:45 172,032 --a------ c:\windows\system32\igfxres.dll
2008-12-20 12:49 . 2008-12-20 12:49 <DIR> d-------- C:\Intel
2008-12-18 20:31 . 2008-12-18 20:31 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-18 20:31 . 2006-08-10 20:00 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-12-18 20:31 . 2007-09-04 08:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-12-18 20:31 . 2008-07-30 11:09 38 --a------ c:\windows\avisplitter.ini
2008-12-14 12:59 . 2003-03-19 22:23 <DIR> d-------- c:\program files\Resolution Changer
2008-12-14 12:46 . 2008-12-14 12:46 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-12-14 12:46 . 2008-12-14 12:46 <DIR> d-------- c:\documents and settings\CIN3ASTA\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 03:45 --------- d-----w c:\program files\Hot Keyboard
2009-01-11 02:19 --------- d-----w c:\program files\Java
2009-01-07 02:44 --------- d-----w c:\program files\Microsoft Works
2009-01-04 08:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 08:38 --------- d-----w c:\program files\DIFX
2009-01-04 07:28 --------- d-----w c:\program files\Hewlett-Packard
2009-01-04 07:21 --------- d-----w c:\program files\Steam
2009-01-03 08:27 --------- d-----w c:\documents and settings\CIN3ASTA\Application Data\.purple
2008-12-20 22:02 --------- d-----w c:\program files\CyberLink
2008-12-10 08:44 --------- d-----w c:\documents and settings\CIN3ASTA\Application Data\Launchy
2008-12-10 08:43 --------- d-----w c:\program files\Launchy
2008-12-10 08:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 08:26 --------- d-----w c:\program files\Microsoft.NET
2008-12-10 08:11 --------- d-----w c:\program files\TightVNC
2008-12-10 08:03 --------- d-----w c:\program files\VS Revo Group
2008-12-09 10:38 0 ----a-w c:\documents and settings\CIN3ASTA\Application Data\wklnhst.dat
2008-12-09 10:38 --------- d-----w c:\documents and settings\CIN3ASTA\Application Data\Template
2008-12-09 10:31 --------- d-----w c:\program files\HPQ
2008-12-09 07:02 --------- d-----w c:\program files\Microsoft
2008-12-09 06:55 --------- d-----w c:\program files\Winamp
2008-12-09 06:55 --------- d-----w c:\documents and settings\CIN3ASTA\Application Data\Winamp
2008-12-09 06:55 --------- d-----w c:\documents and settings\CIN3ASTA\Application Data\Hot Keyboard
2008-12-09 06:53 --------- d-----w c:\program files\Orbis Software
2008-12-09 06:27 --------- d-----w c:\program files\Pidgin
2008-12-09 06:26 --------- d-----w c:\program files\Common Files\GTK
2008-12-09 05:30 --------- d-----w c:\documents and settings\CIN3ASTA\Application Data\Apple Computer
2008-12-09 05:19 --------- d-----w c:\program files\QuickTime
2008-12-09 05:18 --------- d-----w c:\program files\Common Files\Apple
2008-12-09 05:18 --------- d-----w c:\program files\Apple Software Update
2008-12-09 05:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-09 05:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-09 04:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-06-24 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]
@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"
[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]
2008-12-18 00:07 38400 --a------ c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]
@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"
[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]
2008-12-18 00:07 38400 --a------ c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]
@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"
[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]
2008-12-18 00:07 38400 --a------ c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]
@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"
[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]
2008-12-18 00:07 38400 --a------ c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="c:\program files\Hot Keyboard\HotKeyb.exe" [2008-02-14 996008]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"Syncplicity"="c:\program files\Syncplicity\Syncplicity.exe" [2008-12-18 658944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-10 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-12-10 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-01-04 10:41 22856 c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xfdznq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GyroTools GyroTransport.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GyroTools GyroTransport.lnk
backup=c:\windows\pss\GyroTools GyroTransport.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
--a------ 2008-08-28 07:16 471040 c:\windows\system32\AESTFltr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-14 16:28 133104 c:\documents and settings\CIN3ASTA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Mobile Broadband]
--a------ 2008-07-08 13:30 439600 c:\swsetup\HPQWWAN\HPMobileBroadband.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-02-15 13:46 135168 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-15 13:46 131072 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-08 18:50 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 03:28 144784 c:\program files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
--a------ 2008-08-29 16:03 442477 c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
--a------ 2008-08-29 16:03 442477 c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"WebClient"=2 (0x2)
"UPS"=3 (0x3)
"LmHosts"=2 (0x2)
"seclogon"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"xmlprov"=3 (0x3)
"Nla"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Netlogon"=3 (0x3)
"CiSvc"=3 (0x3)
"AppMgmt"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\achi10\\counter-strike\\hl.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\Steam\\steamapps\\achi10\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\CIN3ASTA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\CIN3ASTA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-06 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-10-05 112128]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-01-04 10056]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-01-04 20424]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-06 20560]
R4 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [2009-01-04 42824]
S3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\DRIVERS\DisplayLinkGAport.sys --> c:\windows\system32\DRIVERS\DisplayLinkGAport.sys [?]
S3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\DRIVERS\DisplayLinkmirrorport.sys --> c:\windows\system32\DRIVERS\DisplayLinkmirrorport.sys [?]
S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort.sys --> c:\windows\system32\DRIVERS\DisplayLinkUsbPort.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-08 38496]
S3 SS1PALHWA;Wireless USB Host Wire-Adapter;c:\windows\system32\DRIVERS\SS1PALHWA.SYS --> c:\windows\system32\DRIVERS\SS1PALHWA.SYS [?]
S3 SS1USBPAL;Radio Controller Interface;c:\windows\system32\DRIVERS\SS1USBPAL.SYS --> c:\windows\system32\DRIVERS\SS1USBPAL.SYS [?]
S3 UCORESYS;UCORESYS;\??\c:\documents and settings\CIN3ASTA\Desktop\sp41906\UCORESYS.SYS --> c:\documents and settings\CIN3ASTA\Desktop\sp41906\UCORESYS.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-11 c:\windows\Tasks\bhkiwfqj.job
- c:\windows\system32\rundll32.exe [2008-04-14 20:00]

2009-01-11 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\CIN3ASTA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-14 16:28]
.
- - - - ORPHANS REMOVED - - - -

Notify-ljJBsPgg - ljJBsPgg.dll
MSConfigStartUp-Keyboard Suite Daemon - c:\windows\system32\xManager\PELKBD.EXE
MSConfigStartUp-MoeMonitor - c:\documents and settings\CIN3ASTA\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.5\MoeMonitor.exe
MSConfigStartUp-WUSBManager - c:\program files\Wireless USB Manager\Wireless USB Manager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\CIN3ASTA\Application Data\Mozilla\Firefox\Profiles\sm0clzfk.default\
FF - component: c:\documents and settings\CIN3ASTA\Application Data\Mozilla\Firefox\Profiles\sm0clzfk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\CIN3ASTA\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 19:45:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
"LBL"=hex:00,00,00,00,00,00,00,00
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:30,04,3f,a2,ac,72,c9,01
"CDY"=hex:30,e4,82,e3,ab,72,c9,01
"CNT"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:02,7b,02,5d,d6,72,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\IDT\WDM\stacsv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-10 19:50:46 - machine was rebooted [CIN3ASTA]
ComboFix-quarantined-files.txt 2009-01-11 03:50:42

Pre-Run: 41,822,081,024 bytes free
Post-Run: 39,674,642,432 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

338 --- E O F --- 2008-12-19 16:26:12

__________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:42 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hot Keyboard\HotKeyb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Syncplicity\Syncplicity.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Hot Keyboard] C:\Program Files\Hot Keyboard\HotKeyb.exe -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Syncplicity] C:\Program Files\Syncplicity\Syncplicity.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: xfdznq.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe

--
End of file - 6331 bytes

Edit: Moved topic from XP to the more appropriate forum, although there is a ComboFix log included. ~ Animal


#2 Animal

Posted 11 January 2009 - 05:58 PM

Please note the message text in blue at the top of this forum.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please be patient while one of our first responders determines if it is possible to assist you.




