potential malware attack on pc and dns poisoned


This topic is locked. 7 replies to this topic.

#1 annonymouse

  • Members
  • 9 posts

Posted 16 January 2009 - 06:32 PM

Hi there,

I woke up this morning and my PC had crashed through the night.
On rebooting, my PC had an error message that my Agnitum Outpost security centre and firewall had crashed out.
My browser (Firefox) seems to go through www.ecata.info before resolving web pages, and sometimes it won't even load them, saying network time out (example: www.pcflank.com).
I rebooted into safe mode and ran Spybot, which came back clean.
When rebooting back normally, Windows would stall at "loading personal settings" 50%, having to restart, then would log in fine.
I uninstalled and reinstalled my Outpost. Windows wouldn't let it update, then I rebooted and it would update.
Tried to run a Kaspersky scan and it wouldn't work, wouldn't download the database, yet web pages are working 75% of the time; sometimes I had to refresh for them to load correctly.
I managed to run Trend's HouseCall, which came back clean.


DDS log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Annonymouse at 22:58:12.09 on 16/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1491 [GMT 0:00]

AV: Outpost Security Suite Pro *On-access scanning disabled* (Updated)
FW: Outpost Security Suite Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Annonymouse\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost security suite pro\feedback.exe" /dump:os_startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\annony~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\program files\agnitum\outpost security suite pro\ie_bar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {4EF3F792-6E69-42FD-8754-5AB8C8595CBD} = 208.67.220.220,208.67.222.222
TCP: {9C1DB4BF-D6D0-4051-B8C3-9E966AB4521F} = 208.67.220.220,208.67.222.222
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\annony~1\applic~1\mozilla\firefox\profiles\uwraa3u4.default\

============= SERVICES / DRIVERS ===============

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-1-16 703904]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-1-16 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-1-16 257176]
R3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2009-1-16 34080]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2009-1-16 1075154]
R3 VBFilt;VBFilt;c:\windows\system32\filt\VBFilt.dll [2009-1-16 229024]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [2009-1-5 132096]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2009-1-10 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2009-1-10 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2009-1-10 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2009-1-10 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2009-1-10 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2009-1-10 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2009-1-10 110120]
S4 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-1-16 1604952]

=============== Created Last 30 ================

2009-01-16 19:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Documents
2009-01-16 15:34 <DIR> --d----- c:\documents and settings\annonymouse\.housecall6.6
2009-01-16 15:31 <DIR> --d----- c:\program files\Trend Micro
2009-01-16 15:02 1,075,154 a------- c:\windows\system32\drivers\VBEngNT.sys
2009-01-16 15:02 703,904 a------- c:\windows\system32\drivers\SandBox.sys
2009-01-16 15:02 257,176 a------- c:\windows\system32\drivers\afwcore.sys
2009-01-16 15:02 49 a------- c:\windows\transp.gif
2009-01-16 15:02 30,864 a------- c:\windows\system32\drivers\afw.sys
2009-01-16 15:02 <DIR> --d----- c:\windows\system32\Filt
2009-01-16 15:02 <DIR> --d----- c:\program files\Agnitum
2009-01-16 15:02 <DIR> --d----- c:\docume~1\annony~1\applic~1\Agnitum
2009-01-16 15:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2009-01-16 13:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 13:48 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-16 11:59 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-15 20:10 <DIR> --d----- c:\program files\Chartcross
2009-01-15 19:36 30,592 ac------ c:\windows\system32\dllcache\rndismpx.sys
2009-01-15 19:36 12,800 ac------ c:\windows\system32\dllcache\usb8023x.sys
2009-01-15 19:36 30,592 a------- c:\windows\system32\drivers\rndismpx.sys
2009-01-15 19:36 12,800 a------- c:\windows\system32\drivers\usb8023x.sys
2009-01-10 17:07 <DIR> --d----- c:\program files\Avanquest update
2009-01-10 17:06 110,120 a------- c:\windows\system32\drivers\s3017unic.sys
2009-01-10 17:06 10,792 a------- c:\windows\system32\drivers\s3017cr.sys
2009-01-10 17:06 104,616 a------- c:\windows\system32\drivers\s3017mgmt.sys
2009-01-10 17:06 100,648 a------- c:\windows\system32\drivers\s3017obex.sys
2009-01-10 17:06 25,512 a------- c:\windows\system32\drivers\s3017nd5.sys
2009-01-10 17:06 110,632 a------- c:\windows\system32\drivers\s3017mdm.sys
2009-01-10 17:06 83,880 a------- c:\windows\system32\drivers\s3017bus.sys
2009-01-10 17:06 15,016 a------- c:\windows\system32\drivers\s3017mdfl.sys
2009-01-10 17:06 12,200 a------- c:\windows\system32\drivers\s3017whnt.sys
2009-01-10 17:06 12,200 a------- c:\windows\system32\drivers\s3017wh.sys
2009-01-10 17:06 12,200 a------- c:\windows\system32\drivers\s3017cmnt.sys
2009-01-10 17:06 12,200 a------- c:\windows\system32\drivers\s3017cm.sys
2009-01-10 17:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2009-01-10 17:01 <DIR> --d----- c:\program files\Sony
2009-01-10 17:00 <DIR> --d----- c:\program files\Sony Ericsson
2009-01-10 14:05 <DIR> --d----- c:\program files\Bonjour
2009-01-10 14:04 <DIR> --d----- c:\program files\iPod
2009-01-10 14:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 14:04 <DIR> --d----- c:\program files\iTunes
2009-01-08 23:57 <DIR> --d----- c:\program files\DVD Decrypter
2009-01-08 22:44 <DIR> --d----- c:\program files\DVD Shrink
2009-01-08 22:33 <DIR> --d----- c:\program files\common files\DirectX
2009-01-08 22:33 28,672 a------- c:\windows\SNVerifyDLL.dll
2009-01-08 22:33 2,646,016 a------- c:\windows\Dolphin.scr
2009-01-08 22:33 <DIR> --d----- c:\program files\Formosoft
2009-01-08 22:07 <DIR> --d----- c:\program files\CCleaner
2009-01-07 12:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Soulseek
2009-01-07 12:11 <DIR> --d----- c:\program files\SoulseekNS
2009-01-06 20:43 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-06 20:43 499,712 a------- c:\windows\system32\msvcp71.dll
2009-01-06 20:43 368,640 a------- c:\windows\system32\ReWire.dll
2009-01-06 20:43 348,160 a------- c:\windows\system32\msvcr71.dll
2009-01-06 20:43 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-01-06 20:43 <DIR> --d----- c:\program files\Ableton
2009-01-05 14:58 <DIR> --d----- c:\documents and settings\annonymouse\Contacts
2009-01-05 14:23 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-05 12:40 2,424,066 a------- c:\windows\system32\madiousb.dll
2009-01-05 12:40 356,864 a------- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-01-05 12:40 245,248 a------- c:\windows\system32\M-AudioFastTrackControlPanelApplet.cpl
2009-01-05 12:40 132,096 a------- c:\windows\system32\drivers\mausbft.sys
2009-01-05 12:40 21,504 a------- c:\windows\system32\mausbasio.dll
2009-01-05 12:40 <DIR> --d----- c:\program files\M-Audio
2009-01-05 01:50 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-01-05 01:50 <DIR> --d----- C:\9fbdf4ad871a22e8f0fbfc57796e2c3b
2009-01-05 01:49 <DIR> --d----- C:\bb0c6e86f3984e7bd6e7d055
2009-01-05 01:49 <DIR> --d----- c:\windows\system32\LogFiles
2009-01-05 01:47 <DIR> --d----- c:\program files\Kontiki
2009-01-05 01:47 <DIR> --d----- c:\program files\Channel4
2009-01-05 01:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2009-01-05 01:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Channel4
2009-01-03 00:31 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-01-02 15:37 21,825 a------- c:\windows\system32\OODBS.lor
2009-01-02 01:35 <DIR> --d----- c:\program files\common files\Native Instruments
2009-01-02 01:34 <DIR> --d----- c:\program files\Native Instruments
2009-01-02 01:33 1,700,352 a------- c:\windows\system32\gdiplus.dll
2009-01-02 01:13 <DIR> --d----- c:\docume~1\annony~1\applic~1\Ableton
2009-01-02 01:00 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-01-02 01:00 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-01-02 01:00 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-01-02 01:00 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-01-02 00:40 <DIR> --d----- c:\program files\OO Software
2009-01-02 00:30 <DIR> --d----- c:\program files\uTorrent
2009-01-02 00:30 <DIR> --d----- c:\docume~1\annony~1\applic~1\uTorrent
2009-01-02 00:27 208,744 a------- c:\windows\system32\muweb.dll
2009-01-02 00:27 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-02 00:27 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-02 00:24 <DIR> --d----- c:\program files\VideoLAN
2009-01-02 00:20 376 a------- c:\windows\ODBC.INI
2009-01-02 00:20 28,040 a------- c:\windows\system32\mdimon.dll
2009-01-02 00:19 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-01-02 00:19 <DIR> --d----- c:\windows\SHELLNEW
2009-01-02 00:14 3,932,214 a------- c:\windows\AW_XenoMorph1280.bmp
2009-01-02 00:13 36,864 a------- c:\windows\system32\wbsys.dll
2009-01-02 00:13 56 a------- c:\windows\wb.ini
2009-01-02 00:13 <DIR> --d----- c:\program files\common files\Stardock
2009-01-02 00:13 <DIR> --d----- c:\program files\AlienGUIse
2009-01-02 00:10 <DIR> --d----- c:\documents and settings\annonymouse\Tracing
2009-01-02 00:07 <DIR> --d----- c:\documents and settings\Annonymouse
2009-01-01 23:57 <DIR> --d----- c:\program files\common files\Windows Live
2009-01-01 23:56 96,896 a------- c:\windows\system32\drivers\mcdbus.sys
2009-01-01 23:56 <DIR> --d----- c:\program files\MagicDisc
2009-01-01 23:55 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-01-01 23:53 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-01-01 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sports Interactive
2009-01-01 23:50 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-01-01 23:50 <DIR> --d----- c:\windows\Logs
2009-01-01 23:47 <DIR> --d----- c:\windows\system32\AGEIA
2009-01-01 23:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-01 23:47 203,520 a------- c:\windows\system32\nvapps.xml
2009-01-01 23:46 453,152 a------- c:\windows\system32\nvudisp.exe
2009-01-01 23:46 18,537 a------- c:\windows\system32\nvdisp.nvu
2009-01-01 23:46 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-01 23:46 <DIR> --d----- C:\NVIDIA
2009-01-01 23:36 <DIR> --d----- c:\windows\pss
2009-01-01 23:34 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-01-01 23:34 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-01-01 23:34 <DIR> --d----- c:\windows\system32\Lang
2009-01-01 23:22 <DIR> --d----- C:\Football Manager 2009
2009-01-01 23:19 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-01 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-01 23:05 533 a------- c:\windows\eReg.dat
2009-01-01 23:05 <DIR> --d----- c:\program files\Maxis
2009-01-01 23:02 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-01 23:01 101,136 a------- c:\windows\KHALMNPR.Exe
2009-01-01 23:01 78,864 a------- c:\windows\system32\drivers\LMouKE.Sys
2009-01-01 23:01 62,992 a------- c:\windows\system32\drivers\L8042mou.Sys
2009-01-01 23:01 20,496 a------- c:\windows\system32\drivers\L8042Kbd.sys
2009-01-01 23:01 163,840 a------- c:\windows\system32\kemutb.dll
2009-01-01 23:01 135,168 a------- c:\windows\system32\KemUtil.dll
2009-01-01 23:01 110,592 a------- c:\windows\system32\KemWnd.dll
2009-01-01 23:01 69,632 a------- c:\windows\system32\KemXML.dll
2009-01-01 23:00 <DIR> --d----- c:\program files\common files\Logitech
2009-01-01 22:54 <DIR> --d----- c:\program files\AVG
2009-01-01 22:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-01 22:42 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-01 22:42 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-01 22:42 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-01 22:42 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-01 22:42 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-01 22:42 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-01 22:42 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-01 22:42 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-01 22:42 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-01 22:33 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-01 22:33 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-01 22:33 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-01 22:33 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-01 22:33 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-01 22:31 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-01 22:31 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-01-01 22:30 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-01 22:30 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-01-01 22:30 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-01 22:29 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-01-01 22:29 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-01-01 22:29 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-01 22:29 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-01-01 22:29 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-01 22:28 592 a------- c:\windows\chgkey.vbs
2009-01-01 22:24 83,072 ac------ c:\windows\system32\dllcache\wdmaud.sys
2009-01-01 22:24 6,272 ac------ c:\windows\system32\dllcache\splitter.sys
2009-01-01 22:24 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-01-01 22:24 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-01-01 22:24 52,864 ac------ c:\windows\system32\dllcache\dmusic.sys
2009-01-01 22:24 52,864 a------- c:\windows\system32\drivers\DMusic.sys
2009-01-01 22:24 56,576 ac------ c:\windows\system32\dllcache\swmidi.sys
2009-01-01 22:24 56,576 a------- c:\windows\system32\drivers\swmidi.sys
2009-01-01 22:24 172,416 ac------ c:\windows\system32\dllcache\kmixer.sys
2009-01-01 22:24 142,592 ac------ c:\windows\system32\dllcache\aec.sys
2009-01-01 22:24 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-01-01 22:24 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-01-01 22:21 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-01 22:20 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-01 22:17 145,408 ac------ c:\windows\system32\dllcache\iische51.dll
2009-01-01 22:16 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-01 22:16 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-01 22:15 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-01 22:14 <DIR> --d----- c:\program files\Online Services
2009-01-01 22:14 <DIR> --d----- c:\program files\Messenger
2009-01-01 22:14 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-01 22:14 <DIR> --d----- c:\program files\Windows NT
2009-01-01 22:10 <DIR> --d----- c:\program files\common files\ODBC
2009-01-01 22:10 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-01-01 22:10 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-01-03 01:36 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-01 22:14 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll

============= FINISH: 22:58:39.60 ===============


I can't seem to find what's wrong.
Thank you so much for any help.
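A small triage check for the two things this post raises (resolver settings, and what appeared on the box right before the symptoms), added here as an example and not part of the thread or of the DDS tool. It parses DDS-format lines: the excerpt inside the script is constructed after the log above, with one made-up 10.0.0.53 resolver entry so the check has something to flag. It reports resolver addresses outside an expected allowlist and kernel drivers whose on-disk date falls within a few days of the log date. The allowlist (OpenDNS, matching the log), the age threshold and the function names are assumptions.

```python
"""Triage helper for DDS-style logs: flag DNS resolvers that are not on an
expected allowlist and list kernel drivers that appeared shortly before the
log was taken. Added example, not from the thread or the DDS tool."""
import re
from datetime import date

# Constructed excerpt in the DDS format used in the thread. The 10.0.0.53
# resolver on the last TCP: line is made up so the check has something to flag.
SAMPLE_LOG = r"""DDS (Ver_09-01-07.01) - NTFSx86
Run by Annonymouse at 22:58:12.09 on 16/01/2009
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {4EF3F792-6E69-42FD-8754-5AB8C8595CBD} = 208.67.220.220,208.67.222.222
TCP: {9C1DB4BF-D6D0-4051-B8C3-9E966AB4521F} = 10.0.0.53,208.67.222.222
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-1-16 703904]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-1-16 30864]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [2009-1-5 132096]
"""

# Assumption: the resolvers the machine's owner actually configured
# (OpenDNS here, matching the thread's log).
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

RUN_RE = re.compile(r"^Run by .* on (?P<d>\d{2})/(?P<m>\d{2})/(?P<y>\d{4})$")
TCP_RE = re.compile(
    r"^TCP:\s+(?P<scope>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<ips>[\d.,\s]+)$")
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")


def log_date(text):
    """Date the log was taken, from the 'Run by ... on dd/mm/yyyy' header."""
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            return date(int(m["y"]), int(m["m"]), int(m["d"]))
    return None


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Map each TCP: scope (global NameServer or adapter GUID) to the
    resolver addresses it lists that are not on the allowlist."""
    findings = {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        ips = [ip.strip() for ip in m["ips"].split(",") if ip.strip()]
        bad = [ip for ip in ips if ip not in expected]
        if bad:
            findings[m["scope"]] = bad
    return findings


def recent_drivers(text, max_age_days=7):
    """Drivers whose on-disk date falls within max_age_days before the log
    date, as (service name, path, age in days). New kernel drivers deserve
    a second look when the symptoms only started recently."""
    ref = log_date(text)
    found = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if not m:
            continue
        y, mo, d = (int(part) for part in m["date"].split("-"))
        age = (ref - date(y, mo, d)).days
        if 0 <= age <= max_age_days:
            found.append((m["name"], m["path"], age))
    return found


if __name__ == "__main__":
    for scope, ips in unexpected_resolvers(SAMPLE_LOG).items():
        print(f"resolver outside allowlist in {scope}: {', '.join(ips)}")
    for name, path, age in recent_drivers(SAMPLE_LOG):
        print(f"driver {name} at {path} is {age} day(s) old")
```

Run it against a saved DDS log by replacing SAMPLE_LOG with the file's contents; a resolver that nobody configured, or a driver that landed the day the trouble began, is what to bring to the helper's attention.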

#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 21 January 2009 - 05:07 AM

Hello Annonymouse,

Can you please go to http://www.bleepingcomputer.com/submit-malware.php?channel=8
Then:
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=1957672
2. In the second window (Browse to the file you want to submit:) copy and paste this: c:\windows\system32\dllcache\wdmaud.sys
3. Click the Send file button.
Then, please read this tutorial carefully (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

Edited by Thunder, 21 January 2009 - 05:08 AM.

Whatever happens, make believe it was intended to ...

#3 annonymouse
  • Topic Starter

  • Members
  • 9 posts

Posted 21 January 2009 - 07:11 AM

Hi there,
Sent file, ran scan.
Log:

ComboFix 09-01-19.05 - Annonymouse 2009-01-20 15:17:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1597 [GMT 0:00]
Running from: c:\documents and settings\Annonymouse\Desktop\ComboFix.exe
AV: Outpost Security Suite Pro *On-access scanning disabled* (Updated)
FW: Outpost Security Suite Pro *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-20 15:05 . 2009-01-20 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-20 00:05 . 2009-01-20 00:05 <DIR> dr-h----- c:\documents and settings\Annonymouse\Application Data\SecuROM
2009-01-20 00:05 . 2009-01-20 00:05 108,144 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-19 23:06 . 2009-01-19 23:06 <DIR> d-------- c:\program files\River Past
2009-01-19 23:06 . 2009-01-19 23:06 <DIR> d-------- c:\program files\Common Files\River Past
2009-01-19 23:06 . 2009-01-19 23:06 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\River Past G5
2009-01-19 23:06 . 2009-01-19 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\River Past G5
2009-01-19 23:06 . 2009-01-19 23:06 164,832 --a------ c:\windows\Screen Recorder Pro Uninstaller.exe
2009-01-17 21:45 . 2004-01-08 11:38 208,896 --a------ c:\windows\system32\lame_enc.dll
2009-01-17 21:29 . 2009-01-17 21:46 <DIR> d-------- c:\temp\E--
2009-01-17 21:29 . 2009-01-17 21:29 <DIR> d-------- C:\Temp
2009-01-17 21:14 . 2009-01-17 21:24 <DIR> d-------- c:\program files\ImTOO
2009-01-17 21:14 . 2005-11-21 05:48 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2009-01-17 21:14 . 2005-11-21 05:48 16,512 --a------ c:\windows\system32\drivers\ASPI32.SYS
2009-01-17 21:07 . 2009-01-17 21:07 <DIR> d-------- c:\program files\VSTplugins
2009-01-17 21:07 . 2009-01-17 21:07 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\Sony
2009-01-17 21:07 . 2009-01-17 21:07 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\Publish Providers
2009-01-17 21:04 . 2009-01-17 21:04 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-17 20:55 . 2009-01-17 20:55 <DIR> d-------- c:\program files\Audacity
2009-01-16 23:49 . 2009-01-16 23:49 61,440 --a------ c:\windows\system32\drivers\ypiu.sys
2009-01-16 23:45 . 2009-01-16 23:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 23:45 . 2009-01-16 23:45 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\Malwarebytes
2009-01-16 23:45 . 2009-01-16 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 23:45 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 23:45 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 19:05 . 2009-01-16 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Documents
2009-01-16 15:34 . 2009-01-16 16:49 <DIR> d-------- c:\documents and settings\Annonymouse\.housecall6.6
2009-01-16 15:31 . 2009-01-16 15:31 <DIR> d-------- c:\program files\Trend Micro
2009-01-16 15:02 . 2009-01-20 11:35 <DIR> d-------- c:\windows\system32\Filt
2009-01-16 15:02 . 2009-01-16 15:02 <DIR> d-------- c:\program files\Agnitum
2009-01-16 15:02 . 2009-01-16 15:02 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\Agnitum
2009-01-16 15:02 . 2009-01-16 15:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Agnitum
2009-01-16 15:02 . 2008-09-19 16:36 1,075,154 --a------ c:\windows\system32\drivers\VBEngNT.sys
2009-01-16 15:02 . 2008-12-24 17:24 703,904 --a------ c:\windows\system32\drivers\SandBox.sys
2009-01-16 15:02 . 2008-12-17 11:07 257,176 --a------ c:\windows\system32\drivers\afwcore.sys
2009-01-16 15:02 . 2008-06-20 09:45 30,864 --a------ c:\windows\system32\drivers\afw.sys
2009-01-16 15:02 . 2008-12-04 12:13 49 --a------ c:\windows\transp.gif
2009-01-16 14:00 . 2009-01-16 14:00 <DIR> d-------- c:\windows\Sun
2009-01-16 14:00 . 2009-01-16 14:55 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2009-01-16 13:48 . 2009-01-16 13:48 <DIR> d-------- c:\program files\Java
2009-01-16 13:48 . 2009-01-16 13:48 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 13:48 . 2009-01-16 13:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-16 11:59 . 2009-01-16 14:00 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-15 20:10 . 2009-01-15 20:10 <DIR> d-------- c:\program files\Chartcross
2009-01-15 19:36 . 2008-04-13 23:26 30,592 --a------ c:\windows\system32\drivers\rndismpx.sys
2009-01-15 19:36 . 2008-04-13 23:26 30,592 --a--c--- c:\windows\system32\dllcache\rndismpx.sys
2009-01-15 19:36 . 2008-04-13 23:26 12,800 --a------ c:\windows\system32\drivers\usb8023x.sys
2009-01-15 19:36 . 2008-04-13 23:26 12,800 --a--c--- c:\windows\system32\dllcache\usb8023x.sys
2009-01-12 17:26 . 2009-01-12 17:26 <DIR> d-------- c:\documents and settings\Tracy\Contacts
2009-01-10 17:10 . 2009-01-10 17:10 <DIR> d-------- c:\documents and settings\Tracy\Application Data\Sony
2009-01-10 17:10 . 2009-01-10 17:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-10 17:07 . 2009-01-11 18:22 <DIR> d-------- c:\program files\Avanquest update
2009-01-10 17:07 . 2009-01-10 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-10 17:06 . 2007-12-10 13:22 110,632 --a------ c:\windows\system32\drivers\s3017mdm.sys
2009-01-10 17:06 . 2007-12-10 13:22 110,120 --a------ c:\windows\system32\drivers\s3017unic.sys
2009-01-10 17:06 . 2007-12-10 13:22 104,616 --a------ c:\windows\system32\drivers\s3017mgmt.sys
2009-01-10 17:06 . 2007-12-10 13:22 100,648 --a------ c:\windows\system32\drivers\s3017obex.sys
2009-01-10 17:06 . 2007-12-10 13:22 83,880 --a------ c:\windows\system32\drivers\s3017bus.sys
2009-01-10 17:06 . 2007-12-10 13:22 25,512 --a------ c:\windows\system32\drivers\s3017nd5.sys
2009-01-10 17:06 . 2007-12-10 13:22 15,016 --a------ c:\windows\system32\drivers\s3017mdfl.sys
2009-01-10 17:06 . 2007-12-10 13:22 12,200 --a------ c:\windows\system32\drivers\s3017whnt.sys
2009-01-10 17:06 . 2007-12-10 13:22 12,200 --a------ c:\windows\system32\drivers\s3017wh.sys
2009-01-10 17:06 . 2007-12-10 13:22 12,200 --a------ c:\windows\system32\drivers\s3017cmnt.sys
2009-01-10 17:06 . 2007-12-10 13:22 12,200 --a------ c:\windows\system32\drivers\s3017cm.sys
2009-01-10 17:06 . 2007-12-10 13:22 10,792 --a------ c:\windows\system32\drivers\s3017cr.sys
2009-01-10 17:05 . 2009-01-10 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-10 17:01 . 2009-01-17 21:06 <DIR> d-------- c:\program files\Sony
2009-01-10 17:00 . 2009-01-10 17:05 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-10 17:00 . 2009-01-10 17:00 <DIR> d-------- c:\documents and settings\Tracy\Application Data\InstallShield
2009-01-10 14:05 . 2009-01-10 14:05 <DIR> d-------- c:\program files\Bonjour
2009-01-10 14:04 . 2009-01-10 14:04 <DIR> d-------- c:\program files\iTunes
2009-01-10 14:04 . 2009-01-10 14:04 <DIR> d-------- c:\program files\iPod
2009-01-10 14:04 . 2009-01-10 14:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 14:03 . 2009-01-10 17:05 <DIR> d-------- c:\program files\QuickTime
2009-01-08 23:57 . 2009-01-08 23:57 <DIR> d-------- c:\program files\DVD Decrypter
2009-01-08 23:50 . 2009-01-17 21:25 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\dvdcss
2009-01-08 22:44 . 2009-01-08 22:44 <DIR> d-------- c:\program files\DVD Shrink
2009-01-08 22:44 . 2009-01-08 22:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-08 22:33 . 2009-01-08 22:33 <DIR> d-------- c:\program files\Formosoft
2009-01-08 22:33 . 2009-01-08 22:33 <DIR> d-------- c:\program files\Common Files\DirectX
2009-01-08 22:33 . 2007-12-12 17:39 2,646,016 --a------ c:\windows\Dolphin.scr
2009-01-08 22:33 . 2002-10-21 12:47 28,672 --a------ c:\windows\SNVerifyDLL.dll
2009-01-08 22:07 . 2009-01-08 22:07 <DIR> d-------- c:\program files\CCleaner
2009-01-07 12:12 . 2009-01-07 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Soulseek
2009-01-07 12:11 . 2009-01-07 12:11 <DIR> d-------- c:\program files\SoulseekNS
2009-01-06 20:43 . 2009-01-06 20:43 <DIR> d-------- c:\program files\Ableton
2009-01-06 20:43 . 2008-03-14 13:22 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-06 20:43 . 2008-03-14 13:22 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-01-06 20:43 . 2008-03-14 13:22 368,640 --a------ c:\windows\system32\ReWire.dll
2009-01-06 20:43 . 2008-03-14 13:22 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-01-06 20:43 . 2008-03-14 13:22 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2009-01-06 18:20 . 2009-01-06 18:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-06 18:19 . 2009-01-06 18:19 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-06 18:18 . 2009-01-06 20:41 <DIR> d-------- c:\program files\NOS
2009-01-06 18:18 . 2009-01-06 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-05 15:04 . 2009-01-05 15:04 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\vlc
2009-01-05 14:58 . 2009-01-05 14:58 <DIR> d-------- c:\documents and settings\Annonymouse\Contacts
2009-01-05 14:43 . 2009-01-05 14:45 <DIR> d-------- c:\program files\Windows Live
2009-01-05 12:40 . 2009-01-05 12:40 <DIR> d-------- c:\program files\M-Audio
2009-01-05 12:40 . 2007-08-30 10:34 2,424,066 --a------ c:\windows\system32\madiousb.dll
2009-01-05 12:40 . 2008-05-15 17:45 356,864 --a------ c:\windows\system32\M-AudioTaskBarIcon.exe
2009-01-05 12:40 . 2007-11-13 15:24 245,248 --a------ c:\windows\system32\M-AudioFastTrackControlPanelApplet.cpl
2009-01-05 12:40 . 2007-11-13 15:24 132,096 --a------ c:\windows\system32\drivers\mausbft.sys
2009-01-05 12:40 . 2007-11-13 15:25 21,504 --a------ c:\windows\system32\mausbasio.dll
2009-01-05 12:39 . 2009-01-05 12:39 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\InstallShield
2009-01-05 01:50 . 2009-01-05 01:50 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-05 01:50 . 2009-01-05 01:50 <DIR> d-------- C:\9fbdf4ad871a22e8f0fbfc57796e2c3b
2009-01-05 01:49 . 2009-01-08 22:09 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-05 01:49 . 2009-01-10 16:58 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-05 01:49 . 2009-01-05 01:50 <DIR> d-------- C:\bb0c6e86f3984e7bd6e7d055
2009-01-05 01:47 . 2009-01-05 01:47 <DIR> d-------- c:\program files\Kontiki
2009-01-05 01:47 . 2009-01-05 01:47 <DIR> d-------- c:\program files\Channel4
2009-01-05 01:47 . 2009-01-20 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kontiki
2009-01-05 01:47 . 2009-01-05 01:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Channel4
2009-01-03 00:31 . 2008-04-13 23:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-01-02 19:11 . 2009-01-04 23:25 <DIR> d-------- c:\documents and settings\Tracy\Tracing
2009-01-02 15:37 . 2009-01-20 15:20 27,063 --a------ c:\windows\system32\OODBS.lor
2009-01-02 01:51 . 2009-01-02 01:51 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\Apple Computer
2009-01-02 01:35 . 2009-01-02 01:35 <DIR> d-------- c:\program files\Common Files\Native Instruments
2009-01-02 01:34 . 2009-01-05 15:07 <DIR> d-------- c:\program files\Native Instruments
2009-01-02 01:33 . 2009-01-02 01:33 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-01-02 01:13 . 2009-01-02 01:14 <DIR> d-------- c:\documents and settings\Annonymouse\Application Data\Ableton
2009-01-02 01:00 . 2008-04-13 23:15 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2009-01-02 01:00 . 2008-04-13 23:15 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-01-02 01:00 . 2008-04-13 23:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 15:02 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-01 22:54 --------- d-----w c:\program files\AVG
2009-01-01 22:17 --------- d-----w c:\program files\microsoft frontpage
2008-12-12 11:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-27 10:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 10:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-12-25 1292120]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Pro\feedback.exe" [2008-12-25 432984]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-01-01 547840]

c:\documents and settings\Tracy\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-01-01 547840]

c:\documents and settings\Annonymouse\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-01-01 547840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-01 688128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 11:23 1032640 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 11:23 1032640 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-01-16 703904]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-01-16 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-01-16 257176]
R3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2009-01-16 34080]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2009-01-16 1075154]
R3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [2009-01-16 229024]
R4 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2009-01-16 1604952]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [2009-01-05 132096]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2009-01-10 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2009-01-10 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2009-01-10 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2009-01-10 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2009-01-10 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2009-01-10 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2009-01-10 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - d:\resycled\boot.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {4EF3F792-6E69-42FD-8754-5AB8C8595CBD} = 208.67.220.220,208.67.222.222
TCP: {9C1DB4BF-D6D0-4051-B8C3-9E966AB4521F} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Annonymouse\Application Data\Mozilla\Firefox\Profiles\uwraa3u4.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 15:21:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-1767777339-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="CABF85AA7351B1026AD06A027F30FC981F2608692C7E9550E99E992BBA24BB621F2F6AEBABDA1CDF66E54AD0C79282FBC63D10FDB431AB30C842AB5620211D2D9F09C99EEC2A0E1AEC7205DC841F64230C3B271526FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6A0AC4980AC79335D575E7D6A3B9808FEBC9E127BECC74CE7CC8A52E27B93A8FEEFD7E6C912C8062CD4A92079B7E770A39E5543542B7DF1BFCCAEEAD14060FC2FB097511024EEC67200E3B4B9B1142A246804C2B9CE211E183F0D154063773DC8B6824598D8FDDB112C7986492FECB0BA838AD68D9EE4875B0C8E3998C7D50B0082350BA8F9BA1828165EDE6A831E291582CE69B193F645E5413181F9304F8FFEBAE1AFBC33BAD54F9998CB1762233DD79D4DAA3A0ED9F1840C815E35450BF562A7CD020517ECF111B9421D7BE7CB1A18AE150B72D162AB7E422701D11483ED3A355217E39B0F4B691B096877933EF161B549C256053B168B5B59E20B0C06AB0D755CC6719835C6CB89B007A045F2FA3454A04998B3E056D4F163BD4D0238E6539C6C2D794D474E9DF18E163EC537ED80D1E7DE9DCDA5987DC7A6113EAE8ED9F9831AA9FA59804E3A668CF5CD3E2A8931997C040126AF0B18BF9720B1AD54C461A70C6129C3F1B6ED1BA9CC003CC28D1E3A53010DF3F85F2EE1BD71330029EB5FA901BC6DF4FDFC7BEC78843834C7C11866F2DD46D24FCCB95A3551010AFD17BDCDC9E661BA5D1999D79D48907B57EE61767669E043D20EABF8AF4D0E151C11B8FE4B5154C51C08EF7E548AD34C6262B0E20D364627FAE26731EF3A01CB9C2A80C780AECAAC194B1FA7EB7F84C5AB6D32CB7A1B94C6128C461BCEAEB3406E36BAD9F4F7FC67086539BA45A15569CE6684F417301D4C335293F2B885B4E4D40C010B4AE8D4D47160C247D7AC309D36A7B9C3CAD5644953FD10992D5DC714E687DF52B6027335B1C8367E2D23B0AD240E5A44982C26AEB65FED90421AE1098D88584F8108AB2E75AF0138E2C8A747ACFA6025129A4ED5F649D6011EE32EE38973DFC08A0204C9C429076B2CA7197E3955BA38DDCAFDF98190E6B77E250CAAEC2EDD8B413DB875F4CD9C384F8DBEC68505CDF538AB8B399911ACA2338A0C449E26B23A2B483A81B13A0C5FA60A04FBA3F7EE78F06F0118D3AAADD7A08B77FDD9C9AB7862782BA37B1094C79FF30ADD7721E97EE98A1C7D993DE10E3E5CC587AC8D10971465E2F6A573E67ABD62A58CB9757D6B1C394CB4AAB2B3201978A7F5F9E7180C00EB6D76D80C292516B45E10F6ED5DC590F7B86D1772051052A07EC07856F1EE7DAC8A859008759A
D30A71D1118930B8E70ABA3BC46DA8011DD5624533D73DFC7489AC681B965AD035494F213CC8919255"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-20 15:23:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 15:23:04

Pre-Run: 241,983,836,160 bytes free
Post-Run: 242,025,861,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

321 --- E O F --- 2009-01-18 11:55:56


thanks a lot :thumbup2:

#4 Thunder


  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:31 PM

Posted 21 January 2009 - 04:29 PM

Hello Annonymouse,

Please go to http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to (or copy/paste the next line) :
c:\windows\system32\drivers\ypiu.sys
Then click on 'Send File'.
Post the results into your next reply.

Open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as fix.reg. Choose to save as "all files" and place it on your Desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Still having problems ?

Greetings,
Thunder

Edited by Thunder, 21 January 2009 - 04:30 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
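The key Thunder deletes above lives under mountpoints2, where Explorer caches the autorun.inf handlers it has seen for each drive letter or volume. The log in this thread shows why the D: entry matters: its AutoRun and Open verbs are pointed at a resycled\boot.com payload through a rundll32 ShellExec trampoline, so double-clicking the drive would launch it. The script below is an added example written for this thread, not code from Thunder, ComboFix or BleepingComputer: it parses a mountpoints2 block in the layout ComboFix prints (embedded here as a constructed sample containing the two keys from the log), reports every AutoRun/Open override, scores each command against three heuristics that are this example's own assumptions rather than ComboFix rules, and emits the same kind of REGEDIT4 deletion file Thunder posted for whichever keys score.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a mountpoints2 block in the layout ComboFix prints
# (the two keys are the ones that appear in the log posted in this thread).
SAMPLE_LOG = """\
R3 afw;Agnitum firewall driver;c:\\windows\\system32\\drivers\\afw.sys [2009-01-16 30864]

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\D]
\\Shell\\AutoRun\\command - c:\\windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\\boot.com d:
\\Shell\\Open\\command - d:\\resycled\\boot.com d:

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\E]
\\Shell\\AutoRun\\command - E:\\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"""

# One key line: [HKEY_...\mountpoints2\<drive letter or volume GUID>]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
# One verb line under it: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)

# Heuristics (assumptions of this example, not ComboFix rules): each is a trait
# of the D: entry above that a vendor installer's autorun would not share.
SUSPICIOUS_PATTERNS = (
    r"shellexec_rundll",  # rundll32 trampoline used to launch a file from the drive
    r"\.com\b",           # a .com payload instead of an installer .exe
    r"resycled",          # folder name imitating the Windows Recycler folder
)


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map every mountpoints2 key path to its {verb: command} overrides."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # ComboFix pads sections with blank lines and lone dots
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        cmd = CMD_RE.match(line)
        if current is not None and cmd:
            keys[current][cmd.group(1).lower()] = cmd.group(2).strip()
        else:
            current = None  # any other line ends the mountpoints2 section
    return keys


def heuristic_hits(command: str) -> List[str]:
    """Return the SUSPICIOUS_PATTERNS that match one shell command."""
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, command, re.IGNORECASE)]


def find_autorun_overrides(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """List (key, verb, command, hits) for every AutoRun/Open override.

    Every override is reported so nothing is hidden; the hits list says how
    many heuristics fire, so a plain setup.exe from a CD stays visible but scores zero.
    """
    findings = []
    for key, verbs in parse_mountpoints(log_text).items():
        for verb, command in verbs.items():
            if verb in ("autorun", "open"):
                findings.append((key, verb, command, heuristic_hits(command)))
    return findings


def reg_delete_script(keys: List[str]) -> str:
    """Build REGEDIT4 text that deletes each key (a '-' before the path deletes it)."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.extend([f"[-{key}]", ""])
    return "\r\n".join(lines)


if __name__ == "__main__":
    findings = find_autorun_overrides(SAMPLE_LOG)
    for key, verb, command, hits in findings:
        print(f"{key.rsplit(chr(92), 1)[1]} {verb:8} hits={len(hits)} {command}")
    flagged = sorted({key for key, _, _, hits in findings if hits})
    print(reg_delete_script(flagged))
```

Run against the sample, the D: key scores on all three heuristics for its AutoRun verb and on two for Open, the E: key scores zero, and the generated fix.reg contains only the D: deletion, matching what Thunder posted. The point of reporting zero-score overrides too is that a clean-looking entry still tells the helper which removable media the machine has seen.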

#5 annonymouse

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 22 January 2009 - 12:26 PM

hi, sorry for the delay

here is the output

MD5: 589312a3b46721c5a751e4d5222a89be
First received: 09.13.2008 14:30:26 (CET)
Date: 01.22.2009 04:26:45 (CET) [<1D]
Results: 10/38
Permalink: analisis/7f2c797db0a7a6a58655c8f600511086

added reg key into registry

so far things seem to be all better

can I ask what you think the problem was?

thank you so so much for your help

#6 Thunder


  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:31 PM

Posted 22 January 2009 - 01:07 PM

Hello Annonymouse,

The main problem you were facing was a nasty malware worm.

Open Notepad and copy and paste the bold, blue text below in it:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"c:\windows\system32\drivers\ypiu.sys") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Save this as del.bat. Choose to save as "all files" and place it on your Desktop.
Doubleclick on it and post the content of the log file that opens in your next reply.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems ?

Greetings,
Thunder

#7 annonymouse

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 22 January 2009 - 04:53 PM

hi Thunder

log:
Deleting files
"c:\windows\system32\drivers\ypiu.sys" deleted

thank you so much for your help, I get paid in 6 days so I shall buy you a few beers :thumbup2:
your help and efficiency is awesome, just wish the school was open so I could learn a few things,
what really annoys me is I do IT for a living for a mobile phone operator and pride myself on coming from an IT background, so I like to think I'm fairly savvy when it comes to machines and security, but I guess this caught me with my pants down. I think I might have been infected from a works computer so have alerted them to a possible infection

thank you once again

#8 Thunder


  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:31 PM

Posted 23 January 2009 - 07:30 AM

Glad we could help, Annonymouse :)

I think I might have been infected from a works computer so have alerted them to a possible infection

That's a very good initiative. :thumbup2:

And as for getting caught : nowadays malware evolves so fast that even we, being around every single day, sometimes have to scratch our heads.
Luckily, we're backed up by a tight, large community, including some great developers,
so new problems get dealt with rather swiftly.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
