
Hijacked Browser please help


  • This topic is locked
15 replies to this topic

#1 H. W. Cole

  • Members
  • 9 posts

Posted 19 January 2009 - 12:39 PM

Hi guys,

Need help with a severely hijacked browser (IE7). I'm getting constant multiple pop-ups and security alerts from Windows. I have MS Defender and Ad-Aware and used both to scan to no avail. Here's the dds.txt file:


DDS (Ver_09-01-18.01) - FAT32x86
Run by H. W. Cole at 10:57:54.04 on Mon 01/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.215 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\notes\ntmulti.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
C:\WINDOWS\Explorer.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\GetModule\GetModule34.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\sysguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\H. W. Cole\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {368449b1-4e89-400b-8bb1-e7f600dd0cb0} - c:\windows\system32\fcccabYq.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {6d930667-a6c4-4458-821e-fee421e75cb3} - c:\windows\system32\jkkHWOGY.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [updateMgr] c:\program files\adobe\acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [GetModule34] c:\program files\getmodule\GetModule34.exe
uRun: [sysguard] c:\windows\sysguard.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office 11\programs\QFSCHD110.EXE"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
mRun: [Workshare3GW] c:\program files\workshare\modules\WPConfigAssistant.exe /userinit
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Gbaqifulor] rundll32.exe "c:\windows\Vramelisuzo.dll",e
mRun: [Lwisafomohuxewot] rundll32.exe "c:\windows\iqeliyojoqoziyi.dll",e
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\cole~1\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\m-audi~1.lnk - c:\program files\m-audio transit usb\TUSBTask.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Filter: text/html - {416e57de-0a89-407c-82da-22fc7fd7c432} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: khfEUoPF - khfEUoPF.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: qoMEVMFx - qoMEVMFx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWOGY

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2006-2-1 1293345]
R3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2007-6-19 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081226.002\naveng.sys [2008-12-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081226.002\navex15.sys [2008-12-26 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R4 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2006-2-1 35697]
R4 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R4 Transit USBInstallerService;Transit USB Installer;c:\program files\m-audio transit usb\install\TUSBInst.exe [2007-6-19 49152]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2007-6-19 16512]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2007-2-9 14272]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys [2007-2-9 22304]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-19 09:46 134,656 a------- c:\windows\iqeliyojoqoziyi.dll
2009-01-19 09:34 39,424 a------- c:\windows\Vramelisuzo.dll
2009-01-19 09:34 262,656 a------- c:\windows\sysguard.exe
2009-01-19 09:34 <DIR> --dsh--- c:\windows\system32\twain32
2009-01-18 22:17 1,403,021 ---sh--- c:\windows\system32\qtifwhfg.ini
2009-01-18 22:14 1,131 a--sh--- c:\windows\system32\YGOWHkkj.ini2
2009-01-18 22:14 1,131 a--sh--- c:\windows\system32\YGOWHkkj.ini
2009-01-18 22:09 <DIR> --d----- c:\docume~1\cole~1\applic~1\GetModule
2009-01-18 22:08 <DIR> --d----- c:\program files\GetModule
2009-01-18 22:08 <DIR> --d----- c:\program files\iCheck
2009-01-18 22:08 198,687 a------- c:\windows\system32\wpv021232320584.cpx
2009-01-02 12:19 <DIR> --d----- c:\program files\Nick Jr. Arcade
2009-01-01 21:47 256 a------- c:\documents and settings\h. w. cole\pool.bin
2008-12-31 23:32 <DIR> --d----- c:\program files\Lavasoft
2008-12-31 23:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-31 22:03 1,307,356 ---sh--- c:\windows\system32\pnkhsmdr.ini
2008-12-30 20:43 1,307,356 ---sh--- c:\windows\system32\eiyvufwu.ini
2008-12-30 00:28 143 a------- c:\windows\system32\mcrh.tmp
2008-12-29 20:45 1,307,934 ---sh--- c:\windows\system32\oqapwqvx.ini
2008-12-29 20:39 684,424 a--sh--- c:\windows\system32\qYbacccf.ini2
2008-12-29 20:39 684,424 a--sh--- c:\windows\system32\qYbacccf.ini
2008-12-21 14:12 155,648 a------- c:\windows\system32\igfxres.dll

==================== Find3M ====================

2008-12-18 00:29 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-12-29 11:50 630,784 a------- c:\documents and settings\h. w. cole\GoToAssist_chat2way__317_en.exe

============= FINISH: 10:59:39.89 ===============
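An added triage example, not code from the original post or from the DDS tool: the script below applies a handful of rules to lines in the DDS "Pseudo HJT Report" and "Running Processes" format shown above and reports the persistence points a responder would check first. The sample lines embedded in it are copied from this log. The allowlists of stock Winlogon Notify DLLs and of binaries that legitimately live directly in c:\windows are assumptions made for this illustration and are not exhaustive.

```python
"""Rule-based triage for lines in the DDS 'Pseudo HJT Report' format.

Added example, not code from the thread or from the DDS tool. The sample
lines are copied from the DDS log posted above; the allowlists are
assumptions made for this illustration.
"""
from __future__ import annotations

import re

# Assumption: Winlogon Notify DLLs expected on a stock XP box, plus the
# Intel graphics and Symantec entries present in this log.
KNOWN_NOTIFY_DLLS = {
    "igfxsrvc.dll", "navlogon.dll", "crypt32.dll", "cryptnet.dll",
    "sclgntfy.dll", "scecli.dll", "wlnotify.dll", "wgalogon.dll",
}
# Assumption: binaries that legitimately sit directly in c:\windows
# rather than in a subfolder such as system32.
KNOWN_WINDIR_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                     "winhlp32.exe", "twunk_16.exe", "twunk_32.exe"}
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# An .exe/.dll located directly under c:\windows (no further backslash).
WINDIR_ROOT_FILE = re.compile(r'c:\\windows\\([^\\\s"]+\.(?:exe|dll))\b', re.I)
GUID = r"\{[0-9a-f-]{36}\}"


def windir_root_binary(text: str) -> str | None:
    """First non-stock exe/dll in the c:\\windows root found in text, else None."""
    for m in WINDIR_ROOT_FILE.finditer(text):
        if m.group(1).lower() not in KNOWN_WINDIR_ROOT:
            return m.group(0)
    return None


def check_userinit(line: str) -> str | None:
    """Anything chained after userinit.exe runs at every logon."""
    m = re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I)
    if not m:
        return None
    extra = [p.strip() for p in m.group(1).split(",")
             if p.strip() and p.strip().lower() != STOCK_USERINIT]
    return f"extra Userinit entries {extra}" if extra else None


def check_lsa(line: str) -> str | None:
    """Only msv1_0 is expected as an LSA authentication package on XP."""
    m = re.match(r"LSA:\s*Authentication Packages\s*=\s*(.*)", line, re.I)
    if not m:
        return None
    extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
    return f"non-default LSA authentication package {extra}" if extra else None


def check_notify(line: str) -> str | None:
    """Winlogon Notify DLLs load into winlogon.exe; flag unknown ones."""
    m = re.match(r"Notify:\s*\S+\s*-\s*(\S+)", line, re.I)
    if not m:
        return None
    dll = m.group(1)
    if dll.rsplit("\\", 1)[-1].lower() in KNOWN_NOTIFY_DLLS:
        return None
    return f"unknown Winlogon Notify DLL {dll}"


def check_run(line: str) -> str | None:
    """Run-key entries that load a DLL via rundll32 or a binary dropped in c:\\windows."""
    m = re.match(r"[umd]Run:\s*\[[^\]]*\]\s*(.*)", line)
    if not m:
        return None
    cmd = m.group(1)
    if re.search(r"\brundll32(?:\.exe)?\b", cmd, re.I):
        return f"autorun loads a DLL through rundll32: {cmd}"
    hit = windir_root_binary(cmd)
    return f"autorun binary dropped in c:\\windows root: {hit}" if hit else None


def check_bho(line: str) -> str | None:
    """A BHO with no registered product name is worth a second look."""
    m = re.match(rf"BHO:\s*(.*?)\s*{GUID}\s*-\s*(.*)", line, re.I)
    if not m:
        return None
    name, path = m.groups()
    return None if name.strip() else f"unnamed BHO loading {path}"


def check_filter(line: str) -> str | None:
    """A text/html MIME filter sees every page IE renders; no file is a red flag."""
    m = re.match(rf"Filter:\s*(\S+)\s*-\s*{GUID}\s*-\s*(.*)", line, re.I)
    if not m:
        return None
    mime, path = m.group(1).lower(), m.group(2).strip()
    if mime == "text/html" and not path:
        return "text/html MIME filter registered with no backing file"
    return None


def check_process(line: str) -> str | None:
    """Running-process lines: executables living directly in c:\\windows."""
    if not re.fullmatch(r"[a-z]:\\\S.*", line, re.I):
        return None
    hit = windir_root_binary(line)
    return f"process running from c:\\windows root: {hit}" if hit else None


RULES = (check_userinit, check_lsa, check_notify, check_run,
         check_bho, check_filter, check_process)


def triage(lines) -> list[tuple[str, str]]:
    """Return (finding, offending line) pairs for every rule that fires."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for rule in RULES:
            hit = rule(line)
            if hit:
                findings.append((hit, line))
    return findings


# Constructed sample: lines copied from the DDS log in this thread.
SAMPLE_DDS = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sysguard.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {368449b1-4e89-400b-8bb1-e7f600dd0cb0} - c:\windows\system32\fcccabYq.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sysguard] c:\windows\sysguard.exe
mRun: [Gbaqifulor] rundll32.exe "c:\windows\Vramelisuzo.dll",e
Filter: text/html - {416e57de-0a89-407c-82da-22fc7fd7c432} -
Notify: igfxcui - igfxsrvc.dll
Notify: khfEUoPF - khfEUoPF.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWOGY
""".strip().splitlines()

if __name__ == "__main__":
    for finding, line in triage(SAMPLE_DDS):
        print(f"[!] {finding}\n    {line}")
```

Every line the rules flag corresponds to an entry visible in the log above: the extra Userinit value (twex.exe), the non-default LSA package (jkkHWOGY), the random-named Notify DLL with no path (khfEUoPF.dll), the autoruns that load a DLL through rundll32 or run sysguard.exe from the c:\windows root, the unnamed BHO (fcccabYq.dll) and the text/html filter with no backing file. The rules are deliberately narrow; a clean result means only that these particular indicators are absent, not that the machine is clean.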


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 29 January 2009 - 05:53 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 H. W. Cole

  • Topic Starter
  • Members
  • 9 posts

Posted 31 January 2009 - 01:17 AM

Hi Panda, thanks very much for your time and help.

ComboFix Log:

ComboFix 09-01-21.04 - H W Cole 2009-01-30 23:29:04.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.107 [GMT -5:00]
Running from: c:\documents and settings\H W Cole\Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\GetModule
c:\program files\GetModule\GetModule35.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack27.exe
c:\program files\GetPack\GetPack28.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\VirusRemover2008
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack22.exe
c:\windows\system32\crypts.dll
c:\windows\system32\digeste.dll
c:\windows\system32\Drivers\TDSSserv.sys
c:\windows\system32\mcrh.tmp
c:\windows\system32\mdm.exe
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSxfum.dll
c:\windows\Temp\tmp3.tmp
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-30 01:26 . 2009-01-30 01:26 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\Yahoo
2009-01-27 21:43 . 2009-01-27 21:43 24,064 --a------ c:\documents and settings\H W Cole\r.exe
2009-01-25 21:14 . 2009-01-25 21:14 1,434,061 ---hs---- c:\windows\system32\dfculset.ini
2009-01-25 19:10 . 2009-01-25 19:10 48,128 --a------ c:\windows\system32\byXOhEuu.dll
2009-01-24 22:36 . 2009-01-24 22:36 927,744 --a------ c:\windows\system32\rn.tmp
2009-01-24 22:14 . 2009-01-31 00:16 1,104 --a------ c:\windows\zbthkkip
2009-01-24 21:06 . 2009-01-24 21:07 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\Twain
2009-01-24 21:04 . 2009-01-24 21:04 <DIR> d-------- c:\program files\WebShow
2009-01-24 20:43 . 2009-01-24 20:43 1,434,061 ---hs---- c:\windows\system32\jhoaxyvg.ini
2009-01-23 22:14 . 2009-01-24 20:46 1,434,061 ---hs---- c:\windows\system32\htgcrnnj.ini
2009-01-22 23:03 . 2009-01-22 23:03 1,434,638 ---hs---- c:\windows\system32\wmwwbtjc.ini
2009-01-21 23:59 . 2009-01-21 23:59 134,656 --a------ c:\windows\ilurayapeva.dll
2009-01-21 22:53 . 2009-01-21 22:53 133,632 --a------ c:\windows\izecamotig.dll
2009-01-21 21:47 . 2009-01-21 21:47 133,632 --a------ c:\windows\izuhuyagasuti.dll
2009-01-21 20:41 . 2009-01-21 20:41 133,632 --a------ c:\windows\izekamosarevegub.dll
2009-01-21 19:33 . 2009-01-21 19:34 133,632 --a------ c:\windows\ofuxogap.dll
2009-01-21 18:27 . 2009-01-21 18:27 133,632 --a------ c:\windows\ozatetacoy.dll
2009-01-21 17:21 . 2009-01-21 17:21 131,584 --a------ c:\windows\upixugujekafi.dll
2009-01-21 12:42 . 2009-01-21 12:42 133,632 --a------ c:\windows\ohorazoh.dll
2009-01-20 23:08 . 2009-01-20 23:08 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\cogad
2009-01-20 23:00 . 2009-01-22 23:02 1,434,638 ---hs---- c:\windows\system32\duqcjshc.ini
2009-01-20 22:59 . 2009-01-26 13:54 434,306 --ahs---- c:\windows\system32\EgjlmUvw.ini
2009-01-20 22:59 . 2009-01-26 13:41 433,439 --ahs---- c:\windows\system32\EgjlmUvw.ini2
2009-01-20 22:59 . 2009-01-24 20:38 3,636 --a------ c:\windows\mdashelf
2009-01-19 09:46 . 2009-01-19 09:46 134,656 --a------ c:\windows\iqeliyojoqoziyi.dll
2009-01-19 09:34 . 2009-01-19 09:34 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-19 09:34 . 2009-01-19 09:34 39,424 --a------ c:\windows\Vramelisuzo.dll
2009-01-18 22:17 . 2009-01-18 22:17 1,403,021 ---hs---- c:\windows\system32\qtifwhfg.ini
2009-01-18 22:14 . 2009-01-18 23:41 1,131 --ahs---- c:\windows\system32\YGOWHkkj.ini2
2009-01-18 22:14 . 2009-01-18 23:44 1,131 --ahs---- c:\windows\system32\YGOWHkkj.ini
2009-01-18 22:09 . 2009-01-18 22:09 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\GetModule
2009-01-18 22:08 . 2009-01-18 22:08 198,687 --a------ c:\windows\system32\wpv021232320584.cpx
2009-01-02 12:19 . 2009-01-02 12:19 <DIR> d-------- c:\program files\Nick Jr. Arcade
2009-01-02 12:19 . 2009-01-02 12:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 21:47 . 2009-01-05 02:13 256 --a------ c:\documents and settings\H W Cole\pool.bin
2009-01-01 16:30 . 2009-01-01 16:30 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-31 23:32 . 2008-12-31 23:32 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 23:31 . 2008-12-31 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 23:30 . 2008-12-31 23:30 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 22:03 . 2008-12-31 22:04 1,307,356 ---hs---- c:\windows\system32\pnkhsmdr.ini
2008-12-30 20:43 . 2008-12-30 20:44 1,307,356 ---hs---- c:\windows\system32\eiyvufwu.ini
2008-12-29 20:45 . 2008-12-29 20:45 1,307,934 ---hs---- c:\windows\system32\oqapwqvx.ini
2008-12-29 20:39 . 2009-01-01 15:18 684,424 --ahs---- c:\windows\system32\qYbacccf.ini2
2008-12-29 20:39 . 2009-01-01 15:18 684,424 --ahs---- c:\windows\system32\qYbacccf.ini
2008-12-21 14:12 . 2003-11-18 00:09 155,648 --a------ c:\windows\system32\igfxres.dll
2008-12-14 17:20 . 2008-12-14 17:20 <DIR> d-------- c:\program files\iTunes
2008-12-14 17:20 . 2008-12-14 17:20 <DIR> d-------- c:\program files\iPod
2008-12-14 17:20 . 2008-12-14 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 17:19 . 2008-12-14 17:19 <DIR> d-------- c:\program files\Bonjour
2008-12-14 17:12 . 2008-12-14 17:12 <DIR> d-------- c:\program files\QuickTime
2008-12-13 22:59 . 2008-12-13 22:59 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-06 18:49 . 2008-12-06 18:49 <DIR> d--hs---- C:\FOUND.002
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\system32\scripting
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\system32\en
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\system32\bits
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\l2schemas
2008-12-06 18:24 . 2008-12-06 18:24 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-06 18:12 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-06 18:12 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-06 18:11 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-06 18:10 . 2008-12-11 05:57 333,952 --------- c:\windows\system32\dllcache\srv.sys
2008-12-06 18:09 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-06 18:05 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-06 18:05 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-06 18:05 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-06 18:05 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-06 18:04 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-06 18:04 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-06 18:03 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-06 17:58 . 2004-08-03 22:41 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys
2008-12-06 17:58 . 2004-08-03 22:41 685,056 --------- c:\windows\system32\drivers\hsfcxts2.sys
2008-12-06 17:58 . 2004-08-03 22:29 104,960 --------- c:\windows\system32\drivers\atinrvxx.sys
2008-12-06 17:58 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2008-12-06 17:58 . 2004-08-03 22:29 36,463 --------- c:\windows\system32\drivers\ati1tuxx.sys
2008-12-06 17:58 . 2004-08-03 22:29 31,744 --------- c:\windows\system32\drivers\atinxbxx.sys
2008-12-06 17:58 . 2004-08-03 22:29 28,672 --------- c:\windows\system32\drivers\atinsnxx.sys
2008-12-06 17:58 . 2004-08-03 22:41 13,240 --------- c:\windows\system32\drivers\slwdmsup.sys
2008-12-06 17:58 . 2004-08-03 22:29 11,935 --------- c:\windows\system32\drivers\wadv11nt.sys
2008-12-06 17:58 . 2004-08-03 22:41 11,868 --------- c:\windows\system32\drivers\mdmxsdk.sys
2008-12-06 17:55 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-06 17:44 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-06 17:28 . 2008-12-06 17:28 <DIR> d-------- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2007-12-29 16:50 630,784 ----a-w c:\documents and settings\H W Cole\GoToAssist_chat2way__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"updateMgr"="c:\program files\Adobe\Acrobat\AdobeUpdateManager.exe" [2006-03-31 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-07-10 77887]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2005-09-24 483328]
"Workshare3GW"="c:\program files\Workshare\Modules\WPConfigAssistant.exe" [2005-03-31 599056]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-11-15 166304]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-18 118784]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]
"Gbaqifulor"="c:\windows\Vramelisuzo.dll" [2009-01-19 39424]
"Lwisafomohuxewot"="c:\windows\iqeliyojoqoziyi.dll" [2009-01-19 134656]
"realtecg"="c:\documents and settings\H W Cole\Application Data\Google\xpsdg6420222.exe" [2009-01-30 126976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\H W Cole\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-09-19 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
M-Audio Transit USB Control Panel Launcher.lnk - c:\program files\M-Audio Transit USB\TUSBTask.exe [2003-04-28 61440]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-09-09 6144]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-07-21 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\sorry.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv
"midi"= usbmn2x2.dll
"midi4"= usbmn2x2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\palmOne\\Hotsync.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\H W Cole\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2006-02-01 1293345]
R3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2007-06-19 41216]
R4 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2006-02-01 35697]
R4 Transit USBInstallerService;Transit USB Installer;c:\program files\M-Audio Transit USB\Install\TUSBInst.exe [2007-06-19 49152]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S0 hbefinxs;hbefinxs;c:\windows\system32\drivers\jlbmoahy.sys --> c:\windows\system32\drivers\jlbmoahy.sys [?]
S0 mdashelf;mdashelf;c:\windows\system32\drivers\oqcsjzvp.sys --> c:\windows\system32\drivers\oqcsjzvp.sys [?]
S0 nugafwsy;nugafwsy;c:\windows\system32\drivers\espdmskz.sys --> c:\windows\system32\drivers\espdmskz.sys [?]
S0 nzijrcyq;nzijrcyq;c:\windows\system32\drivers\nncxiazv.sys --> c:\windows\system32\drivers\nncxiazv.sys [?]
S0 zbthkkip;zbthkkip;c:\windows\system32\drivers\kylqufuq.sys []
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2007-06-19 16512]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2007-02-09 14272]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys [2007-02-09 22304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##NYMOBILE01#MOBILE#HOMEDVD]
\Shell\AutoRun\command - Z:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e0cfee-7543-11db-bd1a-000475eb6250}]
\Shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{749e1a06-9b17-11dc-bed4-00059a3c7800}]
\Shell\AutoRun\command - F:\slacker.synclauncher.exe
\Shell\slacker\command - F:\slacker.synclauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9176290-18de-11db-ba99-000475a048da}]
\Shell\AutoRun\command - E:\AUTORUN.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\User_Feed_Synchronization-{4FB81AF2-478C-4F4E-9EE6-CD8E8259844A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-01-31 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-08 00:55]

2009-01-31 c:\windows\Tasks\akhzckhl.job
- c:\windows\system32\yayxuvwv.dll []

2009-01-31 c:\windows\Tasks\yvnfpvnt.job
- c:\windows\system32\byXOhEuu.dll [2009-01-25 19:10]

2009-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9D167817-395F-46C3-9572-14E8AAF2561E} - c:\windows\system32\wvUmljgE.dll
HKCU-Run-cogad - c:\documents and settings\H W Cole\Application Data\cogad\cogad.exe
HKCU-Run-GetModule35 - c:\program files\GetModule\GetModule35.exe
HKCU-Run-VnrPack22 - c:\program files\VnrPack\VnrPack22.exe
HKCU-Run-GetPack28 - c:\program files\GetPack\GetPack28.exe
Notify-ckpNotify - (no file)
Notify-khfEUoPF - khfEUoPF.dll
Notify-pmnnLDSM - pmnnLDSM.dll
Notify-qoMEVMFx - qoMEVMFx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxps://matters.amicillc.com/pf7/filecabinet/extdotnet/setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 00:20:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSmqlt.sys"
"group"="file system"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\npnotes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\NSLSVICE.EXE
c:\windows\SYSTEM32\NSL.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\notes\NTMULTI.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\ZuneWlanCfgSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\HPZipm12.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Adobe\Acrobat\acrobat_sl.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-01-31 0:26:47 - machine was rebooted [H W Cole]
ComboFix-quarantined-files.txt 2009-01-31 05:26:40

Pre-Run: 21,141,422,080 bytes free
Post-Run: 21,900,099,584 bytes free

324 --- E O F --- 2009-01-20 07:00:16


GMER Log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-31 00:56:20
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT E1A842C8 ZwConnectPort

Code F8559F92 ZwCreateDirectoryObject
Code F8559D47 ZwCreateFile
Code F855A0E2 ZwCreateKey
Code F855A24A ZwCreateSection
Code F855AD62 ZwEnumerateKey
Code F855A9FB ZwEnumerateValueKey
Code F855B5D5 ZwLoadDriver
Code F855A03A ZwOpenDirectoryObject
Code F8559ED8 ZwOpenFile
Code F855A1A2 ZwOpenKey
Code F855A30A ZwOpenSection
Code F855A3B2 ZwOpenSymbolicLinkObject
Code F855B6B8 ZwQueryDirectoryFile
Code F855A680 ZwQueryDirectoryObject
Code F855B091 ZwQueryValueKey
Code F8559E12 IoCreateFile
Code F8559E88 IoCreateStreamFileObject
Code F8559D46 NtCreateFile
Code F855A249 NtCreateSection
Code F8559ED7 NtOpenFile
Code F855B6B7 NtQueryDirectoryFile
Code F8559FE4 ZwCreateDirectoryObject
Code F8559DA5 ZwCreateFile
Code F855A140 ZwCreateKey
Code F855A2A8 ZwCreateSection
Code F855AEF6 ZwEnumerateKey
Code F855ABA9 ZwEnumerateValueKey
Code F855B643 ZwLoadDriver
Code F855A08C ZwOpenDirectoryObject
Code F8559F33 ZwOpenFile
Code F855A1F4 ZwOpenKey
Code F855A35C ZwOpenSection
Code F855A404 ZwOpenSymbolicLinkObject
Code F855B764 ZwQueryDirectoryFile
Code F855A83A ZwQueryDirectoryObject
Code F855B212 ZwQueryValueKey

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwCreateDirectoryObject 804DC964 5 Bytes JMP F8559FE9
.text ntoskrnl.exe!ZwCreateFile 804DC9A0 5 Bytes JMP F8559DAA
.text ntoskrnl.exe!ZwCreateKey 804DC9F0 5 Bytes JMP F855A145
.text ntoskrnl.exe!ZwCreateSection 804DCAA4 5 Bytes JMP F855A2AD
.text ntoskrnl.exe!ZwEnumerateKey 804DCC48 5 Bytes JMP F855AEFB
.text ntoskrnl.exe!ZwEnumerateValueKey 804DCC70 5 Bytes JMP F855ABAE
.text ntoskrnl.exe!ZwLoadDriver 804DCE50 5 Bytes JMP F855B648
.text ntoskrnl.exe!ZwOpenDirectoryObject 804DCF90 5 Bytes JMP F855A091
.text ntoskrnl.exe!ZwOpenFile 804DCFCC 5 Bytes JMP F8559F38
.text ntoskrnl.exe!ZwOpenKey 804DD008 5 Bytes JMP F855A1F9
.text ntoskrnl.exe!ZwOpenSection 804DD080 5 Bytes JMP F855A361
.text ntoskrnl.exe!ZwOpenSymbolicLinkObject 804DD0A8 5 Bytes JMP F855A409
.text ntoskrnl.exe!ZwQueryDirectoryFile 804DD210 5 Bytes JMP F855B769
.text ntoskrnl.exe!ZwQueryDirectoryObject 804DD224 5 Bytes JMP F855A83F
.text ntoskrnl.exe!ZwQueryValueKey 804DD490 5 Bytes JMP F855B217
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP F855A24E
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F855A1A6
PAGE ntoskrnl.exe!ZwOpenKey + 7 80568D60 1 Byte [ F5 ]
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP F855B095
PAGE ntoskrnl.exe!IoCreateFile 8056CC6B 5 Bytes JMP F8559E17
PAGE ntoskrnl.exe!NtOpenFile 8056CD5B 5 Bytes JMP F8559EDC
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F8559D4B
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP F855A0E6
PAGE ntoskrnl.exe!ZwCreateKey + 7 80570664 1 Byte [ 57 ]
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP F855AD66
PAGE ntoskrnl.exe!ZwOpenSection 80570FD7 7 Bytes JMP F855A30E
PAGE ntoskrnl.exe!NtQueryDirectoryFile 80572111 5 Bytes JMP F855B6BC
PAGE ntoskrnl.exe!ZwQueryDirectoryObject 805843AD 7 Bytes JMP F855A684
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP F855A9FF
PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject 8059090E 7 Bytes JMP F855A3B6
PAGE ntoskrnl.exe!ZwOpenDirectoryObject 80590A42 7 Bytes JMP F855A03E
PAGE ntoskrnl.exe!ZwCreateDirectoryObject 805A2892 7 Bytes JMP F8559F96
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B01 7 Bytes JMP F855B5D9
PAGE ntoskrnl.exe!IoCreateStreamFileObject 80616463 5 Bytes JMP F8559E8D
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01044FF2
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01044F3E
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01044ED9
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01044EA7
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 010452AB
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 01045560
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 01045560
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01044FF2
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 01045560
IAT c:\Program Files\Zune\ZuneNss.exe[580] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 010452AB
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00B54FF2
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B54FF2
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B54F3E
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B54ED9
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B54EA7
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B54FF2
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00B55560
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 00B552AB
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B55560
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B552AB
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B55560
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B84FF2
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B84F3E
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B84ED9
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B84EA7
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00B84F3E
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B84FF2
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00B84F3E
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00B84ED9
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B852AB
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B85560
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B85560
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B852AB
IAT C:\WINDOWS\system32\lsass.exe[816] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B85560
IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00A54EA7
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B94FF2
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B94F3E
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B94ED9
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B94EA7
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B952AB
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B95560
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B95560
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B952AB
IAT C:\WINDOWS\system32\svchost.exe[1112] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B95560
IAT C:\WINDOWS\system32\svchost.exe[1112] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B94FF2
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00824FF2
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00824F3E
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00824ED9
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00824EA7
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00825560
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 008252AB
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00825560
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 008252AB
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00825560
IAT C:\Program Files\Windows Defender\MsMpEng.exe[1208] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00824FF2
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 04F64FF2
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 04F64F3E
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 04F64ED9
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 04F64EA7
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 04F652AB
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 04F65560
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 04F65560
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 04F652AB
IAT C:\WINDOWS\System32\svchost.exe[1248] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 04F65560
IAT C:\WINDOWS\System32\svchost.exe[1248] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 04F64FF2
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00634FF2
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00634F3E
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00634ED9
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00634EA7
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 006352AB
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00635560
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00635560
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 006352AB
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00635560
IAT C:\WINDOWS\system32\svchost.exe[1328] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00634FF2
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00F04FF2
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00F04F3E
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00F04ED9
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00F04EA7
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00F052AB
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00F05560
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00F05560
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00F052AB
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00F05560
IAT C:\WINDOWS\System32\svchost.exe[1428] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00F04FF2
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 010D4FF2
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 010D4F3E
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 010D4ED9
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 010D4EA7
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 010D52AB
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 010D5560
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 010D5560
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 010D52AB
IAT C:\WINDOWS\system32\svchost.exe[1616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 010D5560
IAT C:\WINDOWS\system32\svchost.exe[1616] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 010D4FF2
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 017A4FF2
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 017A4F3E
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 017A4ED9
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 017A4EA7
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 017A52AB
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 017A5560
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 017A5560
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 017A4FF2
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 017A5560
IAT C:\Program Files\Windows Media Player\WMPNetwk.exe[2012] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 017A52AB
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00084FF2
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00084F3E
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00084ED9
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00084EA7
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 000852AB
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00085560
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00085560
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00085560
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 000852AB
IAT C:\WINDOWS\system32\wuauclt.exe[2548] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00084FF2
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00404FF2
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00404F3E
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00404ED9
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00404EA7
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004052AB
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00405560
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00404FF2
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405560
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 004052AB
IAT C:\WINDOWS\System32\alg.exe[2636] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405560
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2772] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00134FF2
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00134F3E
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00134ED9
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134EA7
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001352AB
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135560
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00135560
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001352AB
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135560
IAT C:\Program Files\iPod\bin\iPodService.exe[3756] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00134FF2
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00134FF2
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00134F3E
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00134ED9
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134EA7
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00134FF2
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00135560
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001352AB
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00135560
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001352AB
IAT C:\WINDOWS\system32\HPZipm12.exe[3916] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00135560

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\zbthkkip \Device\SAMPLEDEV35 F8559416

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Modules - GMER 1.0.14 ----

Module kylqufuq.sys (*** hidden *** ) F8558000-F8561000 (36864 bytes)

---- Threads - GMER 1.0.14 ----

Thread 972:1756 00364E2F
Thread 972:3080 00394E2F
Thread 972:4040 003C4E2F
Thread 1492:2492 00364E2F
Thread 1492:3312 00394E2F
Thread 1492:180 003C4E2F

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@Authentication Packages msv1_0?C:\WINDOWS\system32\wvUmljgE?
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSorvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SYSTEM\ControlSet003\Control\Lsa@Authentication Packages msv1_0?C:\WINDOWS\system32\wvUmljgE?
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSorvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log

---- EOF - GMER 1.0.14 ----


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:08 AM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\notes\ntmulti.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\H W Cole\Desktop\gmer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\H W Cole\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Workshare3GW] C:\Program Files\Workshare\Modules\WPConfigAssistant.exe /userinit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Gbaqifulor] rundll32.exe "C:\WINDOWS\Vramelisuzo.dll",e
O4 - HKLM\..\Run: [Lwisafomohuxewot] rundll32.exe "C:\WINDOWS\iqeliyojoqoziyi.dll",e
O4 - HKLM\..\Run: [realtecg] "C:\Documents and Settings\H W Cole\Application Data\Google\xpsdg6420222.exe" 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - https://matters.amicillc.com/pf7/filecabine...otnet/setup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) - http://javadl-esd.sun.com/update/1.4.1/jin...indows-i586.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 12735 bytes

Changes made since topic creation:

Prior to these logs - I tried to run ComboFix at least twice; both times it got hung up on the auto scan. Re-started and deleted my copies of the program and re-downloaded for this log. Also tried Ad-Aware and Microsoft's online malware scanner.


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 31 January 2009 - 10:39 AM

Hello.

Let's see what we can do.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    file::
    c:\documents and settings\H W Cole\r.exe
    c:\windows\system32\dfculset.ini
    c:\windows\system32\byXOhEuu.dll
    c:\windows\system32\rn.tmp
    c:\windows\zbthkkip
    c:\windows\system32\jhoaxyvg.ini
    c:\windows\system32\htgcrnnj.ini
    c:\windows\system32\wmwwbtjc.ini
    c:\windows\ilurayapeva.dll
    c:\windows\izecamotig.dll
    c:\windows\izuhuyagasuti.dll
    c:\windows\izekamosarevegub.dll
    c:\windows\ofuxogap.dll
    c:\windows\ozatetacoy.dll
    c:\windows\upixugujekafi.dll
    c:\windows\ohorazoh.dll
    c:\windows\system32\pnkhsmdr.ini
    c:\windows\system32\eiyvufwu.ini
    c:\windows\system32\oqapwqvx.ini
    c:\windows\system32\qYbacccf.ini2
    c:\windows\system32\qYbacccf.ini
    c:\documents and settings\H W Cole\Application Data\Google\xpsdg6420222.exe
    c:\windows\sorry.exe
    c:\windows\system32\twex.exe
    c:\windows\Tasks\akhzckhl.job
    c:\windows\Tasks\yvnfpvnt.job
    
    Folder::
    c:\windows\system32\twain32
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gbaqifulor"=-
    "Lwisafomohuxewot"=-
    "realtecg"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe"
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    
    Driver::
    TDSSserv.sys
    aylnlfdx
    hbefinxs
    mdashelf
    nugafwsy
    nzijrcyq
    zbthkkip
    
    Rootkit::
    c:\windows\system32\drivers\phqghume.sys
    c:\windows\system32\drivers\jlbmoahy.sys
    c:\windows\system32\drivers\oqcsjzvp.sys
    c:\windows\system32\drivers\espdmskz.sys
    c:\windows\system32\drivers\nncxiazv.sys
    c:\windows\system32\drivers\kylqufuq.sys
    c:\windows\system32\drivers\TDSSmqlt.sys
    c:\windows\system32\TDSSoiqh.dll
    c:\windows\system32\TDSSorvd.dat
    c:\windows\system32\TDSShrsr.dll
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSkkbi.log
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (image: CFScript.txt being dragged onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Please post back with:
-the ComboFix log
-the MalwareBytes log
-a new GMER log

With Regards,
The Panda
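
As an added illustration (not the helper's own method, nor any ComboFix, HijackThis or GMER code), the Python below shows how a script like the one above maps back to the logs: it pulls the extra programs chained onto the F2 UserInit line, flags the random-named rundll32 and Application Data Run entries, collects the files registered under the service GMER marked hidden, and emits matching CFScript sections. The sample lines are copied from this thread's logs; the flagging heuristics are assumptions.

```python
import re

# Constructed sample input: a few lines copied from the HijackThis and GMER
# logs posted in this thread. Everything below is an added illustration; the
# heuristics are assumptions, not the helper's method or any tool's code.
HJT_LINES = [
    r'F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,C:\WINDOWS\system32\twex.exe,',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [Gbaqifulor] rundll32.exe "C:\WINDOWS\Vramelisuzo.dll",e',
    r'O4 - HKLM\..\Run: [Lwisafomohuxewot] rundll32.exe "C:\WINDOWS\iqeliyojoqoziyi.dll",e',
    r'O4 - HKLM\..\Run: [realtecg] "C:\Documents and Settings\H W Cole\Application Data\Google\xpsdg6420222.exe" 2',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]
GMER_LINES = [
    r'Service system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!',
    r'Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys',
    r'Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys',
    r'Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrsr.dll',
    r'Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll',
]

# The only program that belongs in the Winlogon UserInit value on XP.
USERINIT_OK = r'c:\windows\system32\userinit.exe'
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
HIDDEN_SVC_RE = re.compile(r'^Service \S+ \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+) <-- ROOTKIT')
SVC_REG_RE = re.compile(
    r'^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\@]+)'
    r'(\\modules)?@\w+ (?P<path>\\systemroot\\\S+)$')


def check_userinit(line):
    """Return every program chained onto UserInit besides userinit.exe itself.
    A clean F2 line yields an empty list; anything else runs at every logon."""
    m = re.match(r'^F2 - REG:system\.ini: UserInit=(.*)$', line)
    if not m:
        return []
    parts = [p.strip() for p in m.group(1).split(',') if p.strip()]
    return [p for p in parts if p.lower() != USERINIT_OK]


def suspicious_run_entries(lines):
    """Flag O4 Run entries that (a) call rundll32 on a DLL dropped straight into
    the Windows directory, where no normal installer puts its own DLLs, or
    (b) launch an .exe out of a user's Application Data folder."""
    found = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group('cmd')
        low = cmd.lower()
        root_dll = re.search(r'rundll32\.exe "c:\\windows\\[^\\"]+\.dll"', low)
        appdata_exe = '\\application data\\' in low and '.exe' in low
        if root_dll or appdata_exe:
            found.append((m.group('name'), cmd))
    return found


def hidden_service_files(lines):
    """Return (hidden service names, files they register) from GMER output.
    Every imagepath/modules value under a service GMER marked hidden is a
    file to take out together with the service, or the rootkit reinstalls."""
    hidden = {m.group(1) for m in map(HIDDEN_SVC_RE.match, lines) if m}
    files = []
    for line in lines:
        m = SVC_REG_RE.match(line)
        if m and m.group('svc') in hidden:
            path = re.sub(r'(?i)^\\systemroot\\', r'c:\\windows\\', m.group('path'))
            if path not in files:
                files.append(path)
    return hidden, files


def build_cfscript(hjt_lines, gmer_lines):
    """Assemble CFScript sections in the layout used by the script above."""
    extra = [x for l in hjt_lines for x in check_userinit(l)]
    runs = suspicious_run_entries(hjt_lines)
    hidden, rk_files = hidden_service_files(gmer_lines)
    # file:: gets the UserInit hitch-hikers plus the payload each bad Run entry points at
    payloads = [re.search(r'"([^"]+)"', cmd).group(1) for _, cmd in runs if '"' in cmd]
    out = ['KILLALL::', 'file::'] + extra + payloads
    out += ['', 'Registry::', r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]']
    out += ['"%s"=-' % name for name, _ in runs]
    if extra:  # reset UserInit to the stock value once the extras are gone
        out += ['', r'[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]',
                r'"Userinit"="c:\windows\system32\userinit.exe"']
    out += ['', 'Driver::'] + sorted(hidden)
    out += ['', 'Rootkit::'] + rk_files
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_cfscript(HJT_LINES, GMER_LINES))
```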

#5 H. W. Cole

  • Topic Starter
  • Members
  • 9 posts

Posted 31 January 2009 - 03:03 PM

Thanks again for the quick reply. I instructed MalwareBytes to delete what it found and rebooted Windows.

ComboFix Log:

ComboFix 09-01-21.04 - H W Cole 2009-01-31 12:30:47.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.153 [GMT -5:00]
Running from: c:\documents and settings\H W Cole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\H W Cole\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\H W Cole\Application Data\Google\xpsdg6420222.exe
c:\documents and settings\H W Cole\r.exe
c:\windows\ilurayapeva.dll
c:\windows\izecamotig.dll
c:\windows\izekamosarevegub.dll
c:\windows\izuhuyagasuti.dll
c:\windows\ofuxogap.dll
c:\windows\ohorazoh.dll
c:\windows\ozatetacoy.dll
c:\windows\sorry.exe
c:\windows\system32\byXOhEuu.dll
c:\windows\system32\dfculset.ini
c:\windows\system32\eiyvufwu.ini
c:\windows\system32\htgcrnnj.ini
c:\windows\system32\jhoaxyvg.ini
c:\windows\system32\oqapwqvx.ini
c:\windows\system32\pnkhsmdr.ini
c:\windows\system32\qYbacccf.ini
c:\windows\system32\qYbacccf.ini2
c:\windows\system32\rn.tmp
c:\windows\system32\twex.exe
c:\windows\system32\wmwwbtjc.ini
c:\windows\Tasks\akhzckhl.job
c:\windows\Tasks\yvnfpvnt.job
c:\windows\upixugujekafi.dll
c:\windows\zbthkkip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\H W Cole\Application Data\Google\xpsdg6420222.exe
c:\documents and settings\H W Cole\r.exe
c:\windows\ilurayapeva.dll
c:\windows\izecamotig.dll
c:\windows\izekamosarevegub.dll
c:\windows\izuhuyagasuti.dll
c:\windows\ofuxogap.dll
c:\windows\ohorazoh.dll
c:\windows\ozatetacoy.dll
c:\windows\system32\byXOhEuu.dll
c:\windows\system32\dfculset.ini
c:\windows\system32\drivers\kylqufuq.sys
c:\windows\system32\eiyvufwu.ini
c:\windows\system32\htgcrnnj.ini
c:\windows\system32\jhoaxyvg.ini
c:\windows\system32\oqapwqvx.ini
c:\windows\system32\pnkhsmdr.ini
c:\windows\system32\qYbacccf.ini
c:\windows\system32\qYbacccf.ini2
c:\windows\system32\rn.tmp
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twex.exe
c:\windows\system32\wmwwbtjc.ini
c:\windows\Tasks\akhzckhl.job
c:\windows\Tasks\yvnfpvnt.job
c:\windows\upixugujekafi.dll
c:\windows\zbthkkip

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-31 00:47 . 2009-01-31 00:47 250 --a------ c:\windows\gmer.ini
2009-01-30 01:26 . 2009-01-30 01:26 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\Yahoo
2009-01-24 21:06 . 2009-01-24 21:07 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\Twain
2009-01-24 21:04 . 2009-01-24 21:04 <DIR> d-------- c:\program files\WebShow
2009-01-20 23:08 . 2009-01-20 23:08 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\cogad
2009-01-20 23:00 . 2009-01-22 23:02 1,434,638 ---hs---- c:\windows\system32\duqcjshc.ini
2009-01-20 22:59 . 2009-01-26 13:54 434,306 --ahs---- c:\windows\system32\EgjlmUvw.ini
2009-01-20 22:59 . 2009-01-26 13:41 433,439 --ahs---- c:\windows\system32\EgjlmUvw.ini2
2009-01-20 22:59 . 2009-01-24 20:38 3,636 --a------ c:\windows\mdashelf
2009-01-19 09:46 . 2009-01-19 09:46 134,656 --a------ c:\windows\iqeliyojoqoziyi.dll
2009-01-19 09:34 . 2009-01-19 09:34 39,424 --a------ c:\windows\Vramelisuzo.dll
2009-01-18 22:17 . 2009-01-18 22:17 1,403,021 ---hs---- c:\windows\system32\qtifwhfg.ini
2009-01-18 22:14 . 2009-01-18 23:41 1,131 --ahs---- c:\windows\system32\YGOWHkkj.ini2
2009-01-18 22:14 . 2009-01-18 23:44 1,131 --ahs---- c:\windows\system32\YGOWHkkj.ini
2009-01-18 22:09 . 2009-01-18 22:09 <DIR> d-------- c:\documents and settings\H W Cole\Application Data\GetModule
2009-01-18 22:08 . 2009-01-18 22:08 198,687 --a------ c:\windows\system32\wpv021232320584.cpx
2009-01-02 12:19 . 2009-01-02 12:19 <DIR> d-------- c:\program files\Nick Jr. Arcade
2009-01-02 12:19 . 2009-01-02 12:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 21:47 . 2009-01-05 02:13 256 --a------ c:\documents and settings\H W Cole\pool.bin
2009-01-01 16:30 . 2009-01-01 16:30 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-31 23:32 . 2008-12-31 23:32 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 23:31 . 2008-12-31 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 23:30 . 2008-12-31 23:30 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 14:12 . 2003-11-18 00:09 155,648 --a------ c:\windows\system32\igfxres.dll
2008-12-14 17:20 . 2008-12-14 17:20 <DIR> d-------- c:\program files\iTunes
2008-12-14 17:20 . 2008-12-14 17:20 <DIR> d-------- c:\program files\iPod
2008-12-14 17:20 . 2008-12-14 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 17:19 . 2008-12-14 17:19 <DIR> d-------- c:\program files\Bonjour
2008-12-14 17:12 . 2008-12-14 17:12 <DIR> d-------- c:\program files\QuickTime
2008-12-13 22:59 . 2008-12-13 22:59 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-06 18:49 . 2008-12-06 18:49 <DIR> d--hs---- C:\FOUND.002
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\system32\scripting
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\system32\en
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\system32\bits
2008-12-06 18:27 . 2008-12-06 18:27 <DIR> d-------- c:\windows\l2schemas
2008-12-06 18:24 . 2008-12-06 18:24 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-06 18:12 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-06 18:12 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-06 18:11 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-06 18:10 . 2008-12-11 05:57 333,952 --------- c:\windows\system32\dllcache\srv.sys
2008-12-06 18:09 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-06 18:05 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-06 18:05 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-06 18:05 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-06 18:05 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-06 18:04 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-06 18:04 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-06 18:03 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-06 17:58 . 2004-08-03 22:41 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys
2008-12-06 17:58 . 2004-08-03 22:41 685,056 --------- c:\windows\system32\drivers\hsfcxts2.sys
2008-12-06 17:58 . 2004-08-03 22:29 104,960 --------- c:\windows\system32\drivers\atinrvxx.sys
2008-12-06 17:58 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2008-12-06 17:58 . 2004-08-03 22:29 36,463 --------- c:\windows\system32\drivers\ati1tuxx.sys
2008-12-06 17:58 . 2004-08-03 22:29 31,744 --------- c:\windows\system32\drivers\atinxbxx.sys
2008-12-06 17:58 . 2004-08-03 22:29 28,672 --------- c:\windows\system32\drivers\atinsnxx.sys
2008-12-06 17:58 . 2004-08-03 22:41 13,240 --------- c:\windows\system32\drivers\slwdmsup.sys
2008-12-06 17:58 . 2004-08-03 22:29 11,935 --------- c:\windows\system32\drivers\wadv11nt.sys
2008-12-06 17:58 . 2004-08-03 22:41 11,868 --------- c:\windows\system32\drivers\mdmxsdk.sys
2008-12-06 17:55 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-06 17:44 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-06 17:28 . 2008-12-06 17:28 <DIR> d-------- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-29 16:50 630,784 ----a-w c:\documents and settings\H W Cole\GoToAssist_chat2way__317_en.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_ 0.24.01.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-31 05:47:16 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2009-01-31 05:18:40 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-31 17:30:08 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-31 05:47:16 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"updateMgr"="c:\program files\Adobe\Acrobat\AdobeUpdateManager.exe" [2006-03-31 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-07-10 77887]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2005-09-24 483328]
"Workshare3GW"="c:\program files\Workshare\Modules\WPConfigAssistant.exe" [2005-03-31 599056]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-11-15 166304]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-18 118784]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\H W Cole\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-09-19 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
M-Audio Transit USB Control Panel Launcher.lnk - c:\program files\M-Audio Transit USB\TUSBTask.exe [2003-04-28 61440]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-09-09 6144]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-07-21 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\sorry.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_g729a"= sl_g729a.acm
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv
"midi"= usbmn2x2.dll
"midi4"= usbmn2x2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\wvUmljgE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\palmOne\\Hotsync.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\H W Cole\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2006-02-01 1293345]
R3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2007-06-19 41216]
R4 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2006-02-01 35697]
R4 Transit USBInstallerService;Transit USB Installer;c:\program files\M-Audio Transit USB\Install\TUSBInst.exe [2007-06-19 49152]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S0 hbefinxs;hbefinxs;c:\windows\system32\drivers\jlbmoahy.sys --> c:\windows\system32\drivers\jlbmoahy.sys [?]
S0 mdashelf;mdashelf;c:\windows\system32\drivers\oqcsjzvp.sys --> c:\windows\system32\drivers\oqcsjzvp.sys [?]
S0 nugafwsy;nugafwsy;c:\windows\system32\drivers\espdmskz.sys --> c:\windows\system32\drivers\espdmskz.sys [?]
S0 nzijrcyq;nzijrcyq;c:\windows\system32\drivers\nncxiazv.sys --> c:\windows\system32\drivers\nncxiazv.sys [?]
S0 zbthkkip;zbthkkip;c:\windows\system32\drivers\kylqufuq.sys --> c:\windows\system32\drivers\kylqufuq.sys [?]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2007-06-19 16512]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2007-02-09 14272]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys [2007-02-09 22304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##NYMOBILE01#MOBILE#HOMEDVD]
\Shell\AutoRun\command - Z:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e0cfee-7543-11db-bd1a-000475eb6250}]
\Shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{749e1a06-9b17-11dc-bed4-00059a3c7800}]
\Shell\AutoRun\command - F:\slacker.synclauncher.exe
\Shell\slacker\command - F:\slacker.synclauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9176290-18de-11db-ba99-000475a048da}]
\Shell\AutoRun\command - E:\AUTORUN.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\User_Feed_Synchronization-{4FB81AF2-478C-4F4E-9EE6-CD8E8259844A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-01-31 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2005-07-08 00:55]

2009-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxps://matters.amicillc.com/pf7/filecabinet/extdotnet/setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 12:36:54
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSmqlt.sys"
"group"="file system"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\npnotes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\NSLSVICE.EXE
c:\windows\SYSTEM32\NSL.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\notes\NTMULTI.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\ZuneWlanCfgSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Adobe\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-01-31 12:41:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-31 17:41:24
ComboFix2.txt 2009-01-31 05:26:52

Pre-Run: 21,539,553,280 bytes free
Post-Run: 21,702,148,096 bytes free

319 --- E O F --- 2009-01-31 05:54:37


MalwareBytes Log:

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 3

1/31/2009 1:04:22 PM
mbam-log-2009-01-31 (13-04-12).txt

Scan type: Quick Scan
Objects scanned: 58764
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:
C:\Documents and Settings\H W Cole\Application Data\cogad (Trojan.Agent) -> No action taken.
C:\Documents and Settings\H W Cole\Application Data\GetModule (Trojan.Agent) -> No action taken.

Files Infected:
C:\Documents and Settings\H W Cole\Application Data\GetModule\dicik.gz (Trojan.Agent) -> No action taken.
C:\Documents and Settings\H W Cole\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> No action taken.
C:\Documents and Settings\H W Cole\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wpv021232320584.cpx (Trojan.Agent) -> No action taken.
C:\Documents and Settings\H W Cole\Application Data\Twain\Twain.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\H W Cole\Application Data\Google\kpldpl.dll (Trojan.FakeAlert) -> No action taken.

GMER Log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-31 13:18:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT E1AB0FC0 ZwConnectPort

---- Kernel code sections - GMER 1.0.14 ----

? qkcmv.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1900] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSorvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSorvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log

---- EOF - GMER 1.0.14 ----


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:47 PM

Posted 31 January 2009 - 06:42 PM

Woah, that is a mess. Let's clean up some more.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to delete:
    TDSSserv.sys
    aylnlfdx
    hbefinxs
    mdashelf
    nugafwsy
    nzijrcyq
    zbthkkip
    
    Registry keys to delete:
    HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
    
    Files to delete:
    c:\windows\mdashelf
    c:\windows\system32\duqcjshc.ini
    c:\windows\system32\EgjlmUvw.ini
    c:\windows\system32\EgjlmUvw.ini2
    c:\windows\iqeliyojoqoziyi.dll
    c:\windows\Vramelisuzo.dll
    c:\windows\system32\qtifwhfg.ini
    c:\windows\system32\YGOWHkkj.ini2
    c:\windows\system32\YGOWHkkj.ini
    c:\windows\system32\wpv021232320584.cpx
    
    Folders to delete:
    c:\documents and settings\H W Cole\Application Data\Twain
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
Re-run scan with MalwareBytes Anti-Malware
Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

After all that, take a fresh DDS log.

With Regards,
The Panda
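As an added example (not code from this thread, ComboFix or The Avenger), a small Python triage script that reads lines in the shape of the ComboFix "Reg Loading Points" section quoted above and flags the indicators the Avenger script targets: the Userinit value that launches sorry.exe and twex.exe at every logon, the S0 boot-start services whose driver file is missing, the Security Center AntiVirusOverride, the disabled firewall and the extra LSA authentication package. The sample log is constructed from the entries shown in this thread.

```python
"""Triage helper for the ComboFix-style log quoted in this thread.

Added example, not part of the original post and not ComboFix or Avenger
code. It scans lines in the shape of the "Reg Loading Points" section and
flags the indicators the helper's Avenger script targets:
  * a Userinit value that launches executables beyond userinit.exe
  * boot-start (S0) services whose driver image is missing ("[?]")
  * Security Center AntiVirusOverride set to 1
  * the standard-profile firewall disabled
  * an LSA Authentication Package other than the default msv1_0
"""
import re

# Constructed sample built from the entries shown in the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\sorry.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\wvUmljgE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2007-06-19 16512]
"""

# "<start-type> <name>;<display name>;<image path> [...]" service lines.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")


def extra_userinit_entries(value):
    """Return every comma-separated entry in a Userinit value other than userinit.exe.

    The clean value is "c:\\windows\\system32\\userinit.exe," (MBAM's "Good" is
    userinit.exe); anything else is an extra program started at every logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries
            if not (e.lower() == "userinit.exe" or e.lower().endswith("\\userinit.exe"))]


def triage(log):
    """Return (indicator, item, detail) tuples for the suspicious lines in `log`."""
    findings = []
    section = ""          # lowercase name of the current [registry key] block
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.lower()
            continue

        svc = SERVICE_RE.match(line)
        if svc:
            # S0 = boot-start; ComboFix marks an image it cannot find with "--> path [?]".
            if svc.group("start") == "S0" and line.endswith("[?]"):
                image = svc.group("image").split(" --> ")[0]
                findings.append(("boot_start_driver_missing_file", svc.group("name"), image))
            continue

        if "winlogon" in section and line.startswith('"Userinit"'):
            value = line.split("=", 1)[1].strip().strip('"')
            extra = extra_userinit_entries(value)
            if extra:
                findings.append(("userinit_hijack", "Userinit", ",".join(extra)))
        elif "control\\lsa" in section and line.startswith("Authentication Packages"):
            packages = line.split()[3:]       # tokens after "... REG_MULTI_SZ"
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                findings.append(("extra_auth_package", "Authentication Packages", " ".join(extra)))
        elif "security center" in section and line.startswith('"AntiVirusOverride"'):
            if line.endswith("dword:00000001"):
                findings.append(("av_override_set", "AntiVirusOverride", "1"))
        elif "firewallpolicy" in section and line.startswith('"EnableFirewall"'):
            if re.search(r"=\s*0\b", line):
                findings.append(("firewall_disabled", "EnableFirewall", "0"))
    return findings


if __name__ == "__main__":
    for indicator, item, detail in triage(SAMPLE_LOG):
        print(f"{indicator:32} {item:24} {detail}")
```

Run against the full log rather than the sample and the same five indicator kinds come back for each S0 entry and tampered value; a clean machine yields an empty list.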

#7 H. W. Cole

H. W. Cole
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 31 January 2009 - 11:21 PM

I see where I didn't ask MalwareBytes to delete what it found initially, sorry about that. I rescanned and then deleted what it had found previously.

Avenger Log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "TDSSserv.sys" deleted successfully.
Driver "aylnlfdx" deleted successfully.
Driver "hbefinxs" deleted successfully.
Driver "mdashelf" deleted successfully.
Driver "nugafwsy" deleted successfully.
Driver "nzijrcyq" deleted successfully.
Driver "zbthkkip" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys" deleted successfully.
File "c:\windows\mdashelf" deleted successfully.
File "c:\windows\system32\duqcjshc.ini" deleted successfully.
File "c:\windows\system32\EgjlmUvw.ini" deleted successfully.
File "c:\windows\system32\EgjlmUvw.ini2" deleted successfully.
File "c:\windows\iqeliyojoqoziyi.dll" deleted successfully.
File "c:\windows\Vramelisuzo.dll" deleted successfully.
File "c:\windows\system32\qtifwhfg.ini" deleted successfully.
File "c:\windows\system32\YGOWHkkj.ini2" deleted successfully.
File "c:\windows\system32\YGOWHkkj.ini" deleted successfully.

Error: file "c:\windows\system32\wpv021232320584.cpx" not found!
Deletion of file "c:\windows\system32\wpv021232320584.cpx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\documents and settings\H W Cole\Application Data\Twain" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


MalwareBytes Log

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 3

1/31/2009 11:00:04 PM
mbam-log-2009-01-31 (23-00-04).txt

Scan type: Quick Scan
Objects scanned: 62408
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS Log


DDS (Ver_09-01-18.01) - FAT32x86
Run by H W Cole at 23:13:18.71 on Sat 01/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.123 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\notes\ntmulti.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\H W Cole\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [updateMgr] c:\program files\adobe\acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office 11\programs\QFSCHD110.EXE"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
mRun: [Workshare3GW] c:\program files\workshare\modules\WPConfigAssistant.exe /userinit
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\albert~1\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\albert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\m-audi~1.lnk - c:\program files\m-audio transit usb\TUSBTask.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUmljgE

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2006-2-1 1293345]
R3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2007-6-19 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081226.002\naveng.sys [2008-12-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081226.002\navex15.sys [2008-12-26 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R4 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2006-2-1 35697]
R4 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R4 Transit USBInstallerService;Transit USB Installer;c:\program files\m-audio transit usb\install\TUSBInst.exe [2007-6-19 49152]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2007-6-19 16512]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2007-2-9 14272]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys [2007-2-9 22304]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-31 12:48 <DIR> --d----- c:\docume~1\h w~1\applic~1\Malwarebytes
2009-01-31 12:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 12:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 12:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 12:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 00:47 250 a------- c:\windows\gmer.ini
2009-01-30 01:26 <DIR> --d----- c:\docume~1\h w~1\applic~1\Yahoo
2009-01-29 21:42 <DIR> a-dshr-- C:\cmdcons
2009-01-29 21:39 161,792 a------- c:\windows\SWREG.exe
2009-01-29 21:39 98,816 a------- c:\windows\sed.exe
2009-01-24 21:04 <DIR> --d----- c:\program files\WebShow
2009-01-02 12:19 <DIR> --d----- c:\program files\Nick Jr. Arcade

==================== Find3M ====================

2009-01-05 02:13 256 a------- c:\documents and settings\H W Cole\pool.bin
2008-12-18 00:29 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-12-29 11:50 630,784 a------- c:\documents and settings\H W Cole\GoToAssist_chat2way__317_en.exe

============= FINISH: 23:14:04.87 ===============

Edited by H. W. Cole, 31 January 2009 - 11:22 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 February 2009 - 12:05 PM

Hello H. W. Cole.

Looks much better.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please post back with:
-the Kaspersky log
-a fresh DDS.txt log

Any issues at the moment?

With Regards,
The Panda



#9 H. W. Cole

H. W. Cole
  • Topic Starter

  • Members
  • 9 posts

Posted 03 February 2009 - 12:13 AM

Panda,

The only issue that I can see is that on restarting windows I get a folder at C:\Program Files\Common opening up. Otherwise it seems to be running well though Kaspersky found the following:


Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 03, 2009 01:41:57
Records in database: 1738758
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 92938
Threat name: 14
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 02:33:43


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D6C0000.VBN Infected: Trojan-Downloader.HTML.Agent.is 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940000.VBN Infected: Trojan.Win32.BHO.hxl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06100000.VBN Infected: Trojan-Downloader.Win32.DlKroha.e 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF80000.VBN Infected: Exploit.JS.Pdfka.w 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP773\A0045056.exe Infected: Trojan.Win32.Agent.bgbt 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP774\A0045080.dll Infected: Trojan.Win32.Monder.aree 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0045318.dll Infected: Trojan.Win32.Inject.nwz 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0045332.dll Infected: Trojan.Win32.Inject.nwz 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0046331.dll Infected: Trojan.Win32.Inject.nwz 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0046383.exe Infected: not-a-virus:AdWare.Win32.Agent.jok 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0046384.exe Infected: not-a-virus:AdWare.Win32.Agent.kea 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0046387.dll Infected: Trojan-Downloader.Win32.Injecter.caa 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0046392.dll Infected: Rootkit.Win32.TDSS.dbg 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP778\A0046411.dll Infected: Trojan.Win32.Inject.nwz 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP780\A0046532.exe Infected: Trojan.Win32.FraudPack.aoo 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP780\A0046535.dll Infected: Trojan-Downloader.Win32.Agent.betb 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP780\A0046538.dll Infected: Trojan-Downloader.Win32.Agent.betb 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP780\A0046541.dll Infected: Trojan.Win32.Agent.bknt 1
C:\System Volume Information\_restore{70AA9722-9635-4FAC-A9E7-EBBEE36C5F26}\RP780\A0046618.DLL Infected: Trojan.Win32.Inject.nwz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir Infected: Trojan-Downloader.Win32.Injecter.caa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXOhEuu.dll.vir Infected: Trojan.Win32.Agent.bknt 1
C:\Qoobox\Quarantine\C\WINDOWS\izecamotig.dll.vir Infected: Trojan-Downloader.Win32.Agent.betb 1
C:\Qoobox\Quarantine\C\WINDOWS\ofuxogap.dll.vir Infected: Trojan-Downloader.Win32.Agent.betb 1
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack27.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.jok 1
C:\Qoobox\Quarantine\C\Program Files\GetPack\GetPack28.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.kea 1
C:\Qoobox\Quarantine\C\Documents and Settings\H W Cole\Application Data\Google\xpsdg6420222.exe.vir Infected: Trojan.Win32.FraudPack.aoo 1

The selected area was scanned.


DDS log


DDS (Ver_09-01-18.01) - FAT32x86
Run by H W Cole at 0:07:05.45 on Tue 02/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.216 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\notes\ntmulti.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\H W Cole\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [updateMgr] c:\program files\adobe\acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office 11\programs\QFSCHD110.EXE"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
mRun: [Workshare3GW] c:\program files\workshare\modules\WPConfigAssistant.exe /userinit
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\albert~1\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\albert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\m-audi~1.lnk - c:\program files\m-audio transit usb\TUSBTask.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2006-2-1 1293345]
R3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2007-6-19 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081226.002\naveng.sys [2008-12-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081226.002\navex15.sys [2008-12-26 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R4 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2006-2-1 35697]
R4 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R4 Transit USBInstallerService;Transit USB Installer;c:\program files\m-audio transit usb\install\TUSBInst.exe [2007-6-19 49152]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 MADFU006;MADFU006;c:\windows\system32\drivers\MADFU006.sys [2007-6-19 16512]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [2007-2-9 14272]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys [2007-2-9 22304]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-02-02 20:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-02 20:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-31 12:48 <DIR> --d----- c:\docume~1\albert~1\applic~1\Malwarebytes
2009-01-31 12:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 12:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 12:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 12:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 00:47 250 a------- c:\windows\gmer.ini
2009-01-30 01:26 <DIR> --d----- c:\docume~1\albert~1\applic~1\Yahoo
2009-01-29 21:42 <DIR> a-dshr-- C:\cmdcons
2009-01-29 21:39 161,792 a------- c:\windows\SWREG.exe
2009-01-29 21:39 98,816 a------- c:\windows\sed.exe
2009-01-24 21:04 <DIR> --d----- c:\program files\WebShow

==================== Find3M ====================

2009-01-05 02:13 256 a------- c:\documents and settings\H W Cole\pool.bin
2008-12-18 00:29 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-12-29 11:50 630,784 a------- c:\documents and settings\H W Cole\GoToAssist_chat2way__317_en.exe

============= FINISH: 0:07:41.06 ===============

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 03 February 2009 - 08:22 AM

Hello.

Kaspersky only found items in quarantine, and some in the system restore cache, which we will clear.

The only issue that I can see is that on restarting windows I get a folder at C:\Program Files\Common opening up.

Looks like an autorun value wasn't written properly.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BlackBerryAutoUpdate"="\"c:\\program files\\common files\\research in motion\\auto update\\RIMAutoUpdate.exe\" /background"
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Reboot. Is it gone now?

With Regards,
The Panda
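
An added example, not part of this thread and not code from DDS or from the Malware Response Team: a small Python triage script for the two DDS "Pseudo HJT Report" findings that the registry scripts in posts #8 and #10 correct. Post #8 resets the LSA "Authentication Packages" value, where an entry beyond msv1_0 means a DLL that LSASS loads at boot, and post #10 rewrites the BlackBerryAutoUpdate Run value with the path quoted. The script decodes the REGEDIT4 hex(7) literal to confirm it sets exactly msv1_0, flags extra Authentication Packages entries, and lists Run values whose unquoted path contains spaces alongside the quoted .reg line that would replace them (the shape of the post #10 fix). The sample lines are constructed from the logs above; the assumptions are that DDS prints the registry data as-is (it lowercases the directory part in this thread) and that a stock Windows XP registers only msv1_0.

```python
"""Triage helpers for the DDS 'Pseudo HJT Report' lines quoted in this thread.

Checks the two things the registry scripts in posts #8 and #10 fix:
  1. the LSA 'Authentication Packages' value carrying an entry besides
     msv1_0 (post #8 resets it with a REGEDIT4 hex(7) literal);
  2. Run values whose executable path contains spaces but is not quoted
     (post #10 rewrites the BlackBerryAutoUpdate value with quotes).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the DDS logs in this thread plus one
# benign, correctly quoted neighbour (ccApp) for contrast.
SAMPLE_DDS_LINES = [
    r'mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"',
    r'mRun: [vptray] c:\progra~1\symant~1\VPTray.exe',
    r'mRun: [Workshare3GW] c:\program files\workshare\modules\WPConfigAssistant.exe /userinit',
    r'mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background',
    r'LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUmljgE',
]

# Assumption: the only authentication package a stock Windows XP registers.
EXPECTED_LSA_PACKAGES = {"msv1_0"}

# The REG_MULTI_SZ literal from the post #8 script (REGEDIT4 format).
POST8_HEX7 = "hex(7):6d,73,76,31,5f,30,00,00"

EXE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd")
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def decode_reg_hex7(literal: str, utf16: bool = False) -> List[str]:
    """Decode a .reg 'hex(7):..' (REG_MULTI_SZ) literal into its strings.

    REGEDIT4 files store the bytes as ANSI; 'Windows Registry Editor
    Version 5.00' files store them as UTF-16LE, so pass utf16=True there.
    """
    m = re.fullmatch(r"\s*hex\(7\):([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)\s*", literal)
    if not m:
        raise ValueError("not a hex(7) literal: %r" % literal)
    raw = bytes(int(b, 16) for b in m.group(1).split(","))
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    # REG_MULTI_SZ is NUL-separated and ends with an extra NUL.
    return [s for s in text.split("\0") if s]


def parse_lsa_packages(line: str) -> List[str]:
    """Split a DDS 'LSA: Authentication Packages = ...' line into entries.
    Assumes entries contain no spaces, as in the log above."""
    m = re.match(r"LSA:\s*Authentication Packages\s*=\s*(.*)", line)
    return m.group(1).split() if m else []


def unexpected_lsa_packages(line: str) -> List[str]:
    """Entries LSASS would load at boot that are not the expected msv1_0."""
    return [p for p in parse_lsa_packages(line)
            if p.lower() not in EXPECTED_LSA_PACKAGES]


def split_run_command(cmd: str) -> Tuple[str, str, bool]:
    """Return (path, args, was_quoted) for the command text of a Run value.

    For an unquoted command the path is taken up to the first token ending in
    an executable suffix, or up to the first '/' or '-' switch; not knowing
    where the path ends is exactly why unquoted paths need review.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], "", True
        return cmd[1:end], cmd[end + 1:].strip(), True
    tokens = cmd.split()
    path_tokens: List[str] = []
    for t in tokens:
        if path_tokens and t.startswith(("/", "-")):
            break
        path_tokens.append(t)
        if t.lower().endswith(EXE_SUFFIXES):
            break
    n = len(path_tokens)
    return " ".join(path_tokens), " ".join(tokens[n:]), False


def reg_quoted_run_value(name: str, path: str, args: str = "") -> str:
    """Render a .reg (5.00 format) string value with the path quoted.
    Backslashes and quotes in the data are backslash-escaped, as in post #10."""
    cmd = '"%s"' % path + (" " + args if args else "")
    escaped = cmd.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"="%s"' % (name, escaped)


def audit_run_entries(lines) -> Dict[str, str]:
    """Map each Run value with an unquoted, space-containing path to a
    corrected .reg value line for review."""
    findings: Dict[str, str] = {}
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        path, args, quoted = split_run_command(m.group("cmd"))
        if not quoted and " " in path:
            findings[m.group("name")] = reg_quoted_run_value(m.group("name"), path, args)
    return findings


if __name__ == "__main__":
    print("post #8 script sets Authentication Packages to:", decode_reg_hex7(POST8_HEX7))
    for line in SAMPLE_DDS_LINES:
        extra = unexpected_lsa_packages(line)
        if extra:
            print("LSA entries beyond msv1_0:", extra)
    for name, fix in audit_run_entries(SAMPLE_DDS_LINES).items():
        print("unquoted Run path for %s; quoted form:\n  %s" % (name, fix))
```

Run it against a saved DDS.txt by replacing SAMPLE_DDS_LINES with the file's lines. A flagged Run value is a candidate for review, not proof of tampering (Workshare3GW above is flagged on the same grounds as BlackBerryAutoUpdate); the LSA check is the one to treat as urgent, since anything beyond msv1_0 there is loaded by LSASS with every boot.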

#11 H. W. Cole

H. W. Cole
  • Topic Starter

  • Members
  • 9 posts

Posted 03 February 2009 - 09:38 PM

That worked like a charm and everything seems to be working great! What's next?

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 February 2009 - 08:17 AM

Hello.

Unless there are any issues at the moment, we can wrap up.

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Remove ERUNT Backups
You should remove all the backups that ERUNT has made. Those backups may contain old registry keys, possibly those created by malware.

Delete everything under:
C:\WINDOWS\erdnt\

ERUNT will automatically remove backups older than 30 days, so there is no need to clear that folder manually in the future.

It is a good idea to have ERUNT installed, even when you are not infected. Tasks like installing programs and changing settings, which involve working with the registry, can cause problems that can be quickly undone by reverting to a backup. However, if you wish to uninstall the program, do so using Add/Remove Programs.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

Edited by PropagandaPanda, 04 February 2009 - 08:21 AM.


#13 H. W. Cole

H. W. Cole
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 04 February 2009 - 11:36 PM

Last thing - a window just popped up saying Symantec Anti-Virus AutoProtect is disabled even though I have it set to AutoProtect... other than that I've followed your last set of instructions and am beyond grateful for your help, thanks again.

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:47 PM

Posted 05 February 2009 - 08:13 AM

Hello.

Let's try this:

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like the one in the image (image not reproduced here).

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.
---
Reboot. Is that gone?

With Regards,
The Panda
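A dry-run reader for Regedit 5.00 scripts like the fix.reg above, added here as an example (it is not part of the thread and not a BleepingComputer or OldTimer tool): it lists what merging the file would change so a script can be reviewed before it is applied. The sample input is constructed from the post's fix.reg plus one made-up dword line; multi-line hex(...) data is not handled.

```python
import re

# Added example: dry-run interpreter for Regedit 5.00 .reg files. It reports each
# change merging would make (delete value, set value, delete key) without touching
# the registry. Multi-line hex(...) continuation data is not supported.
HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"\[(-?)([^\]]+)\]")
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')

def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing or unsupported .reg header")
    actions, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):        # blank lines and comments
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(2)
            if m.group(1):                           # [-KEY] deletes the whole key
                actions.append(("delete_key", key, None, None))
                key = None
            continue
        if key is None:
            raise ValueError(f"value line outside a key section: {line}")
        m = VALUE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparsable line: {line}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data == "-":                              # "Name"=- deletes the value
            actions.append(("delete_value", key, name, None))
        elif data.startswith("dword:"):
            actions.append(("set_dword", key, name, int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            actions.append(("set_string", key, name, data[1:-1]))
        else:
            actions.append(("set_other", key, name, data))
    return actions

# Constructed sample: the post's fix.reg plus one made-up dword line.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=dword:00000001
"""
```

Calling `parse_reg(SAMPLE)` returns one delete_value entry for AntiVirusOverride and one set_dword entry for the constructed FirewallOverride line.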

#15 H. W. Cole

H. W. Cole
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 05 February 2009 - 07:25 PM

Gone, thanks Panda. Everything seems to be working great, again many thanks.
