
hijackthis is not a valid win32...


46 replies to this topic

#1 delta6

  • Members
  • 29 posts

Posted 02 February 2009 - 04:28 PM

Hello. I tried to load a copy of Nero last week and ended up with a grip of trojans and malware. I ran Spybot and Ad-Aware in safe mode to cure everything but a fake-alert pop-up from the toolbar. Spybot runs OK in safe mode, requires a restart, restarts on its own, and SD runs at first, but then I get a BSOD before it completes the scan. I tried the same with Ad-Aware and get the same result. A lot of problems were fixed, such as a run-time issue upon shutdown, but now IE7 crashes upon start-up and Firefox acts up, such as not allowing Google Maps or MapQuest roads and satellite images to load. In fact I have to run in safe mode to write this log because the Bleeping forums reset the login as soon as I navigate. When I load HijackThis I get "not valid win32 application" and when I try to run Combo-Fix I get "c:\32788r22fwjfw\swreg.exe". Thanks in advance, Joel


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by user at 14:37:29.16 on Mon 02/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.238 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\windows\system32\zonelabs\avsys\scanningprocess.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\ctfmon.exe
c:\program files\mozilla firefox\firefox.exe
c:\documents and settings\user\desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://nbaxa265c.ccs.com/iNotes6W.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203433603400
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203433568470
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1213292055_3c237ef92ac36cfcb61f5728b1152e8b&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\jjtcusn5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - HiddenExtension: XUL Cache: {91E027AA-5499-4EE9-B00E-470FAD3D1150} - c:\documents and settings\user\local settings\application data\{91E027AA-5499-4EE9-B00E-470FAD3D1150}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 107272]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-8 353680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2002-4-1 96256]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-31 325128]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-31 27656]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-8 147984]
S1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-8-22 16384]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 298264]
S2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2007-11-8 35616]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\user\locals~1\temp\cdiskdun.sys --> c:\docume~1\user\locals~1\temp\cdiskdun.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2008-6-6 22136]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-8-22 69692]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\drivers\TNET1130x.sys [2008-7-11 385536]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2002-6-19 22568]

=============== Created Last 30 ================

2009-02-02 14:28 406,016 a------- c:\windows\system32\CF7358.exe
2009-02-02 13:46 4 a------- c:\windows\system32\srvblck.tmp
2009-02-02 13:46 406,016 a------- c:\windows\system32\CF31907.exe
2009-02-02 13:45 <DIR> --d----- C:\Combo-Fix
2009-02-02 13:33 0 a------- c:\windows\system32\61.tmp
2009-02-02 13:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-02 13:21 102,411 a------- c:\windows\system32\126_av.exe
2009-02-02 13:20 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 13:11 <DIR> --d----- c:\windows\system32\dtw5d
2009-02-02 13:11 <DIR> --d----- c:\windows\system32\cks
2009-02-02 13:07 <DIR> --d----- c:\windows\system32\UAs
2009-02-02 12:04 21,504 a------- c:\windows\system32\dllcache\powrprof.dll
2009-02-02 12:04 992,768 a------- c:\windows\system32\nwklr.ini
2009-02-02 12:04 984,576 a------- c:\windows\system32\korlg.ini
2009-02-02 12:04 850,944 a------- c:\windows\system32\nwwlnt.ini
2009-02-02 12:04 826,368 a------- c:\windows\system32\worlg.ini
2009-02-02 12:04 21,504 a------- c:\windows\system32\nwpp.ini
2009-02-02 12:04 17,408 a------- c:\windows\system32\pporlg.ini
2009-02-02 12:04 21,568 a------- c:\windows\system32\ldshyr.old
2009-02-02 11:50 1 a------- c:\windows\system32\uniq.tll
2009-02-02 03:36 0 a------- c:\windows\system32\13.tmp
2009-02-02 02:12 0 a------- c:\windows\system32\11.tmp
2009-02-02 01:29 0 a------- c:\windows\system32\E.tmp
2009-02-02 00:31 0 a------- c:\windows\system32\C.tmp
2009-02-01 23:38 142,848 a------- c:\windows\system32\ntdll64.exe
2009-02-01 23:08 43,520 -------- c:\windows\system32\frmwrk32.exe
2009-02-01 23:04 114,688 a------- c:\windows\system32\winlogon2.exe
2009-02-01 21:30 52,310 a------- c:\windows\system32\57.tmp
2009-02-01 18:18 0 a------- c:\windows\system32\73.tmp
2009-02-01 10:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-01 10:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-01 10:34 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-01 10:34 <DIR> --d----- c:\program files\Lavasoft
2009-01-31 22:56 26,112 a------- c:\windows\system32\60.tmp
2009-01-31 16:53 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-01-31 16:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 16:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 16:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 15:48 <DIR> --d----- c:\program files\IObit
2009-01-31 15:48 <DIR> --d----- c:\docume~1\user\applic~1\IObit
2009-01-31 10:17 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-31 09:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-31 09:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-31 09:21 43,520 a------- c:\windows\system32\303374.exe
2009-01-31 09:19 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 09:19 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-31 09:19 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-31 09:19 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-31 09:18 <DIR> --d----- c:\program files\AVG
2009-01-31 09:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-31 08:37 0 a------- c:\windows\system32\30.tmp
2009-01-31 08:36 <DIR> --d----- C:\4e663f683fad3a93df568d1bfd2d8c
2009-01-31 07:53 527 a------- c:\windows\system32\win32hlp.cnf
2009-01-31 07:52 142,848 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-31 07:52 1 a------- c:\windows\system32\test.ttt
2009-01-30 18:07 57,856 a------- c:\windows\system32\chert13-303374.exe
2009-01-30 18:05 134,656 a------- c:\windows\ukugedeyo.dll
2009-01-30 17:51 380,424 a------- C:\ldlmnpqk.exe
2009-01-30 17:51 37,376 a------- C:\urridkab.exe
2009-01-30 17:51 99,840 a------- C:\dnpqil.exe
2009-01-30 17:51 2 a------- C:\2025186937
2009-01-29 22:52 <DIR> --d----- c:\program files\Nero
2009-01-29 22:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-01-28 22:31 815,104 a------- c:\windows\system32\xvidcore.dll
2009-01-28 22:31 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-01-28 22:31 77,824 a------- c:\windows\system32\xvid.ax
2009-01-28 22:31 <DIR> --d----- c:\program files\Xvid
2009-01-18 19:06 <DIR> --d----- c:\program files\Yahoo!
2009-01-08 23:26 2,864 a------- C:\rollback.ini
2009-01-08 23:18 <DIR> --d----- c:\docume~1\user\applic~1\MailFrontier
2009-01-08 22:55 65,356,064 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-08 22:55 876,380 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-08 22:48 <DIR> --d----- c:\program files\Zone Labs
2009-01-08 22:47 <DIR> --d----- c:\windows\Internet Logs
2009-01-08 22:28 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-02-02 13:25 992,768 a------- c:\windows\system32\dllcache\kernel32.dll
2009-02-02 13:25 850,944 a------- c:\windows\system32\wininet.dll
2009-02-02 13:25 850,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-02 13:25 21,504 a------- c:\windows\system32\powrprof.dll
2009-01-31 07:52 142,848 a------- c:\windows\system32\userinit.exe
2009-01-30 17:52 0 a------- c:\windows\system32\drivers\Dot4Prt.sys
2009-01-28 17:59 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-23 17:32 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-12-23 10:46 34,056 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2008-11-29 13:30 43,520 a------- c:\windows\system32\CmdLineExt03.dll

============= FINISH: 14:38:53.69 ===============
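As an added example that is not part of this thread (and not a BleepingComputer or DDS tool), here is a small Python triage script for a DDS log in the format posted above: it splits the log into its sections and flags the kinds of entries a helper checks first, run over a trimmed excerpt of the log above. All heuristics (the watched directories, the system-binary names, the "bare executable" rule) are this example's own assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage helper for DDS logs like the one pasted in this thread.

Added example, not a BleepingComputer or DDS tool. It splits a DDS log into
sections and flags what a helper reviews first: extra Winlogon Userinit entries,
Run entries naming a bare executable (found via PATH search) or a system binary
name outside system32, restrictive policies, and fresh binaries dropped directly
in system32, the Windows root or the drive root. Every heuristic is an assumption
of this example; a hit means "review", not "malicious" (ThinkPad's tp4ex.exe hits).
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]?(?:Explorer)?Run(?:Once)?: \[(.+?)\] (.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (DisableTaskMgr|DisableRegistryTools)\b")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")
USERINIT_STD = r"c:\windows\system32\userinit.exe"
SYSTEM_NAMES = {"ntdll", "winlogon", "kernel32", "services", "svchost", "userinit", "lsass"}
WATCHED_DIRS = {r"c:\windows\system32", r"c:\windows", "c:"}

# Constructed sample: an excerpt of the DDS log posted above, trimmed to a few lines.
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [Framework Windows] frmwrk32.exe
mRun: [services] c:\windows\services.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
=============== Created Last 30 ================
2009-02-02 13:45 <DIR> --d----- C:\Combo-Fix
2009-02-02 13:21 102,411 a------- c:\windows\system32\126_av.exe
2009-02-01 23:38 142,848 a------- c:\windows\system32\ntdll64.exe
2009-02-01 23:04 114,688 a------- c:\windows\system32\winlogon2.exe
2009-02-01 10:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-30 18:05 134,656 a------- c:\windows\ukugedeyo.dll
2009-01-30 17:51 380,424 a------- C:\ldlmnpqk.exe
"""

def parse_sections(text):
    """Split a DDS log into {section title: [lines]}; any preamble goes under 'HEADER'."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line:
            sections[current].append(line)
    return sections

def first_exe(cmd):
    """Return the executable a Run command launches, looking past a rundll32 host."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if len(tokens) > 1 and tokens[0].lower() in ("rundll32", "rundll32.exe"):
        return tokens[1].split(",")[0]  # the DLL being loaded, not the host process
    return tokens[0] if tokens else ""

def flag_hjt(lines):
    """Flag autostart entries from the 'Pseudo HJT Report' section."""
    findings = []
    for line in lines:
        run, policy = RUN_RE.match(line), POLICY_RE.match(line)
        if line.lower().startswith("mwinlogon: userinit="):
            # Anything listed beyond the stock userinit.exe runs at every logon.
            for entry in line.split("=", 1)[1].lower().split(","):
                if entry.strip() and entry.strip() != USERINIT_STD:
                    findings.append(("userinit-extra", entry.strip()))
        elif policy:
            findings.append(("policy", policy.group(1)))
        elif run:
            name, exe = run.group(1), first_exe(run.group(2)).lower()
            directory, _, filename = exe.rpartition("\\")
            if not directory:
                findings.append(("bare-run", f"{name}: {exe}"))
            elif directory != r"c:\windows\system32" and filename.split(".")[0] in SYSTEM_NAMES:
                findings.append(("system-name-misplaced", f"{name}: {exe}"))
    return findings

def flag_created(lines):
    """Flag binaries from 'Created Last 30' that landed directly in a watched directory."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m.group(1).lower()
        directory, _, filename = path.rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        if ext not in ("exe", "dll", "sys") or directory not in WATCHED_DIRS:
            continue
        lookalike = any(stem.startswith(n) and stem != n for n in SYSTEM_NAMES)
        findings.append(("lookalike" if lookalike else "new-binary", path))
    return findings

def triage(text):
    """Run both checks over a whole DDS log; returns findings keyed by section."""
    sections = parse_sections(text)
    return {"hjt": flag_hjt(sections.get("Pseudo HJT Report", [])),
            "created": flag_created(sections.get("Created Last 30", []))}
```

Calling `triage(SAMPLE_LOG)` surfaces the extra Userinit entry, the two bare Run entries, the services.exe outside system32, the DisableTaskMgr policy, and the fresh binaries in system32 and the drive root, while ignoring the Combo-Fix folder and the driver under drivers\.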

#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 02 February 2009 - 04:51 PM

Hello delta6

Welcome to Bleeping Computer.
======================
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either AVG or ZoneAlarm Security Suite Antivirus.
============================================================
Download this program:

submit files packer

Highlight the files listed below, then right-click and select Copy.

C:\ldlmnpqk.exe
C:\urridkab.exe
C:\dnpqil.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab

Then Click Here to upload the file please.
==============================
Download GMER from Here:
Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 delta6

  • Topic Starter
  • Members
  • 29 posts

Posted 02 February 2009 - 05:57 PM

Ok thanks kahdah, I will give this a shot. BTW 311's best album fer sher

#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 02 February 2009 - 07:46 PM

No problem, I like From Chaos too. :thumbup2:

Edited by kahdah, 02 February 2009 - 07:47 PM.


#5 delta6

  • Topic Starter
  • Members
  • 29 posts

Posted 02 February 2009 - 09:30 PM

Change your logo then silly, that's the "blue album" :thumbup2: So, I can download but not unpack, I get: "sfp is not a valid win32 application". I added a hyphen in the file name like combo-fix and still unable to open.

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 02 February 2009 - 10:08 PM

No I meant I like both albums.

Either way please manually upload those files then:
I will need you to show hidden files/folders so we can find one of the files.
To Set:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
Now: using Windows Explorer (to get there right-click your Start button and go to "Explore")
Then navigate to these locations and upload the following files.

C:\ldlmnpqk.exe
C:\urridkab.exe
C:\dnpqil.exe
c:\windows\system32\303374.exe

Click Here to upload the files please.
================
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\srvblck.tmp
    c:\windows\system32\61.tmp
    c:\windows\system32\126_av.exe
    c:\windows\system32\dtw5d
    c:\windows\system32\cks
    c:\windows\system32\UAs
    C:\windows\system32\nwklr.ini
    c:\windows\system32\korlg.ini
    c:\windows\system32\nwwlnt.ini
    c:\windows\system32\worlg.ini
    c:\windows\system32\nwpp.ini
    c:\windows\system32\pporlg.ini
    c:\windows\system32\ldshyr.old
    c:\windows\system32\uniq.tll
    c:\windows\system32\13.tmp
    c:\windows\system32\11.tmp
    c:\windows\system32\E.tmp
    c:\windows\system32\C.tmp
    c:\windows\system32\ntdll64.exe
    c:\windows\system32\frmwrk32.exe
    c:\windows\system32\winlogon2.exe
    c:\windows\system32\57.tmp
    c:\windows\system32\73.tmp
    c:\windows\system32\303374.exe
    c:\windows\system32\30.tmp
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\test.ttt
    c:\windows\system32\chert13-303374.exe
    c:\windows\ukugedeyo.dll
    C:\ldlmnpqk.exe
    C:\urridkab.exe
    C:\dnpqil.exe
    C:\2025186937
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:
  • OTMoveIt log
  • Malwarebytes log
  • New DDS log


#7 delta6

  • Topic Starter
  • Members
  • 29 posts

Posted 03 February 2009 - 11:37 AM

Ok, I thought you were trying to trick me... will try this procedure as soon as I get back to the house. Again, thanks for your help, I really appreciate it.

#8 delta6

  • Topic Starter
  • Members
  • 29 posts

Posted 04 February 2009 - 11:37 AM

Ok, completed all above tasks. MBytes had to run several times but finally removed all. Logs were generated in DDS, MBytes and OTMoveIt, but now I have a connectivity issue that I'm not sure is related. I am running a T40 ThinkPad and the internal adapter will not respond now. Tried an outboard adapter but it will not load drivers. Is this related? I can copy logs to a flash drive and send from work if you like. Thanks!

#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 04 February 2009 - 01:23 PM

From another computer download the following to a flash drive then do the following:

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of ntdll64.dll.
  • Select every instance of ntdll64.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
=====
Post the other logs and did you ever upload the files I requested?

Edited by kahdah, 04 February 2009 - 01:26 PM.


#10 delta6

  • Topic Starter
  • Members
  • 29 posts

Posted 04 February 2009 - 09:24 PM

Ok, LSPFix has the same "win32 error". I'm on another machine now uploading logs from a flash drive. Here are the logs you requested:


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by user at 19:50:16.51 on Tue 02/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.349 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\documents and settings\user\desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [services] c:\windows\services.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [services] c:\windows\services.exe
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1
dPolicies-system: DisableRegistryTools = 1
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://nbaxa265c.ccs.com/iNotes6W.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203433603400
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203433568470
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1213292055_3c237ef92ac36cfcb61f5728b1152e8b&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\jjtcusn5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - HiddenExtension: XUL Cache: {91E027AA-5499-4EE9-B00E-470FAD3D1150} - c:\documents and settings\user\local settings\application data\{91E027AA-5499-4EE9-B00E-470FAD3D1150}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R0 zadawvot;zadawvot;c:\windows\system32\drivers\zadawvot.sys [2009-2-3 33920]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 107272]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2002-4-1 96256]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-31 325128]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-31 27656]
S1 ethlkubd;ethlkubd;c:\windows\system32\drivers\ethlkubd.sys [2009-2-2 138496]
S1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-8-22 16384]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 298264]
S2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2007-11-8 35616]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\user\locals~1\temp\cdiskdun.sys --> c:\docume~1\user\locals~1\temp\cdiskdun.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2008-6-6 22136]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-8-22 69692]
S3 jznbsbmu;jznbsbmu;\??\c:\windows\system32\drivers\jznbsbmu.sys --> c:\windows\system32\drivers\jznbsbmu.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\drivers\TNET1130x.sys [2008-7-11 385536]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2002-6-19 22568]

=============== Created Last 30 ================

2009-02-03 19:36 <DIR> --d----- c:\windows\system32\cks
2009-02-03 19:29 4 a------- c:\windows\system32\srvblck.tmp
2009-02-03 19:29 <DIR> --d----- c:\windows\system32\UAs
2009-02-03 19:29 <DIR> --d----- c:\windows\system32\dtw5d
2009-02-03 19:26 29,184 a---h--- c:\documents and settings\user\bhcl.exe
2009-02-03 19:19 29,184 a---h--- c:\documents and settings\user\jen.exe
2009-02-03 19:02 <DIR> --d----- C:\_OTMoveIt
2009-02-03 18:55 29,184 a---h--- c:\documents and settings\user\ydx.exe
2009-02-03 18:48 33,920 a------- c:\windows\system32\drivers\zadawvot.sys
2009-02-03 17:42 29,184 a---h--- c:\documents and settings\user\iqcj.exe
2009-02-03 17:40 29,184 a---h--- c:\documents and settings\user\cupds.exe
2009-02-03 17:40 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-03 17:33 12,892 a------- c:\windows\system32\17.tmp
2009-02-03 17:31 0 a------- c:\windows\system32\16.tmp
2009-02-03 15:43 0 a------- c:\windows\system32\10.tmp
2009-02-03 15:20 75,782 a------- c:\windows\system32\xp-dc-av.exe
2009-02-03 10:52 0 a------- c:\windows\system32\14.tmp
2009-02-03 01:07 63,488 a------- c:\windows\system32\conf.exe
2009-02-03 00:59 63,488 a------- c:\windows\system32\objcopy.exe
2009-02-03 00:59 61,440 a------- c:\windows\system32\12.tmp
2009-02-03 00:59 63,488 a------- c:\windows\system32\vnetlib.exe
2009-02-02 21:00 63,488 a------- c:\windows\system32\umdh.exe
2009-02-02 21:00 63,488 a------- c:\windows\system32\navw32.exe
2009-02-02 20:12 63,488 a------- c:\windows\system32\luinit.exe
2009-02-02 19:42 63,488 a------- c:\windows\system32\ia64kd.exe
2009-02-02 19:27 63,488 a------- c:\windows\system32\lsetup.exe
2009-02-02 19:27 61,440 a------- c:\windows\system32\63.tmp
2009-02-02 18:14 63,488 a------- c:\windows\system32\wabmig.exe
2009-02-02 18:10 138,496 a------- c:\windows\system32\drivers\ethlkubd.sys
2009-02-02 18:06 5 a------- c:\windows\_id.dat
2009-02-02 18:05 130 a------- c:\windows\adobe.bat
2009-02-02 18:05 63,488 a------- c:\windows\system32\symchk.exe
2009-02-02 17:22 118,010 a------- c:\windows\system32\59.tmp
2009-02-02 17:21 63,488 a------- c:\windows\system32\i386kd.exe
2009-02-02 17:21 61,440 a------- c:\windows\system32\56.tmp
2009-02-02 15:13 406,016 a------- c:\windows\system32\CF16130.exe
2009-02-02 14:28 406,016 a------- c:\windows\system32\CF7358.exe
2009-02-02 13:46 406,016 a------- c:\windows\system32\CF31907.exe
2009-02-02 13:45 <DIR> --d----- C:\Combo-Fix
2009-02-02 13:20 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 12:04 21,504 a------- c:\windows\system32\dllcache\powrprof.dll
2009-02-01 23:04 <DIR> --d----- c:\windows\system32\twain32
2009-02-01 10:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-01 10:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-01 10:34 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-01 10:34 <DIR> --d----- c:\program files\Lavasoft
2009-01-31 22:56 26,112 a------- c:\windows\system32\60.tmp
2009-01-31 16:53 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-01-31 16:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 16:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 16:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 15:48 <DIR> --d----- c:\program files\IObit
2009-01-31 15:48 <DIR> --d----- c:\docume~1\user\applic~1\IObit
2009-01-31 10:17 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-31 09:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-31 09:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-31 09:19 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 09:19 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-31 09:19 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-31 09:19 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-31 09:18 <DIR> --d----- c:\program files\AVG
2009-01-31 09:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-31 08:36 <DIR> --d----- C:\4e663f683fad3a93df568d1bfd2d8c
2009-01-31 07:52 142,848 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-29 22:52 <DIR> --d----- c:\program files\Nero
2009-01-29 22:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-01-28 22:31 815,104 a------- c:\windows\system32\xvidcore.dll
2009-01-28 22:31 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-01-28 22:31 77,824 a------- c:\windows\system32\xvid.ax
2009-01-28 22:31 <DIR> --d----- c:\program files\Xvid
2009-01-18 19:06 <DIR> --d----- c:\program files\Yahoo!
2009-01-08 23:26 2,864 a------- C:\rollback.ini
2009-01-08 22:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-08 22:48 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-01-08 22:47 <DIR> --d----- c:\windows\Internet Logs
2009-01-08 22:28 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-02-02 13:25 992,768 a------- c:\windows\system32\dllcache\kernel32.dll
2009-02-02 13:25 850,944 a------- c:\windows\system32\wininet.dll
2009-02-02 13:25 850,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-02 13:25 21,504 a------- c:\windows\system32\powrprof.dll
2009-01-31 07:52 142,848 a------- c:\windows\system32\userinit.exe
2009-01-30 17:52 0 a------- c:\windows\system32\drivers\Dot4Prt.sys
2008-12-23 17:32 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-12-23 10:46 34,056 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2008-11-29 13:30 43,520 a------- c:\windows\system32\CmdLineExt03.dll

============= FINISH: 19:50:46.62 ===============



========== FILES ==========
c:\windows\system32\srvblck.tmp moved successfully.
File/Folder c:\windows\system32\61.tmp not found.
File/Folder c:\windows\system32\126_av.exe not found.
Folder move failed. c:\windows\system32\dtw5d scheduled to be moved on reboot.
c:\windows\system32\cks moved successfully.
c:\windows\system32\UAs moved successfully.
File/Folder C:\windows\system32\nwklr.ini not found.
File/Folder c:\windows\system32\korlg.ini not found.
File/Folder c:\windows\system32\nwwlnt.ini not found.
File/Folder c:\windows\system32\worlg.ini not found.
File/Folder c:\windows\system32\nwpp.ini not found.
File/Folder c:\windows\system32\pporlg.ini not found.
File/Folder c:\windows\system32\ldshyr.old not found.
File/Folder c:\windows\system32\uniq.tll not found.
File/Folder c:\windows\system32\13.tmp not found.
File/Folder c:\windows\system32\11.tmp not found.
File/Folder c:\windows\system32\E.tmp not found.
File/Folder c:\windows\system32\C.tmp not found.
File/Folder c:\windows\system32\ntdll64.exe not found.
File/Folder c:\windows\system32\frmwrk32.exe not found.
File/Folder c:\windows\system32\winlogon2.exe not found.
File/Folder c:\windows\system32\57.tmp not found.
File/Folder c:\windows\system32\73.tmp not found.
File/Folder c:\windows\system32\303374.exe not found.
File/Folder c:\windows\system32\30.tmp not found.
File/Folder c:\windows\system32\win32hlp.cnf not found.
File/Folder c:\windows\system32\test.ttt not found.
File/Folder c:\windows\system32\chert13-303374.exe not found.
File/Folder c:\windows\ukugedeyo.dll not found.
File/Folder C:\ldlmnpqk.exe not found.
File/Folder C:\urridkab.exe not found.
File/Folder C:\dnpqil.exe not found.
File/Folder C:\2025186937 not found.
File/Folder :commands not found.
File/Folder [emptytemp] not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02042009_193258

Files moved on Reboot...
c:\windows\system32\dtw5d moved successfully.



Malwarebytes' Anti-Malware 1.33
Database version: 1723
Windows 5.1.2600 Service Pack 2

2/3/2009 9:06:20 PM
mbam-log-2009-02-03 (21-06-20).txt

Scan type: Quick Scan
Objects scanned: 54569
Time elapsed: 13 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\ndisio.sys (Backdoor.Bot) -> Delete on reboot.


Joel

#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:30 AM

Posted 04 February 2009 - 10:13 PM

What type of error do you get when trying to connect to the internet?
Go to Start, Run, type in cmd, then hit OK.
Then at the Command Prompt type in ipconfig and hit Enter.
After that, please post the numbers you get in your next post.
=======================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#12 delta6

delta6
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 04 February 2009 - 10:49 PM

Ipconfig in DOS replies: "Windows IP configuration". No IP address, local or otherwise. No further info. All network adapters inside Device Manager are yellow "!". I downloaded and saved CFix as combo-fix; it opens and AVG replies "threat detected": C:\docs\user\local\temp\58. tmp \b2e.dll. Trojan horse Back Door.SmallX.VX detected on open. Process name: c:\32788r22fwjfw\prep.com. Process id: 3816

Unable to heal or move to vault. "prep.com needs to close".


***Wait, my bad: I ran an old copy of combo-fix. This time I am running it from your link now. It advised me to disengage AVG. OK, I did; a blue-background command prompt opens.

***OK, running auto scan now

Edited by delta6, 04 February 2009 - 11:02 PM.


#13 delta6

delta6
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 04 February 2009 - 11:40 PM

OK, here is the log from ComboFix:

ComboFix 09-02-04.01 - user 2009-02-04 22:01:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.125 [GMT -6:00]
Running from: c:\documents and settings\user\desktop\repair\coolmbo-fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cks
c:\windows\system32\ppdnp.ini
c:\windows\system32\UAs
c:\windows\system32\UAs\AAWService_UAs001.dat
c:\windows\system32\UAs\msfeedssync_UAs001.dat
c:\windows\system32\UAs\wgatray_UAs001.dat
c:\windows\system32\windmlp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 22:07 . 2009-02-04 22:25 <DIR> d-------- c:\windows\system32\UAs
2009-02-04 18:40 . 2007-12-10 14:21 20,480 --a------ c:\windows\system32\drivers\PcdrNdisuio.sys
2009-02-04 17:26 . 2002-06-06 14:46 348,672 --------- c:\windows\system32\IMWEBRES.dll
2009-02-04 17:26 . 2002-05-31 14:30 300,116 --------- c:\windows\system32\IMWEBCFG.cpl
2009-02-04 17:26 . 2002-06-24 11:14 218,624 --------- c:\windows\system32\imweb.exe
2009-02-04 17:26 . 2002-05-29 13:28 215,552 --------- c:\windows\system32\IMWEBSTA.exe
2009-02-04 17:26 . 2002-05-29 13:18 77,312 --------- c:\windows\system32\IMWEBIOC.dll
2009-02-04 17:26 . 2002-06-06 13:33 52,736 --------- c:\windows\system32\drivers\IMWEBN51.sys
2009-02-03 19:26 . 2009-02-03 19:26 29,184 --ah----- c:\documents and settings\user\bhcl.exe
2009-02-03 19:19 . 2009-02-03 19:19 29,184 --ah----- c:\documents and settings\user\jen.exe
2009-02-03 19:02 . 2009-02-03 19:02 <DIR> d-------- C:\_OTMoveIt
2009-02-03 18:55 . 2009-02-03 18:55 29,184 --ah----- c:\documents and settings\user\ydx.exe
2009-02-03 17:42 . 2009-02-03 17:42 29,184 --ah----- c:\documents and settings\user\iqcj.exe
2009-02-03 17:40 . 2009-02-03 19:26 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-03 17:40 . 2009-02-03 17:40 29,184 --ah----- c:\documents and settings\user\cupds.exe
2009-02-03 17:33 . 2009-02-03 17:33 12,892 --a------ c:\windows\system32\17.tmp
2009-02-03 17:31 . 2009-02-03 17:31 0 --a------ c:\windows\system32\16.tmp
2009-02-03 15:43 . 2009-02-03 15:43 0 --a------ c:\windows\system32\10.tmp
2009-02-03 15:20 . 2009-02-03 15:21 75,782 --a------ c:\windows\system32\xp-dc-av.exe
2009-02-03 10:52 . 2009-02-03 10:52 0 --a------ c:\windows\system32\14.tmp
2009-02-03 01:07 . 2009-02-03 01:07 63,488 --a------ c:\windows\system32\conf.exe
2009-02-03 00:59 . 2009-02-03 00:59 63,488 --a------ c:\windows\system32\objcopy.exe
2009-02-03 00:59 . 2009-02-03 00:59 61,440 --a------ c:\windows\system32\12.tmp
2009-02-02 21:00 . 2009-02-02 21:00 63,488 --a------ c:\windows\system32\umdh.exe
2009-02-02 21:00 . 2009-02-02 21:00 63,488 --a------ c:\windows\system32\navw32.exe
2009-02-02 19:42 . 2009-02-02 19:42 63,488 --a------ c:\windows\system32\ia64kd.exe
2009-02-02 19:27 . 2009-02-02 19:27 63,488 --a------ c:\windows\system32\lsetup.exe
2009-02-02 19:27 . 2009-02-02 19:27 61,440 --a------ c:\windows\system32\63.tmp
2009-02-02 18:06 . 2009-02-02 18:08 5 --a------ c:\windows\_id.dat
2009-02-02 18:05 . 2009-02-02 18:05 63,488 --a------ c:\windows\system32\symchk.exe
2009-02-02 18:05 . 2009-02-03 19:40 130 --a------ c:\windows\adobe.bat
2009-02-02 17:22 . 2009-02-02 17:22 118,010 --a------ c:\windows\system32\59.tmp
2009-02-02 17:21 . 2009-02-02 17:21 61,440 --a------ c:\windows\system32\56.tmp
2009-02-02 13:45 . 2009-02-02 13:45 <DIR> d-------- C:\Combo-Fix
2009-02-02 13:20 . 2009-02-02 13:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 12:04 . 2009-02-02 13:25 21,504 --a------ c:\windows\system32\dllcache\powrprof.dll
2009-02-01 23:04 . 2009-02-02 18:02 <DIR> d-------- c:\windows\system32\twain32
2009-02-01 15:00 . 2009-02-01 15:00 0 --a------ c:\windows\nsreg.dat
2009-02-01 10:56 . 2009-02-01 10:36 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-01 10:37 . 2009-02-01 10:36 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-01 10:34 . 2009-02-01 10:34 <DIR> d-------- c:\program files\Lavasoft
2009-02-01 10:34 . 2009-02-01 10:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-01 10:34 . 2009-02-01 10:34 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 22:56 . 2009-01-31 22:56 26,112 --a------ c:\windows\system32\60.tmp
2009-01-31 16:53 . 2009-01-31 16:53 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-31 16:53 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 16:53 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 16:52 . 2009-01-31 16:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 16:52 . 2009-01-31 16:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 15:48 . 2009-01-31 15:48 <DIR> d-------- c:\program files\IObit
2009-01-31 15:48 . 2009-01-31 15:48 <DIR> d-------- c:\documents and settings\user\Application Data\IObit
2009-01-31 10:17 . 2009-02-04 21:47 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-31 09:34 . 2009-01-31 09:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-31 09:34 . 2009-01-31 09:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 09:19 . 2009-02-03 10:22 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-31 09:19 . 2009-01-31 09:19 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-31 09:19 . 2009-01-31 09:19 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-31 09:19 . 2009-01-31 09:19 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-31 09:18 . 2009-01-31 09:18 <DIR> d-------- c:\program files\AVG
2009-01-31 09:18 . 2009-01-31 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-31 08:36 . 2009-01-31 08:36 <DIR> d-------- C:\4e663f683fad3a93df568d1bfd2d8c
2009-01-31 07:52 . 2009-01-31 07:52 142,848 --a------ c:\windows\system32\dllcache\userinit.exe
2009-01-30 05:02 . 2009-01-30 05:08 <DIR> d-------- c:\documents and settings\user\Application Data\Nero
2009-01-29 22:52 . 2009-01-29 23:28 <DIR> d-------- c:\program files\Nero
2009-01-29 22:50 . 2009-01-31 08:12 <DIR> d-------- c:\program files\Common Files\Nero
2009-01-29 22:50 . 2009-01-31 08:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-01-28 22:31 . 2009-01-28 22:31 <DIR> d-------- c:\program files\Xvid
2009-01-28 22:31 . 2008-12-04 21:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2009-01-28 22:31 . 2008-12-04 21:46 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-01-28 22:31 . 2008-12-13 20:01 77,824 --a------ c:\windows\system32\xvid.ax
2009-01-18 19:06 . 2009-01-18 19:06 <DIR> d-------- c:\program files\Yahoo!
2009-01-18 19:06 . 2009-01-18 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-08 23:26 . 2009-01-09 20:22 2,864 --a------ C:\rollback.ini
2009-01-08 22:49 . 2009-01-11 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2009-01-08 22:48 . 2009-02-02 17:18 <DIR> d-------- c:\windows\system32\ZoneLabs
2009-01-08 22:48 . 2009-01-28 17:59 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-08 22:47 . 2009-02-02 17:18 <DIR> d-------- c:\windows\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 03:54 --------- d-----w c:\documents and settings\user\Application Data\U3
2009-02-04 23:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 02:43 --------- d-----w c:\program files\PeerGuardian2
2009-01-30 23:52 0 ----a-w c:\windows\system32\drivers\Dot4Prt.sys
2009-01-30 04:25 --------- d-----w c:\documents and settings\user\Application Data\uTorrent
2009-01-21 04:33 --------- d-----w c:\program files\Common Files\Ahead
2009-01-21 04:33 --------- d-----w c:\program files\Ahead
2009-01-09 04:39 --------- d-----w c:\program files\PCDR5
2009-01-09 04:21 --------- d-----w c:\program files\OpenOffice.org 2.1
2009-01-09 04:19 --------- d-----w c:\documents and settings\user\Application Data\Atari
2009-01-09 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-12-31 10:31 --------- d-----w c:\program files\uTorrent
2008-12-23 23:32 21,035 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-12-23 23:32 --------- d-----w c:\program files\NETGEAR
2008-12-23 16:46 34,056 ----a-w c:\documents and settings\user\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 532480]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-05 114688]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 40960]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 258048]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1409024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 364544]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-08 61440]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 884736]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 106496]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2007-11-08 92960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-01 509784]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]

c:\documents and settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-08-23 273408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-06-03 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 09:19 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\zadawvot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 08:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
--a------ 2002-02-09 14:48 903680 c:\windows\system32\LXSUPMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2009-01-08 19:38 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 21:37 434176 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 20:42 53248 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 02:28 144784 c:\program files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-06-27 09:53 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-01 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-31 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-31 107272]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-08-22 16384]
R2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\tp4servinst.exe [2007-11-08 35616]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2002-04-01 88064]
S0 zadawvot;zadawvot;c:\windows\system32\Drivers\zadawvot.sys --> c:\windows\system32\Drivers\zadawvot.sys [?]
S1 ethlkubd;ethlkubd;c:\windows\system32\drivers\ethlkubd.sys --> c:\windows\system32\drivers\ethlkubd.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\user\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\user\LOCALS~1\Temp\cdiskdun.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2008-06-06 22136]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-08-22 69692]
S3 jznbsbmu;jznbsbmu;\??\c:\windows\System32\Drivers\jznbsbmu.sys --> c:\windows\System32\Drivers\jznbsbmu.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\drivers\TNET1130x.sys [2008-07-11 385536]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2002-06-19 22568]
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-01 10:36]

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57]

2006-08-22 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 02:38]

2009-02-05 c:\windows\Tasks\User_Feed_Synchronization-{4E33733D-AC48-44FC-9AB2-49600749DC27}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-Qtemubomurediq - c:\windows\Qhavozofaneyafi.dll
MSConfigStartUp-Ucumeposucef - c:\windows\ukugedeyo.dll


.
------- Supplementary Scan -------
.
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jjtcusn5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 22:25:43
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Cisco Systems\SSL VPN Client\Agent.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-04 22:28:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 04:28:25

Pre-Run: 13,124,509,696 bytes free
Post-Run: 13,073,227,776 bytes free

274 --- E O F --- 2008-06-12 14:56:02



Joel

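As an added example (not from the thread, ComboFix or any of the tools named in it), here is a small Python triage over the R/S driver lines of the log above. It parses each line into start type, service name, display name and image path, then flags entries that combine an eight-letter random-looking name with no vendor description or a missing image file, or that load from a Temp folder; the sample lines are copied from the log, the heuristics are mine. On this input it flags the three drivers that kahdah's CFScript removes below, plus ethlkubd, which shows the same traits, and leaves RTLWUSB alone even though its file is also missing.

```python
import re
from dataclasses import dataclass

# Sample input: service/driver lines in ComboFix's "R/S" format, copied from the log above.
SAMPLE_LOG = r"""
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2002-04-01 88064]
S0 zadawvot;zadawvot;c:\windows\system32\Drivers\zadawvot.sys --> c:\windows\system32\Drivers\zadawvot.sys [?]
S1 ethlkubd;ethlkubd;c:\windows\system32\drivers\ethlkubd.sys --> c:\windows\system32\drivers\ethlkubd.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 298264]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\user\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\user\LOCALS~1\Temp\cdiskdun.sys [?]
S3 jznbsbmu;jznbsbmu;\??\c:\windows\System32\Drivers\jznbsbmu.sys --> c:\windows\System32\Drivers\jznbsbmu.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2002-06-19 22568]
"""

# Layout: "<R|S><start type> <service>;<display name>;<image path>[ --> <path>] [<date size> | ?]"
LINE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TAIL_RE = re.compile(r"^(?P<path>.*?)(?: --> .*?)? \[(?P<tail>[^\]]*)\]$")

@dataclass
class Entry:
    start: str
    name: str
    display: str
    path: str
    file_missing: bool  # ComboFix prints "[?]" when it cannot find the image file on disk

def parse(log: str) -> list:
    """Turn R/S lines into Entry objects; lines in any other format are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = TAIL_RE.match(m["rest"])
        path, tail = (t["path"], t["tail"]) if t else (m["rest"], "")
        entries.append(Entry(m["start"], m["name"], m["display"], path, tail == "?"))
    return entries

def triage(log: str) -> dict:
    """Return {service name: [reasons]} for drivers that look dropped rather than installed."""
    flagged = {}
    for e in parse(log):
        random_name = re.fullmatch(r"[a-z]{8}", e.name) is not None  # heuristic, my assumption
        temp_path = "\\temp\\" in e.path.lower()
        reasons = []
        if random_name:
            reasons.append("eight random-looking lowercase letters")
        if e.display == e.name:
            reasons.append("no vendor description")
        if temp_path:
            reasons.append("image lives in a Temp folder")
        if e.file_missing:
            reasons.append("image not found on disk")
        # A missing or undescribed file alone is weak evidence (a real vendor driver whose
        # .sys is simply absent also prints "[?]"), so require a random-style name or a Temp path.
        if temp_path or (random_name and (e.display == e.name or e.file_missing)):
            flagged[e.name] = reasons
    return flagged
```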
#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:30 AM

Posted 05 February 2009 - 08:54 AM

For now let's get rid of the malware, and then we will go from there about the system issues.
=============
1. Please open Notepad
  • Click Start , then Run
  • Type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
zadawvot
cdiskdun
jznbsbmu

File::
c:\documents and settings\user\bhcl.exe
C:\documents and settings\user\jen.exe
c:\documents and settings\user\ydx.exe
c:\documents and settings\user\iqcj.exe
c:\windows\system32\17.tmp
c:\windows\system32\16.tmp
c:\windows\system32\10.tmp
c:\windows\system32\12.tmp
c:\windows\system32\63.tmp
C:\windows\system32\59.tmp
c:\windows\system32\56.tmp
c:\windows\system32\60.tmp
c:\windows\system32\Drivers\zadawvot.sys
c:\windows\System32\Drivers\jznbsbmu.sys

Folder::
c:\windows\system32\UAs

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\zadawvot.sys]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by kahdah, 05 February 2009 - 08:54 AM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#15 delta6

delta6
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 05 February 2009 - 06:59 PM

Hi, when I copy the text into Combo-Fix, the app begins to run, then several windows of "c:\32788r22fwjfw\swreg.exe not a valid win32..." appear. Then after closing those windows, another pops up and indicates that Combofix cannot be renamed. So I delete and download again from your link, but same result. I ran in safe mode with same result.

Joel



