
av2009 trojan


  • This topic is locked
30 replies to this topic

#1 wolfchiro1

wolfchiro1

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:21 AM

Posted 11 February 2009 - 06:03 PM

I have av2009 on a laptop and can't install Malwarebytes. I was able to run sbrescue and identify the _c00d4c15.dat and winctrl32.dll and their trojan names (Trojan.Crypt.ZPACK.Gen and Trojan.Win32.Pandex.gen <v>). I am able to run all other programs on the laptop; unfortunately, it is our main computer at our office. It has patient files and all confidential information on it. I haven't hooked up the internet to it for a while, but it does go to certain sites, but no malware removal sites. I can't delete the files in safe mode. Also, when I start up I get an error message:
Error loading C:\WINDOWS\system32\ymsyggyp.dll
The specified module could not be found.

DDS (Ver_09-02-01.01) - NTFSx86
Run by David Wolf at 15:46:34.46 on Wed 02/11/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.661 [GMT -6:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\windows\pp1.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svschost.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\WINDOWS\system32\sv˝shost.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\David Wolf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Microsoft Internet Explorer provided by CenturyTel
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
mDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\david wolf\wpqjxy.exe \s
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Bonjour: {9999a076-a9e2-4c99-8a2b-632fc9429223} - c:\program files\bonjour\ExplorerPlugin.dll
uRun: [Uniblue SpeedUpMyPC]
uRun: [A00F467EFB5.exe] c:\docume~1\davidw~1\locals~1\temp\_A00F467EFB5.exe
uRun: [svschost.exe] c:\windows\system32\svschost.exe -check
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [pp] c:\windows\pp1.exe
mRun: [NvSvc] c:\windows\system32\nvsvc32.exe
mRun: [4d4b72c7] rundll32.exe "c:\windows\system32\ymsyggyp.dll",b
mRun: [Avaxivepa] rundll32.exe "c:\windows\Churuyipid.dll",e
mRun: [Ivulogi] rundll32.exe "c:\windows\amawukuwupomu.dll",e
dRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
uExplorerRun: [services] c:\windows\services.exe
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\risk\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\risk\images\armhelper.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dse-inc.webex.com/client/T26L/webex/ieatgpc.cab
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {5FC2D414-F6C3-4AF1-B9DA-A352F184B749} = 85.255.112.39,85.255.112.40
TCP: {C6E7D6E6-BD17-47EC-BCCD-4BDBB7786987} = 85.255.112.39,85.255.112.40
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: crypt - crypts.dll
Notify: rqRKDVPI - rqRKDVPI.dll
Notify: WinCtrl32 - WinCtrl32.dll
Notify: __c002BE04 - c:\windows\system32\__c002BE04.dat
Notify: __c00377AA - c:\windows\system32\__c00377AA.dat
Notify: __c00452A4 - c:\windows\system32\__c00452A4.dat
Notify: __c005F7FF - c:\windows\system32\__c005F7FF.dat
Notify: __c00700F1 - c:\windows\system32\__c00700F1.dat
Notify: __c009C6F8 - c:\windows\system32\__c009C6F8.dat
Notify: __c00B25EC - c:\windows\system32\__c00B25EC.dat
Notify: __c00B308 - c:\windows\system32\__c00B308.dat
Notify: __c00CA91E - c:\windows\system32\__c00CA91E.dat
Notify: __c00D4C15 - c:\windows\system32\__c00D4C15.dat
Notify: __c00D6C0 - c:\windows\system32\__c00D6C0.dat
Notify: __c00D6C44 - c:\windows\system32\__c00D6C44.dat
Notify: __c00E42C4 - c:\windows\system32\__c00E42C4.dat
Notify: __c00E8261 - c:\windows\system32\__c00E8261.dat
Notify: __c00F6A16 - c:\windows\system32\__c00F6A16.dat
AppInit_DLLs: wjuxxp.dll xktjxk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdBuUK

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-31 28544]
R0 Winjs08;Winjs08;c:\windows\system32\drivers\Winjs08.sys [2004-8-4 31616]
R0 wpbbooqp;wpbbooqp;c:\windows\system32\drivers\wpbbooqp.sys [2009-2-3 33920]
R1 nfr.sys;nfr.sys;c:\windows\system32\drivers\nfr.sys [2009-2-3 11392]
R2 Logical Disk Manager (NDIS);Logical Disk Manager (NDIS);c:\program files\system\smss.exe [2009-2-2 29700]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-29 1247600]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-2-9 92464]

=============== Created Last 30 ================

2009-02-11 15:21 25,088 a------- c:\windows\system32\__c002BE04.dat
2009-02-11 15:20 16,896 a------- c:\windows\system32\WinCtrl32.dll
2009-02-11 12:35 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-09 15:54 131,584 a------- c:\windows\amawukuwupomu.dll
2009-02-09 15:08 200,704 a------- c:\windows\system32\InstallAVg_77015135.exe
2009-02-09 14:21 92,464 a------- c:\windows\system32\drivers\SBREDrv.sys
2009-02-09 14:21 59,904 a------- c:\windows\system32\sbbd.exe
2009-02-09 14:21 <DIR> --d----- C:\SBRESCUE
2009-02-09 14:03 160,945 a------- c:\windows\system32\1F.tmp
2009-02-09 14:03 29,184 a------- c:\windows\system32\1C.tmp
2009-02-09 14:03 172 a------- c:\windows\system32\1A.tmp
2009-02-09 13:21 0 a------- c:\windows\system32\2B.tmp
2009-02-09 13:21 0 a------- c:\windows\system32\2A.tmp
2009-02-09 13:18 73,825 a------- c:\windows\system32\28.tmp
2009-02-09 13:18 29,184 a------- c:\windows\system32\27.tmp
2009-02-09 13:18 172 a------- c:\windows\system32\26.tmp
2009-02-09 12:57 0 a------- c:\windows\system32\1E.tmp
2009-02-09 12:57 0 a------- c:\windows\system32\1D.tmp
2009-02-09 12:57 0 a------- c:\windows\system32\1B.tmp
2009-02-09 12:56 29,184 a------- c:\windows\system32\19.tmp
2009-02-09 12:56 172 a------- c:\windows\system32\18.tmp
2009-02-03 09:11 0 a------- c:\windows\system32\.tmp
2009-02-03 07:51 40,448 a------- c:\windows\kernel32.exe
2009-02-03 07:49 41,472 a------- c:\windows\Churuyipid.dll
2009-02-03 07:49 64,000 a------- c:\windows\system32\system32xp.exe
2009-02-03 07:49 132,608 a------- c:\windows\system32\svschost.exe
2009-02-03 07:49 132,608 a------- c:\windows\system32\sv˝shost.exe
2009-02-03 07:26 33,920 a------- c:\windows\system32\drivers\wpbbooqp.sys
2009-02-03 07:22 5 a------- c:\windows\_id.dat
2009-02-03 07:22 124 a------- c:\windows\adobe.bat
2009-02-03 07:17 11,392 a------- c:\windows\system32\drivers\nfr.sys
2009-02-03 07:14 32,768 a---h--- c:\documents and settings\david wolf\wpqjxy.exe
2009-02-03 07:14 53,248 a------- c:\windows\system32\drivers\ndisio.sys
2009-02-03 07:14 17,174 a------- c:\windows\system32\23.tmp
2009-02-03 07:14 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-02 22:30 1,508,637 a--sh--- c:\windows\system32\pyggysmy.ini
2009-02-02 22:02 73,216 a------- c:\windows\system32\nvsvc32.exe
2009-02-02 22:02 0 a------- c:\windows\mqcd.dbt
2009-02-02 22:01 128,306 -------- C:\jlpooc.exe
2009-02-02 22:01 103,424 -------- C:\btuplu.exe
2009-02-02 22:01 40,448 -------- C:\mlevsfdk.exe
2009-02-02 22:01 22,016 -------- C:\iwvrf.exe
2009-02-02 22:01 32,768 a------- c:\windows\system32\rer.wa
2009-02-02 22:01 28,672 a------- c:\windows\system32\do8d.sr
2009-02-02 22:01 32,768 a------- c:\windows\system32\qzhr1.ant
2009-02-02 22:01 77,312 a------- c:\windows\system32\re3d.pf
2009-02-02 22:01 28,672 a------- c:\windows\system32\dedwf.lp
2009-02-02 22:01 2 -------- C:\1296790120
2009-02-02 22:01 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-02-02 22:01 84,992 -------- C:\dnwqxus.exe
2009-02-02 21:45 31,232 ----h--- c:\windows\pp1.exe
2009-02-02 21:30 <DIR> --d----- c:\program files\system
2009-02-02 21:16 355 ---shr-- C:\autorun.inf
2009-02-02 21:15 43,520 a------- c:\windows\system32\stu2.exe
2009-02-02 08:24 159 -------- C:\xcrashdump.dat
2009-02-01 22:25 1,509,228 a--sh--- c:\windows\system32\oeujaiws.ini
2009-01-31 18:46 1,465,183 a--sh--- c:\windows\system32\yxwtpfhh.ini
2009-01-31 08:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-30 18:41 1,465,183 a--sh--- c:\windows\system32\wdoimnrn.ini
2009-01-30 18:40 32,846 a--sh--- c:\windows\system32\KUuBdMoq.ini2
2009-01-30 18:40 32,906 a--sh--- c:\windows\system32\KUuBdMoq.ini
2009-01-30 18:40 315,904 a------- c:\windows\system32\_qoMdBuUK.dll
2009-01-29 13:18 1,152 a------- c:\windows\system32\windrv.sys
2009-01-29 13:17 <DIR> --d----- c:\program files\common files\Download Manager
2009-01-24 17:17 <DIR> --d----- c:\program files\Wal-Mart
2009-01-24 17:17 <DIR> --d----- c:\program files\Uniblue
2009-01-24 17:16 <DIR> --d----- c:\program files\pbi- MyoVision
2009-01-22 13:20 <DIR> --d----- c:\program files\Panda Security

==================== Find3M ====================

2009-02-09 14:53 31,616 a------- c:\windows\system32\drivers\Winjs08.sys
2009-02-02 22:01 578,560 a------- c:\windows\system32\user32.DLL
2009-02-02 21:15 26,112 a------- c:\windows\system32\userinit.exe
2009-01-23 07:07 94,563 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-08 14:43 109 -------- C:\TARA.SYS
2008-12-12 11:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-09 09:06 410,984 a------- c:\windows\system32\deploytk.dll
2008-08-26 13:01 93,944 a------- c:\docume~1\davidw~1\applic~1\GDIPFONTCACHEV1.DAT
2007-03-13 15:56 3,820,104 a------- c:\documents and settings\david wolf\gosetup.exe
2006-03-31 07:43 0 a------- c:\docume~1\davidw~1\applic~1\wklnhst.dat

============= FINISH: 15:47:19.29 ===============
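The DDS "Pseudo HJT Report" above carries several classic persistence and hijack indicators in one place: a second executable on the Winlogon Userinit line, autoruns that load DLLs through rundll32, policies that lock out folder options and the registry editor, resolvers changed to 85.255.112.x, Winlogon Notify entries pointing at .dat files, AppInit_DLLs set, and an extra LSA authentication package. As an added example that is not part of DDS, HijackThis or this thread, the following Python script runs simple triage rules over lines copied from that report; the trusted resolver prefixes and the expected LSA package set are assumptions chosen for illustration, and two clean lines are included as controls.

```python
"""Triage rules for DDS / HijackThis-style report lines.

Added example for this thread; not part of DDS, ComboFix or the original post.
SAMPLE_LINES are copied from the report above; the trusted resolver prefixes and
the expected LSA package set are illustrative assumptions.
"""
import re

# Assumed baseline: stock Windows XP lists only msv1_0 as an LSA authentication
# package, and this (placeholder) office resolves DNS on RFC 1918 resolvers.
EXPECTED_LSA_PACKAGES = {"msv1_0"}
TRUSTED_RESOLVER_PREFIXES = ("192.168.", "10.")

# Lines copied from the posted DDS report; SynTPEnh and AtiExtEvent are clean controls.
SAMPLE_LINES = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:7070
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\david wolf\wpqjxy.exe \s
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [4d4b72c7] rundll32.exe "c:\windows\system32\ymsyggyp.dll",b
dPolicies-system: DisableRegistryTools = 1 (0x1)
TCP: NameServer = 85.255.112.39,85.255.112.40
Notify: AtiExtEvent - Ati2evxx.dll
Notify: __c00D4C15 - c:\windows\system32\__c00D4C15.dat
AppInit_DLLs: wjuxxp.dll xktjxk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdBuUK
""".strip().splitlines()


def triage_line(line):
    """Return a reason string if the line matches an indicator, else None."""
    # Browser traffic forced through a local listener (credential/page interception).
    if m := re.match(r"^[umd]Internet Settings,ProxyServer\s*=\s*(.+)$", line):
        if "127.0.0.1" in m.group(1):
            return "browser traffic proxied through a local port"
    # Userinit should name userinit.exe only; anything after the comma runs at logon.
    if m := re.match(r"^mWinlogon:\s*Userinit=(.+)$", line):
        entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
        if len(entries) > 1:
            return "extra Userinit executable: " + entries[1]
    # rundll32 autoruns hide the real payload in the DLL; list them for review.
    if m := re.match(r'^[umd]Run:\s*\[[^\]]+\]\s*rundll32\.exe\s+"?([^",]+)', line, re.I):
        return "autorun loads a DLL via rundll32: " + m.group(1)
    # Policies that block the tools a user would need to inspect the machine.
    if re.match(r"^[umd]Policies-\w+:\s*(DisableRegistryTools|NoFolderOptions)\s*=\s*1\b", line):
        return "policy locks out an administrative tool"
    # Resolver changes redirect every lookup on the box.
    if m := re.match(r"^TCP:\s*(?:NameServer|\{[^}]+\})\s*=\s*(.+)$", line):
        servers = [s.strip() for s in m.group(1).split(",")]
        bad = [s for s in servers if not s.startswith(TRUSTED_RESOLVER_PREFIXES)]
        if bad:
            return "DNS resolver outside trusted ranges: " + ",".join(bad)
    # Winlogon Notify packages are DLLs; a .dat target is loaded into winlogon anyway.
    if m := re.match(r"^Notify:\s*\S+\s*-\s*(.+)$", line):
        if not m.group(1).lower().endswith(".dll"):
            return "Winlogon Notify package is not a .dll: " + m.group(1)
    # AppInit_DLLs are mapped into every process that loads user32.dll.
    if m := re.match(r"^AppInit_DLLs:\s*(.+)$", line):
        return "AppInit_DLLs injects into every process: " + m.group(1)
    # Extra authentication packages see every credential LSA handles.
    if m := re.match(r"^LSA:\s*Authentication Packages\s*=\s*(.+)$", line):
        extra = [p for p in m.group(1).split() if p.lower() not in EXPECTED_LSA_PACKAGES]
        if extra:
            return "non-baseline LSA authentication package: " + " ".join(extra)
    return None


def triage(lines):
    """Return (line, reason) pairs for every line that trips a rule."""
    return [(line, reason) for line in lines if (reason := triage_line(line))]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"[{reason}]\n    {line}")
```

Each rule is a single persistence or hijack point, so a hit says where to look rather than what the file is; the rundll32 rule in particular fires on legitimate vendor autoruns too and is meant to produce a review list, not a verdict.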


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:21 PM

Posted 12 February 2009 - 01:46 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 wolfchiro1

wolfchiro1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:21 AM

Posted 12 February 2009 - 09:49 PM

Here is the log. IE doesn't work but it looks like everything else does.
Thanks for your help.

ComboFix 09-02-12.03 - David Wolf 2009-02-12 20:19:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.726 [GMT -6:00]
Running from: c:\documents and settings\David Wolf\Desktop\Combo-Fix.exe
FW: Norton Internet Worm Protection *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\docume~1\DAVIDW~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\DAVIDW~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\David Wolf\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
c:\program files\system\smss.exe
c:\program files\system\smss.exe.assembly
c:\recycler\S-6-0-16-100025416-100026336-100013284-2837.com
c:\recycler\S-6-0-56-100032422-100014815-100031880-5316.com
c:\windows\IE4 Error Log.txt
c:\windows\kernel32.exe
c:\windows\system32\__c002BE04.dat
c:\windows\system32\_qoMdBuUK.dll
c:\windows\system32\drivers\nfr.sys
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\Winjs08.sys
c:\windows\system32\KUuBdMoq.ini
c:\windows\system32\KUuBdMoq.ini2
c:\windows\system32\oeujaiws.ini
c:\windows\system32\pyggysmy.ini
c:\windows\system32\svschost.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdu.log
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\wdoimnrn.ini
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\yxwtpfhh.ini
C:\xcrashdump.dat
D:\Autorun.inf
d:\recycler\S-1-2-44-100002816-100001111-100003907-6690.com
d:\recycler\S-2-9-60-100012782-100006093-100004778-3387.com
d:\recycler\S-3-7-22-100014206-100006213-100017388-3428.com
d:\recycler\S-6-0-16-100025416-100026336-100013284-2837.com
d:\recycler\S-6-0-56-100032422-100014815-100031880-5316.com
d:\recycler\S-6-9-93-100018510-100018716-100024336-9143.com
d:\recycler\S-9-0-56-100013238-100017773-100003202-8130.com
d:\recycler\S-9-3-35-100008620-100010829-100001157-4472.com
F:\Autorun.inf
f:\recycler\S-1-2-44-100002816-100001111-100003907-6690.com
f:\recycler\S-2-9-60-100012782-100006093-100004778-3387.com
f:\recycler\S-6-0-16-100025416-100026336-100013284-2837.com
f:\recycler\S-6-9-93-100018510-100018716-100024336-9143.com
f:\recycler\S-9-0-56-100013238-100017773-100003202-8130.com

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
-------\Legacy_LOGICAL_DISK_MANAGER_(NDIS)
-------\Legacy_NFR.SYS
-------\Legacy_WINJS08
-------\Service_Logical Disk Manager (NDIS)
-------\Service_nfr.sys
-------\Service_Winjs08


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-12 20:28 . 2009-02-12 20:28 172 --a------ c:\windows\system32\4.tmp
2009-02-12 20:28 . 2009-02-12 20:28 0 --a------ c:\windows\system32\5.tmp
2009-02-11 12:35 . 2009-02-11 15:30 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-09 15:54 . 2009-02-09 15:54 131,584 --a------ c:\windows\amawukuwupomu.dll
2009-02-09 15:08 . 2009-02-09 16:20 200,704 --a------ c:\windows\system32\InstallAVg_77015135.exe
2009-02-09 14:21 . 2009-02-11 14:08 <DIR> d-------- C:\SBRESCUE
2009-02-09 14:21 . 2008-10-23 03:09 92,464 --a------ c:\windows\system32\drivers\SBREDrv.sys
2009-02-09 14:21 . 2008-10-28 14:00 59,904 --a------ c:\windows\system32\sbbd.exe
2009-02-09 14:03 . 2009-02-09 14:03 160,945 --a------ c:\windows\system32\1F.tmp
2009-02-09 14:03 . 2009-02-09 14:03 29,184 --a------ c:\windows\system32\1C.tmp
2009-02-09 14:03 . 2009-02-09 14:03 172 --a------ c:\windows\system32\1A.tmp
2009-02-09 13:21 . 2009-02-09 13:21 0 --a------ c:\windows\system32\2B.tmp
2009-02-09 13:21 . 2009-02-09 13:21 0 --a------ c:\windows\system32\2A.tmp
2009-02-09 13:18 . 2009-02-09 13:21 73,825 --a------ c:\windows\system32\28.tmp
2009-02-09 13:18 . 2009-02-09 13:18 29,184 --a------ c:\windows\system32\27.tmp
2009-02-09 13:18 . 2009-02-09 13:18 172 --a------ c:\windows\system32\26.tmp
2009-02-09 12:57 . 2009-02-09 12:57 0 --a------ c:\windows\system32\1E.tmp
2009-02-09 12:57 . 2009-02-09 12:57 0 --a------ c:\windows\system32\1D.tmp
2009-02-09 12:57 . 2009-02-09 12:57 0 --a------ c:\windows\system32\1B.tmp
2009-02-09 12:56 . 2009-02-09 12:56 29,184 --a------ c:\windows\system32\19.tmp
2009-02-09 12:56 . 2009-02-09 12:56 172 --a------ c:\windows\system32\18.tmp
2009-02-03 09:11 . 2009-02-03 09:11 0 --a------ c:\windows\system32\.tmp
2009-02-03 07:49 . 2009-02-03 07:49 132,608 --a------ c:\windows\system32\sv˝shost.exe
2009-02-03 07:49 . 2009-02-03 07:49 64,000 --a------ c:\windows\system32\system32xp.exe
2009-02-03 07:49 . 2009-02-09 12:56 41,472 --a------ c:\windows\Churuyipid.dll
2009-02-03 07:26 . 2009-02-03 07:26 33,920 --a------ c:\windows\system32\drivers\wpbbooqp.sys
2009-02-03 07:22 . 2009-02-09 14:08 124 --a------ c:\windows\adobe.bat
2009-02-03 07:22 . 2009-02-03 07:26 5 --a------ c:\windows\_id.dat
2009-02-03 07:14 . 2009-02-03 07:14 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-03 07:14 . 2009-02-03 07:14 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-03 07:14 . 2009-02-03 07:14 32,768 --ah----- c:\documents and settings\David Wolf\wpqjxy.exe
2009-02-03 07:14 . 2009-02-03 07:14 17,174 --a------ c:\windows\system32\23.tmp
2009-02-02 22:02 . 2009-02-02 22:02 73,216 --a------ c:\windows\system32\nvsvc32.exe
2009-02-02 22:02 . 2009-02-02 22:02 0 --a------ c:\windows\mqcd.dbt
2009-02-02 22:01 . 2009-02-02 22:01 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-02 22:01 . 2009-02-03 07:50 128,306 --------- C:\jlpooc.exe
2009-02-02 22:01 . 2009-02-03 07:50 103,424 --------- C:\btuplu.exe
2009-02-02 22:01 . 2009-02-03 07:49 84,992 --------- C:\dnwqxus.exe
2009-02-02 22:01 . 2009-02-02 22:01 77,312 --a------ c:\windows\system32\re3d.pf
2009-02-02 22:01 . 2009-02-03 07:50 40,448 --------- C:\mlevsfdk.exe
2009-02-02 22:01 . 2009-02-02 22:01 32,768 --a------ c:\windows\system32\rer.wa
2009-02-02 22:01 . 2009-02-02 22:01 32,768 --a------ c:\windows\system32\qzhr1.ant
2009-02-02 22:01 . 2009-02-02 22:01 28,672 --a------ c:\windows\system32\do8d.sr
2009-02-02 22:01 . 2009-02-02 22:01 28,672 --a------ c:\windows\system32\dedwf.lp
2009-02-02 22:01 . 2009-02-03 07:49 22,016 --------- C:\iwvrf.exe
2009-02-02 22:01 . 2009-02-03 07:49 2 --------- C:\1296790120
2009-02-02 21:45 . 2009-02-02 21:45 31,232 ---h----- c:\windows\pp1.exe
2009-02-02 21:30 . 2009-02-12 20:20 <DIR> d-------- c:\program files\system
2009-02-02 21:15 . 2008-04-13 18:12 43,520 --a------ c:\windows\system32\stu2.exe
2009-01-31 08:13 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-29 13:18 . 2009-01-29 13:18 1,152 --a------ c:\windows\system32\windrv.sys
2009-01-29 13:17 . 2009-01-29 13:17 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-24 17:17 . 2009-01-24 17:17 <DIR> d-------- c:\program files\Wal-Mart
2009-01-24 17:17 . 2009-01-24 17:17 <DIR> d-------- c:\program files\Uniblue
2009-01-24 17:16 . 2009-01-24 17:16 <DIR> d-------- c:\program files\pbi- MyoVision
2009-01-23 07:08 . 2009-01-23 07:08 <DIR> d-------- c:\documents and settings\David Wolf\Application Data\Image Zone Express
2009-01-22 13:20 . 2009-01-22 13:20 <DIR> d-------- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-01-24 23:17 --------- d-----w c:\documents and settings\David Wolf\Application Data\Uniblue
2009-01-23 13:16 --------- d-----w c:\documents and settings\David Wolf\Application Data\Wal-Mart Digital Photo Manager
2009-01-23 13:15 --------- d-----w c:\program files\Common Files\SoftTech InterCorp
2009-01-23 13:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-23 13:07 --------- d-----w c:\program files\HPQ
2009-01-23 12:51 --------- d-----w c:\program files\Bonjour
2009-01-08 20:43 109 ------w C:\TARA.SYS
2009-01-07 19:56 --------- d-----w c:\program files\Report Master
2009-01-07 18:26 --------- d-----w c:\program files\Yahoo SiteBuilder
2009-01-07 18:26 --------- d-----w c:\program files\SmartDraw 7
2009-01-07 18:26 --------- d-----w c:\program files\Google
2009-01-07 18:25 --------- d-----w c:\program files\Bible Navigator
2008-08-26 19:01 93,944 ----a-w c:\documents and settings\David Wolf\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 21:56 3,820,104 ----a-w c:\documents and settings\David Wolf\gosetup.exe
2006-03-31 13:43 0 ----a-w c:\documents and settings\David Wolf\Application Data\wklnhst.dat
2007-05-29 22:35 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-05-29 22:35 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-05-29 21:34 49,152 -c--a-w c:\program files\mozilla firefox\plugins\atmccli.dll
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 c:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 08:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 c:\windows\ServicePackFiles\i386\user32.dll
578,560 2009-02-03 04:01:12 c:\windows\system32\user32.DLL
578,560 2009-02-03 04:01:12 c:\windows\system32\dllcache\user32.dll


------- Sigcheck -------

2004-08-04 02:00 31744 fefd8cfe3cf990487bbaa2e5d10fc29a c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 20c8356a78fdf1cde0caff695174ee4e c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 4fa16dba73657cf724f3bbd1f4b697bd c:\windows\system32\svchost.exe

2005-03-02 12:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 09:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 09:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 02:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 12:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 18:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2009-02-02 22:01 578560 ef409d20029c7857ca5342f4b799bb9b c:\windows\system32\user32.DLL
2009-02-02 22:01 578560 ef409d20029c7857ca5342f4b799bb9b c:\windows\system32\dllcache\user32.dll

2008-04-13 18:12 1051136 256d495f482f650bd4900730c5be6f85 c:\windows\explorer.exe
2007-06-13 05:26 1050624 e3e7ed2367a2ad640f48fe34db07429d c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 137600b4178fa9ca9855baa836e9837e c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:00 1049600 16537db0b282d2d47b8631039ab9868c c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1051136 a9e70b0cb90e448e4b7ae468e674caef c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 02:00 32768 e10b51e49472499f910b596ff9baf436 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32768 9c0982ef707211e18ffa042c9534f7f9 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32768 104d1739b5f8b1deb6125f6fabb85b23 c:\windows\system32\ctfmon.exe

2005-06-10 18:17 75264 a1051f1571d5c421e0a821db01125d77 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 0ddda1e4ae8501b631e4c86f4b6e8b61 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:00 75264 68fc3859f829d6fe0c76016c804e33fc c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 18:12 75264 e333ab3c6d3e686d76378bace08b6591 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 75264 718e554d04e03b2f6f3b5e9fe1428972 c:\windows\system32\spoolsv.exe

2004-08-04 02:00 41984 2966f3db9fd7b6f9ff0523f1fb494adc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43520 0f2b7848b45fa7de00239b68ca7cf2dd c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-02 21:15 26112 535f4cc81d4c557425bda42522ce2832 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 364544]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 749658]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 254014]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-03 98304]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-07-31 835584]
"pp"="c:\windows\pp1.exe" [2009-02-02 31232]
"NvSvc"="c:\windows\system32\nvsvc32.exe" [2009-02-02 73216]
"Avaxivepa"="c:\windows\Churuyipid.dll" [2009-02-09 41472]
"Ivulogi"="c:\windows\amawukuwupomu.dll" [2009-02-09 131584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wjuxxp.dll xktjxk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wpbbooqp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Associate KeepAlive]
--a--c--- 2007-03-28 09:19 49152 c:\program files\Foot Levelers\Foot Analysis System\KeepAlive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 20:26 389186 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-12-13 16:45 528384 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a--c--- 2005-12-12 13:39 114688 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-03 17:19 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 12:23 1208320 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2005-10-28 17:11 700416 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\EduTrader\\EduTrader.exe"=
"c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-31 28544]
R0 wpbbooqp;wpbbooqp;c:\windows\system32\drivers\wpbbooqp.sys [2009-02-03 33920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-02-09 92464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-0-16-100025416-100026336-100013284-2837.com c:\
\Shell\Open\command - c:\recycler\S-6-0-16-100025416-100026336-100013284-2837.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-0-16-100025416-100026336-100013284-2837.com d:\
\Shell\Open\command - d:\recycler\S-6-0-16-100025416-100026336-100013284-2837.com d:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960b89c6-3973-11dd-809d-0014a57acf4b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9906fb26-4846-11db-bc8a-0014a57acf4b}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd86e4c2-7545-11dd-80ef-0014a57acf4b}]
\Shell\AutoRun\command - F:\RDEapp.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\oojlmlwf.job
- c:\windows\system32\yayxxXPI.dll []

2009-01-23 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-12-07 09:42]

2009-01-23 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-12-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-svschost.exe - c:\windows\system32\svschost.exe
HKCU-Run-Uniblue SpeedUpMyPC - (no file)
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
HKLM-Run-4d4b72c7 - c:\windows\system32\ymsyggyp.dll
HKU-Default-Run-tezrtsjhfr84iusjfo84f - c:\windows\TEMP\csrssc.exe
HKLM-Explorer_Run-services - c:\windows\services.exe
HKCU-Explorer_Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
Notify-__c002BE04 - c:\windows\system32\__c002BE04.dat
Notify-__c00377AA - c:\windows\system32\__c00377AA.dat
Notify-__c00452A4 - c:\windows\system32\__c00452A4.dat
Notify-__c005F7FF - c:\windows\system32\__c005F7FF.dat
Notify-__c00700F1 - c:\windows\system32\__c00700F1.dat
Notify-__c009C6F8 - c:\windows\system32\__c009C6F8.dat
Notify-__c00B25EC - c:\windows\system32\__c00B25EC.dat
Notify-__c00B308 - c:\windows\system32\__c00B308.dat
Notify-__c00CA91E - c:\windows\system32\__c00CA91E.dat
Notify-__c00D4C15 - c:\windows\system32\__c00D4C15.dat
Notify-__c00D6C0 - c:\windows\system32\__c00D6C0.dat
Notify-__c00D6C44 - c:\windows\system32\__c00D6C44.dat
Notify-__c00E42C4 - c:\windows\system32\__c00E42C4.dat
Notify-__c00E8261 - c:\windows\system32\__c00E8261.dat
Notify-__c00F6A16 - c:\windows\system32\__c00F6A16.dat
Notify-rqRKDVPI - rqRKDVPI.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-MailListController - c:\program files\Arclab\MailList Controller\amlcSCT.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
MSConfigStartUp-RegClean Expert Scheduler - c:\program files\Registry Clean Expert\RCHelper.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 20:28:05
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?3?0?7??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxexwpntur.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-12 20:30:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 02:30:21

Pre-Run: 6,329,577,472 bytes free
Post-Run: 7,037,059,072 bytes free

368 --- E O F --- 2009-01-15 14:35:36

#4 fenzodahl512

Posted 13 February 2009 - 03:45 AM

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\nvsvc32.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's option remain ticked and Zip Files After Moves remain unticked.
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    c:\windows\system32\??.tmp
    c:\windows\system32\?.tmp
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

FCopy::
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.DLL

Driver::
wpbbooqp
gaopdxserv.sys
gaopdxserv

Rootkit::
c:\windows\system32\drivers\wpbbooqp.sys
c:\windows\system32\drivers\gaopdxexwpntur.sys

File::
c:\windows\system32\drivers\gaopdxexwpntur.sys
c:\windows\system32\drivers\wpbbooqp.sys
c:\windows\amawukuwupomu.dll
c:\windows\system32\InstallAVg_77015135.exe
c:\windows\system32\.tmp
c:\windows\system32\sv˝shost.exe
c:\windows\system32\system32xp.exe
c:\windows\Churuyipid.dll
c:\windows\system32\drivers\wpbbooqp.sys
c:\windows\adobe.bat
c:\windows\_id.dat
c:\windows\system32\secupdat.dat
c:\windows\system32\drivers\ndisio.sys
c:\documents and settings\David Wolf\wpqjxy.exe
c:\windows\mqcd.dbt
C:\jlpooc.exe
C:\btuplu.exe
C:\dnwqxus.exe
c:\windows\system32\re3d.pf
C:\mlevsfdk.exe
c:\windows\system32\rer.wa
c:\windows\system32\qzhr1.ant
c:\windows\system32\do8d.sr
c:\windows\system32\dedwf.lp
C:\iwvrf.exe
C:\1296790120
c:\windows\pp1.exe
c:\windows\system32\windrv.sys
c:\windows\system32\stu2.exe
c:\windows\Tasks\oojlmlwf.job
c:\windows\system32\yayxxXPI.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pp"=-
"NvSvc"=-
"Avaxivepa"=-
"Ivulogi"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wpbbooqp.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960b89c6-3973-11dd-809d-0014a57acf4b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9906fb26-4846-11db-bc8a-0014a57acf4b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd86e4c2-7545-11dd-80ef-0014a57acf4b}]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gaopdxserv.sys]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • OTMoveIt3
  • Combofix.txt
  • VirScan.org report.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 wolfchiro1

Posted 13 February 2009 - 07:40 AM

IE can't connect to any websites so I can't do the first step. Can I skip it?

#6 fenzodahl512

Posted 13 February 2009 - 07:49 AM

Do the next steps...



#7 wolfchiro1

Posted 13 February 2009 - 09:03 AM

It's been either really slow or stuck on startup. I ran the last combofix w/ cfscript.txt about 45 min. ago. Is that normal? So I don't have any logs to post.

#8 fenzodahl512

Posted 13 February 2009 - 12:05 PM

No. It is not normal. If ComboFix finishes its scan, please post the log here, or find the log at C:\combofix.txt and post it here.

If not, then exit ComboFix and tell me more about it.



#9 wolfchiro1

Posted 13 February 2009 - 12:44 PM

After combofix finished it went to restart and it got stuck on startup. I can bring up task mngr to browse for programs and start them that way but otherwise there is nothing on my screen but the wallpaper. I was able to locate the log:
ComboFix 09-02-12.03 - David Wolf 2009-02-13 7:25:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.696 [GMT -6:00]
Running from: C:\Documents and Settings\David Wolf\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\David Wolf\Desktop\CFScript.txt.txt
FW: Norton Internet Worm Protection *disabled*

FILE ::
C:\1296790120
C:\btuplu.exe
C:\dnwqxus.exe
c:\documents and settings\David Wolf\wpqjxy.exe
C:\iwvrf.exe
C:\jlpooc.exe
C:\mlevsfdk.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\amawukuwupomu.dll
c:\windows\Churuyipid.dll
c:\windows\mqcd.dbt
c:\windows\pp1.exe
c:\windows\system32\.tmp
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\drivers\gaopdxexwpntur.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\wpbbooqp.sys
c:\windows\system32\InstallAVg_77015135.exe
c:\windows\system32\qzhr1.ant
c:\windows\system32\re3d.pf
c:\windows\system32\rer.wa
c:\windows\system32\secupdat.dat
c:\windows\system32\stu2.exe
c:\windows\system32\sv˝shost.exe
c:\windows\system32\system32xp.exe
c:\windows\system32\windrv.sys
c:\windows\system32\yayxxXPI.dll
c:\windows\Tasks\oojlmlwf.job
.

#10 fenzodahl512

Posted 13 February 2009 - 12:50 PM

Hello..

Open Task Manager (Ctrl + Alt + Del) and go to File >> New Task (Run...) >> type explorer.exe >> Enter

Can you get your Desktop back?



#11 wolfchiro1

Posted 13 February 2009 - 12:59 PM

Yes, the desktop came back, ComboFix finished, and here is the log:

ComboFix 09-02-12.03 - David Wolf 2009-02-13 7:25:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.696 [GMT -6:00]
Running from: c:\documents and settings\David Wolf\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David Wolf\Desktop\CFScript.txt.txt
FW: Norton Internet Worm Protection *disabled*

FILE ::
C:\1296790120
C:\btuplu.exe
C:\dnwqxus.exe
c:\documents and settings\David Wolf\wpqjxy.exe
C:\iwvrf.exe
C:\jlpooc.exe
C:\mlevsfdk.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\amawukuwupomu.dll
c:\windows\Churuyipid.dll
c:\windows\mqcd.dbt
c:\windows\pp1.exe
c:\windows\system32\.tmp
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\drivers\gaopdxexwpntur.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\wpbbooqp.sys
c:\windows\system32\InstallAVg_77015135.exe
c:\windows\system32\qzhr1.ant
c:\windows\system32\re3d.pf
c:\windows\system32\rer.wa
c:\windows\system32\secupdat.dat
c:\windows\system32\stu2.exe
c:\windows\system32\sv˝shost.exe
c:\windows\system32\system32xp.exe
c:\windows\system32\windrv.sys
c:\windows\system32\yayxxXPI.dll
c:\windows\Tasks\oojlmlwf.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1296790120
C:\btuplu.exe
C:\dnwqxus.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\David Wolf\reader_s.exe
c:\documents and settings\David Wolf\wpqjxy.exe
C:\iwvrf.exe
C:\jlpooc.exe
C:\mlevsfdk.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\amawukuwupomu.dll
c:\windows\Churuyipid.dll
c:\windows\mqcd.dbt
c:\windows\system32\7.tmp
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\drivers\gaopdxexwpntur.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxumqlrgal.dll
c:\windows\system32\InstallAVg_77015135.exe
c:\windows\system32\qzhr1.ant
c:\windows\system32\re3d.pf
c:\windows\system32\reader_s.exe
c:\windows\system32\rer.wa
c:\windows\system32\secupdat.dat
c:\windows\system32\stu2.exe
c:\windows\system32\sv˝shost.exe
c:\windows\system32\system32xp.exe
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\windrv.sys
c:\windows\Tasks\oojlmlwf.job
c:\windows\system32\twain_32 . . . . failed to delete
c:\windows\system32\twain_32\local.ds . . . . failed to delete
c:\windows\system32\twain_32\user.ds . . . . failed to delete
c:\windows\system32\twext.exe . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://b9n.org
c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.DLL
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_WPBBOOQP
-------\Service_restore
-------\Service_wpbbooqp


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 07:37 . 2009-02-13 07:37 <DIR> d--hs---- c:\documents and settings\LocalService\Application Data\twain_32
2009-02-13 07:37 . 2009-02-13 11:43 135 --------- c:\windows\system32\twain_32\local.ds
2009-02-13 07:37 . 2009-02-13 11:53 106 --a------ c:\windows\system32\twain_32\user.ds
2009-02-13 07:37 . 2009-02-13 07:37 84 --a------ c:\windows\system32\4.tmp
2009-02-13 07:24 . 2009-02-13 07:24 84 --a------ c:\windows\system32\8.tmp
2009-02-13 07:15 . 2009-02-13 07:15 84 --a------ c:\windows\system32\5.tmp
2009-02-13 07:15 . 2009-02-13 07:15 1 --a------ c:\windows\system32\6.tmp
2009-02-13 07:05 . 2009-02-13 07:05 <DIR> d-------- C:\_OTMoveIt
2009-02-13 06:34 . 2009-02-13 11:43 <DIR> d--hs---- c:\windows\system32\twain_32
2009-02-12 21:04 . 2009-02-12 21:04 56,321 --a------ c:\windows\services.ex_
2009-02-12 21:04 . 2009-02-12 21:04 32,256 --ah----- c:\documents and settings\David Wolf\pdrjx.exe
2009-02-12 20:37 . 2009-02-12 20:37 32,256 --ah----- c:\documents and settings\David Wolf\vek.exe
2009-02-12 20:31 . 2009-02-12 20:31 182,656 --a------ c:\windows\system32\dllcache\ndis.sys
2009-02-12 20:31 . 2009-02-12 20:31 32,256 --ah----- c:\documents and settings\David Wolf\wfypwm.exe
2009-02-12 20:30 . 2009-02-12 20:30 137,824 --a------ c:\windows\system32\drivers\ethtdxsg.sys
2009-02-11 12:35 . 2009-02-11 15:30 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-09 14:21 . 2009-02-11 14:08 <DIR> d-------- C:\SBRESCUE
2009-02-09 14:21 . 2008-10-23 03:09 92,464 --a------ c:\windows\system32\drivers\SBREDrv.sys
2009-02-09 14:21 . 2008-10-28 14:00 59,904 --a------ c:\windows\system32\sbbd.exe
2009-02-02 22:02 . 2009-02-02 22:02 73,216 --a------ c:\windows\system32\nvsvc32.exe
2009-02-02 22:01 . 2009-02-02 22:01 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-02 21:45 . 2009-02-02 21:45 31,232 --ah----- c:\windows\pp1.ex_
2009-02-02 21:30 . 2009-02-12 20:20 <DIR> d-------- c:\program files\system
2009-01-31 08:13 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-29 13:17 . 2009-01-29 13:17 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-24 17:17 . 2009-01-24 17:17 <DIR> d-------- c:\program files\Wal-Mart
2009-01-24 17:17 . 2009-01-24 17:17 <DIR> d-------- c:\program files\Uniblue
2009-01-24 17:16 . 2009-01-24 17:16 <DIR> d-------- c:\program files\pbi- MyoVision
2009-01-23 07:08 . 2009-01-23 07:08 <DIR> d-------- c:\documents and settings\David Wolf\Application Data\Image Zone Express
2009-01-22 13:20 . 2009-01-22 13:20 <DIR> d-------- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 02:31 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-01-30 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-01-24 23:17 --------- d-----w c:\documents and settings\David Wolf\Application Data\Uniblue
2009-01-23 13:16 --------- d-----w c:\documents and settings\David Wolf\Application Data\Wal-Mart Digital Photo Manager
2009-01-23 13:15 --------- d-----w c:\program files\Common Files\SoftTech InterCorp
2009-01-23 13:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-23 13:07 --------- d-----w c:\program files\HPQ
2009-01-23 12:51 --------- d-----w c:\program files\Bonjour
2009-01-08 20:43 109 ------w C:\TARA.SYS
2009-01-07 19:56 --------- d-----w c:\program files\Report Master
2009-01-07 18:26 --------- d-----w c:\program files\Yahoo SiteBuilder
2009-01-07 18:26 --------- d-----w c:\program files\SmartDraw 7
2009-01-07 18:26 --------- d-----w c:\program files\Google
2009-01-07 18:25 --------- d-----w c:\program files\Bible Navigator
2008-08-26 19:01 93,944 ----a-w c:\documents and settings\David Wolf\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 21:56 3,820,104 ----a-w c:\documents and settings\David Wolf\gosetup.exe
2006-03-31 13:43 0 ----a-w c:\documents and settings\David Wolf\Application Data\wklnhst.dat
2007-05-29 22:35 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-05-29 22:35 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-05-29 21:34 49,152 -c--a-w c:\program files\mozilla firefox\plugins\atmccli.dll
.

------- Sigcheck -------

2004-08-04 02:00 31744 fefd8cfe3cf990487bbaa2e5d10fc29a c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 20c8356a78fdf1cde0caff695174ee4e c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 4fa16dba73657cf724f3bbd1f4b697bd c:\windows\system32\svchost.exe

2004-08-04 02:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 13:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-12 20:31 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-12 20:31 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 18:12 1051136 256d495f482f650bd4900730c5be6f85 c:\windows\explorer.exe
2007-06-13 05:26 1050624 e3e7ed2367a2ad640f48fe34db07429d c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 137600b4178fa9ca9855baa836e9837e c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:00 1049600 16537db0b282d2d47b8631039ab9868c c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1051136 a9e70b0cb90e448e4b7ae468e674caef c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 02:00 32768 e10b51e49472499f910b596ff9baf436 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32768 9c0982ef707211e18ffa042c9534f7f9 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32768 104d1739b5f8b1deb6125f6fabb85b23 c:\windows\system32\ctfmon.exe

2005-06-10 18:17 75264 a1051f1571d5c421e0a821db01125d77 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 0ddda1e4ae8501b631e4c86f4b6e8b61 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:00 75264 68fc3859f829d6fe0c76016c804e33fc c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 18:12 75264 e333ab3c6d3e686d76378bace08b6591 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 75264 718e554d04e03b2f6f3b5e9fe1428972 c:\windows\system32\spoolsv.exe

2004-08-04 02:00 41984 2966f3db9fd7b6f9ff0523f1fb494adc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43520 0f2b7848b45fa7de00239b68ca7cf2dd c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-02 21:15 26112 535f4cc81d4c557425bda42522ce2832 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-12_20.29.25.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-06-11 00:17:13 57,856 -c--a-w c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
+ 2005-06-11 00:17:13 75,264 -c--a-w c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
- 2007-06-13 11:26:03 1,033,216 ----a-w c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
+ 2007-06-13 11:26:03 1,050,624 ----a-w c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
- 2004-08-04 08:00:00 15,360 -c----w c:\windows\$NtServicePackUninstall$\ctfmon.exe
+ 2004-08-04 08:00:00 32,768 -c----w c:\windows\$NtServicePackUninstall$\ctfmon.exe
- 2007-06-13 10:23:07 1,033,216 -c----w c:\windows\$NtServicePackUninstall$\explorer.exe
+ 2007-06-13 10:23:07 1,050,624 -c----w c:\windows\$NtServicePackUninstall$\explorer.exe
- 2004-08-04 08:00:00 182,912 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2004-08-04 08:00:00 182,656 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
- 2005-06-10 23:53:32 57,856 -c----w c:\windows\$NtServicePackUninstall$\spoolsv.exe
+ 2005-06-10 23:53:32 75,264 -c----w c:\windows\$NtServicePackUninstall$\spoolsv.exe
- 2004-08-04 08:00:00 14,336 -c----w c:\windows\$NtServicePackUninstall$\svchost.exe
+ 2004-08-04 08:00:00 31,744 -c----w c:\windows\$NtServicePackUninstall$\svchost.exe
- 2004-08-04 08:00:00 24,576 -c----w c:\windows\$NtServicePackUninstall$\userinit.exe
+ 2004-08-04 08:00:00 41,984 -c----w c:\windows\$NtServicePackUninstall$\userinit.exe
- 2004-08-04 08:00:00 57,856 -c--a-w c:\windows\$NtUninstallKB896423$\spoolsv.exe
+ 2004-08-04 08:00:00 75,264 -c--a-w c:\windows\$NtUninstallKB896423$\spoolsv.exe
- 2004-08-04 08:00:00 1,032,192 -c----w c:\windows\$NtUninstallKB938828$\explorer.exe
+ 2004-08-04 08:00:00 1,049,600 -c----w c:\windows\$NtUninstallKB938828$\explorer.exe
- 2009-02-13 02:25:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-13 17:45:46 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-13 02:25:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-13 17:45:46 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-13 03:01:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009021220090213\index.dat
+ 2009-02-13 13:38:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009021320090214\index.dat
- 2009-02-13 02:25:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-13 17:45:46 81,920 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-11 19:16:33 342,624 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-13 13:20:04 342,624 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 00:11:24 354,304 ------w c:\windows\system32\twext.exe
+ 2009-02-13 16:25:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_138.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 364544]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 749658]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-03 98304]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-07-31 835584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eeethykt.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Associate KeepAlive]
--a--c--- 2007-03-28 09:19 49152 c:\program files\Foot Levelers\Foot Analysis System\KeepAlive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 20:26 389186 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-12-13 16:45 528384 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a--c--- 2005-12-12 13:39 114688 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-03 17:19 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 12:23 1208320 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2005-10-28 17:11 700416 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\EduTrader\\EduTrader.exe"=
"c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-31 28544]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
S0 eeethykt;eeethykt;c:\windows\system32\Drivers\eeethykt.sys --> c:\windows\system32\Drivers\eeethykt.sys [?]
S1 ethtdxsg;ethtdxsg;c:\windows\system32\drivers\ethtdxsg.sys [2009-02-12 137824]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-02-09 92464]
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-12-07 09:42]

2009-01-23 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-12-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-reader_s - c:\documents and settings\David Wolf\reader_s.exe
HKLM-Run-Cpqset - c:\program files\HPQ\Default Settings\cpqset.exe
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKU-Default-Run-hdimtkyr.exe - c:\windows\hdimtkyr.exe
HKU-Default-Run-reader_s - c:\documents and settings\David Wolf\reader_s.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 11:53:09
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?3?0?7??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-02-13 11:56:21 - machine was rebooted [David Wolf]
ComboFix-quarantined-files.txt 2009-02-13 17:56:19
ComboFix2.txt 2009-02-13 02:30:26

Pre-Run: 7,045,181,440 bytes free
Post-Run: 6,983,471,104 bytes free

346 --- E O F --- 2009-01-15 14:35:36
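The "Reg Loading Points" section of the log above carries four entries that matter more than the long list of vendor autostarts: a second executable (twext.exe) appended to the Winlogon Userinit value, so Winlogon starts it at every logon; an entry for eeethykt.sys under SafeBoot\Minimal, which lets that driver load in Safe Mode as well (consistent with the files not being deletable there); AntiVirusDisableNotify and FirewallOverride set to 1 under the Security Center key, which silences the "no antivirus / no firewall" warnings; and EnableFirewall=0 for the standard profile. The Python script below is an added example, not something from the thread or from ComboFix: it parses this REGEDIT4-style output and flags those four conditions. The sample text it runs on is a constructed excerpt reproducing the relevant entries from the log, and the check names and rules are my own assumptions, not a ComboFix feature.

```python
import re

# Constructed excerpt in the REGEDIT4-style layout ComboFix uses for its
# "Reg Loading Points" section; the entries mirror the ones in the log above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eeethykt.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)\s*=\s*(?P<raw>.*)$')
QUOTED_RE = re.compile(r'^"(?P<s>[^"]*)"(?:\s*\[[^\]]*\])?$')  # optional "[date size]" note
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
SHORT_RE = re.compile(r"^(?P<n>\d+)\s*\(0x[0-9a-fA-F]+\)$")  # ComboFix's "0 (0x0)" form


def parse_value(raw):
    """Turn the right-hand side of a REGEDIT4 line into a str or int."""
    raw = raw.strip()
    m = QUOTED_RE.match(raw)
    if m:
        return m.group("s")
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group("hex"), 16)
    m = SHORT_RE.match(raw)
    if m:
        return int(m.group("n"))
    return raw


def parse_reg(text):
    """Yield (key, value_name, value) triples; value_name is '@' for the default value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name").strip('"'), parse_value(m.group("raw"))


def triage(text):
    """Return a list of findings, each {'check', 'key', 'name', 'detail'}."""
    findings = []
    for key, name, value in parse_reg(text):
        k, n = key.lower(), name.lower()
        # Winlogon runs every comma-separated entry of Userinit at logon; only
        # <system root>\system32\userinit.exe belongs there.
        if k.endswith(r"\windows nt\currentversion\winlogon") and n == "userinit":
            for entry in str(value).split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith(r"\system32\userinit.exe"):
                    findings.append({"check": "userinit", "key": key, "name": name, "detail": entry})
        # A driver registered under SafeBoot\Minimal (or \Network) is loaded in Safe
        # Mode too. ComboFix prints only non-default entries here, so each one shown
        # deserves a look; on a raw export you would need a baseline first.
        elif "\\control\\safeboot\\minimal\\" in k or "\\control\\safeboot\\network\\" in k:
            findings.append({"check": "safeboot", "key": key, "name": name,
                             "detail": key.rsplit("\\", 1)[-1]})
        # Security Center flags that suppress the "no antivirus/firewall/updates" warnings.
        elif "\\security center" in k and n in (
                "antivirusdisablenotify", "firewalldisablenotify",
                "updatesdisablenotify", "firewalloverride") and value == 1:
            findings.append({"check": "security_center", "key": key, "name": name,
                             "detail": "set to 1"})
        # Windows Firewall switched off for the standard profile.
        elif k.endswith(r"firewallpolicy\standardprofile") and n == "enablefirewall" and value == 0:
            findings.append({"check": "firewall", "key": key, "name": name,
                             "detail": "EnableFirewall=0"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"[{f['check']}] {f['key']} :: {f['name']} -> {f['detail']}")
```

The script only reports; it changes nothing on the machine. Run against the constructed sample it returns five findings: the extra Userinit entry, the SafeBoot driver, the two Security Center flags and the disabled firewall. Vendor Run entries such as the Java updater pass through untouched, which is the point: the interesting signal in a log like this is not the number of autostarts but the handful of keys that change what Windows trusts and what it warns about.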

#12 fenzodahl512
  • Members
  • 6,738 posts

Posted 13 February 2009 - 01:42 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

FCopy::
c:\windows\$NtServicePackUninstall$\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\dllcache\ndis.sys
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\explorer.exe
c:\windows\$NtServicePackUninstall$\spoolsv.exe | c:\windows\system32\spoolsv.exe

Driver::
eeethykt
ethtdxsg

Rootkit::
c:\windows\system32\4.tmp
c:\windows\system32\8.tmp
c:\windows\system32\5.tmp
c:\windows\system32\6.tmp
c:\windows\services.ex_
c:\documents and settings\David Wolf\pdrjx.exe
c:\documents and settings\David Wolf\vek.exe
c:\documents and settings\David Wolf\wfypwm.exe
c:\windows\system32\drivers\ethtdxsg.sys
c:\windows\pp1.ex_
C:\TARA.SYS
c:\windows\system32\twext.exe
c:\windows\system32\Drivers\eeethykt.sys
c:\windows\system32\drivers\ethtdxsg.sys

File::
c:\windows\system32\4.tmp
c:\windows\system32\8.tmp
c:\windows\system32\5.tmp
c:\windows\system32\6.tmp
c:\windows\services.ex_
c:\documents and settings\David Wolf\pdrjx.exe
c:\documents and settings\David Wolf\vek.exe
c:\documents and settings\David Wolf\wfypwm.exe
c:\windows\system32\drivers\ethtdxsg.sys
c:\windows\pp1.ex_
C:\TARA.SYS
c:\windows\system32\twext.exe
c:\windows\system32\Drivers\eeethykt.sys
c:\windows\system32\drivers\ethtdxsg.sys

Folder::
c:\documents and settings\LocalService\Application Data\twain_32
c:\windows\system32\twain_32

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eeethykt.sys]

DirLook::
c:\program files\system

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 wolfchiro1
  • Topic Starter
  • Members
  • 16 posts

Posted 13 February 2009 - 02:40 PM

It automatically rebooted and stalled on startup again until I opened Task Manager and ran explorer.exe; then ComboFix came back on and did its thing. Here is that log:

ComboFix 09-02-12.03 - David Wolf 2009-02-13 12:53:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.649 [GMT -6:00]
Running from: c:\documents and settings\David Wolf\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David Wolf\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\David Wolf\pdrjx.exe
c:\documents and settings\David Wolf\vek.exe
c:\documents and settings\David Wolf\wfypwm.exe
C:\TARA.SYS
c:\windows\pp1.ex_
c:\windows\services.ex_
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\6.tmp
c:\windows\system32\8.tmp
c:\windows\system32\Drivers\eeethykt.sys
c:\windows\system32\drivers\ethtdxsg.sys
c:\windows\system32\twext.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\David Wolf\pdrjx.exe
c:\documents and settings\David Wolf\vek.exe
c:\documents and settings\David Wolf\wfypwm.exe
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
C:\TARA.SYS
c:\windows\pp1.ex_
c:\windows\services.ex_
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\6.tmp
c:\windows\system32\8.tmp
c:\windows\system32\dllcache\ndis.sys
c:\windows\system32\drivers\ethtdxsg.sys
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe

----- BITS: Possible infected sites -----

hxxp://b9n.org
c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\$NtServicePackUninstall$\explorer.exe --> c:\windows\explorer.exe
c:\windows\$NtServicePackUninstall$\spoolsv.exe --> c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EEETHYKT
-------\Service_eeethykt
-------\Service_ethtdxsg


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 07:05 . 2009-02-13 07:05 <DIR> d-------- C:\_OTMoveIt
2009-02-11 12:35 . 2009-02-11 15:30 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-09 14:21 . 2009-02-11 14:08 <DIR> d-------- C:\SBRESCUE
2009-02-09 14:21 . 2008-10-23 03:09 92,464 --a------ c:\windows\system32\drivers\SBREDrv.sys
2009-02-09 14:21 . 2008-10-28 14:00 59,904 --a------ c:\windows\system32\sbbd.exe
2009-02-02 22:02 . 2009-02-02 22:02 73,216 --a------ c:\windows\system32\nvsvc32.exe
2009-02-02 22:01 . 2009-02-02 22:01 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-02 21:30 . 2009-02-12 20:20 <DIR> d-------- c:\program files\system
2009-01-31 08:13 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-29 13:17 . 2009-01-29 13:17 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-24 17:17 . 2009-01-24 17:17 <DIR> d-------- c:\program files\Wal-Mart
2009-01-24 17:17 . 2009-01-24 17:17 <DIR> d-------- c:\program files\Uniblue
2009-01-24 17:16 . 2009-01-24 17:16 <DIR> d-------- c:\program files\pbi- MyoVision
2009-01-23 07:08 . 2009-01-23 07:08 <DIR> d-------- c:\documents and settings\David Wolf\Application Data\Image Zone Express
2009-01-22 13:20 . 2009-01-22 13:20 <DIR> d-------- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-01-24 23:17 --------- d-----w c:\documents and settings\David Wolf\Application Data\Uniblue
2009-01-23 13:16 --------- d-----w c:\documents and settings\David Wolf\Application Data\Wal-Mart Digital Photo Manager
2009-01-23 13:15 --------- d-----w c:\program files\Common Files\SoftTech InterCorp
2009-01-23 13:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-23 13:07 --------- d-----w c:\program files\HPQ
2009-01-23 12:51 --------- d-----w c:\program files\Bonjour
2009-01-07 19:56 --------- d-----w c:\program files\Report Master
2009-01-07 18:26 --------- d-----w c:\program files\Yahoo SiteBuilder
2009-01-07 18:26 --------- d-----w c:\program files\SmartDraw 7
2009-01-07 18:26 --------- d-----w c:\program files\Google
2009-01-07 18:25 --------- d-----w c:\program files\Bible Navigator
2008-08-26 19:01 93,944 ----a-w c:\documents and settings\David Wolf\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 21:56 3,820,104 ----a-w c:\documents and settings\David Wolf\gosetup.exe
2006-03-31 13:43 0 ----a-w c:\documents and settings\David Wolf\Application Data\wklnhst.dat
2007-05-29 22:35 44,624 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-05-29 22:35 108,192 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-05-29 21:34 49,152 -c--a-w c:\program files\mozilla firefox\plugins\atmccli.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\system ----



------- Sigcheck -------

2004-08-04 02:00 31744 fefd8cfe3cf990487bbaa2e5d10fc29a c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 20c8356a78fdf1cde0caff695174ee4e c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 4fa16dba73657cf724f3bbd1f4b697bd c:\windows\system32\svchost.exe

2008-04-13 18:12 1051136 256d495f482f650bd4900730c5be6f85 c:\windows\explorer.exe
2007-06-13 05:26 1050624 e3e7ed2367a2ad640f48fe34db07429d c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 137600b4178fa9ca9855baa836e9837e c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:00 1049600 16537db0b282d2d47b8631039ab9868c c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1051136 a9e70b0cb90e448e4b7ae468e674caef c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 02:00 32768 e10b51e49472499f910b596ff9baf436 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32768 9c0982ef707211e18ffa042c9534f7f9 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32768 104d1739b5f8b1deb6125f6fabb85b23 c:\windows\system32\ctfmon.exe

2005-06-10 18:17 75264 a1051f1571d5c421e0a821db01125d77 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 0ddda1e4ae8501b631e4c86f4b6e8b61 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:00 75264 68fc3859f829d6fe0c76016c804e33fc c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 18:12 75264 e333ab3c6d3e686d76378bace08b6591 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 75264 718e554d04e03b2f6f3b5e9fe1428972 c:\windows\system32\spoolsv.exe

2004-08-04 02:00 41984 2966f3db9fd7b6f9ff0523f1fb494adc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43520 0f2b7848b45fa7de00239b68ca7cf2dd c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-02 21:15 26112 535f4cc81d4c557425bda42522ce2832 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-13_11.55.30.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 08:00:00 182,656 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2004-08-04 08:00:00 182,912 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
- 2009-02-13 17:45:46 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-13 19:02:27 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-13 17:45:46 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-13 19:02:27 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-13 17:45:46 81,920 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-13 19:02:27 81,920 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-13 19:02:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_380.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 364544]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 749658]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-03 98304]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-07-31 835584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Associate KeepAlive]
--a--c--- 2007-03-28 09:19 49152 c:\program files\Foot Levelers\Foot Analysis System\KeepAlive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 20:26 389186 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-12-13 16:45 528384 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a--c--- 2005-12-12 13:39 114688 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-03 17:19 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 12:23 1208320 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2005-10-28 17:11 700416 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\EduTrader\\EduTrader.exe"=
"c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-31 28544]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-02-09 92464]
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-12-07 09:42]

2009-01-23 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-12-07 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 13:36:14
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2009-02-13 13:38:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 19:38:43
ComboFix2.txt 2009-02-13 17:56:23
ComboFix3.txt 2009-02-13 02:30:26

Pre-Run: 6,963,437,568 bytes free
Post-Run: 6,944,063,488 bytes free

255 --- E O F --- 2009-01-15 14:35:36
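The Sigcheck block in the log above lists, for each core Windows binary, the MD5 of the live copy next to the copies Windows keeps in ServicePackFiles\i386, $NtServicePackUninstall$ and the $hf_mig$ / $NtUninstallKB...$ hotfix folders. When the live copy in system32 (or the Windows root, for explorer.exe) matches none of the backup copies, the file has changed since it was installed and needs checking; that is what the FCopy step earlier in the same log acts on when it restores svchost.exe, explorer.exe and spoolsv.exe from $NtServicePackUninstall$. The Python script below is an added example, not part of the thread or of ComboFix: it parses Sigcheck-formatted lines, groups them by file name and reports a verdict for each live file. The sample lines are constructed in the same layout with made-up hash values, so they do not describe any real file.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's Sigcheck layout: date time size md5 path.
# The 32-hex hashes are made-up placeholders, not values from any real file.
SAMPLE_SIGCHECK = r"""
2004-08-04 02:00 31744 11111111111111111111111111111111 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 22222222222222222222222222222222 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 33333333333333333333333333333333 c:\windows\system32\svchost.exe

2008-04-13 18:12 1051136 44444444444444444444444444444444 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 18:12 1051136 44444444444444444444444444444444 c:\windows\explorer.exe

2008-04-13 18:12 43520 55555555555555555555555555555555 c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-02 21:15 26112 66666666666666666666666666666666 c:\windows\system32\userinit.exe
"""

SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; blank or unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].lower()
            entries.append(e)
    return entries


def is_reference_copy(path):
    """True for the backup/cache locations Windows keeps ($NtServicePackUninstall$,
    $hf_mig$, $NtUninstallKBxxxx$, ServicePackFiles, dllcache); otherwise the path
    is treated as the live copy."""
    parts = path.lower().replace("/", "\\").split("\\")
    return any(p.startswith("$") or p in ("servicepackfiles", "dllcache") for p in parts)


def check_sigcheck(text):
    """Group entries by file name and give each live copy a verdict:
    'match' (hash equals some backup copy), 'mismatch' (equals none) or
    'no-reference' (nothing to compare against). Also notes a size difference."""
    by_name = defaultdict(lambda: {"live": [], "reference": []})
    for e in parse_sigcheck(text):
        name = e["path"].rsplit("\\", 1)[-1].lower()
        side = "reference" if is_reference_copy(e["path"]) else "live"
        by_name[name][side].append(e)

    report = {}
    for name, group in by_name.items():
        ref_hashes = {r["md5"] for r in group["reference"]}
        ref_sizes = {r["size"] for r in group["reference"]}
        for live in group["live"]:  # Sigcheck normally lists one live copy per name
            if not ref_hashes:
                verdict = "no-reference"
            elif live["md5"] in ref_hashes:
                verdict = "match"
            else:
                verdict = "mismatch"
            report[name] = {
                "path": live["path"],
                "verdict": verdict,
                "size_differs": bool(ref_sizes) and live["size"] not in ref_sizes,
            }
    return report


if __name__ == "__main__":
    for name, r in sorted(check_sigcheck(SAMPLE_SIGCHECK).items()):
        note = " (size differs from every backup copy)" if r["size_differs"] else ""
        print(f"{r['verdict']:12} {r['path']}{note}")
```

Read the verdicts with two caveats. A hotfix copy in $hf_mig$ can legitimately differ from the service-pack copy, and a file infector that patches every executable it can reach may have touched the backup folders as well, so "match" is weak reassurance and "mismatch" is a prompt to compare the file against known-good hashes from installation media rather than proof on its own. The size check is the cheap tie-breaker: a system32 binary that is smaller than every backup copy and carries a recent timestamp, as userinit.exe does in the constructed sample, has been replaced rather than merely patched.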

#14 fenzodahl512
  • Members
  • 6,738 posts

Posted 13 February 2009 - 03:34 PM

OK. Looking at your log, I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files. We are looking for a possible Virut infection, and if it is one, then you might have to wipe the machine clean.


Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it with Notepad)

Edited by fenzodahl512, 13 February 2009 - 03:37 PM.



#15 wolfchiro1
  • Topic Starter
  • Members
  • 16 posts

Posted 13 February 2009 - 06:45 PM

I will not be available this weekend, so I will perform the tasks Sunday night or Monday. Thanks for all your help thus far, and have a great weekend!
