Am I infected?


15 replies to this topic

#1 mav253

  • Members
  • 26 posts

Posted 12 February 2009 - 10:11 PM

Today I was on the web when I got this weird pop-up from my Spybot. It asked me to allow changes to the registry, but I denied it. After that the Spybot box kept popping up, about 10 boxes constantly, non-stop, until I had to uninstall it. Then I tried to restore, but it won't let me restore the computer; I have System Restore on. I don't know what to do?



Here is the HijackThis log




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:11 PM, on 2/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ernest\Desktop\MY EXE\Virus tools\Ernest.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [movawimeti] Rundll32.exe "C:\WINDOWS\system32\jelukahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [movawimeti] Rundll32.exe "C:\WINDOWS\system32\jelukahu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211065540434
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211065532043
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: orccwq.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7585 bytes


#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 17 February 2009 - 08:18 PM

hi,

Am I infected


You are. Your log is several days old. If you still need help simply reply to my post.

How Can I Reduce My Risk to Malware?


#3 mav253

  • Topic Starter
  • Members
  • 26 posts

Posted 18 February 2009 - 04:17 PM

Yes, I still need help. What should I do?

#4 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 18 February 2009 - 05:25 PM

OK. First we will use HJT, then get a download to use:

HJT:

Start HJT, click the "Scan" button, check the items below, close any open windows, then click "Fix checked".

O4 - HKUS\S-1-5-19\..\Run: [movawimeti] Rundll32.exe "C:\WINDOWS\system32\jelukahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [movawimeti] Rundll32.exe "C:\WINDOWS\system32\jelukahu.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: orccwq.dll


MBAM: link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
* A restart may be required to finish the clean-up process.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in reply and also a new HJT log.

How Can I Reduce My Risk to Malware?
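The two entries shelf life picks out above are the classic shapes a responder scans a HijackThis log for: a Run value under the LOCAL SERVICE / NETWORK SERVICE hives (HKUS\S-1-5-19, HKUS\S-1-5-20) that launches a DLL through rundll32, and a populated AppInit_DLLs value. The Python script below is an added example, not part of this thread and not HijackThis or Malwarebytes code. It parses a small constructed sample in HJT log format (the flagged lines are copied from the log posted above; the benign lines are typical filler) and applies those heuristics. The tag names, the regexes and the heuristics themselves are my own choices, not anything HijackThis does.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format (not a full log from the
# thread): two benign Run entries, the two service-account Run entries and
# the AppInit_DLLs entry that were singled out above, and one benign service.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [movawimeti] Rundll32.exe "C:\WINDOWS\system32\jelukahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [movawimeti] Rundll32.exe "C:\WINDOWS\system32\jelukahu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: orccwq.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Well-known SIDs of the built-in service accounts (SYSTEM, LOCAL SERVICE,
# NETWORK SERVICE). They never log on interactively, so a Run value under
# their HKU hive exists only to get code loaded, not to start a user's app.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# O4 lines: "O4 - <hive>[\<sid>]\..\Run[Once]: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\(?P<sid>S-1-5-\d+))?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O20 lines: "O20 - AppInit_DLLs: <dll list>"
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')


@dataclass
class Finding:
    line: str        # the original log line
    tags: list       # which heuristics fired (tag names are my own)


def triage(log_text):
    """Return the log lines that match one of three heuristics:
    a Run value under a service-account hive, rundll32 used as the launcher,
    or a non-empty AppInit_DLLs value (loaded into every process that maps
    user32.dll, so it is rarely legitimate on a home PC)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tags = []
        m = O4_RE.match(line)
        if m:
            if m.group("sid") in SERVICE_SIDS:
                tags.append("service-account-run")
            if m.group("cmd").lower().startswith("rundll32"):
                tags.append("rundll32-loader")
        m20 = O20_RE.match(line)
        if m20 and m20.group("dlls").strip():
            tags.append("appinit-dll")
        if tags:
            findings.append(Finding(line, tags))
    return findings


def referenced_files(findings):
    """Collect the DLLs/paths the flagged entries load, i.e. what to look at
    (or submit for scanning) after the registry entries are removed."""
    files = set()
    for f in findings:
        m20 = O20_RE.match(f.line)
        if m20:
            files.update(d for d in re.split(r"[,\s]+", m20.group("dlls")) if d)
        else:
            files.update(QUOTED_RE.findall(f.line))
    return files


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(", ".join(h.tags).ljust(36), h.line)
    print("files referenced:", sorted(referenced_files(hits)))
```

Run as-is it prints the three flagged lines (the list you would tick under "Fix checked") and the two files they load, which is what you want quarantined or scanned once the registry entries are gone. The heuristics only cover what the log shows: a clean result here says nothing about files that never registered a Run or AppInit entry, which is why the thread goes on to a full MBAM scan rather than stopping at HJT.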


#5 mav253

  • Topic Starter
  • Members
  • 26 posts

Posted 18 February 2009 - 09:45 PM

OK, I did it, but your link to the MBAM site does not work, or the servers are just down. I have MBAM already, but I could not update it. I removed the three items using HJT and then did a full scan using MBAM, and these are my results...



MBAM Log



Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/18/2009 9:32:59 PM
mbam-log-2009-02-18 (21-32-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 129123
Time elapsed: 26 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






HJT Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:03 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ernest\Desktop\MY EXE\Virus tools\Ernest.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211065540434
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211065532043
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7444 bytes

#6 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 18 February 2009 - 10:03 PM

hi,

OK, good. Not a whole lot there, maybe just some leftovers from previous malware. Are you having any of the possible signs of malware?

http://www.virusvault.us/signs1.html

How Can I Reduce My Risk to Malware?


#7 mav253

  • Topic Starter
  • Members
  • 26 posts

Posted 19 February 2009 - 04:17 PM

No, I don't think so, but how do I get rid of "leftovers from previous malware"? Would the leftovers be a problem in the future?

#8 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 19 February 2009 - 04:40 PM

hi,

You just got rid of them by using HJT. The leftovers wouldn't be a problem in the future. Your best bet would be to practice safe computing: keep all your anti-malware, your AV and Windows updated. Your scanning frequency is really a function of your computing habits. MBAM must be updated manually; the paid version offers auto updates.

FYI: There is plenty of malware distributed on P2P networks.

Some tips for safe computing:

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" possible vulnerabilities.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated, they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via e-mail, IM, chat rooms or social sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop-ups or offers from websites telling you that you need to install software on your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and know the limitations of a software firewall.

9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include warez, cracks etc., or you install files via P2P networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version is in the link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?


#9 mav253

  • Topic Starter
  • Members
  • 26 posts

Posted 19 February 2009 - 05:01 PM

OK, I try to update my Malwarebytes' Anti-Malware but it won't let me; it says "update failed". Do you know why this is? And I try to install Spybot but it won't let me; it shows an error.

Edited by mav253, 19 February 2009 - 05:14 PM.


#10 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 19 February 2009 - 09:22 PM

Hi mav253,

Does your Ad-Aware and antivirus update OK? For MBAM you can download and install the latest definition files from this link:

http://www.gt500.org/malwarebytes/database.jsp

Afterwards, do a full system scan and post the MBAM log.

Can you post the error you're getting with Spybot?

How Can I Reduce My Risk to Malware?


#11 mav253

  • Topic Starter
  • Members
  • 26 posts

Posted 19 February 2009 - 09:55 PM

It won't let me update Ad-Aware either. This is the message I get when trying to update Ad-Aware: "connection error, check your settings." For my antivirus I had Windows Defender; that also didn't update. I uninstalled it and got a new antivirus software named Avast; it updates OK.


Now for Spybot: I installed it before I got the malware and it worked, but then when I was infected all these boxes were popping up non-stop from Spybot asking if I want to make changes to my registry, so I got annoyed and uninstalled it. Then I tried to reinstall it; it did not let me.... The error message says this: "Error sending request. A connection with the server could not be established".


Your link for updating MBAM took me to a page, but I did not see the link to download it.

MBAM Log



Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/19/2009 10:41:29 PM
mbam-log-2009-02-19 (22-41-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123170
Time elapsed: 24 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by mav253, 19 February 2009 - 10:43 PM.


#12 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 20 February 2009 - 07:56 AM

OK, we will get another download to use. It's called ComboFix. It will be another check for malware. There is a guide you need to read first which will explain a few things. Read through the guide, download ComboFix and save it to your desktop. Disable any AV etc. as explained in the guide, double-click the icon and follow the prompts. Post the ComboFix log.
The guide:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#13 mav253

  • Topic Starter
  • Members
  • 26 posts

Posted 20 February 2009 - 04:04 PM

OK, here is the log




ComboFix 09-02-19.01 - Ernest 2009-02-20 15:56:32.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.252 [GMT -5:00]
Running from: c:\documents and settings\Ernest\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090220-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\XPPoliceAntivirus
c:\program files\XPPoliceAntivirus\Plugins\ceva_dll.cvd
c:\program files\XPPoliceAntivirus\Plugins\ceva_emu.cvd
c:\program files\XPPoliceAntivirus\Plugins\ceva_vfs.cvd
c:\program files\XPPoliceAntivirus\Plugins\ceva_vfs.ivd
c:\program files\XPPoliceAntivirus\Plugins\cevakrnl.cvd
c:\program files\XPPoliceAntivirus\Plugins\cevakrnl.ivd
c:\program files\XPPoliceAntivirus\Plugins\cevakrnl.rvd
c:\program files\XPPoliceAntivirus\Plugins\cookie.cvd
c:\program files\XPPoliceAntivirus\Plugins\cran.cvd
c:\program files\XPPoliceAntivirus\Plugins\cran.ivd
c:\program files\XPPoliceAntivirus\Plugins\e_spyw.cvd
c:\program files\XPPoliceAntivirus\Plugins\e_spyw.ivd
c:\program files\XPPoliceAntivirus\Plugins\emalware.ivd
c:\program files\XPPoliceAntivirus\Plugins\gvmscripts.cvd
c:\program files\XPPoliceAntivirus\Plugins\hpe.cvd
c:\program files\XPPoliceAntivirus\Plugins\java.cvd
c:\program files\XPPoliceAntivirus\Plugins\mdx_97.cvd
c:\program files\XPPoliceAntivirus\Plugins\mdx_97.ivd
c:\program files\XPPoliceAntivirus\Plugins\mdx_w95.cvd
c:\program files\XPPoliceAntivirus\Plugins\mdx_x95.cvd
c:\program files\XPPoliceAntivirus\Plugins\mdx_xf.cvd
c:\program files\XPPoliceAntivirus\Plugins\mobmalware.cvd
c:\program files\XPPoliceAntivirus\Plugins\na.cvd
c:\program files\XPPoliceAntivirus\Plugins\nelf.cvd
c:\program files\XPPoliceAntivirus\Plugins\regarch.cvd
c:\program files\XPPoliceAntivirus\Plugins\regscan.cvd
c:\program files\XPPoliceAntivirus\Plugins\rup.cvd
c:\program files\XPPoliceAntivirus\Plugins\sdx.cvd
c:\program files\XPPoliceAntivirus\Plugins\sdx.ivd
c:\program files\XPPoliceAntivirus\Plugins\unpack.cvd
c:\program files\XPPoliceAntivirus\Plugins\unpack.ivd
c:\program files\XPPoliceAntivirus\Plugins\vb0.dat
c:\program files\XPPoliceAntivirus\Plugins\vb1.dat
c:\program files\XPPoliceAntivirus\Plugins\vb2.dat
c:\program files\XPPoliceAntivirus\Plugins\ve.cvd
c:\program files\XPPoliceAntivirus\Plugins\ve.ivd
c:\program files\XPPoliceAntivirus\Plugins\vedata.cvd
c:\program files\XPPoliceAntivirus\setup.dat
c:\program files\XPPoliceAntivirus\sounds\alert.wav
c:\program files\XPPoliceAntivirus\sounds\click.wav
c:\program files\XPPoliceAntivirus\sounds\fire.wav
c:\windows\system32\drivers\gaopdxkyxevdlb.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxrulrtndj.dll
c:\windows\system32\kipilopa.dll
c:\windows\system32\orccwq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-19 19:00 . 2009-02-19 19:00 <DIR> d-------- c:\program files\Alwil Software
2009-02-18 17:53 . 2009-02-18 17:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 17:53 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 17:53 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-17 16:40 . 2009-02-17 16:41 <DIR> d-------- c:\program files\Disk Cleaner
2009-02-12 17:47 . 2009-02-12 17:56 <DIR> d-------- c:\documents and settings\Ernest\Application Data\GTunnel
2009-02-09 21:46 . 2004-08-04 02:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-08 21:29 . 2009-02-08 21:29 <DIR> d-------- C:\vcs5core
2009-02-08 21:29 . 2009-02-08 21:29 <DIR> d-------- C:\vcs5BGEffects
2009-02-08 21:29 . 2009-02-08 21:29 <DIR> d-------- C:\AV_LOGS
2009-02-06 21:51 . 2009-02-06 21:51 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-04 20:47 . 2009-02-04 20:47 936,960 --a------ c:\windows\system32\rn.tmp
2009-02-04 17:07 . 2009-02-04 17:00 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-04 17:00 . 2009-02-04 17:00 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-04 16:58 . 2009-02-04 16:58 <DIR> d-------- c:\program files\Lavasoft
2009-02-04 16:58 . 2009-02-04 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-04 16:53 . 2009-02-04 16:58 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-04 16:36 . 2009-02-04 16:36 <DIR> d-------- c:\program files\Uniblue
2009-02-02 20:36 . 2009-02-02 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-02-01 13:35 . 2009-02-03 18:49 <DIR> d-------- c:\program files\HTV
2009-02-01 13:17 . 2009-02-04 15:58 <DIR> d-------- c:\program files\LogMeIn
2009-02-01 13:17 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-02-01 13:17 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-02-01 13:17 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-02-01 13:17 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-01-31 20:27 . 2009-01-31 20:27 <DIR> d-------- c:\program files\Advanced IP Scanner
2009-01-29 17:04 . 2009-02-03 19:31 <DIR> d-------- c:\program files\World of Warcraft Trial
2009-01-29 17:04 . 2009-01-29 17:04 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-01-23 21:39 . 2009-01-23 21:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-20 22:13 . 2009-01-20 22:14 <DIR> d-------- c:\program files\iTunes
2009-01-20 22:13 . 2009-01-20 22:13 <DIR> d-------- c:\program files\iPod
2009-01-20 22:13 . 2009-01-20 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-20 21:58 . 2009-01-20 21:58 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 21:58 . 2009-01-20 21:58 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 20:51 --------- d-----w c:\documents and settings\Ernest\Application Data\DNA
2009-02-20 20:29 --------- d-----w c:\program files\DNA
2009-02-20 20:27 --------- d-----w c:\program files\Ulead Systems
2009-02-20 01:50 --------- d-----w c:\program files\BlueVoda Website Builder
2009-02-20 01:46 --------- d-----w c:\program files\LimeWire
2009-02-20 01:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 01:42 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-02-20 01:42 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-17 21:21 --------- d---a-w c:\documents and settings\All Users\Application Data\Temp
2009-02-13 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-09 20:36 --------- d-----w c:\documents and settings\Ernest\Application Data\U3
2009-02-07 03:58 --------- d-----w c:\documents and settings\Ernest\Application Data\uTorrent
2009-02-01 18:03 --------- d-----w c:\program files\TightVNC
2009-01-31 03:08 --------- d-----w c:\program files\DivX
2009-01-24 02:40 --------- d-----w c:\program files\Eusing Free Registry Cleaner
2009-01-24 02:38 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-24 02:17 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-24 02:13 --------- d-----w c:\program files\Java
2009-01-21 03:18 --------- d-----w c:\program files\Bonjour
2009-01-21 03:12 --------- d-----w c:\program files\QuickTime
2009-01-19 18:47 --------- d-----w c:\documents and settings\Ernest\Application Data\Malwarebytes
2009-01-19 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-17 21:09 --------- d-----w c:\documents and settings\Ernest\Application Data\Ahead
2009-01-17 21:05 --------- d-----w c:\program files\Ahead
2009-01-17 21:04 --------- d-----w c:\program files\Common Files\Ahead
2009-01-15 21:55 --------- d-----w c:\program files\CleanMyPC
2009-01-14 23:50 --------- d-----w c:\program files\Tickerbar
2009-01-14 20:22 --------- d-----w c:\program files\Apple Software Update
2009-01-14 01:00 --------- d-----w c:\documents and settings\Ernest\Application Data\BitTorrent
2009-01-11 06:22 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-11 06:19 --------- d-----w c:\program files\Common Files\Adobe
2009-01-11 06:06 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-01-10 15:56 --------- d-----w c:\documents and settings\Ernest\Application Data\DivX
2009-01-09 02:29 --------- d-----w c:\program files\Ad-Aware SE Personal
2009-01-09 02:28 --------- d-----w c:\program files\Total Video Converter
2009-01-09 02:28 --------- d-----w c:\program files\America's Army Deploy Client
2009-01-09 01:32 --------- d-----w c:\documents and settings\Ernest\Application Data\Canneverbe_Limited
2009-01-09 01:32 --------- d-----w c:\documents and settings\Ernest\Application Data\Apple Computer
2009-01-09 01:32 --------- d-----w c:\documents and settings\Ernest\Application Data\acccore
2008-12-23 03:47 --------- d-----w c:\documents and settings\Ernest\Application Data\CyberLink
2008-12-23 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-23 03:43 505,128 ----a-w c:\windows\system32\msvcp71.dll
2008-12-23 03:43 353,576 ----a-w c:\windows\system32\msvcr71.dll
2008-12-23 03:43 29,480 ----a-w c:\windows\system32\msxml3a.dll
2008-12-23 00:30 --------- d-----w c:\program files\BitTorrent
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-11-27 01:03 202,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-25 20:39 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-07-07 20:27 73,784 ----a-w c:\documents and settings\Ernest\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 18:30 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-16 5724184]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-20 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-04 509784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 c:\windows\alcwzrd.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Ernest^Start Menu^Programs^Startup^Cashfiesta.lnk]
backup=c:\windows\pss\Cashfiesta.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-04 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-19 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-01 47640]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2008-07-02 45344]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-06-04 29184]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2721f4-247f-11dd-bbbd-0011d8324ece}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nircmd.exe execmd CALL batexe\progstart.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5059c536-836c-11dd-bca2-0011d8324ece}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-04 17:00]

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = local;*.local
IE: Add all items to the auction list - c:\program files\RKD\AuctionNavigator\BidCtxtClick.dll/202
IE: Add this item to the auction list - c:\program files\RKD\AuctionNavigator\BidCtxtClick.dll/201
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ernest\Application Data\Mozilla\Firefox\Profiles\vhmzrbj8.default\
FF - prefs.js: browser.search.selectedEngine - Winzy
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\documents and settings\Ernest\Application Data\Mozilla\Firefox\Profiles\vhmzrbj8.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 15:58:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\LMIinit.dll
.
Completion time: 2009-02-20 16:00:27
ComboFix-quarantined-files.txt 2009-02-20 21:00:06
ComboFix2.txt 2009-01-24 02:24:41

Pre-Run: 105,299,345,408 bytes free
Post-Run: 105,317,957,632 bytes free

266 --- E O F --- 2009-02-11 20:45:15

#14 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:06:28 PM

Posted 20 February 2009 - 05:56 PM

Hi,

OK, good. ComboFix removed some items. I am surprised, really, because I have XPPolice on my malware machine and MBAM did a good job of cleaning it up. Maybe it is a new scareware just added to the MBAM database, or you may have a variation of the malware. Looks like you had more "installed" than I did. Anyway, try updating MBAM now and see if that works.

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3

2/20/2009 4:37:26 PM
mbam-log-2009-02-20 (16-37-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 60763
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 14

Memory Processes Infected:
C:\Program Files\XPPoliceAntivirus\xppolice.exe (Rogue.XPPoliceAntivirus) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wingdiapp.wingdi (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wingdiapp.wingdi.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12c7290a-157b-4f43-b109-97e792c598ed} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

etc........

I have a shot of it on my webpage also:
http://www.virusvault.us/prevention1.html

How Can I Reduce My Risk to Malware?


#15 mav253

mav253
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 20 February 2009 - 07:38 PM

Oh, OK.

So I updated MBAM and it works now. I also updated my Ad-Aware, and Spybot I finally got working again; I downloaded it and updated it. I think my programs can update again, thanks. Is there anything else I need to do?



