400,000 emails sent from my zombied BT account


This topic is locked
10 replies to this topic

#1 jazzhandz


Posted 14 February 2009 - 08:48 AM

UPDATE - just got a virus alert from BitDefender:
Trivial.27.F - BitDefender could not disinfect, delete or quarantine this. Access has been denied.

Unfortunately, I don't know the name of the spyware/trojan/malware responsible for the problem. 2 weeks ago 350k emails were sent from my account and my internet provider suspended the service. I scanned with Spyware Doctor and removed some trojans, but the problem has returned (or more likely was never properly cleaned) with another 400k emails sent. Any help would be much appreciated! I'm including my DDS scan below. Many thanks -


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jeff at 13:18:36.75 on 14/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1015 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\clclean.0001
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 2\lightroom.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BT Home Hub\Help\bin\BTHelp.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jeff\Desktop\bitdefender_totalsecurity_2009_32b.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\IXP000.TMP\setup.exe
C:\Documents and Settings\Jeff\Desktop\dds.scr
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061102
mDefault_Page_URL = hxxp://home.bt.yahoo.com
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page =
mStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061102
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [eyeBeam SIP Client]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jeff\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Motive SmartBridge] c:\progra~1\bthome~1\help\smartb~1\BTHelpNotifier.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [Qdahaqegayuxox] rundll32.exe "c:\windows\etiqohuwudehibe.dll",e
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\jeff\locals~1\temp\ixp000.tmp\"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jeff\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt home hub\help\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monaco~2.lnk - c:\program files\monaco systems\monacooptix 2.0\MonacoGamma.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monaco~1.lnk - c:\program files\monaco systems\monacooptix 2.0\Monaco Reminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: qoMcaXRj - qoMcaXRj.dll
Notify: qumizzhr - qumizzhr.dll
AppInit_DLLs: xazufq.dll acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqRJcya

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeff\applic~1\mozilla\firefox\profiles\ooikau72.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\documents and settings\jeff\application data\mozilla\firefox\profiles\ooikau72.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\jeff\application data\mozilla\firefox\profiles\ooikau72.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\jeff\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPEyeCheck.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {752BC388-563A-4460-AEF3-19595082D86D} - c:\documents and settings\jeff\local settings\application data\{752BC388-563A-4460-AEF3-19595082D86D}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [2008-12-25 18432]
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2007-5-28 16384]
R0 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2008-1-19 7040]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-24 40840]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-6-5 11264]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-24 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-24 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-17 201320]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-28 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-17 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-2-17 144704]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\m-audio\mobilepre\install\MPInst.exe [2007-11-11 49152]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-24 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-24 1079176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-26 24652]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2008-1-19 12928]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-1-28 33792]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2007-1-30 29312]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-6-5 33792]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-17 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-17 35240]
R3 pae_1394;pae_1394;c:\windows\system32\drivers\pae_1394.sys [2007-1-22 111616]
R3 pae_avs;pae_avs;c:\windows\system32\drivers\pae_avs.sys [2007-1-22 27136]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2007-7-1 272128]
S0 ati0lbxx;ati0lbxx;c:\windows\system32\drivers\ati0lbxx.sys --> c:\windows\system32\drivers\ati0lbxx.sys [?]
S0 ati1tcxx;ati1tcxx;c:\windows\system32\drivers\ati1tcxx.sys --> c:\windows\system32\drivers\ati1tcxx.sys [?]
S0 ati2jyxx;ati2jyxx;c:\windows\system32\drivers\ati2jyxx.sys --> c:\windows\system32\drivers\ati2jyxx.sys [?]
S0 ati4mcxx;ati4mcxx;c:\windows\system32\drivers\ati4mcxx.sys --> c:\windows\system32\drivers\ati4mcxx.sys [?]
S0 ati8raxx;ati8raxx;c:\windows\system32\drivers\ati8raxx.sys --> c:\windows\system32\drivers\ati8raxx.sys [?]
S0 ati8xpxx;ati8xpxx;c:\windows\system32\drivers\ati8xpxx.sys --> c:\windows\system32\drivers\ati8xpxx.sys [?]
S1 ethnxdjq;ethnxdjq;c:\windows\system32\drivers\ethnxdjq.sys [2009-1-21 138016]
S3 ati4kaxx;ati4kaxx;\??\c:\windows\system32\drivers\ati4kaxx.sys --> c:\windows\system32\drivers\ati4kaxx.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-2-16 13352]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2007-1-30 609408]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2007-11-11 32000]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-17 695624]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-17 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-17 40488]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [2007-5-26 14936]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-01-31 17:41 <DIR> --d----- c:\program files\BeatPack
2009-01-25 13:20 <DIR> --d----- c:\program files\Imagenomic
2009-01-24 20:36 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-24 20:36 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-24 20:36 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-24 20:36 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-24 20:36 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-24 20:36 <DIR> --d----- c:\docume~1\jeff\applic~1\PC Tools
2009-01-24 16:51 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-24 16:50 <DIR> --d----- c:\documents and settings\jeff\.housecall6.6
2009-01-24 16:00 7,091 a------- c:\windows\Idihadiwox.dat
2009-01-24 12:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-22 21:26 <DIR> --d----- C:\VundoFix Backups
2009-01-21 22:58 135,680 a----r-- c:\windows\etiqohuwudehibe.dll
2009-01-21 22:56 <DIR> --d----- c:\docume~1\jeff\applic~1\McAfee
2009-01-21 22:48 138,016 a------- c:\windows\system32\drivers\ethnxdjq.sys
2009-01-21 22:25 115 a------- C:\Thunbs.db
2009-01-21 22:22 441 a------- c:\windows\system32\TDSSieef.dat
2009-01-21 22:21 2 a------- C:\1477241921
2009-01-19 20:52 <DIR> --d----- c:\docume~1\jeff\applic~1\Spotify
2009-01-19 20:52 <DIR> --d----- c:\program files\Spotify
2009-01-15 21:10 93,302 a------- c:\windows\News Rover Uninstaller.exe

==================== Find3M ====================

2009-01-22 21:19 14,336 a------- c:\windows\system32\svchost.exe
2009-01-22 21:19 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-06-14 07:11 418 a------- c:\docume~1\jeff\applic~1\wklnhst.dat
2006-11-19 00:23 88 ---shr-- c:\windows\system32\26E7D1E349.sys
2006-12-21 22:32 88 ---shr-- c:\windows\system32\68286C64E7.sys
2008-11-04 18:46 768,155 a--sh--- c:\windows\system32\aycJRqss.ini2
2006-12-21 22:33 9,542 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-25 21:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 13:19:57.93 ===============

Edited by jazzhandz, 15 February 2009 - 05:07 AM.
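The DDS log above shows several persistence locations carrying oddly named DLLs (a rundll32 entry loading a DLL from the Windows root, bare-name Winlogon Notify DLLs, a populated AppInit_DLLs value and an extra LSA authentication package). As an added example that is not part of the thread or of the DDS tool, this Python triage script re-scans the Pseudo HJT Report lines for exactly those patterns; the sample log is constructed from lines in the post, and the baselines it assumes (msv1_0 as the only expected XP authentication package, DLLs normally living in a real directory rather than as bare names or in the Windows root) are heuristics, not an authoritative rule set.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for abused persistence points.

Added example, not part of the thread or of the DDS tool. The sample log is
constructed from lines in the posted scan; the 'normal' baselines below are
assumptions about a stock Windows XP install, not an authoritative rule set.
"""
import re

# Constructed sample: lines copied from the posted DDS log plus benign neighbours.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Qdahaqegayuxox] rundll32.exe "c:\windows\etiqohuwudehibe.dll",e
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: qoMcaXRj - qoMcaXRj.dll
Notify: qumizzhr - qumizzhr.dll
AppInit_DLLs: xazufq.dll acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqRJcya
"""

# Assumed baseline: the only authentication package a stock XP box registers.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
WINDOWS_ROOT = "c:\\windows\\"

RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)


def is_bare_filename(path):
    """True when the entry names a file with no directory component at all."""
    return "\\" not in path and "/" not in path


def check_rundll(cmd):
    """Reasons a rundll32 autostart looks odd; empty list if fine or not rundll32."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return []
    dll = m.group("dll").strip().lower()
    export = (m.group("export") or "").strip()
    reasons = []
    # Legitimate rundll32 autostarts load from system32 or a program directory,
    # not from a file dropped straight into c:\windows.
    if dll.startswith(WINDOWS_ROOT) and "\\" not in dll[len(WINDOWS_ROOT):]:
        reasons.append("DLL sits directly in the Windows directory")
    # Real exports have descriptive names (NvStartup, MBMon); a single letter is unusual.
    if len(export) <= 1:
        reasons.append("export name is empty or a single character")
    return reasons


def triage(log_text):
    """Return a list of {'line', 'reason'} findings for the suspicious HJT lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = check_rundll(m.group("cmd") or "")
            if reasons:
                findings.append({"line": line, "reason": "; ".join(reasons)})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at every logon; a bare
            # filename (resolved via the search path) is a classic hiding spot.
            if is_bare_filename(m.group("path")):
                findings.append({"line": line,
                                 "reason": "Winlogon Notify DLL given as a bare filename: "
                                           + m.group("path")})
            continue
        if line.startswith("AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].split()
            if dlls:
                findings.append({"line": line,
                                 "reason": "AppInit_DLLs is populated (each DLL is loaded into "
                                           "every user32-linked process): " + ", ".join(dlls)})
            continue
        if line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() not in KNOWN_AUTH_PACKAGES]
            if extra:
                findings.append({"line": line,
                                 "reason": "unexpected LSA authentication package(s): "
                                           + ", ".join(extra)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['line']}\n    -> {f['reason']}")
```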


#2 Thunder


Posted 15 February 2009 - 07:21 AM

Hello Jazzhandz and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 jazzhandz


Posted 17 February 2009 - 05:39 PM

Many thanks for your reply Thunder. I downloaded GooredFix (and saved to desktop w/o problem) but hit a snag trying to download ComboFix:

C:\Documents and Settings\Jeff\Desktop\ComboFix.exe could not be saved, because you cannot change the contents of that folder.
Change the folder properties and try again, or try saving in a different location.

#4 Thunder


Posted 18 February 2009 - 05:35 PM

Hello Jazzhandz,

Did you download ComboFix to your desktop first, before trying to open it?
If downloading to your desktop doesn't work, try another location like "My Documents".
I guess you were using Firefox?
Did you attempt the download with IE as well?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#5 jazzhandz


Posted 26 February 2009 - 05:34 PM

Here is the GooredFix log:

GooredFix v1.91 by jpshortstuff
Log created at 21:38 on 26/02/2009 running Option #2 (Jeff)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{752BC388-563A-4460-AEF3-19595082D86D}"="C:\Documents and Settings\Jeff\Local Settings\Application Data\{752BC388-563A-4460-AEF3-19595082D86D}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Jeff\Local Settings\Application Data\{752BC388-563A-4460-AEF3-19595082D86D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"FFToolbar@bitdefender.com"="C:\Program Files\BitDefender\BitDefender 2009\FFToolbar\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

==========================

...am about to run ComboFix.

#6 jazzhandz


Posted 27 February 2009 - 03:48 AM

Here is my ComboFix log:


ComboFix 09-02-26.01 - Jeff 2009-02-26 23:03:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1386 [GMT 0:00]
Running from: c:\documents and settings\Jeff\Desktop\combofix-folder\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *disabled*
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.
ADS - svchost.exe: deleted 32256 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc10F.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc1128.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc12D5.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc158.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc1613.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc19AC.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc1A68.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc1C8.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc1D77.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc1E3.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc209A.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc21D.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc26E.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc2B5.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc31D.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc406.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc4A.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc4A0.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc4AB.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc4B.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc532.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc62B.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc6F7.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc72B.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc949.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mcc9BD.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mccB2.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mccB3.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mccB8D.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mccC5.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mccDE.tmp
c:\documents and settings\Jeff\Local Settings\Temporary Internet Files\mccF16.tmp
c:\windows\system32\aycJRqss.ini
c:\windows\system32\aycJRqss.ini2
c:\windows\system32\TDSSieef.dat
c:\windows\system32\TDSSuyik.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF
-------\Legacy_ISODRIVE
-------\Legacy_PACKET
-------\Service_ISODrive


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-26 18:28 . 2009-02-26 18:29 407 --a------ c:\windows\system32\BDUpdateV1.xml
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\program files\AIM Toolbar
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-02-15 16:58 . 2009-02-15 17:04 <DIR> d-------- c:\program files\AIM6
2009-02-14 14:03 . 2009-02-26 23:14 81,984 --a------ c:\windows\system32\bdod.bin
2009-02-14 13:54 . 2009-02-14 13:54 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-02-14 13:54 . 2009-02-14 13:54 385 --a------ c:\windows\system32\user_gensett.xml
2009-02-14 13:24 . 2009-02-14 13:24 <DIR> d-------- c:\windows\system32\logs
2009-02-14 13:24 . 2009-02-14 13:24 <DIR> d-------- c:\documents and settings\Jeff\Application Data\BitDefender
2009-02-14 13:23 . 2009-02-14 13:24 <DIR> d-------- c:\program files\BitDefender
2009-02-14 13:23 . 2009-02-14 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-02-14 13:21 . 2009-02-14 13:24 <DIR> d-------- c:\program files\Common Files\BitDefender
2009-02-03 17:03 . 2009-02-03 17:03 104,328 --a------ c:\windows\system32\drivers\bdfndisf.sys
2009-01-31 17:41 . 2009-02-02 11:43 <DIR> d-------- c:\program files\BeatPack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 23:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 17:54 --------- d-----w c:\program files\Spyware Doctor
2009-02-26 03:14 --------- d-----w c:\program files\McAfee
2009-02-26 03:12 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-17 22:41 --------- d-----w c:\documents and settings\Jeff\Application Data\Spotify
2009-02-15 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-15 16:59 --------- d-----w c:\program files\Common Files\AOL
2009-02-15 12:50 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-25 18:58 --------- d-----w c:\documents and settings\Jeff\Application Data\Imagenomic
2009-01-25 18:45 --------- d-----w c:\program files\NewsRover
2009-01-25 13:20 --------- d-----w c:\program files\Imagenomic
2009-01-24 20:36 --------- d-----w c:\documents and settings\Jeff\Application Data\PC Tools
2009-01-24 16:50 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-01-24 12:20 --------- d-----w c:\program files\Trend Micro
2009-01-21 22:58 135,680 ----a-r c:\windows\etiqohuwudehibe.dll
2009-01-21 22:56 --------- d-----w c:\documents and settings\Jeff\Application Data\McAfee
2009-01-21 22:48 --------- d-----w c:\program files\Common Files\Motive
2009-01-19 20:52 --------- d-----w c:\program files\Spotify
2009-01-15 21:10 93,302 ----a-w c:\windows\News Rover Uninstaller.exe
2009-01-11 20:28 --------- d-----w c:\documents and settings\Jeff\Application Data\Ulead Systems
2009-01-10 17:59 --------- d-----w c:\program files\BookSmart
2009-01-10 16:07 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-08 01:36 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2009-01-08 01:34 --------- d-----w c:\program files\Windows Media Components
2009-01-08 01:34 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-01-08 01:33 --------- d-----w c:\program files\Corel
2009-01-03 23:56 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2007-06-14 07:11 418 ----a-w c:\documents and settings\Jeff\Application Data\wklnhst.dat
2008-12-16 17:52 61,440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
2006-11-19 00:23 88 --sh--r c:\windows\system32\26E7D1E349.sys
2006-12-21 22:32 88 --sh--r c:\windows\system32\68286C64E7.sys
2006-12-21 22:33 9,542 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-25 21:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102520081026\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-02 26112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-03-18 184320]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 61440]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2005-11-09 91136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"Qdahaqegayuxox"="c:\windows\etiqohuwudehibe.dll" [2009-01-21 135680]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-01-09 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-12 622653]
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2007-01-07 217088]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2007-05-26 102400]
MonacoReminder.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe [2007-05-26 176128]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2007-07-01 1261568]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-11-02 532480]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-23 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-04-27 10:30 53248 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
"VIDC.NSVI"= nsvideo.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [2008-12-25 18432]
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2007-05-28 16384]
R0 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2008-01-19 7040]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-06-05 11264]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-10-06 82696]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-28 206096]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio\MobilePre\Install\MPInst.exe [2007-11-11 49152]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-24 356920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-26 24652]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-02-03 104328]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2008-01-19 12928]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-01-28 33792]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2007-01-30 29312]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-06-05 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2007-07-01 272128]
S1 ethnxdjq;ethnxdjq;c:\windows\system32\drivers\ethnxdjq.sys --> c:\windows\system32\drivers\ethnxdjq.sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-02-16 13352]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2007-01-30 609408]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2007-11-11 32000]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [2007-05-26 14936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87672079-d1ff-11dd-92ad-00146cf069b5}]
\Shell\AutoRun\command - w:\.\RapidBlogManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6821EF1-EF0A-8551-DD77-453A0A7FC41F}]
c:\windows\system32\microsoft\microsoft.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1696680999-1869049101-1325769822-1005.job
- c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 16:12]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-eyeBeam SIP Client - (no file)
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Logitech BT Wizard - LBTWiz.exe
Notify-qoMcaXRj - qoMcaXRj.dll
Notify-qumizzhr - qumizzhr.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061102
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\ooikau72.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\ooikau72.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\ooikau72.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPEyeCheck.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 23:11:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1436)
c:\windows\system32\RtlGina2.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\SetPoint\LBTWiz.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Jeff\LOCALS~1\temp\clclean.0001
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\BT Home Hub\Help\bin\mpbtn.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-02-26 23:32:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-26 23:31:28

Pre-Run: 25,520,840,704 bytes free
Post-Run: 25,846,763,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

343 --- E O F --- 2009-02-26 21:48:06

#7 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 27 February 2009 - 03:41 PM

Hello Jazzhandz,

Please don't run 2 antivirus programs simultaneously; it's not advisable.
I suggest for now that you remove McAfee through Control Panel > Software.

Then, let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
File::
c:\windows\etiqohuwudehibe.dll
c:\windows\system32\26E7D1E349.sys
c:\windows\system32\68286C64E7.sys
c:\windows\system32\drivers\ethnxdjq.sys
Driver::
ethnxdjq
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qdahaqegayuxox"=-

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
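As an added example (not code from this thread, from ComboFix or from the helper), here is a small Python triage script that parses a few ComboFix log lines constructed from the log above, applies the kind of checks the helper made by eye (hidden+system loose files in system32, a DLL in the Windows root autostarted from a Run key, a driver service whose file ComboFix could not find), and drafts a CFScript in the File::/Driver::/Registry:: layout shown in the post for an analyst to review before use. The heuristics are assumptions drawn from this thread, not a ComboFix specification.

```python
"""Triage a ComboFix log excerpt and draft a CFScript from the findings.
Added example for this thread; heuristics are illustrative assumptions that
mirror what the helper picked out by eye. The draft is for analyst review."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2009-01-21 22:58 135,680 ----a-r c:\windows\etiqohuwudehibe.dll
2006-11-19 00:23 88 --sh--r c:\windows\system32\26E7D1E349.sys
2006-12-21 22:32 88 --sh--r c:\windows\system32\68286C64E7.sys
2009-01-24 16:50 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"Qdahaqegayuxox"="c:\windows\etiqohuwudehibe.dll" [2009-01-21 135680]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-01-09 741376]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-02-03 104328]
S1 ethnxdjq;ethnxdjq;c:\windows\system32\drivers\ethnxdjq.sys --> c:\windows\system32\drivers\ethnxdjq.sys [?]
"""

# Line shapes seen in the log: Find3M file entries, key headers, Run values, services.
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|-+) ([-a-z]{7}) (c:\\.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.*)$")


@dataclass
class Findings:
    files: list = field(default_factory=list)     # paths for the File:: section
    drivers: list = field(default_factory=list)   # service names for Driver::
    registry: dict = field(default_factory=dict)  # key -> value names for Registry::
    reasons: list = field(default_factory=list)   # audit trail of why each item was flagged

    def add_file(self, path, why):
        if path.lower() not in [p.lower() for p in self.files]:
            self.files.append(path)
        self.reasons.append(f"{path}: {why}")


def is_windows_root_dll(path):
    """True for a DLL sitting directly in c:\\windows rather than a subdirectory."""
    return re.fullmatch(r"c:\\windows\\[^\\]+\.dll", path, re.I) is not None


def triage(log_text):
    """Walk the log once, remembering which registry key is currently being listed."""
    found = Findings()
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.groups()
            # Hidden + system attributes on a loose file in system32 deserve a look.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                found.add_file(path, f"hidden+system attributes ({attrs}) in system32")
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            name, path = m.groups()
            # A DLL dropped straight into c:\windows and autostarted from a Run key.
            if is_windows_root_dll(path):
                found.registry.setdefault(current_key, []).append(name)
                found.add_file(path, f"DLL in the Windows root autostarted by Run value '{name}'")
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, svc, rest = m.groups()
            # ComboFix prints "[?]" when it cannot find the service's file on disk.
            if rest.endswith("[?]") and ".sys" in rest.lower():
                path = rest.split(" --> ")[0].strip()
                found.drivers.append(svc)
                found.add_file(path, f"{start} driver service {svc} with no file on disk")
    return found


def draft_cfscript(found):
    """Render findings in the File::/Driver::/Registry:: layout used in this thread."""
    out = []
    if found.files:
        out.append("File::")
        out.extend(found.files)
    if found.drivers:
        out.append("Driver::")
        out.extend(found.drivers)
    if found.registry:
        out.append("Registry::")
        for key, names in found.registry.items():
            out.append(f"[{key}]")
            out.extend(f'"{n}"=-' for n in names)  # "name"=- removes that value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for reason in findings.reasons:
        print("flag:", reason)
    print(draft_cfscript(findings))
```

Run against the sample it reproduces the four files, the ethnxdjq driver and the Qdahaqegayuxox Run value from the helper's script while leaving the BitDefender, NVIDIA and Trend Micro entries alone.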

#8 jazzhandz

  • Topic Starter

  • Members
  • 6 posts

Posted 01 March 2009 - 04:49 AM

Thanks very much for your help so far. Here's the new ComboFix log:
ComboFix 09-02-28.01 - Jeff 2009-03-01 9:15:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1254 [GMT 0:00]
Running from: c:\documents and settings\Jeff\Desktop\combofix-folder\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\combofix-folder\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\etiqohuwudehibe.dll
c:\windows\system32\26E7D1E349.sys
c:\windows\system32\68286C64E7.sys
c:\windows\system32\drivers\ethnxdjq.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\etiqohuwudehibe.dll
c:\windows\system32\26E7D1E349.sys
c:\windows\system32\68286C64E7.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ethnxdjq


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-26 18:28 . 2009-02-26 18:29 407 --a------ c:\windows\system32\BDUpdateV1.xml
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\program files\AIM Toolbar
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-02-15 17:00 . 2009-02-15 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-02-15 16:58 . 2009-02-15 17:04 <DIR> d-------- c:\program files\AIM6
2009-02-14 14:03 . 2009-02-28 00:03 81,984 --a------ c:\windows\system32\bdod.bin
2009-02-14 13:54 . 2009-02-14 13:54 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-02-14 13:54 . 2009-02-14 13:54 385 --a------ c:\windows\system32\user_gensett.xml
2009-02-14 13:24 . 2009-02-14 13:24 <DIR> d-------- c:\windows\system32\logs
2009-02-14 13:23 . 2009-02-28 00:05 <DIR> d-------- c:\program files\BitDefender
2009-02-14 13:23 . 2009-02-14 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-02-14 13:21 . 2009-02-28 00:05 <DIR> d-------- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 09:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-01 09:07 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-01 09:06 --------- d-----w c:\program files\McAfee.com
2009-03-01 08:46 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-26 17:54 --------- d-----w c:\program files\Spyware Doctor
2009-02-26 03:12 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-17 22:41 --------- d-----w c:\documents and settings\Jeff\Application Data\Spotify
2009-02-15 16:59 --------- d-----w c:\program files\Common Files\AOL
2009-02-15 12:50 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-02 11:43 --------- d-----w c:\program files\BeatPack
2009-01-25 18:58 --------- d-----w c:\documents and settings\Jeff\Application Data\Imagenomic
2009-01-25 18:45 --------- d-----w c:\program files\NewsRover
2009-01-25 13:20 --------- d-----w c:\program files\Imagenomic
2009-01-24 20:36 --------- d-----w c:\documents and settings\Jeff\Application Data\PC Tools
2009-01-24 16:50 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-01-24 12:20 --------- d-----w c:\program files\Trend Micro
2009-01-21 22:56 --------- d-----w c:\documents and settings\Jeff\Application Data\McAfee
2009-01-21 22:48 --------- d-----w c:\program files\Common Files\Motive
2009-01-19 20:52 --------- d-----w c:\program files\Spotify
2009-01-15 21:10 93,302 ----a-w c:\windows\News Rover Uninstaller.exe
2009-01-11 20:28 --------- d-----w c:\documents and settings\Jeff\Application Data\Ulead Systems
2009-01-10 17:59 --------- d-----w c:\program files\BookSmart
2009-01-10 16:07 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-08 01:36 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2009-01-08 01:34 --------- d-----w c:\program files\Windows Media Components
2009-01-08 01:34 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-01-08 01:33 --------- d-----w c:\program files\Corel
2009-01-03 23:56 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2007-06-14 07:11 418 ----a-w c:\documents and settings\Jeff\Application Data\wklnhst.dat
2006-12-21 22:33 9,542 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-25 21:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102520081026\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-26_23.28.50.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-26 17:00:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-01 07:17:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-26 17:00:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-01 07:17:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-26 17:00:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-01 07:17:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-02 26112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-03-18 184320]
"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 61440]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2005-11-09 91136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-12 622653]
BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2007-01-07 217088]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2007-05-26 102400]
MonacoReminder.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe [2007-05-26 176128]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2007-07-01 1261568]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2006-11-02 532480]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-23 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2006-04-27 10:30 53248 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
"VIDC.NSVI"= nsvideo.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [2008-12-25 18432]
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2007-05-28 16384]
R0 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2008-01-19 7040]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-06-05 11264]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio\MobilePre\Install\MPInst.exe [2007-11-11 49152]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-24 356920]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2008-01-19 12928]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-01-28 33792]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2007-01-30 29312]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-06-05 33792]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2007-07-01 272128]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-02-16 13352]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2007-01-30 609408]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2007-11-11 32000]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [2007-05-26 14936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87672079-d1ff-11dd-92ad-00146cf069b5}]
\Shell\AutoRun\command - w:\.\RapidBlogManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6821EF1-EF0A-8551-DD77-453A0A7FC41F}]
c:\windows\system32\microsoft\microsoft.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1696680999-1869049101-1325769822-1005.job
- c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6061102
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\ooikau72.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\ooikau72.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\ooikau72.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Jeff\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPEyeCheck.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 09:23:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\RtlGina2.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\BT Home Hub\Help\bin\mpbtn.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-03-01 9:39:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 09:38:08
ComboFix2.txt 2009-02-26 23:32:48

Pre-Run: 26,140,168,192 bytes free
Post-Run: 26,284,208,128 bytes free

262 --- E O F --- 2009-03-01 03:01:06

#9 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 01 March 2009 - 06:18 AM

Hello Jazzhandz,

Your log looks fine now. :thumbup2:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#10 jazzhandz
  • Topic Starter

  • Members
  • 6 posts

Posted 01 March 2009 - 11:56 AM

Many thanks, Thunder! :thumbup2:

Will report back if any problems arise - so far, so good though!

#11 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 02 March 2009 - 01:22 PM

Glad we could help, Jazzhandz :thumbup2:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
