Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo!grb (Trojan) invasion


  • This topic is locked This topic is locked
10 replies to this topic

#1 hatecable

hatecable

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 22 February 2009 - 02:40 PM

Hey guys,

Well, its happened to me too. Vundo has found its way into my system and I need your help to get it out as I am no longer very computer savy when it comes to things of this lvl. I happened to stumble upon a thread where teacup61 helped a guy with what seems to be the same problem with the same symptoms. I have to say the lvl of patience and help was just almost too good to be true, so I am now here asking for help as well.

This is what happens:
A box pops telling me Internet explorer has encountered a problem and needs to close. It pops up frequently even though im not running an explorer browser window and genereally dont as I use Mozilla. Also, McAfee is constantly trying to detect and remove Vundo!grb. Obviously this has made it almost impossible to get anything done on the comp.

Here is the DDS logs:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Aaron at 13:09:16.15 on Sun 02/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.999 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HyperLobbyPro3\hlpro.exe
C:\Program Files\HyperLobbyPro3\aping.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Aaron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemonsearch.com/intl/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070913
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070913
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: {c65024bd-366f-7e08-74a4-8a62b5692e26}: {62e2965b-26a8-4a47-80e7-f663db42056c} - c:\windows\system32\uusjlr.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\windows\system32\BhoDshop.dll
BHO: {9e95df6e-bd9d-410a-994e-8107a62be43a} - c:\windows\system32\mevehamu.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [<NO NAME>]
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Profiler] c:\program files\saitek\software\Profiler.exe
mRun: [SaiSmart] c:\program files\saitek\software\SaiSmart.exe
mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Secure Online Account Numbers] c:\progra~1\discover\soan\SOAN.exe /dontopenmycards
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [finiterope] Rundll32.exe "c:\windows\system32\tapafifa.dll",s
mRun: [5ccc6d49] rundll32.exe "c:\windows\system32\duyotilu.dll",b
mRun: [CPM5fff5ed5] Rundll32.exe "c:\windows\system32\serulise.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\progra~1\discover\soan\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
LSP: bmnet.dll
Trusted Zone: turbotax.com
DPF: {27527D31-447B-11D5-A46E-0001023B4289} - hxxp://gamingzone.ubisoft.com/dev/packages/GSManager.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\windows\system32\jujupebi.dll c:\windows\system32\serulise.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\serulise.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\serulise.dll
LSA: Notification Packages = scecli c:\windows\system32\jujupebi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\8s2y4wrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\aaron\application data\mozilla\firefox\profiles\8s2y4wrx.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-12 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-12 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-12 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-27 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-12 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-12 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-12 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-12 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-12 40488]
R3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [2007-12-12 15360]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-12-9 121984]
S3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2007-12-9 179968]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-10-24 101248]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-10-24 73856]

=============== Created Last 30 ================

2009-02-22 12:48 129,024 a--sh--- c:\windows\system32\fdffbq.dll
2009-02-21 18:33 129,024 a--sh--- c:\windows\system32\mnipkt.dll
2009-02-20 19:51 129,024 a--sh--- c:\windows\system32\uusjlr.dll
2009-02-20 18:30 283,648 a------- c:\windows\uninst.exe
2009-02-17 00:05 86,528 a------- c:\windows\bnetunin.exe
2009-01-28 00:40 <DIR> --d----- c:\docume~1\aaron\applic~1\uTorrent
2009-01-27 23:57 <DIR> --d----- c:\docume~1\aaron\applic~1\TigerPlayer
2009-01-27 23:56 <DIR> --d----- c:\program files\MpcStar

==================== Find3M ====================

2009-02-22 12:48 129,024 a--sh--- c:\windows\system32\pimewate.dll
2009-02-22 12:48 79,872 a--sh--- c:\windows\system32\duyotilu.dll
2009-02-22 12:48 84,992 a--sh--- c:\windows\system32\serulise.dll
2009-02-22 12:47 79,007 a------- c:\windows\system32\nvModes.dat
2009-02-21 18:33 79,872 -------- c:\windows\system32\bagutigo.dll
2009-02-21 18:33 129,024 a--sh--- c:\windows\system32\zevegezi.dll
2009-02-21 18:33 84,992 a--sh--- c:\windows\system32\kopiyesi.dll
2009-02-20 19:51 79,872 -------- c:\windows\system32\rihusopi.dll
2009-02-20 19:51 129,024 a--sh--- c:\windows\system32\kihewona.dll
2009-02-20 19:51 84,992 a--sh--- c:\windows\system32\puriyigo.dll
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 18:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 18:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 20:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 20:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 20:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 20:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-01-04 16:04 22,328 a------- c:\docume~1\aaron\applic~1\PnkBstrK.sys
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\jujupebi.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\mevehamu.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\tapafifa.dll
2008-09-03 18:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 13:10:57.13 ===============

Edited by hatecable, 22 February 2009 - 02:42 PM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:48 PM

Posted 23 February 2009 - 06:32 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

Extra note: The combofix tutorial recommends to disable your Antivirus, in your case McAfee. For McAfee, I rather recommend to temporary uninstall it, because Mcafee causes a lot of problems with Combofix after reboot, this because McAfee enables again after reboot. So please temporary uninstall McAfee first, then reboot and then scan with Combofix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hatecable

hatecable
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 23 February 2009 - 11:29 AM

Thanks for the help! here is the log.

ComboFix 09-02-21.01 - Aaron 2009-02-23 9:58:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1560 [GMT -6:00]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-02-22 18:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 18:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-22 14:54 . 2009-02-22 14:55 <DIR> d-------- c:\program files\Cobian Backup 8
2009-02-22 12:48 . 2009-02-22 12:48 129,024 --ahs---- c:\windows\system32\fdffbq.dll
2009-02-21 18:33 . 2009-02-21 18:33 129,024 --ahs---- c:\windows\system32\mnipkt.dll
2009-02-20 18:30 . 1996-01-09 10:38 283,648 --a------ c:\windows\uninst.exe
2009-02-17 00:05 . 2009-02-17 00:05 86,528 --a------ c:\windows\bnetunin.exe
2009-01-28 00:40 . 2009-01-28 01:07 <DIR> d-------- c:\documents and settings\Aaron\Application Data\uTorrent
2009-01-27 23:57 . 2009-01-28 00:23 <DIR> d-------- c:\documents and settings\Aaron\Application Data\TigerPlayer
2009-01-27 23:56 . 2009-01-27 23:57 <DIR> d-------- c:\program files\MpcStar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 15:55 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-22 00:41 --------- d-----w c:\program files\HyperLobbyPro3
2009-02-01 19:15 --------- d-----w c:\program files\Google
2009-01-30 05:49 --------- d-----w c:\documents and settings\Aaron\Application Data\Apple Computer
2009-01-27 21:14 --------- d-----w c:\program files\DivX
2009-01-26 15:58 --------- d-----w c:\program files\RealFlightG3
2009-01-11 21:43 --------- d-----w c:\program files\Quicken
2009-01-11 21:43 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-11 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-11 21:42 --------- d-----w c:\documents and settings\Aaron\Application Data\Intuit
2008-12-30 22:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-01-04 22:04 22,328 ------w c:\documents and settings\Aaron\Application Data\PnkBstrK.sys
2007-09-21 16:51 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-04 00:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-30 7561216]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-22 1836544]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 33280]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-10-20 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-10-20 98304]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2004-10-20 135168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-14 185896]
"Secure Online Account Numbers"="c:\progra~1\Discover\SOAN\SOAN.exe" [2007-02-02 233472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-04-30 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-04-30 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-09 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-09-12 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-05-02 17:16 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-21 00:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20646:TCP"= 20646:TCP:BitComet 20646 TCP
"20646:UDP"= 20646:UDP:BitComet 20646 UDP
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-27 24652]
R3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [2007-12-12 15360]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-18 109080]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-12-09 121984]
S3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2007-12-09 179968]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-10-24 101248]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-10-24 73856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4717e462-de33-11dc-95d7-00a0d5ffff85}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4fde2e-9e96-11dc-95a8-001b77c4ccd7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-09-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070913
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: bmnet.dll
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\8s2y4wrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\8s2y4wrx.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 10:01:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1241669109-2407734445-884350976-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a4,3a,01,f1,4a,c4,15,0e,c7,00,23,71,3f,e5,13,a9,1c,52,52,4b,9c,eb,f8,
88,91,06,f6,16,42,06,a7,bf,22,70,85,f1,e9,ed,db,76,9c,14,0d,33,dc,c7,24,1a,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\RMSvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-02-23 10:05:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 16:05:26

Pre-Run: 13,305,782,272 bytes free
Post-Run: 14,704,189,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

235 --- E O F --- 2009-02-11 09:03:33

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:48 PM

Posted 23 February 2009 - 12:48 PM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\fdffbq.dll
c:\windows\system32\mnipkt.dll
c:\windows\bnetunin.exe
Domains::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 hatecable

hatecable
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 23 February 2009 - 01:29 PM

There was no attempt to reboot.

ComboFix 09-02-21.01 - Aaron 2009-02-23 12:22:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1489 [GMT -6:00]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\bnetunin.exe
c:\windows\system32\fdffbq.dll
c:\windows\system32\mnipkt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bnetunin.exe
c:\windows\system32\fdffbq.dll
c:\windows\system32\mnipkt.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-23 10:20 . 2009-02-23 10:20 <DIR> d-------- c:\program files\Avira
2009-02-23 10:20 . 2009-02-23 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-02-22 18:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 18:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-22 14:54 . 2009-02-22 14:55 <DIR> d-------- c:\program files\Cobian Backup 8
2009-02-20 18:30 . 1996-01-09 10:38 283,648 --a------ c:\windows\uninst.exe
2009-01-28 00:40 . 2009-01-28 01:07 <DIR> d-------- c:\documents and settings\Aaron\Application Data\uTorrent
2009-01-27 23:57 . 2009-01-28 00:23 <DIR> d-------- c:\documents and settings\Aaron\Application Data\TigerPlayer
2009-01-27 23:56 . 2009-01-27 23:57 <DIR> d-------- c:\program files\MpcStar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 18:18 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-23 15:55 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-22 18:48 129,024 --sha-w c:\windows\system32\pimewate.dll
2009-02-22 00:41 --------- d-----w c:\program files\HyperLobbyPro3
2009-02-22 00:33 84,992 --sha-w c:\windows\system32\kopiyesi.dll
2009-02-22 00:33 79,872 ------w c:\windows\system32\bagutigo.dll
2009-02-22 00:33 129,024 --sha-w c:\windows\system32\zevegezi.dll
2009-02-21 01:51 84,992 --sha-w c:\windows\system32\puriyigo.dll
2009-02-21 01:51 79,872 ------w c:\windows\system32\rihusopi.dll
2009-02-01 19:15 --------- d-----w c:\program files\Google
2009-01-30 05:49 --------- d-----w c:\documents and settings\Aaron\Application Data\Apple Computer
2009-01-27 21:14 --------- d-----w c:\program files\DivX
2009-01-26 15:58 --------- d-----w c:\program files\RealFlightG3
2009-01-17 03:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-11 21:43 --------- d-----w c:\program files\Quicken
2009-01-11 21:43 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-11 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-11 21:42 --------- d-----w c:\documents and settings\Aaron\Application Data\Intuit
2008-12-30 22:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-01-04 22:04 22,328 ------w c:\documents and settings\Aaron\Application Data\PnkBstrK.sys
2007-09-21 16:51 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-04 00:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_10.04.48.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 18:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 16:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2009-02-23 15:58:20 64,602 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-23 16:05:27 64,602 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-23 15:58:20 408,238 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 16:05:27 408,238 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-30 7561216]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-22 1836544]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 33280]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-10-20 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-10-20 98304]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2004-10-20 135168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-14 185896]
"Secure Online Account Numbers"="c:\progra~1\Discover\SOAN\SOAN.exe" [2007-02-02 233472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-04-30 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-04-30 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-09 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-09-12 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-05-02 17:16 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-21 00:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20646:TCP"= 20646:TCP:BitComet 20646 TCP
"20646:UDP"= 20646:UDP:BitComet 20646 UDP
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [2007-12-12 15360]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-18 109080]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-12-09 121984]
S3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2007-12-09 179968]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-10-24 101248]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-10-24 73856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULER
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4717e462-de33-11dc-95d7-00a0d5ffff85}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4fde2e-9e96-11dc-95a8-001b77c4ccd7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-09-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070913
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: bmnet.dll
FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\8s2y4wrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\8s2y4wrx.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 12:24:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1241669109-2407734445-884350976-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a4,3a,01,f1,4a,c4,15,0e,c7,00,23,71,3f,e5,13,a9,1c,52,52,4b,9c,eb,f8,
88,91,06,f6,16,42,06,a7,bf,22,70,85,f1,e9,ed,db,76,9c,14,0d,33,dc,c7,24,1a,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-02-23 12:25:40
ComboFix-quarantined-files.txt 2009-02-23 18:25:31
ComboFix2.txt 2009-02-23 16:05:30

Pre-Run: 14,644,461,568 bytes free
Post-Run: 14,628,261,888 bytes free

239 --- E O F --- 2009-02-11 09:03:33

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:48 PM

Posted 23 February 2009 - 01:37 PM

Hi,

Your logs are confusing.
The first log shows the presence of a LOT of malware.
Then the second log shows almost no malware anymore (not sure what happened in between there) and the latest log shows the presence of new malware.

So we'll have to give this another try..

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\kopiyesi.dll
c:\windows\system32\bagutigo.dll
c:\windows\system32\zevegezi.dll
c:\windows\system32\puriyigo.dll
c:\windows\system32\rihusopi.dll
c:\windows\system32\pimewate.dll


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Then, post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 hatecable

hatecable
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 23 February 2009 - 01:51 PM

After my first DDS log I ran MBAM while i was waiting so thats the reason for there not being so much malware in the second log.

ComboFix 09-02-21.01 - Aaron 2009-02-23 12:43:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -6:00]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\bagutigo.dll
c:\windows\system32\kopiyesi.dll
c:\windows\system32\pimewate.dll
c:\windows\system32\puriyigo.dll
c:\windows\system32\rihusopi.dll
c:\windows\system32\zevegezi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bagutigo.dll
c:\windows\system32\kopiyesi.dll
c:\windows\system32\pimewate.dll
c:\windows\system32\puriyigo.dll
c:\windows\system32\rihusopi.dll
c:\windows\system32\zevegezi.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-23 10:20 . 2009-02-23 10:20 <DIR> d-------- c:\program files\Avira
2009-02-23 10:20 . 2009-02-23 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 18:15 . 2009-02-22 18:15 <DIR> d-------- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-02-22 18:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 18:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-22 14:54 . 2009-02-22 14:55 <DIR> d-------- c:\program files\Cobian Backup 8
2009-02-20 18:30 . 1996-01-09 10:38 283,648 --a------ c:\windows\uninst.exe
2009-01-28 00:40 . 2009-01-28 01:07 <DIR> d-------- c:\documents and settings\Aaron\Application Data\uTorrent
2009-01-27 23:57 . 2009-01-28 00:23 <DIR> d-------- c:\documents and settings\Aaron\Application Data\TigerPlayer
2009-01-27 23:56 . 2009-01-27 23:57 <DIR> d-------- c:\program files\MpcStar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 18:18 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-23 15:55 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-22 00:41 --------- d-----w c:\program files\HyperLobbyPro3
2009-02-01 19:15 --------- d-----w c:\program files\Google
2009-01-30 05:49 --------- d-----w c:\documents and settings\Aaron\Application Data\Apple Computer
2009-01-27 21:14 --------- d-----w c:\program files\DivX
2009-01-26 15:58 --------- d-----w c:\program files\RealFlightG3
2009-01-17 03:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-11 21:43 --------- d-----w c:\program files\Quicken
2009-01-11 21:43 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-11 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-11 21:42 --------- d-----w c:\documents and settings\Aaron\Application Data\Intuit
2008-12-30 22:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-01-04 22:04 22,328 ------w c:\documents and settings\Aaron\Application Data\PnkBstrK.sys
2007-09-21 16:51 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-04 00:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_10.04.48.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 18:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 16:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2009-02-23 15:58:20 64,602 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-23 16:05:27 64,602 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-23 15:58:20 408,238 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 16:05:27 408,238 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-30 7561216]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-22 1836544]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 33280]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-10-20 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-10-20 98304]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2004-10-20 135168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-14 185896]
"Secure Online Account Numbers"="c:\progra~1\Discover\SOAN\SOAN.exe" [2007-02-02 233472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-04-30 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-04-30 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-09 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-09-12 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.tscc"= c:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-05-02 17:16 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-21 00:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20646:TCP"= 20646:TCP:BitComet 20646 TCP
"20646:UDP"= 20646:UDP:BitComet 20646 UDP
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [2007-12-12 15360]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-18 109080]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-12-09 121984]
S3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2007-12-09 179968]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-10-24 101248]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-10-24 73856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULER
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4717e462-de33-11dc-95d7-00a0d5ffff85}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4fde2e-9e96-11dc-95a8-001b77c4ccd7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-09-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/intl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070913
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: bmnet.dll
FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\8s2y4wrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\8s2y4wrx.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 12:44:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1241669109-2407734445-884350976-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a4,3a,01,f1,4a,c4,15,0e,c7,00,23,71,3f,e5,13,a9,1c,52,52,4b,9c,eb,f8,
88,91,06,f6,16,42,06,a7,bf,22,70,85,f1,e9,ed,db,76,9c,14,0d,33,dc,c7,24,1a,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1096)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-02-23 12:45:41
ComboFix-quarantined-files.txt 2009-02-23 18:45:32
ComboFix2.txt 2009-02-23 18:25:41
ComboFix3.txt 2009-02-23 16:05:30

Pre-Run: 14,615,060,480 bytes free
Post-Run: 14,595,756,032 bytes free

240 --- E O F --- 2009-02-11 09:03:33

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:48 PM

Posted 23 February 2009 - 01:56 PM

Hi,

After my first DDS log I ran MBAM while i was waiting so thats the reason for there not being so much malware in the second log.

Ya, that makes sense, but the third log doesn't make sense anymore since new malware appeared in a meanwhile. Anyway, no worries, I see it is gone now and nothing new appeared in between.
I see you installed the AVG Antivirus in a meanwhile as well which is a good choice - It's a good scanner, good in detection and doesn't slow down your computer as McAfee does. :thumbup2:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 hatecable

hatecable
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 23 February 2009 - 02:16 PM

Everything seems to working good with no errors or anything, and my blood pressure is down so hopefully we are done with the little demon for now :thumbup2: . Thank you so much for your patience and help. I will be sure to get the word out there of this place. I was about to download and install the Comodo firewall as per teacup61's suggestion to another user and do away with McAfee all together. Is this a good idea or is there something better?

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:48 PM

Posted 23 February 2009 - 02:34 PM

Hi,

Yes, Comodo is a good idea, but make sure you uncheck the toolbar during install. This because that toolbar is powered by ask.com and has a questionable reputation.
Also, if you use a desktop firewall, make sure that you know how it works and don't block every alert it shows you, because you're not supposed to do that.
In general, give it a try and in case the Firewall is too advanced for you, I suggest to keep with the Windows Firewall. :thumbup2:

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:48 PM

Posted 24 February 2009 - 08:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users