
Computer infected, help?



#1 aotsuki


Posted 02 March 2009 - 01:08 PM

Hi, my computer has been having issues lately and I'm 100% sure there's crap in the form of spyware/viruses on it. The problems I've had recently are frequent blue screens which are preceded by the bubble popping up saying my firewall is not enabled (even though it is), my internet connection not working, task manager not opening, etc. Before this, I had popups when I searched and website redirections, but those have been mysteriously absent for 2 weeks.

Here's my log, hope I'm doing this right.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Sylvia at 13:03:30.68 on Mon 03/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.462 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Creative\Mouse Gamer HD7600L(VM)\CTPoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sylvia\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://support.cavtel.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: : {d7e26687-b0a4-43f8-ab3f-2f52f08ba604} - c:\windows\system32\reqpvgh.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UMonit] c:\windows\system32\umonit.exe
mRun: [THGuard] "c:\program files\trojanhunter 4.6\THGuard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Creative Mouse Gamer 7600L] "c:\program files\creative\mouse gamer hd7600l(vm)\CTPoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [comidle] "c:\documents and settings\sylvia\application data\comidle\comidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257
StartupFolder: c:\docume~1\sylvia\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\jhsecu~1.lnk - c:\program files\jhsecure\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\privoxy\privoxy.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {cafeefac-0016-0000-0005-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {cafeefac-0016-0000-0012-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {9AEB8944-34DA-49D0-9E29-C2B734FED71A} = 209.137.160.7,64.83.1.10
Notify: abxmlpzi - reqpvgh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sylvia\applic~1\mozilla\firefox\profiles\oysxqemc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: XUL Cache: {B6C67F8E-4E12-49ED-96DB-1E0BB044EFBD} - c:\documents and settings\sylvia\local settings\application data\{B6C67F8E-4E12-49ED-96DB-1E0BB044EFBD}

============= SERVICES / DRIVERS ===============

R2 jfzdtagc;Uni for LELAMonitor;c:\windows\system32\svchost.exe -k netsvcs [2005-12-28 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 116224]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-1-9 1373480]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-1-9 1373480]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2008-9-30 25344]
S1 8744e655;8744e655;c:\windows\system32\drivers\8744e655.sys [2009-2-15 0]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\easypdf 5\bepldr.exe [2007-2-21 172032]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2006-10-14 6016]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 restore;restore;c:\windows\system32\drivers\restore.sys [2009-2-28 6656]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-9-23 280344]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-18 15656]
S3 zlportio;zlportio;\??\c:\documents and settings\sylvia\desktop\ultrastar-dx-100\zlportio.sys --> c:\documents and settings\sylvia\desktop\ultrastar-dx-100\zlportio.sys [?]

=============== Created Last 30 ================

2009-03-02 12:58 578,560 a------- c:\windows\system32\xdtoupn
2009-03-02 12:58 105,984 a------- c:\windows\system32\7.tmp
2009-03-02 12:58 40 a------- c:\windows\system32\6.tmp
2009-03-02 12:52 578,560 a------- c:\windows\system32\betc
2009-03-02 12:51 105,984 a------- c:\windows\system32\D.tmp
2009-03-02 12:51 40 a------- c:\windows\system32\C.tmp
2009-03-02 00:32 578,560 a------- c:\windows\system32\wjnhofa
2009-03-02 00:32 105,984 a------- c:\windows\system32\5.tmp
2009-03-02 00:32 40 a------- c:\windows\system32\4.tmp
2009-03-01 18:53 578,560 a------- c:\windows\system32\wlly
2009-03-01 18:53 105,984 a------- c:\windows\system32\B.tmp
2009-03-01 18:53 40 a------- c:\windows\system32\A.tmp
2009-03-01 15:55 <DIR> --d----- c:\docume~1\sylvia\applic~1\comidle
2009-03-01 15:55 578,560 a------- c:\windows\system32\rjmawox
2009-03-01 15:55 105,984 a------- c:\windows\system32\azton.mt
2009-03-01 15:55 105,984 a------- c:\windows\system32\9.tmp
2009-03-01 15:55 40 a------- c:\windows\system32\8.tmp
2009-02-28 00:33 6,656 a------- c:\windows\system32\drivers\restore.sys
2009-02-28 00:33 2,148 a------- c:\windows\system32\wpa.dbl
2009-02-27 21:40 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-02-27 21:40 32,768 a------- c:\windows\system32\odjan.wa
2009-02-27 21:40 32,768 a------- c:\windows\system32\kei1w.an
2009-02-27 21:40 77,312 a------- c:\windows\system32\rkoq.pxf
2009-02-27 21:40 28,672 a------- c:\windows\system32\doqkm.zt
2009-02-27 01:42 262,144 a------- c:\windows\system32\nvtpm32.dll
2009-02-27 01:14 <DIR> --d----- C:\ComboFixp
2009-02-26 00:41 179,200 a------- c:\windows\SWREG.exe
2009-02-26 00:41 116,224 a------- c:\windows\sed.exe
2009-02-26 00:40 <DIR> --d----- c:\program files\Media Player Classic
2009-02-24 18:12 <DIR> --d----- c:\documents and settings\sylvia\IGC
2009-02-24 18:07 245,408 -----r-- c:\windows\system32\unicows.dll
2009-02-24 18:07 <DIR> --d----- c:\program files\IGC
2009-02-23 13:09 0 a------- c:\windows\mqcd.dbt
2009-02-23 13:05 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-22 00:41 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-16 10:28 155,216 a------- c:\windows\system\xccef090131.exe
2009-02-16 10:28 <DIR> --d----- c:\windows\system32\inf
2009-02-15 20:10 <DIR> a-dshr-- C:\cmdcons
2009-02-15 19:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-15 19:21 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-15 13:05 0 a------- c:\windows\system32\drivers\8744e655.sys
2009-02-15 13:05 2 a------- C:\135584563

==================== Find3M ====================

2009-02-27 01:42 578,560 a------- c:\windows\system32\user32.DLL
2009-02-22 00:41 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-01-27 10:47 12,257 a------- c:\program files\setuplog.txt
2009-01-27 10:47 11,378 a------- c:\program files\uninstal.log
2008-12-05 13:26 130,048 a------- c:\windows\mplayerplugin.dll
2008-10-01 11:14 512 a------- c:\docume~1\sylvia\applic~1\wklnhst.dat
2007-03-02 13:15 18,895,728 a------- c:\program files\Install_Messenger.exe
2006-10-23 18:57 944,274 a------- c:\program files\CDisplay.zip
2006-10-21 14:55 3,368,555 a------- c:\program files\oC303PE.rar
2006-09-14 15:52 662,127 a------- c:\program files\Internet Explorer.rar
1999-07-06 19:00 6 ---shr-- c:\windows\@@desktop.dat
1999-07-06 19:00 6 ---shr-- c:\windows\@desktop@.dat
2007-02-10 12:37 8 a--shr-- c:\windows\system32\52E8C752AB.sys
2008-09-30 15:01 56,320 a--sh--- c:\windows\system32\fahokipa.dll
2007-02-10 12:37 952 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-29 13:00 64,512 a--sh--- c:\windows\system32\pitevigu.dll

============= FINISH: 13:04:16.31 ===============


#2 Thunder


Posted 03 March 2009 - 04:51 PM

Hello Aotsuki and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 aotsuki


Posted 04 March 2009 - 01:20 AM

Thank you for the quick response. Here are the logs.

GooredFix v1.91 by jpshortstuff
Log created at 00:53 on 04/03/2009 running Option #2 (Sylvia)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B6C67F8E-4E12-49ED-96DB-1E0BB044EFBD}"="C:\Documents and Settings\Sylvia\Local Settings\Application Data\{B6C67F8E-4E12-49ED-96DB-1E0BB044EFBD}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Sylvia\Local Settings\Application Data\{B6C67F8E-4E12-49ED-96DB-1E0BB044EFBD}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

---

ComboFix 09-03-03.01 - Sylvia 2009-03-04 0:57:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.604 [GMT -5:00]
Running from: c:\documents and settings\Sylvia\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sylvia\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\B.tmp
c:\windows\system32\drivers\ntndis.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\system32\reqpvgh.dll . . . . failed to delete

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JFZDTAGC
-------\Service_jfzdtagc
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2094-06-24 01:00 . 2094-06-24 01:00 27,392 --a------ c:\windows\system32\drivers\rndismpk.sys
2009-03-04 01:10 . 2009-02-27 01:42 578,560 --a------ c:\windows\system32\uclry
2009-03-04 01:10 . 2009-03-04 01:10 105,984 --a------ c:\windows\system32\4.tmp
2009-03-04 01:10 . 2009-03-04 01:10 40 --a------ c:\windows\system32\3.tmp
2009-03-03 23:10 . 2009-03-03 23:10 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\rzrsveaq
2009-03-03 22:53 . 2009-03-03 22:53 <DIR> d-------- c:\documents and settings\Sylvia\Application Data\rzrsveaq
2009-03-03 22:28 . 2009-03-03 22:28 77,312 --a------ c:\windows\system32\rkoq.pxf
2009-03-03 22:28 . 2009-03-03 22:28 32,768 --a------ c:\windows\system32\odjan.wa
2009-03-03 22:28 . 2009-03-03 22:28 32,768 --a------ c:\windows\system32\kei1w.an
2009-03-03 22:28 . 2009-03-03 22:28 28,672 --a------ c:\windows\system32\kdoqmn.sr
2009-03-03 22:28 . 2009-03-03 22:28 28,672 --a------ c:\windows\system32\doqkm.zt
2009-03-03 22:26 . 2009-02-27 01:42 578,560 --a------ c:\windows\system32\bjywsjdq
2009-03-03 22:26 . 2009-03-04 01:10 105,984 --a------ c:\windows\system32\azton.mt
2009-03-03 22:26 . 2009-03-03 22:26 40 --a------ c:\windows\system32\A.tmp
2009-03-03 22:25 . 2009-03-03 22:25 2,126 --a------ c:\windows\system32\wpa.dbl
2009-03-01 15:55 . 2009-03-01 15:55 <DIR> d-------- c:\documents and settings\Sylvia\Application Data\comidle
2009-02-28 00:33 . 2009-03-04 01:09 6,656 --a------ c:\windows\system32\drivers\restore.sys
2009-02-27 01:42 . 2009-03-04 01:10 262,144 --a------ c:\windows\system32\nvtpm32.dll
2009-02-27 01:14 . 2009-02-27 01:33 <DIR> d-------- C:\ComboFixp
2009-02-26 00:40 . 2009-02-26 00:40 <DIR> d-------- c:\program files\Media Player Classic
2009-02-24 18:12 . 2009-02-25 01:15 <DIR> d-------- c:\documents and settings\Sylvia\IGC
2009-02-24 18:07 . 2009-02-24 18:07 <DIR> d-------- c:\program files\IGC
2009-02-24 18:07 . 2003-05-28 12:19 245,408 -r------- c:\windows\system32\unicows.dll
2009-02-23 13:09 . 2009-02-23 13:09 0 --a------ c:\windows\mqcd.dbt
2009-02-23 13:05 . 2009-02-27 01:42 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-22 00:41 . 2009-02-22 00:41 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-02-16 10:28 . 2009-02-26 00:43 <DIR> d-------- c:\windows\system32\inf
2009-02-16 10:28 . 2009-02-16 10:28 155,216 --a------ c:\windows\system\xccef090131.exe
2009-02-15 19:37 . 2008-01-11 22:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2009-02-15 19:37 . 2009-02-15 19:37 <DIR> d-------- c:\documents and settings\Administrator
2009-02-15 19:21 . 2009-02-15 19:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-15 19:21 . 2009-02-15 19:21 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-15 13:05 . 2009-02-15 13:05 2 --a------ C:\135584563
2009-02-15 13:05 . 2009-02-27 17:29 0 --a------ c:\windows\system32\drivers\8744e655.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 06:12 --------- d-----w c:\documents and settings\Sylvia\Application Data\WTablet
2009-03-04 06:11 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-03-02 21:39 --------- d-----w c:\program files\Trillian
2009-03-02 18:01 --------- d-----w c:\program files\HJ
2009-02-26 17:50 --------- d-----w c:\documents and settings\Sylvia\Application Data\Azureus
2009-02-26 15:58 --------- d-----w c:\program files\Azureus
2009-02-26 05:36 --------- d-----w c:\program files\Zoom Player
2009-02-24 23:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-24 05:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-22 05:41 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-16 02:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-16 02:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 00:21 --------- d-----w c:\program files\Java
2009-01-27 15:47 12,257 ----a-w c:\program files\setuplog.txt
2009-01-27 15:47 11,378 ----a-w c:\program files\uninstal.log
2009-01-27 15:45 --------- d-----w c:\program files\EZTest
2009-01-24 04:48 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-01-24 03:35 --------- d-----w c:\program files\Yahoo! Games
2008-12-05 18:26 130,048 ----a-w c:\windows\mplayerplugin.dll
2008-10-01 16:14 512 ----a-w c:\documents and settings\Sylvia\Application Data\wklnhst.dat
2007-03-02 18:15 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2006-10-23 23:57 944,274 ----a-w c:\program files\CDisplay.zip
2006-10-21 19:55 3,368,555 ----a-w c:\program files\oC303PE.rar
2006-09-14 20:52 662,127 ----a-w c:\program files\Internet Explorer.rar
1999-07-07 00:00 6 --sh--r c:\windows\@@desktop.dat
1999-07-07 00:00 6 --sh--r c:\windows\@desktop@.dat
2007-02-10 17:37 8 --sha-r c:\windows\system32\52E8C752AB.sys
2008-09-30 20:01 56,320 --sha-w c:\windows\system32\fahokipa.dll
2007-02-10 17:37 952 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-29 18:00 64,512 --sha-w c:\windows\system32\pitevigu.dll
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes )
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

2005-12-28 11:04 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-22 00:41 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-22 00:41 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 19:12 1050624 674828368274bb3677074034e1aa7c45 c:\windows\explorer.exe
2007-06-13 06:26 1050624 c11eca6cf02507041297bfbca1d1f7a5 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050624 90b23ba03de146f30aa6898e7cf4ef39 c:\windows\$NtServicePackUninstall$\explorer.exe
2005-12-28 11:04 1049600 58b756afc3c9ac2083059899e4ef6f08 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 2201e9de4bddc64bb475a5fa9c15938e c:\windows\ServicePackFiles\i386\explorer.exe

2005-12-28 11:03 32256 d1538774f541381befffc81b752b6e97 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32768 959891fc41739615fac2e450809447ab c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32768 dad202f0f6451fc93899f247683ed8ae c:\windows\system32\ctfmon.exe

2005-06-10 19:17 74752 d5ae33a05de58c0754e100ee8900e237 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 74752 d8d4576e2ad61a1f8c0003017d43faeb c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 19:12 75264 1feb2cea83c6db08066481668e6c7b7f c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 74752 2805985b00b8d5f49edeac863f8a0cbb c:\windows\system32\spoolsv.exe

2005-12-28 11:05 41472 23e2c1c2cd6003126ecf6caf624a4159 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43008 83072db7598c6e6d3a12ba65ff160b95 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43520 71a2f5436de9d0becbb2abf6d022abc0 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-26_ 1.11.57.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 183,808 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 48,640 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 49,152 ----a-w c:\windows\NIRCMD.exe
+ 2005-12-28 16:04:57 47,360 ----a-w c:\windows\system32\cblairsi.dat
- 2009-02-26 05:55:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-04 06:10:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-26 05:55:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-04 06:10:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-26 05:55:32 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-04 06:10:22 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-12-28 16:04:43 20,992 -c--a-w c:\windows\system32\dllcache\msg.exe
+ 2005-12-28 16:04:43 37,888 -c--a-w c:\windows\system32\dllcache\msg.exe
- 2005-12-28 16:04:44 126,976 -c--a-w c:\windows\system32\dllcache\mshearts.exe
+ 2005-12-28 16:04:44 143,872 -c--a-w c:\windows\system32\dllcache\mshearts.exe
- 2005-12-28 16:04:44 39,936 -c--a-w c:\windows\system32\dllcache\msinfo32.exe
+ 2005-12-28 16:04:44 57,344 -c--a-w c:\windows\system32\dllcache\msinfo32.exe
- 2005-12-28 16:04:49 6,656 -c--a-w c:\windows\system32\dllcache\msswchx.exe
+ 2005-12-28 16:04:49 24,064 -c--a-w c:\windows\system32\dllcache\msswchx.exe
- 2005-12-28 16:04:49 407,552 -c--a-w c:\windows\system32\dllcache\mstsc.exe
+ 2005-12-28 16:04:49 424,448 -c--a-w c:\windows\system32\dllcache\mstsc.exe
- 2005-12-28 16:04:51 20,480 -c--a-w c:\windows\system32\dllcache\nbtstat.exe
+ 2005-12-28 16:04:51 37,888 -c--a-w c:\windows\system32\dllcache\nbtstat.exe
- 2005-12-28 16:04:55 35,328 -c--a-w c:\windows\system32\dllcache\notiflag.exe
+ 2005-12-28 16:04:55 52,736 -c--a-w c:\windows\system32\dllcache\notiflag.exe
- 2005-12-28 16:04:57 31,744 -c--a-w c:\windows\system32\dllcache\ntsd.exe
+ 2005-12-28 16:04:57 48,640 -c--a-w c:\windows\system32\dllcache\ntsd.exe
+ 2005-12-28 16:04:57 23,424 ----a-w c:\windows\system32\drivers\jwmnydaz.sys
+ 2005-12-28 16:04:57 23,424 ----a-w c:\windows\system32\drivers\udcsrkzc.sys
+ 2005-12-28 16:04:57 36,608 ----a-w c:\windows\system32\ivrmzuyk.dat
+ 2005-12-28 16:04:57 50,944 ----a-w c:\windows\system32\kkcrezpc.dat
+ 2005-12-28 16:04:57 1,015,808 ----a-w c:\windows\system32\libeay32.dll
+ 2005-12-28 16:04:57 196,608 ----a-w c:\windows\system32\libssl32.dll
+ 2005-12-28 16:04:57 219,392 ----a-w c:\windows\system32\qjnyfkto.dat
+ 2005-12-28 16:04:57 6,566,656 ----a-w c:\windows\system32\qufthnmp.dat
+ 2005-12-28 16:04:57 105,984 ----a-w c:\windows\system32\reqpvgh.dll
+ 2005-12-28 16:04:57 633,600 ----a-w c:\windows\system32\trqfuvcf.dat
- 2009-02-24 02:22:30 578,560 ----a-w c:\windows\system32\user32.DLL
+ 2009-02-27 06:42:12 578,560 ----a-w c:\windows\system32\user32.DLL
+ 2009-03-04 06:12:04 105,984 ----a-w c:\windows\system32\yctkafx.dll
+ 2009-03-04 06:10:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_8f0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7E26687-B0A4-43F8-AB3F-2F52F08BA604}]
2009-03-04 01:12 105984 --a------ c:\windows\system32\reqpvgh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 81920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 151552]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-08-18 130048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-04 185896]
"UMonit"="c:\windows\system32\umonit.exe" [2004-01-05 73728]
"THGuard"="c:\program files\TrojanHunter 4.6\THGuard.exe" [2007-04-22 1119744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 434176]
"Creative Mouse Gamer 7600L"="c:\program files\Creative\Mouse Gamer HD7600L(VM)\CTPoint.exe" [2006-07-14 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"comidle"="c:\documents and settings\Sylvia\Application Data\comidle\comidle.exe" [2009-03-01 56832]

c:\documents and settings\Sylvia\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-13 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 46592]
JHSecure VPN Client.lnk - c:\program files\JHSecure\VPN Client\vpngui.exe [2006-09-23 1524776]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 86068]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\Pen_Tablet.exe"=
"c:\\Program Files\\EZTest\\mysql\\bin\\mysqld.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R0 udcsrkzc;udcsrkzc;c:\windows\system32\drivers\udcsrkzc.sys [2005-12-28 23424]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-01-09 1373480]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-01-09 1373480]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2008-09-30 25344]
S1 8744e655;8744e655;c:\windows\system32\drivers\8744e655.sys [2009-02-15 0]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 172032]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2006-10-14 6016]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-18 15656]
S3 zlportio;zlportio;\??\c:\documents and settings\Sylvia\Desktop\ultrastar-dx-100\zlportio.sys --> c:\documents and settings\Sylvia\Desktop\ultrastar-dx-100\zlportio.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27d4226a-42d0-11db-ae8d-0018f32e5c2a}]
\Shell\AutoRun\command - D:\install.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d3dbfc-38a8-11dd-b085-0018f32e5c2a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-04-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://support.cavtel.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: {9AEB8944-34DA-49D0-9E29-C2B734FED71A} = 209.137.160.7,64.83.1.10
FF - ProfilePath - c:\documents and settings\Sylvia\Application Data\Mozilla\Firefox\Profiles\oysxqemc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 01:12:07
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1696)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\JHSecure\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-03-04 1:18:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-04 06:18:19
ComboFix2.txt 2009-02-27 06:33:41
ComboFix3.txt 2009-02-26 06:12:57
ComboFix4.txt 2009-02-16 01:54:11

Pre-Run: 93,278,253,056 bytes free
Post-Run: 93,833,269,248 bytes free

305 --- E O F --- 2009-03-03 08:00:22

#4 Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:55 PM

Posted 12 March 2009 - 05:15 PM

Hello Aotsuki,

I seem to have missed your reply. :thumbup2:

Your system is still heavily infected.
Can you please remove the old ComboFix copy and replace it with the latest one, then run another scan?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
