Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

unknown malware infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 azjmw

azjmw

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 12 March 2009 - 05:14 PM

Unknown malware infection slowing IE or redirecting. Giving pop-ups for "malware removers" or advertisements (tax programs, Maxim magazine, porn sites, etc). Teatimer.exe doesn't seem effective at keeping system settings. Ran both ad-aware and Spybot, but it doesn't seem to eradicate it and on reboot, it begins again. Thank you in advance for any help/suggestions!

DDS log file follows and attach.txt attached

DDS (Ver_09-02-01.01) - NTFSx86
Run by jwagner at 16:50:28.32 on Thu 03/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.154 [GMT -5:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\jwagner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.bestbuy.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {048dad48-c6d9-4d9e-921a-6b74fd3111a8} - c:\windows\system32\lomovofe.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [A00F706D7F7.exe] c:\docume~1\jwagner\locals~1\temp\_A00F706D7F7.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dit] Dit.exe
mRun: [NWEReboot]
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [c8dbb725] rundll32.exe "c:\windows\system32\kukamibi.dll",b
mRun: [CPMcbe884b9] Rundll32.exe "c:\windows\system32\sumirimi.dll",a
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\jwagner\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Blackjack - hxxp://download2.games.yahoo.com/games/clients/y/jt0_x.cab
DPF: Yahoo! Go Fish - hxxp://download2.games.yahoo.com/games/clients/y/zt3_x.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230493306390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38152.3975231481
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.wintu.edu/secure/PhxStudent15.CAB
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\torinehi.dll ebejjp.dll c:\windows\system32\lulujama.dll smpwfg.dll ncygvz.dll c:\windows\system32\sumirimi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\sumirimi.dll
LSA: Notification Packages = scecli c:\windows\system32\torinehi.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-23 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-5-18 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-5-18 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-7-19 10760]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-18 394952]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-4-15 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-4-15 49664]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2004-5-25 13440]
R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-6-23 1390976]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\drivers\iiusbisp.sys --> c:\windows\system32\drivers\iiusbisp.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-3 24652]

=============== Created Last 30 ================

2009-03-12 05:48 140,800 a--sh--- c:\windows\system32\ncygvz.dll
2009-03-12 05:48 1,808,094 ---sh--- c:\windows\system32\ifenebes.ini
2009-03-11 05:47 1,808,094 ---sh--- c:\windows\system32\ibimakuk.ini
2009-03-11 05:47 142,336 a--sh--- c:\windows\system32\smpwfg.dll
2009-03-10 17:47 143,872 a--sh--- c:\windows\system32\ebejjp.dll
2009-03-09 20:09 293 a------- C:\win32upd.exe
2009-03-02 15:03 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-03-02 15:00 <DIR> --d----- c:\program files\Firaxis Games
2009-02-21 10:18 <DIR> --d----- c:\program files\Sonic Foundry
2009-02-14 18:35 <DIR> --d----- c:\program files\Walmart MP3 Music Downloads

==================== Find3M ====================

2009-03-12 16:20 13,440 a------- c:\windows\system32\drivers\USBCRFT.SYS
2009-03-12 05:48 102,400 a--sh--- c:\windows\system32\sebenefi.dll
2009-03-12 05:48 140,800 a--sh--- c:\windows\system32\luwuwuti.dll
2009-03-12 05:48 106,496 a--sh--- c:\windows\system32\sumirimi.dll
2009-03-11 17:47 105,472 a--sh--- c:\windows\system32\vuwizodi.dll
2009-03-11 17:47 141,824 a--sh--- c:\windows\system32\lunuhofu.dll
2009-03-11 17:47 101,376 a--sh--- c:\windows\system32\kusajayo.dll
2009-03-11 05:47 142,336 a--sh--- c:\windows\system32\yubosuku.dll
2009-03-11 05:47 108,032 a--sh--- c:\windows\system32\zofitemi.dll
2009-03-10 17:47 143,872 a--sh--- c:\windows\system32\sagujesu.dll
2009-02-07 20:30 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
0000-00-00 00:00 70,144 a--sh--- c:\windows\system32\jomahelu.dll
0000-00-00 00:00 70,144 a--sh--- c:\windows\system32\lomovofe.dll
0000-00-00 00:00 70,144 a--sh--- c:\windows\system32\torinehi.dll.vir

============= FINISH: 16:53:17.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:12:02 AM

Posted 24 March 2009 - 03:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 25 March 2009 - 05:06 PM

THANK YOU, THANK YOU!
Updated DDS log follows, updated attach.txt attached. Still experiencing same issues (getting popups, redirects) and general slow down of activity.


DDS (Ver_09-03-16.01) - NTFSx86
Run by jwagner at 17:57:28.87 on Wed 03/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.115 [GMT -5:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Outdated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jwagner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.bestbuy.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {048dad48-c6d9-4d9e-921a-6b74fd3111a8} - c:\windows\system32\yilopepu.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [A00F706D7F7.exe] c:\docume~1\jwagner\locals~1\temp\_A00F706D7F7.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dit] Dit.exe
mRun: [NWEReboot]
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [c8dbb725] rundll32.exe "c:\windows\system32\vonokave.dll",b
mRun: [CPMcbe884b9] Rundll32.exe "c:\windows\system32\zofitemi.dll",a
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\jwagner\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Blackjack - hxxp://download2.games.yahoo.com/games/clients/y/jt0_x.cab
DPF: Yahoo! Go Fish - hxxp://download2.games.yahoo.com/games/clients/y/zt3_x.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230493306390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38152.3975231481
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.wintu.edu/secure/PhxStudent15.CAB
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\torinehi.dll ebejjp.dll c:\windows\system32\lulujama.dll smpwfg.dll ncygvz.dll c:\windows\system32\yaroluwa.dll dldiou.dll zedyof.dll xooecm.dll uftkos.dll c:\windows\system32\sevufato.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sevufato.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\sevufato.dll
LSA: Notification Packages = scecli c:\windows\system32\torinehi.dll c:\windows\system32\yaroluwa.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-23 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-5-18 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-5-18 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-7-19 10760]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-18 394952]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-4-15 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-4-15 49664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2004-5-25 13440]
R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-6-23 1390976]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\drivers\iiusbisp.sys --> c:\windows\system32\drivers\iiusbisp.sys [?]
S3 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-3 24652]

=============== Created Last 30 ================

2009-03-25 17:10 2,098 ---sh--- c:\windows\system32\havosufi.exe
2009-03-24 23:09 2,098 ---sh--- c:\windows\system32\luweboje.exe
2009-03-24 05:08 2,098 ---sh--- c:\windows\system32\videfipu.exe
2009-03-23 11:10 2,098 ---sh--- c:\windows\system32\sakunaru.exe
2009-03-22 17:09 2,098 ---sh--- c:\windows\system32\hefokiku.exe
2009-03-21 23:05 2,098 ---sh--- c:\windows\system32\tewomodu.exe
2009-03-21 05:06 2,098 ---sh--- c:\windows\system32\tadidaru.exe
2009-03-20 11:02 2,098 ---sh--- c:\windows\system32\rubosewi.exe
2009-03-19 17:01 1,798,268 ---sh--- c:\windows\system32\evakonov.ini
2009-03-19 17:01 141,312 a--sh--- c:\windows\system32\uftkos.dll
2009-03-18 23:59 2,098 ---sh--- c:\windows\system32\fojejive.exe
2009-03-18 05:58 2,098 ---sh--- c:\windows\system32\megoputi.exe
2009-03-17 11:56 2,098 ---sh--- c:\windows\system32\rapizada.exe
2009-03-16 17:54 142,848 a--sh--- c:\windows\system32\xooecm.dll
2009-03-16 02:53 2,098 ---sh--- c:\windows\system32\wajupiva.exe
2009-03-15 08:51 1,714,486 ---sh--- c:\windows\system32\ovaduses.ini
2009-03-15 08:51 141,312 a--sh--- c:\windows\system32\zedyof.dll
2009-03-14 15:49 141,312 a--sh--- c:\windows\system32\dldiou.dll
2009-03-12 05:48 140,800 a--sh--- c:\windows\system32\ncygvz.dll
2009-03-12 05:48 1,808,103 ---sh--- c:\windows\system32\ifenebes.ini
2009-03-11 05:47 1,808,094 ---sh--- c:\windows\system32\ibimakuk.ini
2009-03-11 05:47 142,336 a--sh--- c:\windows\system32\smpwfg.dll
2009-03-10 17:47 143,872 a--sh--- c:\windows\system32\ebejjp.dll
2009-03-09 20:09 293 a------- C:\win32upd.exe
2009-03-02 15:03 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-03-02 15:00 <DIR> --d----- c:\program files\Firaxis Games

==================== Find3M ====================

2009-03-23 19:54 13,440 a------- c:\windows\system32\drivers\USBCRFT.SYS
2009-03-19 17:01 141,312 a--sh--- c:\windows\system32\varisoga.dll
2009-03-19 17:01 106,496 a--sh--- c:\windows\system32\sevufato.dll
2009-03-19 17:01 103,424 a--sh--- c:\windows\system32\vonokave.dll
2009-03-16 17:54 142,848 a--sh--- c:\windows\system32\hironuyu.dll
2009-03-16 17:54 107,008 a--sh--- c:\windows\system32\wuzufeno.dll
2009-03-16 17:54 101,376 a--sh--- c:\windows\system32\sagodomo.dll
2009-03-15 08:51 141,312 a--sh--- c:\windows\system32\roniviha.dll
2009-03-15 08:51 106,496 a--sh--- c:\windows\system32\kowayini.dll.vir
2009-03-15 08:51 103,424 -------- c:\windows\system32\sesudavo.dll
2009-03-14 15:49 141,312 a--sh--- c:\windows\system32\tepefeha.dll
2009-03-14 15:49 100,864 a--sh--- c:\windows\system32\pajitebe.dll
2009-03-14 15:49 105,984 a--sh--- c:\windows\system32\regopimu.dll
2009-03-12 05:48 102,400 -------- c:\windows\system32\sebenefi.dll
2009-03-12 05:48 140,800 a--sh--- c:\windows\system32\luwuwuti.dll
2009-03-12 05:48 106,496 a--sh--- c:\windows\system32\sumirimi.dll
2009-03-11 17:47 105,472 a--sh--- c:\windows\system32\vuwizodi.dll
2009-03-11 17:47 141,824 a--sh--- c:\windows\system32\lunuhofu.dll
2009-03-11 17:47 101,376 a--sh--- c:\windows\system32\kusajayo.dll
2009-03-11 05:47 142,336 a--sh--- c:\windows\system32\yubosuku.dll
2009-03-11 05:47 108,032 a--sh--- c:\windows\system32\zofitemi.dll
2009-03-10 17:47 143,872 a--sh--- c:\windows\system32\sagujesu.dll
2009-02-07 20:30 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
0000-00-00 00:00 70,144 a--sh--- c:\windows\system32\soriwenu.dll
0000-00-00 00:00 70,144 a--sh--- c:\windows\system32\yaroluwa.dll.vir
0000-00-00 00:00 70,144 a--sh--- c:\windows\system32\yilopepu.dll

============= FINISH: 18:01:45.60 ===============

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:02 AM

Posted 25 March 2009 - 05:30 PM

Hi azjmw,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, rightclick the link and choose "Save Link As").
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • You have still some leftovers from an incomplete uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program if you are not using it.
    If you decided to uninstall it click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:

    Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.


#5 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 25 March 2009 - 08:53 PM

Farbar thanks for your help to this point. Please note: Spybot wouldn't let me disable teatimer, it repeatedly hung on me. I ended up having to uninstall the entire spybot app. I then proceeded with each step of your instructions (including running resetteatimer.exe). Mbam did find three files that it needed a reboot to remove, I did reboot and then ran HJT. Mbam and HJT logs follow. Looking forward to your reply! Thanks again!

MBAM LOG
Malwarebytes' Anti-Malware 1.34
Database version: 1898
Windows 5.1.2600 Service Pack 2

3/25/2009 9:42:25 PM
mbam-log-2009-03-25 (21-42-25).txt

Scan type: Quick Scan
Objects scanned: 73175
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vonokave.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{048dad48-c6d9-4d9e-921a-6b74fd3111a8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{048dad48-c6d9-4d9e-921a-6b74fd3111a8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c002a0a4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005f5a4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006086c (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0081d10 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8dbb725 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f706d7f7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vonokave.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\evakonov.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
C:\win32upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vuwizodi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kowayini.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaroluwa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:51 PM, on 3/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Utilities\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.com
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230493306390
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\torinehi.dll ebejjp.dll c:\windows\system32\lulujama.dll smpwfg.dll ncygvz.dll C:\WINDOWS\system32\yaroluwa.dll dldiou.dll zedyof.dll xooecm.dll uftkos.dll c:\windows\system32\sevufato.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6701 bytes

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:02 AM

Posted 26 March 2009 - 04:55 AM

Well done azjmw! :thumbup2:
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.


#7 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 26 March 2009 - 04:32 PM

Thanks Farbar! Getting there I think. Combofix did install the recovery console. Eagerly awaiting your feedback! :-)

CF log and new HJT log follow.

Combofix Log

ComboFix 09-03-25.04 - jwagner 2009-03-26 17:17:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.158 [GMT -5:00]
Running from: c:\documents and settings\jwagner\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\ibimakuk.ini
c:\windows\system32\ifenebes.ini
c:\windows\system32\lunuhofu.dll
c:\windows\system32\ovaduses.ini

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 21:31 . 2009-03-25 21:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 21:31 . 2009-03-25 21:31 <DIR> d-------- c:\documents and settings\jwagner\Application Data\Malwarebytes
2009-03-25 21:31 . 2009-03-25 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 21:31 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 21:31 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 21:26 . 2009-03-25 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-25 17:10 . 2009-03-25 17:10 2,098 ---hs---- c:\windows\system32\havosufi.exe
2009-03-24 23:09 . 2009-03-24 23:09 2,098 ---hs---- c:\windows\system32\luweboje.exe
2009-03-24 05:08 . 2009-03-24 05:08 2,098 ---hs---- c:\windows\system32\videfipu.exe
2009-03-23 11:10 . 2009-03-23 11:10 2,098 ---hs---- c:\windows\system32\sakunaru.exe
2009-03-22 17:09 . 2009-03-22 17:09 2,098 ---hs---- c:\windows\system32\hefokiku.exe
2009-03-21 23:05 . 2009-03-21 23:05 2,098 ---hs---- c:\windows\system32\tewomodu.exe
2009-03-21 05:06 . 2009-03-21 05:06 2,098 ---hs---- c:\windows\system32\tadidaru.exe
2009-03-20 11:02 . 2009-03-20 11:02 2,098 ---hs---- c:\windows\system32\rubosewi.exe
2009-03-18 23:59 . 2009-03-18 23:59 2,098 ---hs---- c:\windows\system32\fojejive.exe
2009-03-18 05:58 . 2009-03-18 05:58 2,098 ---hs---- c:\windows\system32\megoputi.exe
2009-03-17 11:56 . 2009-03-17 11:56 2,098 ---hs---- c:\windows\system32\rapizada.exe
2009-03-16 02:53 . 2009-03-16 02:53 2,098 ---hs---- c:\windows\system32\wajupiva.exe
2009-03-10 09:48 . 2009-03-10 09:48 <DIR> d-------- c:\documents and settings\jwagner\Application Data\Move Networks
2009-03-07 15:19 . 2009-03-07 15:19 <DIR> d-------- c:\documents and settings\jwagner\Application Data\Leadertech
2009-03-02 15:03 . 2009-03-02 15:03 98,304 --a------ c:\windows\system32\CmdLineExt.dll
2009-03-02 15:00 . 2009-03-02 15:00 <DIR> d-------- c:\program files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 04:59 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-26 02:44 13,440 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
2009-03-26 01:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-26 01:56 --------- d-----w c:\documents and settings\jwagner\Application Data\Viewpoint
2009-03-26 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-26 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 20:38 --------- d-----w c:\documents and settings\jwagner\Application Data\AVG7
2009-03-02 20:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-02 14:12 --------- d-----w c:\documents and settings\jwagner\Application Data\AdobeUM
2009-02-21 19:19 --------- d-----w c:\documents and settings\jwagner\Application Data\Ahead
2009-02-21 15:18 --------- d-----w c:\program files\Sonic Foundry
2009-02-15 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-02-14 23:35 --------- d-----w c:\program files\Walmart MP3 Music Downloads
2009-02-08 02:21 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-08 02:19 --------- d-----w c:\program files\Common Files\Intuit
2009-02-08 02:19 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-08 02:16 --------- d-----w c:\program files\TurboTax
2009-02-08 02:09 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-03 01:30 --------- d-----w c:\documents and settings\jwagner\Application Data\Amazon
2009-02-03 01:25 --------- d-----w c:\program files\Amazon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-06-07 3809280]
"Dit"="Dit.exe" [2004-04-02 c:\windows\Dit.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\HDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-04-15 219136]

c:\documents and settings\jwagner\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\OSA.EXE"=

R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2004-05-25 13440]
R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-06-23 1390976]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\Drivers\iiusbisp.sys --> c:\windows\system32\Drivers\iiusbisp.sys [?]
S3 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.wintu.edu/secure/PhxStudent15.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 17:21:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-26 17:25:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-26 22:25:49

Pre-Run: 127,786,348,544 bytes free
Post-Run: 127,966,056,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

160


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:22 PM, on 3/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Dit.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Utilities\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.com
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230493306390
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6449 bytes

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:02 AM

Posted 26 March 2009 - 05:02 PM

Still a little work to do but we get there soon.
  • We need to scan a file. Click on this link--> virustotal
    • Copy and paste the following bold line in the Browse... area:

      C:\WINDOWS\Dit.exe

    • Click Send File.
    • If the file is analyzed before, click Reanalyse File Now button.
    • Please copy and paste the results of the scan in your next post.
  • Open notepad (start > run > type notepad in the run box and click OK)and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/210656/unknown-malware-infection/?p=1194329
    
    Collect::[4]
    c:\windows\system32\havosufi.exe
    c:\windows\system32\luweboje.exe
    c:\windows\system32\videfipu.exe
    c:\windows\system32\sakunaru.exe
    c:\windows\system32\hefokiku.exe
    c:\windows\system32\tewomodu.exe
    c:\windows\system32\tadidaru.exe
    c:\windows\system32\rubosewi.exe
    c:\windows\system32\fojejive.exe
    c:\windows\system32\megoputi.exe
    c:\windows\system32\rapizada.exe
    c:\windows\system32\wajupiva.exe

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
    A command window opens, wait until a log file opens. Please post the content of it to your reply.

  • AVG 7 is outdated. You need protection from an updated Antivirus.

    Visit http://free.avg.com/download?prd=afe to download AVG 8 setup file to your desktop. Don't install it yet.
    • Go to Add/Remove programs and uninstall AVG 7.
    • Reboot.
    • Use Windows search to search for AVG and remove the folders.
    • Double click the downloaded setup file to Install AVG 8 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan finished under Result Overview tap at the end of scan result click Export overview to file
    • Select File Type: All files Name:scan.txt and save it on your desktop.
    • Under Warnings tap press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.
  • Please copy and paste a fresh Hijackthis log to your reply.


#9 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 26 March 2009 - 08:06 PM

Farbar; VirusTotal scan results for c:\windows\dit.exe. More info coming....Thanks! azjmw




Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.27 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.27 -
Avast 4.8.1335.0 2009.03.26 -
AVG 8.5.0.283 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.27 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6419 2009.03.27 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.27 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.27 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.27 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.27 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 86016 bytes
MD5...: 748b9439fde6e1c161e109dcf5908066
SHA1..: 89749fbb5e5f8a883c4728126d4fc9e277b02b13
SHA256: 244c669ab7ac73793942d6c61d1c5aaad83b3b6fd07cb657463a7823c3a1978e
SHA512: 74f09aac8f1f808d1af944d0dc8bb456c3cac266a007f97302a48f9a5dda35f2
22a0cf86fe0a1b93e6c43ad1b43971170db2d3f9609dad3b993271ffb04fa19e
ssdeep: 1536:7X9WVR/tH5vyhDM6lLOKsNGvo+qmFSLCdeRa:b9W4JhNsNGvo+qmQLCcc

PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6391
timedatestamp.....: 0x406cfa98 (Fri Apr 02 05:31:04 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x92c8 0xa000 6.20 7a6b0e134419c9d635b55e2add23b828
.rdata 0xb000 0x10a0 0x2000 3.50 8b22bd728a1281cecce651ef39af6954
.data 0xd000 0x4a44 0x1000 3.76 a54e18338a405163f4546730c609eac8
.rsrc 0x12000 0x60d8 0x7000 4.68 0f7447ccd43f6b9989b93e024cf70be3

( 4 imports )
> SETUPAPI.dll: SetupDiEnumDeviceInterfaces, SetupDiGetDeviceRegistryPropertyA, SetupDiSetDeviceRegistryPropertyA, SetupDiSetClassInstallParamsA, SetupDiDeleteDeviceInterfaceData, SetupDiChangeState, SetupDiGetDeviceInterfaceDetailA, SetupDiOpenDeviceInterfaceA, SetupDiCreateDeviceInfoList, SetupDiGetClassDevsA, SetupDiDestroyDeviceInfoList
> KERNEL32.dll: LoadLibraryA, FreeLibrary, WaitForSingleObject, ResetEvent, CreateEventA, SetThreadPriority, CreateThread, Sleep, SetEvent, GetPrivateProfileIntA, lstrcatA, GetModuleFileNameA, GetPrivateProfileStringA, lstrlenA, lstrcpyA, GetDriveTypeA, GetVersionExA, WinExec, GetTickCount, lstrcmpiA, WideCharToMultiByte, GetSystemDirectoryA, SetFilePointer, SetStdHandle, LCMapStringW, LCMapStringA, FlushFileBuffers, GetOEMCP, GetACP, GetCPInfo, GetStringTypeW, GetStringTypeA, MultiByteToWideChar, RtlUnwind, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetProcAddress, DeviceIoControl, GetLastError, CloseHandle, CreateFileA, HeapDestroy, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapReAlloc, VirtualAlloc, VirtualFree, GetModuleHandleA, HeapAlloc, HeapFree, GetSystemDirectoryW, FindResourceA, LoadResource, SizeofResource, GetVersion, GetWindowsDirectoryA, WriteFile, LockResource, HeapCreate
> USER32.dll: wsprintfW, wsprintfA, SetTimer, EnumWindows, GetClassNameA, PostQuitMessage, DestroyWindow, DefWindowProcA, GetMessageA, DispatchMessageA, TranslateMessage, FindWindowA, PostMessageA, CreateWindowExA, ShowWindow, UpdateWindow, LoadIconA, LoadCursorA, RegisterClassExA, CharUpperA, PostThreadMessageA, KillTimer
> ADVAPI32.dll: RegOpenKeyExA, RegEnumKeyA, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegSetValueExW, RegQueryValueExA, RegDeleteValueA, RegCloseKey

( 0 exports )

RDS...: NSRL Reference Data Set
-

#10 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 26 March 2009 - 09:18 PM

Farbar, Virustotal scan posted just prior. Ran combofix with the cfscript.txt info (files submitted for analysis). Uninstalled AVG 7.x, installed AVG 8. Combofix log, AVG 8 log (scan/txt), and HJT log follow. Thanks! - azjmw


Combofix log
ComboFix 09-03-25.04 - jwagner 2009-03-26 20:46:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.194 [GMT -5:00]
Running from: c:\documents and settings\jwagner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jwagner\Desktop\cfscript.txt
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fojejive.exe
c:\windows\system32\havosufi.exe
c:\windows\system32\hefokiku.exe
c:\windows\system32\luweboje.exe
c:\windows\system32\megoputi.exe
c:\windows\system32\rapizada.exe
c:\windows\system32\rubosewi.exe
c:\windows\system32\sakunaru.exe
c:\windows\system32\tadidaru.exe
c:\windows\system32\tewomodu.exe
c:\windows\system32\videfipu.exe
c:\windows\system32\wajupiva.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-25 21:31 . 2009-03-25 21:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 21:31 . 2009-03-25 21:31 <DIR> d-------- c:\documents and settings\jwagner\Application Data\Malwarebytes
2009-03-25 21:31 . 2009-03-25 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 21:31 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 21:31 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 21:26 . 2009-03-25 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-10 09:48 . 2009-03-10 09:48 <DIR> d-------- c:\documents and settings\jwagner\Application Data\Move Networks
2009-03-07 15:19 . 2009-03-07 15:19 <DIR> d-------- c:\documents and settings\jwagner\Application Data\Leadertech
2009-03-02 15:03 . 2009-03-02 15:03 98,304 --a------ c:\windows\system32\CmdLineExt.dll
2009-03-02 15:00 . 2009-03-02 15:00 <DIR> d-------- c:\program files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 22:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-26 02:44 13,440 ----a-w c:\windows\system32\drivers\USBCRFT.SYS
2009-03-26 01:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-26 01:56 --------- d-----w c:\documents and settings\jwagner\Application Data\Viewpoint
2009-03-26 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-26 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 23:16 11,505,551 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-07 20:38 --------- d-----w c:\documents and settings\jwagner\Application Data\AVG7
2009-03-02 20:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-02 14:12 --------- d-----w c:\documents and settings\jwagner\Application Data\AdobeUM
2009-02-21 19:19 --------- d-----w c:\documents and settings\jwagner\Application Data\Ahead
2009-02-21 15:18 --------- d-----w c:\program files\Sonic Foundry
2009-02-15 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-02-14 23:35 --------- d-----w c:\program files\Walmart MP3 Music Downloads
2009-02-08 02:21 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-08 02:19 --------- d-----w c:\program files\Common Files\Intuit
2009-02-08 02:19 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-08 02:16 --------- d-----w c:\program files\TurboTax
2009-02-08 02:09 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-03 01:30 --------- d-----w c:\documents and settings\jwagner\Application Data\Amazon
2009-02-03 01:25 --------- d-----w c:\program files\Amazon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-06-07 3809280]
"Dit"="Dit.exe" [2004-04-02 c:\windows\Dit.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\HDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-04-15 219136]

c:\documents and settings\jwagner\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\OSA.EXE"=

R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2004-05-25 13440]
R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-06-23 1390976]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\Drivers\iiusbisp.sys --> c:\windows\system32\Drivers\iiusbisp.sys [?]
S3 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.wintu.edu/secure/PhxStudent15.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 20:48:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-26 20:49:25
ComboFix-quarantined-files.txt 2009-03-27 01:49:20
ComboFix2.txt 2009-03-26 22:25:53

Pre-Run: 127,953,661,952 bytes free
Post-Run: 127,930,089,472 bytes free

130


AVG 8 (scan.txt)
"Scan ""Scan whole computer"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Thursday, March 26, 2009, 9:17:20 PM"
"Scan finished:";"Thursday, March 26, 2009, 10:01:10 PM (43 minute(s) 49 second(s))"
"Total object scanned:";"283089"
"User who launched the scan:";"jwagner"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\jwagner\Cookies\jwagner@247realmedia[1].txt";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@247realmedia[1].txt:\247realmedia.com.855b46d";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@247realmedia[2].txt";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@247realmedia[2].txt:\247realmedia.com.855b46d";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@247realmedia[2].txt:\247realmedia.com.d90d45cf";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@2o7[2].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@2o7[2].txt:\2o7.net.bf62af4f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@2o7[3].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@2o7[3].txt:\2o7.net.13983ce1";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@advertising[2].txt";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@advertising[2].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@advertising[2].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@advertising[2].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@advertising[2].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@advertising[2].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@realmedia[1].txt";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@realmedia[1].txt:\realmedia.com.125a868c";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@realmedia[1].txt:\realmedia.com.68087763";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@realmedia[1].txt:\realmedia.com.aad362d8";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@realmedia[1].txt:\realmedia.com.e14be39e";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@realmedia[1].txt:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@revsci[2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@revsci[2].txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@statse.webtrendslive[2].txt";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
"C:\Documents and Settings\jwagner\Cookies\jwagner@statse.webtrendslive[2].txt:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"


HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:46 PM, on 3/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Utilities\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.com
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230493306390
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6738 bytes

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:02 AM

Posted 27 March 2009 - 12:07 PM

We are almost there.
  • If you have set bestbuy.com as your start page it is OK otherwise:

    Open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.com

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    Then reset your start page.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    Note 1. If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Please copy and paste a fresh Hijackthis log to your reply for a final check and tell me how is your computer running.


#12 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 27 March 2009 - 05:54 PM

Hello Farbar. Start page reset, Java updated, and fresh HJT log follows. System is running GREAT! No issues, pop-ups, etc. New AVG installed and running. Hopefully, this last HJT review will confirm that we are now ok. I can't thank you enough. All of you help VERY MUCH appreciated! Thanks - azjmw


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:20 PM, on 3/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Utilities\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230493306390
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6224 bytes

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:02 AM

Posted 27 March 2009 - 07:09 PM

Yes the log looks good. And you are most welcome azjmw.
  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore.

    The first reboot might be a little slow, the next one will be faster.

  • I recommend updating Internet Explorer 6 to Internet Explorer 7. IE 7 has more functionality and is much safer.

  • I recommend installing this small application for safe surfing: Javacoolsİ SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once in 2-3 weeks and enable the restriction.
Please let me know Combofix uninstalled properly.

Happy surfing!

#14 azjmw

azjmw
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 27 March 2009 - 07:48 PM

Farbar - YOU ROCK! Thanks again and once more I appreciate all of your help!

Combofix uninstall complete

Spywareblaster installed and enabled

And I'm looking into IE 7


Hope to talk to you again (but not too soon, nor for this issue - LOL)

azjmw

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:02 AM

Posted 27 March 2009 - 07:58 PM

You are most welcome azjmw, hope you never get infected again :thumbup2:

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users