
trojandownloader.vb


This topic is locked
3 replies to this topic

#1 eshardlow


Posted 16 March 2009 - 04:38 AM

Hi, I ran AdAware and found that I had a trojandownloader.vb virus, which had downloaded a grip of crap onto my computer. After reading previous posts, I ran ComboFix. Here's the log (I am going to run HijackThis now, and will post the log shortly):

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Rabio
c:\windows\error.exe
c:\windows\system32\e5
c:\windows\system32\hiecibmr.ini
c:\windows\system32\iiqljlrc.ini
c:\windows\system32\P8
c:\windows\system32\pac.txt
c:\windows\System32\Yxwvwyay.ini
c:\windows\system32\Yxwvwyay.ini2

.
((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-16 01:46 . 2009-03-16 01:46 <DIR> d-------- c:\program files\Trend Micro
2009-03-16 00:33 . 2009-03-16 00:33 <DIR> d-------- c:\users\Ed\AppData\Roaming\Sammsoft
2009-03-16 00:33 . 2009-03-16 00:33 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-13 15:37 . 2008-12-15 20:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-13 15:37 . 2008-12-15 22:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-13 15:37 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-13 15:37 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-13 15:36 . 2009-02-08 20:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-13 15:36 . 2008-11-26 21:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-02-26 00:48 . 2009-03-01 18:31 <DIR> d-------- c:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 09:22 131,442 ----a-w c:\users\All Users\nvModes.dat
2009-03-16 09:22 131,442 ----a-w c:\programdata\nvModes.dat
2009-03-15 17:19 --------- d-----w c:\program files\Windows Mail
2009-03-01 20:23 --------- d-----w c:\programdata\Yahoo!
2009-02-26 17:26 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-16 04:05 --------- d-----w c:\programdata\NVIDIA
2009-02-08 03:43 129,082 ----a-w c:\users\Ed\AppData\Roaming\nvModes.dat
2008-12-04 21:57 2,354 ----a-w c:\users\Ed\AppData\Roaming\SAS7_000.DAT
2008-11-11 08:02 174 --sha-w c:\program files\desktop.ini
2008-09-13 20:05 732 ----a-w c:\users\Ed\AppData\Roaming\wklnhst.dat
2008-08-08 21:15 27,335 ----a-w c:\users\Karen\AppData\Roaming\nvModes.dat
2008-11-26 23:53 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-11-26 23:53 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-11-26 23:53 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2007-10-17 403456]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
--a------ 2007-03-12 11:54 50696 c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-08-04 04:36 77824 c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 00:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{46A1DFCF-253B-4D0C-9F3D-F6EAA95863D8}c:\\program files\\kodak\\kodak software updater\\7288971\\program\\backweb-7288971.exe"= UDP:c:\program files\kodak\kodak software updater\7288971\program\backweb-7288971.exe:backWeb-7288971
"UDP Query User{DC6B187D-EA15-4FF1-BBC1-2B8D884DB344}c:\\program files\\kodak\\kodak software updater\\7288971\\program\\backweb-7288971.exe"= TCP:c:\program files\kodak\kodak software updater\7288971\program\backweb-7288971.exe:backWeb-7288971
"{93E1DF93-FFCA-4621-9267-FD0C88A7870D}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{A1B3A8B3-35CD-4CE1-8D17-1A1AF2F3D759}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{4AEB7CCD-8E04-47DE-A0D7-6114F0A047BC}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{9DE925F7-1156-48E6-8B29-2213B91805F7}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{D5831296-EC17-45B3-91A8-D53C6437145C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7ABC37F9-ACBE-47A7-AC8F-B2CA10AAD111}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{90C899F0-CDB4-480B-97AB-43A20361918B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B6C43441-BB33-4396-A88E-53640DCC721F}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{5C5453C7-1C69-43C9-88F7-EA6F45241492}c:\\program files\\thq\\titan quest\\titan quest.exe"= UDP:c:\program files\thq\titan quest\titan quest.exe:Titan Quest
"UDP Query User{EE4A563D-7D70-43EB-8ED5-B840A4EE6247}c:\\program files\\thq\\titan quest\\titan quest.exe"= TCP:c:\program files\thq\titan quest\titan quest.exe:Titan Quest
"TCP Query User{9699FD8E-54BC-441A-9408-60C51C4F297C}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{97E729C2-4A08-4D54-80E1-A880D7479151}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{0CEC7794-ACD1-4035-95E8-154DC62266AD}c:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= UDP:c:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"UDP Query User{BD20397D-9B60-4284-830D-5F368EA5B2E0}c:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= TCP:c:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"TCP Query User{37827B9D-1727-4F08-9683-7E41E5E96964}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{A8275140-2DDE-4445-89D7-EFA2A84FEDB6}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{78843890-43AE-4E67-8A3B-59DF50F07371}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DB13150A-0208-4CCD-8ED2-B560DF5AD91F}"= UDP:c:\program files\Canon\DIAS\CnxDIAS.exe:Canon Driver Information Assist Service
"{AB5223F7-19F6-41D7-AFDD-CAA3BDBF05D3}"= TCP:c:\program files\Canon\DIAS\CnxDIAS.exe:Canon Driver Information Assist Service
"{801386DD-8823-462D-AA2D-7B108ED28A8A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{788BD7B9-BD0E-462F-BEE1-68F7D16DA211}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{34E1CF0F-C27B-46E4-812D-7063C9F0A7F6}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{6B856025-94EE-4B13-BDF3-A05202693D33}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{795A409A-BB8F-43A9-8DDF-C9CF673958C3}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{83DEC178-21DE-4914-8E7D-E8F2B2AF28AD}c:\\program files\\thq\\titan quest immortal throne\\tqit.exe"= UDP:c:\program files\thq\titan quest immortal throne\tqit.exe:Tqit
"UDP Query User{85258CB4-BF10-48F4-8CF9-E61661E98279}c:\\program files\\thq\\titan quest immortal throne\\tqit.exe"= TCP:c:\program files\thq\titan quest immortal throne\tqit.exe:Tqit
"{A4AE3266-55D9-4A1C-B448-F2DC337F5A63}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{51E69407-9F51-48A2-B085-F65C96F8192B}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{1A8928DF-A091-4766-8D76-F3290774A943}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{E34F97EB-9FAA-4C09-BCC0-F401145828C8}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{A2B8D2A7-FA48-479D-87D6-944BC7FE73C0}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CB814092-B76D-4388-900C-C4624FD4C891}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{677B77F4-15FF-469C-9C62-5A45A90AD22E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{1B81B7DB-5415-40A6-BFF9-EAE40C039372}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{BB148439-9602-4B83-A886-53ADF50FEAC8}c:\\program files\\thq\\titan quest immortal throne\\tqit.exe"= UDP:c:\program files\thq\titan quest immortal throne\tqit.exe:Tqit
"UDP Query User{23365154-13A3-4B22-A3F6-8E354E69BA15}c:\\program files\\thq\\titan quest immortal throne\\tqit.exe"= TCP:c:\program files\thq\titan quest immortal throne\tqit.exe:Tqit
"TCP Query User{56345F47-B2E7-485F-AA8E-AC5E72CBBBB7}c:\\program files\\morpheus\\morpheus.exe"= UDP:c:\program files\morpheus\morpheus.exe:Morpheus
"UDP Query User{21D5AAAF-8237-4EB1-A3E3-16779C001329}c:\\program files\\morpheus\\morpheus.exe"= TCP:c:\program files\morpheus\morpheus.exe:Morpheus
"{37E303AD-B46F-4B2A-937D-2D435B81D988}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{4BA31EFD-0033-4138-BB7E-D2F5576B11D4}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0D2E7A11-FE3A-47E8-8E4D-F537E1A6C7D9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{73B6236A-66D5-4036-BA46-EBEAD4248860}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{9610AEAB-6858-4C68-B4D6-A8298E55107C}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{C996A204-3A0F-4754-B957-6154DD8D056D}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{37A66828-8526-4F18-AE43-43EB7BA82341}c:\\programdata\\autobahn\\autobahn.exe"= UDP:c:\programdata\autobahn\autobahn.exe:autobahn
"UDP Query User{1E961A7B-D642-4D66-869D-0F18ABA1761D}c:\\programdata\\autobahn\\autobahn.exe"= TCP:c:\programdata\autobahn\autobahn.exe:autobahn
"{044026A5-DEC4-4F04-9896-DBF5EFC3C5A0}"= UDP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{4EEB77E2-3633-413D-B68D-6E8AE1299113}"= TCP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{F8FC5BA6-FB74-4200-944E-780EA06C1AE2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A857ABCE-5E82-4E2E-93A4-172F99259FFA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{287996C5-9D68-41CC-BDB8-704FC7A12F36}"= UDP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{536F6E55-6E80-4051-B083-11FA60196C3E}"= TCP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{F33F7BF4-7A29-4532-BCB1-2C2F76A907C4}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{0C28E7CD-6FD0-4ED5-8CB5-D8BE1DD56628}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{2AD52306-0B66-47DD-99C4-72D34D5B6706}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{12A56769-5C13-4752-8B49-EA0271A1AE77}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8D9ECC9A-1E51-4721-90C5-8149A1BB84DE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2007-11-29 1223168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\User_Feed_Synchronization-{139DF1CA-CBB8-4BC8-B9AA-8973CC8C760D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 00:33]
.
- - - - ORPHANS REMOVED - - - -

BHO-{CC376D90-5DE8-400F-AAA4-4A9A8D6F7A44} - c:\windows\system32\yaywvwxY.dll
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
HKLM-Run-MMUpdate - \\agy044\mmapps\ISHIELD\Update\Disk1\update.exe
HKLM-Run-BM174c89bc - c:\windows\system32\tchgyflk.dll
HKLM-Run-147fba20 - c:\windows\system32\rmbiceih.dll
ShellExecuteHooks-{1764AF3F-400C-415E-9A92-67A7D55C2C71} - c:\windows\system32\awtrrpNE.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\cwalsp.dll
Trusted Zone: dell.com\premier
Trusted Zone: dell.com\signin
Trusted Zone: edcor.com
Trusted Zone: Massmutual.com
Trusted Zone: Massmutualdesigns.com
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: winflexweb.com\www
FF - ProfilePath - c:\users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\y52hhvh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\y52hhvh7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000053.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 02:24:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\DIAS\CnxDIAS.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\iPod Access for Windows\iPAHelper.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2009-03-16 2:32:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 09:32:08

Pre-Run: 32,131,227,648 bytes free
Post-Run: 33,648,586,752 bytes free

264 --- E O F --- 2009-03-15 17:19:06

#2 eshardlow


Posted 16 March 2009 - 04:40 AM

Here's the HijackThis log:


Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [cwcptray] "C:\Program Files\ContentWatch\Internet Protection\cwtray.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: *.Massmutual.com
O15 - Trusted Zone: *.Massmutualdesigns.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

#3 Orange Blossom


Posted 27 March 2009 - 08:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Orange Blossom


Posted 03 April 2009 - 12:32 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please start a new topic.
