At least two major malware issues - Mozilla Google search redirects, IE spawning in the background...


8 replies to this topic

#1 Syrith

Posted 01 April 2009 - 05:51 AM

I really appreciate your help! My poor desktop appears to be rather nastily infected with one or more difficult-to-pin-down malware or virus programs. I'm not prepared to reinstall my OS and start from scratch at this time, but short of that, I'm ready to roll up my sleeves and do some hardcore virus-hunting!

Here are the "symptoms" I'm sure of, though more may be wrong "behind the scenes":

1) In Mozilla Firefox, when I click on Google search results, I am redirected to junk websites such as "". This has been going on a few days only.

2) Internet Explorer is spontaneously loading 1-2 copies of itself (iexplore.exe) invisibly. I can see it in the Task Manager and end the task, but it respawns. Comodo Firewall can similarly end it, but even if I ask Comodo to block it, the application respawns.


Please help! I appreciate your advice in resolving these problems, and anything else that jumps out at you as a major issue in my log.


DDS.txt log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeremy Friedman at 6:44:21.00 on Wed 04/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.159 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Verdiem\Edison\edsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Jeremy Friedman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = localhost;*.local
BHO: {012f6303-06fd-402b-8b33-f8af2a949c37} - c:\windows\system32\qvaxybxm.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {310ca74f-cccb-438c-9fba-e67dc36f8ec8} - c:\windows\system32\sasfpp.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4317a55c-76e4-4143-a1e4-5dc2b54693c2} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {547A7C84-9CF6-435D-ABC2-7F314B3F17A9} - No File
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: {902971EF-33A7-4EF3-A4B9-AED91378FEA9} - No File
BHO: {a658cdd6-c8af-42d4-aa61-537491cb2db1} - c:\windows\system32\vtUlLDSi.dll
BHO: {B8E3676C-A8AB-4102-AD55-BDCAC2DF2D0E} - No File
BHO: {C2F34337-4B92-4E22-8A34-C8228B1B9162} - No File
BHO: {f2277ce5-4794-4912-ac8c-377793dbc967} - c:\windows\system32\snxuwsdh.dll
BHO: {fbff3b36-be67-4561-99a4-5477b0bfc5fa} - c:\windows\system32\qoMcbaBT.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Edison] "c:\program files\verdiem\edison\Edison.exe" /autolaunched
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: <NO NAME> =
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoom~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151272202437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: opnmNhGx - opnmNhGx.dll
Notify: qoMcbaBT - qoMcbaBT.dll
Notify: winzwr32 - winzwr32.dll
AppInit_DLLs: sasfpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\eudora\EuShlExt.dll
SEH: {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - No File
SEH: {fbff3b36-be67-4561-99a4-5477b0bfc5fa} - c:\windows\system32\qoMcbaBT.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUlLDSi

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy~1\applic~1\mozilla\firefox\profiles\n0msgkqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\jeremy friedman\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJPI141_02.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-8-17 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-8-17 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-26 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-20 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-26 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-19 24336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-26 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-26 298264]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-19 700152]
R2 edsvc;Edison Power Management Service;c:\program files\verdiem\edison\edsvc.exe [2008-10-24 75008]
R2 HDDTService;HDD Temperature;c:\program files\palicksoft\hdd temperature\HDDTSvc.exe [2004-11-24 384512]
R3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\DELUSB_51.sys [2007-3-25 606208]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2005-12-15 10379]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 Mxllldc;Mxllldc; [x]

=============== Created Last 30 ================

2009-04-01 06:07 <DIR> --d----- c:\program files\trend micro
2009-03-26 10:10 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-26 10:10 <DIR> --d----- c:\program files\MSECACHE
2009-03-22 13:49 <DIR> --d----- c:\program files\iPod
2009-03-22 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 13:18 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-22 13:18 1,409 a------- c:\windows\QTFont.for
2009-03-19 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-03-19 00:04 155,384 a------- c:\windows\system32\guard32.dll
2009-03-19 00:04 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-03-19 00:04 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 00:03 <DIR> --d----- c:\program files\COMODO
2009-03-15 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Last.fm
2009-03-15 22:07 <DIR> --d----- c:\program files\Last.fm
2009-03-05 09:51 <DIR> --d----- C:\Download

==================== Find3M ====================

2009-02-16 01:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-06 09:18 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 09:18 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-06 09:18 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-09-11 20:24 213,368 a------- c:\docume~1\jeremy~1\applic~1\GDIPFONTCACHEV1.DAT
2006-06-24 23:03 461 a------- c:\program files\INSTALL.LOG
2005-11-12 20:03 6,052,174 a------- c:\program files\Pocket Tanks Deluxe.zip
2005-09-30 17:53 37 a------- c:\documents and settings\jeremy friedman\getfile.dat
2005-01-21 03:10 6,312 a------- c:\program files\Uninst.isu
2004-08-04 08:00 67,072 a----r-- c:\docume~1\jeremy~1\applic~1\twex.exe
2005-11-03 17:18 56 a--shr-- c:\windows\system32\042F80B0A9.sys
2008-10-28 22:34 956,208 a--sh--- c:\windows\system32\iSDLlUtv.ini2
2005-11-03 17:18 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 6:45:48.41 ===============
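As an added triage example (not from this thread or from the DDS tool): a Python script that reads the load-point lines of a DDS "Pseudo HJT Report", flags the entries a responder checks first (BHO/Notify/SEH/AppInit modules, extra LSA authentication packages, orphaned registrations, Trusted Zone sites), and diffs two reports to show what a cleanup actually removed and what survived. The sample lines are copied from the two DDS logs posted in this thread; the allowlist of known-good DLLs is an assumption built only from the legitimate products visible in them.

```python
import re

# Assumption: an analyst allowlist built from the legitimate products visible in
# this machine's log (AVG, Spybot S&D, Windows Portable Devices, Eudora), not a
# general-purpose list.
KNOWN_GOOD_DLLS = {
    "avgssie.dll", "sdhelper.dll", "avgrsstx.dll", "wpdshserviceobj.dll", "eushlext.dll",
}

LINE_RE = re.compile(r"^(?P<kind>BHO|TB|EB|SEH|Notify|AppInit_DLLs|LSA|Trusted Zone):\s*(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


def parse_pseudo_hjt(text):
    """Reduce the load-point lines of a DDS 'Pseudo HJT Report' to (kind, key, target) tuples."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest").strip()
        if kind in ("BHO", "TB", "EB", "SEH"):
            # "Name: {CLSID} - path" or "{CLSID} - No File"; the CLSID is the stable key
            clsid = CLSID_RE.search(rest)
            key = clsid.group(0).lower() if clsid else rest
            entries.append((kind, key, rest.rsplit(" - ", 1)[-1].strip()))
        elif kind == "Notify":  # Winlogon notification package: "name - dll"
            name, _, dll = rest.partition(" - ")
            entries.append((kind, name.strip(), dll.strip()))
        elif kind == "AppInit_DLLs":  # injected into every process that loads user32
            entries.extend((kind, d, d) for d in re.split(r"[,\s]+", rest) if d)
        elif kind == "LSA":  # "Authentication Packages = msv1_0 <extra packages...>"
            _, _, value = rest.partition("=")
            entries.extend((kind, p, p) for p in value.split())
        else:  # Trusted Zone: one site per line
            entries.append((kind, rest.lower(), rest.lower()))
    return entries


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_entries(entries):
    """Pair each entry a responder should look at with the reason it stands out."""
    findings = []
    for entry in entries:
        kind, key, target = entry
        if kind == "Trusted Zone":
            findings.append((entry, "site in the IE Trusted Zone: confirm it belongs there"))
        elif kind == "LSA":
            if key.lower() != "msv1_0":
                findings.append((entry, "extra LSA authentication package; it is loaded by lsass.exe"))
        elif target.lower() == "no file":
            findings.append((entry, "orphaned registration, target file missing; cleanup candidate"))
        elif _basename(target) not in KNOWN_GOOD_DLLS:
            findings.append((entry, f"{kind} loads a module not on the allowlist: {_basename(target)}"))
    return findings


def diff_reports(before, after):
    """Which load points disappeared, appeared, or survived between two DDS runs."""
    b, a = set(before), set(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "survived": sorted(a & b)}


# Lines copied from the first DDS log in the thread (before cleanup).
REPORT_BEFORE = r"""
BHO: {012f6303-06fd-402b-8b33-f8af2a949c37} - c:\windows\system32\qvaxybxm.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {310ca74f-cccb-438c-9fba-e67dc36f8ec8} - c:\windows\system32\sasfpp.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {a658cdd6-c8af-42d4-aa61-537491cb2db1} - c:\windows\system32\vtUlLDSi.dll
BHO: {fbff3b36-be67-4561-99a4-5477b0bfc5fa} - c:\windows\system32\qoMcbaBT.dll
Trusted Zone: avsystemcare.com
Trusted Zone: avsystemcare.com
Notify: avgrsstarter - avgrsstx.dll
Notify: opnmNhGx - opnmNhGx.dll
Notify: qoMcbaBT - qoMcbaBT.dll
Notify: winzwr32 - winzwr32.dll
AppInit_DLLs: sasfpp.dll
SEH: {fbff3b36-be67-4561-99a4-5477b0bfc5fa} - c:\windows\system32\qoMcbaBT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUlLDSi
"""

# Lines copied from the second DDS log in the thread (after the MBAM quick scan).
REPORT_AFTER = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {310ca74f-cccb-438c-9fba-e67dc36f8ec8} - c:\windows\system32\sasfpp.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {a658cdd6-c8af-42d4-aa61-537491cb2db1} - c:\windows\system32\vtUlLDSi.dll
Trusted Zone: avsystemcare.com
Notify: avgrsstarter - avgrsstx.dll
Notify: opnmNhGx - opnmNhGx.dll
AppInit_DLLs: sasfpp.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUlLDSi
"""

if __name__ == "__main__":
    before, after = parse_pseudo_hjt(REPORT_BEFORE), parse_pseudo_hjt(REPORT_AFTER)
    for entry, why in flag_entries(after):
        print(f"[{entry[0]}] {entry[2]}: {why}")
    d = diff_reports(before, after)
    print("removed by cleanup:", len(d["removed"]), "| still present:", len(d["survived"]))
```

The diff is what tells you a scan is not finished: the AppInit and LSA entries, both of which load outside the browser, survive the quick scan, which matches the user's report that the background iexplore.exe processes kept respawning.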


#2 SifuMike

    malware expert



Posted 04 April 2009 - 02:54 PM

Hello Syrith,

Sorry for the delay. We have many logs backed up.

If you still need help, then please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DDS log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

Edited by SifuMike, 04 April 2009 - 02:55 PM.
typo


#3 Syrith


Posted 05 April 2009 - 03:22 PM

Hi Mike,
Thanks for getting back to me!

I downloaded MBAM and had another spooky problem - when I clicked the install file, nothing would happen - no processes would open in the Task Manager or anything. When I renamed it and tried again, it opened fine - suggests that Malware was blocking the install? Yikes!

Next, tried to "update then scan" as you suggested at the end of installation - again, nothing - no program comes up. Renamed the shortcut and tried again - nothing. Finally renamed the actual mbam exe file in the Program Files and Malwarebytes cheerfully popped up right away! Ran an update.

Just now ran a scan too. I mistakenly ran a "quick scan" instead of a system scan, but rather than go back I've posted the logfile below. Here's a fresh DDS log too, below that.

It was unable to remove one file (a DLL in the System32 folder), so I'm going to restart now, and then I'll run a full scan instead of the quick one and post those results.

For the record, the iexplore.exe processes continue to respawn in the background, so at the very least, that's not dead yet!

Thanks,

Jeremy



Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 2

4/5/2009 4:16:19 PM
mbam-log-2009-04-05 (16-16-19).txt

Scan type: Quick Scan
Objects scanned: 82115
Time elapsed: 9 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fbff3b36-be67-4561-99a4-5477b0bfc5fa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomcbabt (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fbff3b36-be67-4561-99a4-5477b0bfc5fa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{012f6303-06fd-402b-8b33-f8af2a949c37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{012f6303-06fd-402b-8b33-f8af2a949c37} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f2277ce5-4794-4912-ac8c-377793dbc967} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f2277ce5-4794-4912-ac8c-377793dbc967} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf2f7e80-83ff-41a7-a826-e96b45bf7c89} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fbff3b36-be67-4561-99a4-5477b0bfc5fa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzwr32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fbff3b36-be67-4561-99a4-5477b0bfc5fa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atiupdate (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMcbaBT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winzwr32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMff6b9437.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMff6b9437.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.





DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeremy Friedman at 16:20:23.78 on Sun 04/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.266 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Verdiem\Edison\edsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeremy Friedman\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Jeremy Friedman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {310ca74f-cccb-438c-9fba-e67dc36f8ec8} - c:\windows\system32\sasfpp.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4317a55c-76e4-4143-a1e4-5dc2b54693c2} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {547A7C84-9CF6-435D-ABC2-7F314B3F17A9} - No File
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: {902971EF-33A7-4EF3-A4B9-AED91378FEA9} - No File
BHO: {a658cdd6-c8af-42d4-aa61-537491cb2db1} - c:\windows\system32\vtUlLDSi.dll
BHO: {B8E3676C-A8AB-4102-AD55-BDCAC2DF2D0E} - No File
BHO: {C2F34337-4B92-4E22-8A34-C8228B1B9162} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Steam]
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Edison] "c:\program files\verdiem\edison\Edison.exe" /autolaunched
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe c:\windows\system32\stlbdist.DLL,DllRunMain
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [VBundleOuterDL] c:\program files\vbouncer\BundleOuter.EXE
mRun: [UpdateStats] c:\program files\media\media\UpdateStats.exe
mRun: [updater] c:\program files\common files\updater\wupdater.exe
mRun: [TotalRecorderScheduler] c:\program files\totalrecorder\TotRecSched.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_01\bin\jusched.exe
mRun: [stcloader] c:\windows\system32\stcloader.exe
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [RunWindowsUpdate] c:\windows\uptodate.exe
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [QD FastAndSafe] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [nwiz] nwiz.exe /install
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [mlwbat] c:\windows\mlwbat.exe
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [LimeShop] wjview /cp:p "c:\program files\limeshop\system\code" main lp: "c:\program files\LimeShop"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AutoUpdater] c:\progra~1\autoup~1\AUTOUP~1.EXE
mRun: [AcctMgr] c:\program files\norton systemworks\password manager\AcctMgr.exe /startup
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\meep.exe" /runcleanupscript
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: <NO NAME> =
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoom~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: opnmNhGx - opnmNhGx.dll
AppInit_DLLs: sasfpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\eudora\EuShlExt.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUlLDSi

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy~1\applic~1\mozilla\firefox\profiles\n0msgkqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\jeremy friedman\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\realplayer\netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-8-17 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-8-17 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-26 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-20 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-26 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-19 24336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-26 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-26 298264]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-19 700152]
R2 edsvc;Edison Power Management Service;c:\program files\verdiem\edison\edsvc.exe [2008-10-24 75008]
R2 HDDTService;HDD Temperature;c:\program files\palicksoft\hdd temperature\HDDTSvc.exe [2004-11-24 384512]
R3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\DELUSB_51.sys [2007-3-25 606208]
S3 Mxllldc;Mxllldc; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2005-12-15 10379]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-04-05 16:17 61,440 a------- c:\windows\system32\drivers\bgcIzyt.sys
2009-04-05 16:02 <DIR> --d----- c:\docume~1\jeremy~1\applic~1\Malwarebytes
2009-04-05 15:58 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 15:58 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-05 15:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RetroExp
2009-04-04 10:42 <DIR> --d----- c:\program files\CCleaner
2009-04-01 06:07 <DIR> --d----- c:\program files\trend micro
2009-03-26 10:10 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-26 10:10 <DIR> --d----- c:\program files\MSECACHE
2009-03-22 13:49 <DIR> --d----- c:\program files\iPod
2009-03-22 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 13:18 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-22 13:18 1,409 a------- c:\windows\QTFont.for
2009-03-19 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-03-19 00:04 155,384 a------- c:\windows\system32\guard32.dll
2009-03-19 00:04 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-03-19 00:04 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 00:03 <DIR> --d----- c:\program files\COMODO
2009-03-15 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Last.fm
2009-03-15 22:07 <DIR> --d----- c:\program files\Last.fm

==================== Find3M ====================

2009-02-16 01:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-06 09:18 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 09:18 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-06 09:18 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-09-11 20:24 213,368 a------- c:\docume~1\jeremy~1\applic~1\GDIPFONTCACHEV1.DAT
2006-06-24 23:03 461 a------- c:\program files\INSTALL.LOG
2005-11-12 20:03 6,052,174 a------- c:\program files\Pocket Tanks Deluxe.zip
2005-09-30 17:53 37 a------- c:\documents and settings\jeremy friedman\getfile.dat
2005-01-21 03:10 6,312 a------- c:\program files\Uninst.isu
2004-08-04 08:00 67,072 a----r-- c:\docume~1\jeremy~1\applic~1\twex.exe
2005-11-03 17:18 56 a--shr-- c:\windows\system32\042F80B0A9.sys
2008-10-28 22:34 956,208 a--sh--- c:\windows\system32\iSDLlUtv.ini2
2005-11-03 17:18 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:21:50.90 ===============

Edited to attach the new attach.txt DDS file.

Edited by Syrith, 05 April 2009 - 03:23 PM.


#4 SifuMike (malware expert)

Posted 05 April 2009 - 05:00 PM

Hi Jeremy,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the "Select Platform and Language for your download" drop-down box,
    select Windows and Multi-Language.
  • Check the box that says "Accept License Agreement", then press Continue. (Selecting Windows will give you the 32-bit version.)
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.1_02
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_01
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
Since you are heavily infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG8 Antivirus, Ad-Watch and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable TeaTimer (we can re-enable it when we're done if you like):
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [screenshot] and then on "Advanced Mode".
  • You may be presented with a warning dialog. If so, press [screenshot].
  • Click on [screenshot].
  • Click on [screenshot].
  • Uncheck this checkbox: [screenshot]
  • Close/Exit Spybot Search and Destroy.

Disable Ad-Watch to make sure it won't interfere with the fix.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

Make sure you allow ComboFix to install Recovery Console, as that is our safety net.

Post the log from ComboFix in your next reply.


A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Syrith (Topic Starter)

Posted 11 April 2009 - 02:19 PM

Hi Mike,

Thanks for your patience! I had to wait for the weekend to have the time to really pay the attention this is due and follow it through.

I've followed all the instructions: removed all versions of Java, disabled the A/V software, ran ComboFix (which did remove some files, etc.), and have posted the log below. I'm going to go re-enable the A/V right now.

How am I doing? I've got Malwarebytes and CCleaner standing by for another round of cleanup.


ComboFix 09-04-04.01 - Jeremy Friedman 2009-04-11 13:48:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.625 [GMT -4:00]
Running from: c:\documents and settings\Jeremy Friedman\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\INSTALL.LOG
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tpBe12
c:\temp\tpBe12\etFr.log
c:\temp\vtmp2
c:\temp\vtmp2\ktnv33.log
c:\windows\system32\Cache
c:\windows\system32\Cache\buts.bin
c:\windows\system32\Cache\chart 1.bmp
c:\windows\system32\Cache\ding.bmp
c:\windows\system32\Cache\disk 1.bmp
c:\windows\system32\Cache\document.bmp
c:\windows\system32\Cache\mail unreaded.bmp
c:\windows\system32\Cache\peoples 1.bmp
c:\windows\system32\Cache\search find 2.bmp
c:\windows\system32\Cache\web app.bmp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACtcbpsmfe.sys
c:\windows\system32\ekxtorvj.ini
c:\windows\SYSTEM32\iSDLlUtv.ini
c:\windows\SYSTEM32\iSDLlUtv.ini2
c:\windows\system32\lccvjdgs.ini
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\pwsayfpo.ini
c:\windows\system32\tygltxrq.ini
c:\windows\system32\UACcrwykpem.dll
c:\windows\system32\UACgqntbjns.dll
c:\windows\system32\UACoycsstuo.log
c:\windows\system32\UACphlendis.dat
c:\windows\system32\UACqrcolfqi.log
c:\windows\system32\UACrqkhcnoc.dll
c:\windows\system32\UACsspgjpnu.log
c:\windows\system32\UACtoewcsxx.dll
c:\windows\system32\UACyhnmwtsv.dll
c:\windows\system32\uninstall.exe
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://eservicesupport.us.dell.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_ZESOFT
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-11 08:18 . 2009-04-11 08:18 17,594 --a------ C:\cc_20090411_081824.reg
2009-04-06 10:02 . 2009-04-06 10:02 484 --a------ C:\cc_20090406_100229.reg
2009-04-06 09:53 . 2009-04-06 09:53 52,288 --a------ C:\cc_20090406_095309.reg
2009-04-06 09:35 . 2009-04-06 09:35 1,158 --a------ C:\cc_20090406_093511.reg
2009-04-06 09:33 . 2009-04-06 09:33 377,620 --a------ C:\cc_20090406_093325.reg
2009-04-06 09:28 . 2009-04-06 09:28 1,444,476 --a------ C:\cc_20090406_092818.reg
2009-04-05 16:02 . 2009-04-05 16:02 <DIR> d-------- c:\documents and settings\Jeremy Friedman\Application Data\Malwarebytes
2009-04-05 15:58 . 2009-04-11 08:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:58 . 2009-04-05 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:58 . 2009-04-06 15:32 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-04-05 15:58 . 2009-04-06 15:32 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-04-05 15:43 . 2009-06-06 01:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\RetroExp
2009-04-04 10:42 . 2009-04-04 10:42 <DIR> d-------- c:\program files\CCleaner
2009-04-01 06:07 . 2009-04-01 06:08 <DIR> d-------- C:\rsit
2009-04-01 06:07 . 2009-04-01 06:08 <DIR> d-------- c:\program files\trend micro
2009-03-26 10:10 . 2009-03-26 10:10 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-26 10:10 . 2009-03-26 10:10 <DIR> d-------- c:\program files\MSECACHE
2009-03-22 13:49 . 2009-03-22 13:49 <DIR> d-------- c:\program files\iPod
2009-03-22 13:49 . 2009-03-22 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 13:18 . 2009-03-22 13:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-22 13:18 . 2009-03-22 13:18 1,409 --a------ c:\windows\QTFont.for
2009-03-19 00:04 . 2009-03-21 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-19 00:04 . 2009-03-19 00:03 155,384 --a------ c:\windows\SYSTEM32\guard32.dll
2009-03-19 00:04 . 2009-03-19 00:03 110,992 --a------ c:\windows\SYSTEM32\DRIVERS\cmdguard.sys
2009-03-19 00:04 . 2009-03-19 00:03 24,336 --a------ c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys
2009-03-19 00:03 . 2009-03-19 00:03 <DIR> d-------- c:\program files\COMODO
2009-03-15 22:08 . 2009-03-15 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-03-15 22:07 . 2009-03-28 19:17 <DIR> d-------- c:\program files\Last.fm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-08 03:04 --------- d-----w c:\program files\Lavasoft
2009-04-08 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-06 13:46 --------- d-----w c:\program files\Paint Shop Pro 7
2009-04-06 13:44 --------- d-----w c:\program files\Microsoft Works
2009-04-05 19:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 14:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 14:35 --------- d-----w c:\program files\Java
2009-04-04 14:25 --------- d-----w c:\program files\WebSite Downloader for Windows
2009-04-04 13:55 --------- d-----w c:\program files\@Last Software
2009-04-01 09:43 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\OpenOffice.org2
2009-03-22 18:30 --------- d-----w c:\program files\Apple Software Update
2009-03-22 17:49 --------- d-----w c:\program files\iTunes
2009-03-22 17:49 --------- d-----w c:\program files\Common Files\Apple
2009-03-22 17:47 --------- d-----w c:\program files\Bonjour
2009-03-22 17:46 --------- d-----w c:\program files\QuickTime
2009-03-21 20:57 --------- d-----w c:\program files\GameSpy Arcade
2009-03-17 14:10 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\Azureus
2009-03-07 23:55 --------- d-----w c:\program files\Azureus
2009-03-06 05:43 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\U3
2009-02-25 12:19 --------- d-----w c:\program files\RealPlayer
2009-02-16 21:41 --------- d-----w c:\program files\Eudora
2009-02-16 21:25 --------- d-----w c:\program files\Yahoo!
2009-02-16 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-16 21:24 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\Yahoo!
2009-02-16 21:24 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-16 19:19 --------- d-----w c:\program files\ACW
2009-02-16 06:16 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-16 05:41 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-16 03:59 --------- d-sh--w c:\documents and settings\Jeremy Friedman\Application Data\twain32
2008-09-12 00:24 213,368 ----a-w c:\documents and settings\Jeremy Friedman\Application Data\GDIPFONTCACHEV1.DAT
2005-11-13 00:03 6,052,174 ----a-w c:\program files\Pocket Tanks Deluxe.zip
2005-09-30 21:53 37 ----a-w c:\documents and settings\Jeremy Friedman\getfile.dat
2005-01-21 07:10 6,312 ----a-w c:\program files\Uninst.isu
2004-08-04 12:00 67,072 ----a-r c:\documents and settings\Jeremy Friedman\Application Data\twex.exe
2005-11-03 21:18 56 --sha-r c:\windows\SYSTEM32\042F80B0A9.sys
2005-11-03 21:18 1,682 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Edison"="c:\program files\Verdiem\Edison\Edison.exe" [2008-10-24 1799424]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]
"MXOBG"="c:\windows\MXOALDR.EXE" [2005-10-05 94208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2007-06-29 81920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 09:18 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sasfpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"vidc.mxmc"= MimicICM.DLL
"msacm.divxa32"= DivXa32.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.XVID"= xvid.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.ap41"= DivXc32f.dll
"vidc.dvx4"= divx4.dll
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BOINC.lnk]
backup=c:\windows\pss\BOINC.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"SymWSC"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"c:\\Program Files\\Yahoo Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo Messenger\\YServer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype Beta\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\OutSite-In_Standard\\OutSiteIn.exe"=
"c:\\Program Files\\OutSite-In_Standard\\silamp\\apache\\1.3.35\\Apache.exe"=
"c:\\Program Files\\OutSite-In_Standard\\silamp\\mysql\\4.0.27\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 d346bus;d346bus;c:\windows\SYSTEM32\DRIVERS\d346bus.sys [2006-08-17 156800]
R0 d346prt;d346prt;c:\windows\SYSTEM32\DRIVERS\d346prt.sys [2006-08-17 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-10-26 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-10-26 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [2009-03-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [2009-03-19 24336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-26 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-26 298264]
R2 edsvc;Edison Power Management Service;c:\program files\Verdiem\Edison\edsvc.exe [2008-10-24 75008]
R3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\SYSTEM32\DRIVERS\DELUSB_51.sys [2007-03-25 606208]
S0 ndgelt;ndgelt;c:\windows\system32\drivers\bgcIzyt.sys --> c:\windows\system32\drivers\bgcIzyt.sys [?]
S3 Mxllldc;Mxllldc; [x]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\SYSTEM32\DRIVERS\olcamudp.sys [2005-12-15 10379]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12c69d86-ada3-11dd-9746-0014a50661db}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2732706b-133e-11dd-9708-0014a50661db}]
\Shell\AutoRun\command - g:\win32\autorun\m4ck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af7c408d-e236-11dd-974d-0014a5066171}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f116145e-16c4-11db-878e-0007e97044d5}]
\Shell\AutoRun\command - g:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{012F6303-06FD-402B-8B33-F8AF2A949C37} - (no file)
BHO-{310ca74f-cccb-438c-9fba-e67dc36f8ec8} - (no file)
BHO-{4317a55c-76e4-4143-a1e4-5dc2b54693c2} - (no file)
BHO-{547A7C84-9CF6-435D-ABC2-7F314B3F17A9} - (no file)
BHO-{902971EF-33A7-4EF3-A4B9-AED91378FEA9} - (no file)
BHO-{A658CDD6-C8AF-42D4-AA61-537491CB2DB1} - (no file)
BHO-{B8E3676C-A8AB-4102-AD55-BDCAC2DF2D0E} - (no file)
BHO-{C2F34337-4B92-4E22-8A34-C8228B1B9162} - (no file)
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
BHO-{f2277ce5-4794-4912-ac8c-377793dbc967} - (no file)
BHO-{FBFF3B36-BE67-4561-99A4-5477B0BFC5FA} - (no file)
HKCU-Run-Steam - (no file)
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
Notify-opnmNhGx - opnmNhGx.dll
Notify-qoMcbaBT - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;*.local
Trusted Zone: aol.com\free
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
FF - ProfilePath - c:\documents and settings\Jeremy Friedman\Application Data\Mozilla\Firefox\Profiles\n0msgkqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Jeremy Friedman\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 14:42:56
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DRIVERS\CDANTSRV.EXE
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-11 14:54:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 18:54:01

Pre-Run: 18,003,525,632 bytes free
Post-Run: 17,862,955,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


#6 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 April 2009 - 02:47 PM

Hello Jeremy,

I see this in your log
C:\cc_20090411_081824.reg
Have you been running the CCleaner Registry cleaner? :thumbup2:

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.


    You need to disable your AVG8 Antivirus, Ad-Watch and Spybot Teatimer before running ComboFix, as they will prevent it from running.


    To disable AVG antivirus:
    Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
    When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

    To disable TeaTimer (we can re-enable it when we're done if you like):
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Disable Ad-Watch to make sure it won't interfere with the fix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\SYSTEM32\042F80B0A9.sys
c:\windows\system32\drivers\bgcIzyt.sys
Driver:: 
ndgelt
Mxllldc


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Syrith

  • Topic Starter
  • Members
  • 4 posts

Posted 11 April 2009 - 11:03 PM

Hi Mike,

Thanks for the additional advice and information, and I apologize if my use of CCleaner made your task unnecessarily complicated. I consider myself an advanced Windows user, and have been known to fiddle with the registry now and again - using CCleaner and not - but I'll certainly refrain from here, for the duration of this support session! :thumbup2:

I've followed your instructions, and posted a new Combofix log, below:

ComboFix 09-04-04.01 - Jeremy Friedman 2009-04-11 22:23:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.688 [GMT -4:00]
Running from: c:\documents and settings\Jeremy Friedman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeremy Friedman\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\042F80B0A9.sys
c:\windows\system32\drivers\bgcIzyt.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\SYSTEM32\042F80B0A9.sys

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MXLLLDC
-------\Service_Mxllldc
-------\Service_ndgelt


((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-11 16:01 . 2009-04-11 16:01 21,720 --a------ C:\cc_20090411_160121.reg
2009-04-11 15:32 . 2009-04-11 15:49 <DIR> d-------- c:\documents and settings\Jeremy Friedman\Application Data\Uniblue
2009-04-11 08:18 . 2009-04-11 08:18 17,594 --a------ C:\cc_20090411_081824.reg
2009-04-06 10:02 . 2009-04-06 10:02 484 --a------ C:\cc_20090406_100229.reg
2009-04-06 09:53 . 2009-04-06 09:53 52,288 --a------ C:\cc_20090406_095309.reg
2009-04-06 09:35 . 2009-04-06 09:35 1,158 --a------ C:\cc_20090406_093511.reg
2009-04-06 09:33 . 2009-04-06 09:33 377,620 --a------ C:\cc_20090406_093325.reg
2009-04-06 09:28 . 2009-04-06 09:28 1,444,476 --a------ C:\cc_20090406_092818.reg
2009-04-05 16:02 . 2009-04-05 16:02 <DIR> d-------- c:\documents and settings\Jeremy Friedman\Application Data\Malwarebytes
2009-04-05 15:58 . 2009-04-11 15:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:58 . 2009-04-05 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:58 . 2009-04-06 15:32 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-04-05 15:58 . 2009-04-06 15:32 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-04-05 15:43 . 2009-06-06 01:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\RetroExp
2009-04-04 10:42 . 2009-04-04 10:42 <DIR> d-------- c:\program files\CCleaner
2009-04-01 06:07 . 2009-04-01 06:08 <DIR> d-------- c:\program files\trend micro
2009-03-26 10:10 . 2009-03-26 10:10 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-26 10:10 . 2009-03-26 10:10 <DIR> d-------- c:\program files\MSECACHE
2009-03-22 13:49 . 2009-03-22 13:49 <DIR> d-------- c:\program files\iPod
2009-03-22 13:49 . 2009-03-22 13:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 13:18 . 2009-03-22 13:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-22 13:18 . 2009-03-22 13:18 1,409 --a------ c:\windows\QTFont.for
2009-03-19 00:04 . 2009-03-21 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-19 00:04 . 2009-03-19 00:03 155,384 --a------ c:\windows\SYSTEM32\guard32.dll
2009-03-19 00:04 . 2009-03-19 00:03 110,992 --a------ c:\windows\SYSTEM32\DRIVERS\cmdguard.sys
2009-03-19 00:04 . 2009-03-19 00:03 24,336 --a------ c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys
2009-03-19 00:03 . 2009-03-19 00:03 <DIR> d-------- c:\program files\COMODO
2009-03-15 22:08 . 2009-03-15 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-03-15 22:07 . 2009-03-28 19:17 <DIR> d-------- c:\program files\Last.fm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-08 03:04 --------- d-----w c:\program files\Lavasoft
2009-04-08 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-06 13:46 --------- d-----w c:\program files\Paint Shop Pro 7
2009-04-06 13:44 --------- d-----w c:\program files\Microsoft Works
2009-04-05 19:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 14:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 14:35 --------- d-----w c:\program files\Java
2009-04-04 14:25 --------- d-----w c:\program files\WebSite Downloader for Windows
2009-04-04 13:55 --------- d-----w c:\program files\@Last Software
2009-04-01 09:43 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\OpenOffice.org2
2009-03-22 18:30 --------- d-----w c:\program files\Apple Software Update
2009-03-22 17:49 --------- d-----w c:\program files\iTunes
2009-03-22 17:49 --------- d-----w c:\program files\Common Files\Apple
2009-03-22 17:47 --------- d-----w c:\program files\Bonjour
2009-03-22 17:46 --------- d-----w c:\program files\QuickTime
2009-03-21 20:57 --------- d-----w c:\program files\GameSpy Arcade
2009-03-17 14:10 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\Azureus
2009-03-07 23:55 --------- d-----w c:\program files\Azureus
2009-03-06 05:43 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\U3
2009-02-25 12:19 --------- d-----w c:\program files\RealPlayer
2009-02-16 21:41 --------- d-----w c:\program files\Eudora
2009-02-16 21:25 --------- d-----w c:\program files\Yahoo!
2009-02-16 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-16 21:24 --------- d-----w c:\documents and settings\Jeremy Friedman\Application Data\Yahoo!
2009-02-16 21:24 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-16 19:19 --------- d-----w c:\program files\ACW
2009-02-16 06:16 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-16 05:41 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-16 03:59 --------- d-sh--w c:\documents and settings\Jeremy Friedman\Application Data\twain32
2009-02-06 13:18 10,520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
2008-09-12 00:24 213,368 ----a-w c:\documents and settings\Jeremy Friedman\Application Data\GDIPFONTCACHEV1.DAT
2005-11-13 00:03 6,052,174 ----a-w c:\program files\Pocket Tanks Deluxe.zip
2005-09-30 21:53 37 ----a-w c:\documents and settings\Jeremy Friedman\getfile.dat
2005-01-21 07:10 6,312 ----a-w c:\program files\Uninst.isu
2004-08-04 12:00 67,072 ----a-r c:\documents and settings\Jeremy Friedman\Application Data\twex.exe
2005-11-03 21:18 1,682 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Edison"="c:\program files\Verdiem\Edison\Edison.exe" [2008-10-24 1799424]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]
"MXOBG"="c:\windows\MXOALDR.EXE" [2005-10-05 94208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2007-06-29 81920]

c:\documents and settings\Jeremy Friedman\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - c:\documents and settings\Jeremy Friedman\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe [2009-04-01 801032]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 09:18 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sasfpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"vidc.mxmc"= MimicICM.DLL
"msacm.divxa32"= DivXa32.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.XVID"= xvid.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.ap41"= DivXc32f.dll
"vidc.dvx4"= divx4.dll
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BOINC.lnk]
backup=c:\windows\pss\BOINC.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"SymWSC"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"c:\\Program Files\\Yahoo Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo Messenger\\YServer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype Beta\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\OutSite-In_Standard\\OutSiteIn.exe"=
"c:\\Program Files\\OutSite-In_Standard\\silamp\\apache\\1.3.35\\Apache.exe"=
"c:\\Program Files\\OutSite-In_Standard\\silamp\\mysql\\4.0.27\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 d346bus;d346bus;c:\windows\SYSTEM32\DRIVERS\d346bus.sys [2006-08-17 156800]
R0 d346prt;d346prt;c:\windows\SYSTEM32\DRIVERS\d346prt.sys [2006-08-17 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-10-26 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-10-26 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [2009-03-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [2009-03-19 24336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-26 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-26 298264]
R2 edsvc;Edison Power Management Service;c:\program files\Verdiem\Edison\edsvc.exe [2008-10-24 75008]
R3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\SYSTEM32\DRIVERS\DELUSB_51.sys [2007-03-25 606208]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\SYSTEM32\DRIVERS\olcamudp.sys [2005-12-15 10379]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12c69d86-ada3-11dd-9746-0014a50661db}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2732706b-133e-11dd-9708-0014a50661db}]
\Shell\AutoRun\command - g:\win32\autorun\m4ck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af7c408d-e236-11dd-974d-0014a5066171}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f116145e-16c4-11db-878e-0007e97044d5}]
\Shell\AutoRun\command - g:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;*.local
Trusted Zone: aol.com\free
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
FF - ProfilePath - c:\documents and settings\Jeremy Friedman\Application Data\Mozilla\Firefox\Profiles\n0msgkqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Jeremy Friedman\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\guard32.dll

- - - - - - - > 'Explorer.EXE'(2024)
c:\windows\system32\guard32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DRIVERS\CDANTSRV.EXE
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\documents and settings\Jeremy Friedman\Desktop\UltraVNC_1.0.5.6_Setup.exe
c:\docume~1\JEREMY~1\LOCALS~1\temp\is-V0AN9.tmp\UltraVNC_1.0.5.6_Setup.tmp
.
**************************************************************************
.
Completion time: 2009-04-11 22:58:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-12 02:58:50
ComboFix2.txt 2009-04-11 18:54:07

Pre-Run: 17,515,732,992 bytes free
Post-Run: 17,638,363,136 bytes free


#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 April 2009 - 11:27 PM

Hi Jeremy,

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers.

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 April 2009 - 07:33 AM

Due to inactivity, this thread will now be closed.



