
Userinit trojan


  • This topic is locked
25 replies to this topic

#1 hp1

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 02 April 2009 - 07:55 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by hemrie at 19:30:28.53 on Thu 04/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.411 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\nvraidservice.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\spm\spmd.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\sesinetd.exe
D:\WINDOWS\system32\hserver.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
D:\WINDOWS\system32\IoctlSvc.exe
D:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Trend Micro\BM\TMBMSRV.exe
D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
D:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\hemrie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: IGMONObj Class: {02464ddc-3187-11d8-8004-0020ed227566} - d:\program files\igetter\integration\IGMON.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: CSShell.BHO: {e6b64f67-b100-4636-8d51-d113e1f5ff93} - d:\program files\contentsaver\CSShell.dll
TB: ContentSaver Toolbar: {4d63cebe-b169-426c-b092-c130c498b6e6} - d:\program files\contentsaver\CSShell.dll
TB: ContentSaver Editing Bar: {86b09c4e-4137-4863-b585-380205f1f774} - d:\program files\contentsaver\CSShell.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {1FEA1109-9F65-4FDC-AEC5-033F6CC60641} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO
mRun: [NVRaidService] d:\windows\system32\nvraidservice.exe
mRun: [NVIDIA nTune] "d:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [ATICCC] "d:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Launch Ai Booster] "d:\program files\asus\ai booster\OverClk.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: ContentSaver: Save Link Address As... - d:\progra~1\conten~1\csshell.dll/#110
IE: ContentSaver: Save Page Area (Frame) - d:\progra~1\conten~1\csshell.dll/#102
IE: ContentSaver: Save Page Area (Frame) As... - d:\progra~1\conten~1\csshell.dll/#106
IE: ContentSaver: Save Picture - d:\progra~1\conten~1\csshell.dll/#101
IE: ContentSaver: Save Picture As... - d:\progra~1\conten~1\csshell.dll/#108
IE: ContentSaver: Save Selected Targets As... - d:\progra~1\conten~1\csshell.dll/#111
IE: ContentSaver: Save Selection - d:\progra~1\conten~1\csshell.dll/#104
IE: ContentSaver: Save Selection As... - d:\progra~1\conten~1\csshell.dll/#109
IE: ContentSaver: Save Target - d:\progra~1\conten~1\csshell.dll/#103
IE: ContentSaver: Save Target As... - d:\progra~1\conten~1\csshell.dll/#107
IE: Convert link target to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download all with iGetter - d:\program files\igetter\integration\igetall.html
IE: Download FLV video content with IDM - d:\program files\internet download manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - d:\program files\megaupload\mega manager\mm_file.htm
IE: Download with &FileFactory Turbo - d:\program files\filefactory turbo\plugins\ie\FileFactoryIE.html
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: Download with iGetter - d:\program files\igetter\integration\iget.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - d:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206154871327
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206154858483
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} - hxxp://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cs - {CF429874-C894-496D-A310-9BB12C16BE3C} - d:\program files\contentsaver\CSProtocol.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - d:\program files\webarchiver pro\SspNG.dll
Notify: !saswinlogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - d:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\hemrie\applic~1\mozilla\firefox\profiles\i4wm33t6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: d:\documents and settings\hemrie\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: d:\documents and settings\hemrie\application data\mozilla\firefox\profiles\i4wm33t6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: d:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 saskutil;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;d:\program files\common files\nero\nero backitup 4\NBService.exe [2008-11-25 935208]
R2 NProtectService;Norton Unerase Protection;d:\progra~1\norton~1\norton~1\NPROTECT.EXE [2004-8-30 95328]
R2 Symantec Core LC;Symantec Core LC;d:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-9 819352]
R2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2008-6-20 52240]
R2 tmpreflt;tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2007-9-17 36368]
R3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\drivers\TM_CFW.sys [2007-9-17 333328]
R3 TmPfw;Trend Micro Personal Firewall;d:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-6-20 488768]
R3 tmproxy;Trend Micro Proxy Service;d:\program files\trend micro\internet security\TmProxy.exe [2008-6-20 648456]
S0 ryjaixb;ryjaixb; [x]
S2 ccEvtMgr;Symantec Event Manager;d:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-27 197752]
S2 hyizbeus;HyizbEus;d:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 pcwe;pcwe;d:\documents and settings\hemrie\my documents\my overclock files\pc wizard 2005\pcwizard.sys [2004-12-4 6528]
S3 sasenum;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S4 ccPwdSvc;Symantec Password Validation;d:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-27 78968]
S4 ccSetMgr;Symantec Settings Manager;d:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-27 164984]
S4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;d:\cfusionmx\db\slserver52\bin\swagent.exe "coldfusion mx odbc agent" --> d:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]

=============== Created Last 30 ================

2009-04-02 18:25 61,440 a------- d:\windows\system32\drivers\hfopk.sys
2009-04-02 09:36 0 a------- d:\windows\system32\drivers\jzuy.sys
2009-04-01 23:12 <DIR> --d----- D:\ComboFix
2009-04-01 20:29 161,792 a------- d:\windows\SWREG.exe
2009-04-01 20:29 98,816 a------- d:\windows\sed.exe
2009-03-20 20:58 <DIR> --d----- d:\program files\Uniblue
2009-03-20 20:57 <DIR> -cd-h--- d:\docume~1\alluse~1\applic~1\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-03-20 19:07 <DIR> --d----- d:\docume~1\hemrie\applic~1\Uniblue
2009-03-20 07:41 0 a------- d:\windows\system32\drivers\cmqpg.sys
2009-03-19 18:53 <DIR> --d----- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-19 18:53 <DIR> --d----- d:\program files\SUPERAntiSpyware
2009-03-19 18:53 <DIR> --d----- d:\docume~1\hemrie\applic~1\SUPERAntiSpyware.com
2009-03-19 18:52 <DIR> --d----- d:\program files\common files\Wise Installation Wizard
2009-03-19 18:41 <DIR> --d----- d:\docume~1\hemrie\applic~1\Malwarebytes
2009-03-19 18:41 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-03-19 18:41 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 18:41 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-03-19 18:41 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-19 04:49 2,713 ---sh--- d:\windows\system32\bodonope.exe
2009-03-15 00:08 <DIR> --d----- d:\program files\JDownloader
2009-03-05 21:41 <DIR> --d----- d:\windows\system32\log

==================== Find3M ====================

2009-03-19 17:20 104,960 a------- d:\windows\system32\userinit.exe
2009-03-19 17:16 14,336 a------- d:\windows\system32\svchost.exe
2009-03-15 18:20 6,730 a--sh--- d:\windows\system32\rahozaye.dll
2009-03-15 18:20 6,730 a--sh--- d:\windows\system32\legiyaye.dll
2009-03-15 18:20 6,730 a--sh--- d:\windows\system32\lavetidi.dll
2009-03-15 06:20 6,730 a--sh--- d:\windows\system32\magohupa.dll
2009-03-15 06:20 6,730 a--sh--- d:\windows\system32\fetijonu.dll
2009-03-15 06:20 6,730 a--sh--- d:\windows\system32\bevefime.dll
2009-03-14 18:20 6,730 a--sh--- d:\windows\system32\pabipihe.dll
2009-02-09 06:13 1,846,784 a------- d:\windows\system32\win32k.sys
2009-02-08 14:27 16,384 a------- d:\windows\DCEBoot.exe
2005-06-19 23:27 87 a------- d:\documents and settings\hemrie\aw.dat
2008-10-11 10:13 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 19:30:50.28 ===============

This is what Malwarebytes says:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: d:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Of course after restart and another scan the same trojan shows up again.

The computer will start up fine 4 or 5 times, then the userinit.exe error will show up when I log on to Windows after a start-up. I have to go to SAFE MODE and use CCleaner, Malwarebytes, SuperAntispyware, and Registry Mechanic before I can get Windows to launch successfully. Spybot does not find anything.

I should also say that when I get that userinit.exe error as Windows is loading after I input my password, the computer is very slow to show the Windows desktop, and when it does I have to hit CTRL + ALT + DELETE for the Task Manager so that I can use the RUN command line to launch explorer.exe.

Thank you for any help that you can give me!
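The DDS report in this post shows the patterns a responder looks for when triaging this kind of infection: several hidden, system-attribute DLLs of identical size in system32 (rahozaye.dll, magohupa.dll and so on), a hidden bodonope.exe, zero-byte .sys files under drivers, and a driver service (ryjaixb) registered with no file on disk. The script below is an added example, not part of this thread and not code from DDS, ComboFix or Malwarebytes. It parses lines in the DDS Find3M / Created-Last-30 and SERVICES / DRIVERS formats and flags those patterns; the sample lines are constructed to mirror entries from the report, and the rules are illustrative heuristics rather than a vendor signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the DDS report above (not the full log).
SAMPLE_DDS = r"""
2009-03-19 17:20 104,960 a------- d:\windows\system32\userinit.exe
2009-03-15 18:20 6,730 a--sh--- d:\windows\system32\rahozaye.dll
2009-03-15 06:20 6,730 a--sh--- d:\windows\system32\magohupa.dll
2009-03-19 04:49 2,713 ---sh--- d:\windows\system32\bodonope.exe
2009-04-02 09:36 0 a------- d:\windows\system32\drivers\jzuy.sys
2009-02-09 06:13 1,846,784 a------- d:\windows\system32\win32k.sys
2009-03-19 18:53 <DIR> --d----- d:\program files\SUPERAntiSpyware
S0 ryjaixb;ryjaixb; [x]
S2 hyizbeus;HyizbEus;d:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R3 TmPfw;Trend Micro Personal Firewall;d:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-6-20 488768]
""".strip().splitlines()

# "<date> <time> <size|<DIR>> <8 attribute flags> <path>" as DDS prints file entries
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# "<R|S><start type> <service name>;<display name>;<image path> [date size]"
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.*)$")


@dataclass
class Finding:
    severity: str  # "high" = almost certainly not a legitimate component, "review" = check by hand
    line: str
    reason: str


def triage_dds(lines):
    """Return a list of Finding objects for suspicious file and service entries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs, size, path = m["attrs"], m["size"], m["path"].lower()
            if size == "<DIR>":
                continue  # directories carry no payload of their own
            in_system32 = "\\windows\\system32\\" in path
            # System binaries are not installed with both hidden and system attributes set
            if in_system32 and "s" in attrs and "h" in attrs:
                findings.append(Finding("high", line, "hidden+system file in system32"))
            # A kernel driver image cannot be empty; a 0-byte .sys is a stub or remnant
            elif path.endswith(".sys") and size == "0":
                findings.append(Finding("high", line, "zero-byte driver file"))
            continue
        m = SVC_RE.match(line)
        if m:
            image = m["image"].strip()
            if image == "[x]":  # DDS prints [x] when the service's file is missing
                findings.append(Finding("high", line, "service registered with no file on disk"))
            elif "svchost.exe -k" in image.lower():
                findings.append(Finding("review", line,
                                        "svchost-hosted service: confirm the name is a known Windows component"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {"high": n, "review": n} for a quick report header."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    print(count_by_severity(results))
    for f in results:
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Run against the sample, the script flags the three hidden files, the zero-byte jzuy.sys and the file-less ryjaixb driver as high, and lists the svchost-hosted hyizbeus service for manual review; userinit.exe, win32k.sys and the Trend Micro service produce nothing, which is the point: the rules key on attributes and on-disk state, not on file names.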

#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 10 April 2009 - 05:02 PM

Hello.

Let's run Combofix.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 13 April 2009 - 12:25 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#4 hp1

  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 13 April 2009 - 10:50 PM

Thanks.

Just got back in town.

I will try this tomorrow.

#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 14 April 2009 - 06:36 AM

Okay.

Thanks for letting me know :thumbup2:

With Regards,
Extremeboy

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 16 April 2009 - 03:06 PM

*Bump*

#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 18 April 2009 - 12:55 PM

How's Everything Coming along?

#8 hp1

  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 19 April 2009 - 10:55 AM

Thanks for being patient.

Here is the Combofix log:


ComboFix 09-04-19.05 - hemrie 04/19/2009 10:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.536 [GMT -5:00]
Running from: d:\documents and settings\hemrie\My Documents\Downloads\Programs\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Outdated)
FW: Trend Micro Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of d:\windows\system32\userinit.exe was found and disinfected
Restored copy from - d:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTBOOT
-------\Legacy_NTLOAD


((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-05 01:57 . 2009-04-07 01:30 -------- d-----w d:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-05 01:57 . 2009-04-05 01:57 -------- d-----w d:\documents and settings\hemrie\Application Data\Yahoo!
2009-04-02 14:36 . 2009-04-02 14:36 0 ----a-w d:\windows\system32\drivers\jzuy.sys
2009-03-22 00:10 . 2009-03-22 00:10 -------- d-----w d:\program files\Microsoft Silverlight
2009-03-21 01:58 . 2009-03-21 01:58 -------- d-----w d:\program files\Uniblue
2009-03-21 01:57 . 2009-03-21 01:58 -------- dc-h--w d:\documents and settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-03-21 00:07 . 2009-03-21 00:07 -------- d-----w d:\documents and settings\hemrie\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 15:25 . 2006-03-27 02:13 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-07 01:29 . 2009-03-19 23:41 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2009-03-19 23:41 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-19 23:41 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-04-06 01:55 . 2009-03-20 03:17 -------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2009-04-05 01:57 . 2007-02-17 06:17 -------- d-----w d:\program files\Yahoo!
2009-04-02 03:13 . 2005-11-24 17:41 -------- d-----w d:\program files\Terragen
2009-03-21 23:05 . 2008-09-23 01:27 -------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-21 06:51 . 2005-06-04 18:19 -------- d-----w d:\program files\Trend Micro
2009-03-21 05:12 . 2005-04-25 02:27 -------- d-----w d:\documents and settings\hemrie\Application Data\MSN6
2009-03-20 12:41 . 2009-03-20 12:41 0 ----a-w d:\windows\system32\drivers\cmqpg.sys
2009-03-20 03:20 . 2008-10-12 00:59 -------- d-----w d:\documents and settings\hemrie\Application Data\GetRightToGo
2009-03-20 02:48 . 2009-01-23 04:54 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-03-19 23:53 . 2009-03-19 23:53 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 23:53 . 2009-03-19 23:53 -------- d-----w d:\program files\SUPERAntiSpyware
2009-03-19 23:53 . 2009-03-19 23:53 -------- d-----w d:\documents and settings\hemrie\Application Data\SUPERAntiSpyware.com
2009-03-19 23:52 . 2009-03-19 23:52 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-03-19 23:41 . 2009-03-19 23:41 -------- d-----w d:\documents and settings\hemrie\Application Data\Malwarebytes
2009-03-19 23:41 . 2009-03-19 23:41 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-19 22:16 . 2001-08-23 12:00 14336 ----a-w d:\windows\system32\svchost.exe
2009-03-19 09:49 . 2009-03-19 09:49 2713 --sh--w d:\windows\system32\bodonope.exe
2009-03-19 03:02 . 2007-04-19 00:30 -------- d-----w d:\documents and settings\hemrie\Application Data\DMCache
2009-03-17 03:34 . 2009-03-17 03:34 -------- d-----w d:\windows\system32\config\systemprofile\Application Data\ContentSaver
2009-03-15 23:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\rahozaye.dll
2009-03-15 23:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\legiyaye.dll
2009-03-15 23:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\lavetidi.dll
2009-03-15 16:29 . 2009-03-15 05:08 -------- d-----w d:\program files\JDownloader
2009-03-15 11:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\magohupa.dll
2009-03-15 11:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\fetijonu.dll
2009-03-15 11:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\bevefime.dll
2009-03-14 23:20 . 1601-01-01 00:12 6730 --sha-w d:\windows\system32\pabipihe.dll
2009-03-01 16:30 . 2008-01-26 18:43 -------- d-----w d:\documents and settings\hemrie\Application Data\dvdcss
2009-02-27 05:03 . 2009-02-27 05:03 -------- d-----w d:\documents and settings\hemrie\Application Data\vlc
2009-02-27 05:02 . 2005-04-25 04:03 -------- d-----w d:\program files\VideoLAN
2009-02-24 00:26 . 2006-05-10 03:24 -------- d-----w d:\program files\Norton SystemWorks
2009-02-23 04:48 . 2005-06-01 23:45 -------- d-----w d:\documents and settings\All Users\Application Data\DVD Shrink
2009-02-22 16:00 . 2009-01-28 03:01 -------- d-----w d:\program files\Flock
2009-02-22 04:20 . 2006-07-18 23:25 -------- d-----w d:\program files\DivX
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w d:\windows\system32\win32k.sys
2009-02-08 19:27 . 2009-02-08 19:24 16384 ----a-w d:\windows\DCEBoot.exe
2009-01-04 21:43 . 2005-04-24 21:36 76976 ----a-w d:\documents and settings\hemrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-04 20:33 . 2009-01-04 20:33 170656 ----a-w d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2005-06-20 04:27 . 2005-06-20 04:05 87 ----a-w d:\documents and settings\hemrie\aw.dat
2005-04-24 21:50 . 2005-04-24 21:50 129 ----a-w d:\documents and settings\hemrie\Local Settings\Application Data\fusioncache.dat
2008-10-11 15:13 . 2008-10-11 15:13 32768 --sha-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101120081012\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ccleaner"="d:\program files\CCleaner\CCleaner.exe" [2009-03-24 1488112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="d:\windows\System32\nvraidservice.exe" [2004-11-04 84480]
"NVIDIA nTune"="d:\program files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-09 532480]
"ATICCC"="d:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Launch Ai Booster"="d:\program files\ASUS\Ai Booster\OverClk.exe" [2004-11-19 3503616]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "d:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=d:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=d:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=d:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
backup=d:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^hemrie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=d:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"maya70docserver"=2 (0x2)
"maya65docserver"=2 (0x2)
"iPod Service"=3 (0x3)
"ColdFusion MX ODBC Server"=2 (0x2)
"ColdFusion MX ODBC Agent"=2 (0x2)
"ColdFusion MX Application Server"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Norton Ghost"=2 (0x2)
"DCPFLICS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\iView Catalog Reader3\\iViewCatalogReader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Luxology\\modo 302\\modo.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Java\\jre1.5.0_06\\launch4j-tmp\\JDownloader.exe"=
"d:\\WINDOWS\\system32\\java.exe"=
"d:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"d:\\Program Files\\Common Files\\Nero\\Nero BackItUp 4\\NBService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R0 ryjaixb;ryjaixb; [x]
R2 hyizbeus;hyizbeus;d:\windows\System32\svchost.exe [2009-03-19 14336]
R3 pcwe;pcwe;d:\documents and settings\hemrie\My Documents\My Overclock Files\PC Wizard 2005\pcwizard.sys [2004-12-04 6528]
R3 sasenum;sasenum;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent; [x]
S1 sasdifsv;sasdifsv;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 saskutil;saskutil;d:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 NProtectService;Norton Unerase Protection;d:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [2004-08-31 95328]
S2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2007-12-24 52240]
S2 tmpreflt;tmpreflt;d:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
S3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
S3 TmPfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2009-01-31 488768]
S3 tmproxy;Trend Micro Proxy Service;d:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-31 648456]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
HyizbEus
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-02-24 d:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- d:\program files\Norton SystemWorks\OBC.exe [2004-09-02 06:03]

2009-04-07 d:\windows\Tasks\Symantec Drmc.job
- d:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-08-31 05:40]

2009-04-07 d:\windows\Tasks\Symantec NetDetect.job
- d:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-04-24 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: ContentSaver: Save Link Address As... - d:\progra~1\CONTEN~1\csshell.dll/#110
IE: ContentSaver: Save Page Area (Frame) - d:\progra~1\CONTEN~1\csshell.dll/#102
IE: ContentSaver: Save Page Area (Frame) As... - d:\progra~1\CONTEN~1\csshell.dll/#106
IE: ContentSaver: Save Picture - d:\progra~1\CONTEN~1\csshell.dll/#101
IE: ContentSaver: Save Picture As... - d:\progra~1\CONTEN~1\csshell.dll/#108
IE: ContentSaver: Save Selected Targets As... - d:\progra~1\CONTEN~1\csshell.dll/#111
IE: ContentSaver: Save Selection - d:\progra~1\CONTEN~1\csshell.dll/#104
IE: ContentSaver: Save Selection As... - d:\progra~1\CONTEN~1\csshell.dll/#109
IE: ContentSaver: Save Target - d:\progra~1\CONTEN~1\csshell.dll/#103
IE: ContentSaver: Save Target As... - d:\progra~1\CONTEN~1\csshell.dll/#107
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download all with iGetter - d:\program files\iGetter\Integration\igetall.html
IE: Download FLV video content with IDM - d:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - d:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download with &FileFactory Turbo - d:\program files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
IE: Download with iGetter - d:\program files\iGetter\Integration\iget.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{ADFCCE65-DF10-46fd-B04A-53CCBE2A0795}
Handler: cs - {CF429874-C894-496D-A310-9BB12C16BE3C} - d:\program files\ContentSaver\CSProtocol.dll
Handler: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - d:\program files\WebArchiver Pro\SspNG.dll
DPF: Microsoft XML Parser for Java
FF - ProfilePath - d:\documents and settings\hemrie\Application Data\Mozilla\Firefox\Profiles\i4wm33t6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: d:\documents and settings\hemrie\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: d:\documents and settings\hemrie\Application Data\Mozilla\Firefox\Profiles\i4wm33t6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 10:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{155676d3-35a3-4fb1-9a09-045e8450e115}]
@Denied: (Full) (Everyone)
"Model"=dword:00000089
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,5e,47,40,e8,4d,7f,cb,bf,99,8c,b0,99,f2,6a,ab,9e,2c,fd,f1,78,d9,1d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53632417-5dba-4a91-8397-7adfdfe1d1b3}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b4
"Therad"=dword:0000000f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):8b,9f,bd,6f,2a,ee,3d,a0,e4,45,dd,a7,d3,c8,6b,c0,15,aa,d7,e6,0b,
4f,b8,b8,4f,25,be,16,d5,a1,60,56,46,0b,0b,b6,01,bf,db,69,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):33,67,47,8f,9f,8d,f3,fe,67,0e,b2,d2,23,8f,08,14,ec,b5,85,d0,c8,
d5,6b,e7,0e,16,3d,40,19,24,30,e7,ac,50,ff,34,48,f2,45,a3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"91A14B995DF7C0B42ABAA16065968F3A"="d:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"8804D69E5CAAF734E993CEE08387794B"="d:\\Program Files\\Autodesk\\3ds Max 9\\ASMOPER120A.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(652)
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\savedump.exe
d:\windows\system32\ati2evxx.exe
d:\windows\system32\ati2evxx.exe
d:\windows\system32\spm\spmd.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\system32\sesinetd.exe
d:\windows\system32\hserver.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
d:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
d:\windows\system32\IoctlSvc.exe
d:\program files\Trend Micro\Internet Security\SfCtlCom.exe
d:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
d:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\program files\Trend Micro\BM\TMBMSRV.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-19 10:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 15:46
ComboFix2.txt 2009-04-02 12:44

Pre-Run: 68,360,179,712 bytes free
Post-Run: 68,345,352,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff

Current=1 Default=1 Failed=3 LastKnownGood=4 Sets=1,3,4,5
303 --- E O F --- 2009-04-07 06:11

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 19 April 2009 - 12:40 PM

Hello.

I should have mentioned this earlier about the userinit.exe infection. You have a backdoor/rootkit infection.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

If you wish to continue follow the steps below please.


Please Delete Combofix.exe you currently have on your desktop. Re-Download it from one of those links in my first post to you and save it to your desktop like last time. Do NOT run it yet. This time it will be different.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/216265/userinit-trojan/
    
    KillAll::
    
    Collect::
    d:\windows\system32\rahozaye.dll
    d:\windows\system32\legiyaye.dll
    d:\windows\system32\lavetidi.dll
    d:\windows\system32\magohupa.dll
    d:\windows\system32\fetijonu.dll
    d:\windows\system32\bevefime.dll
    d:\windows\system32\pabipihe.dll
    File::
    d:\windows\system32\drivers\jzuy.sys
    d:\windows\system32\drivers\cmqpg.sys
    d:\windows\system32\bodonope.exe
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{155676d3-35a3-4fb1-9a09-045e8450e115}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{53632417-5dba-4a91-8397-7adfdfe1d1b3}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    NetSvc::
    HyizbEus
    Driver::
    ryjaixb
    hyizbeus
    ColdFusion MX ODBC Agent
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply.

Please run GMER for me now.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes..
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important!:Please do not select the Show all checkbox during the scan.

For your next reply post back with:
-Combofix log
-GMER log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
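The two ComboFix sections that the CFScript above acts on (the R?/S? service and driver lines, and the "Svchost - NetSvcs" list of non-default additions to the netsvcs group) can be cross-checked mechanically rather than by eye. The following is an added example, not code from this thread, from ComboFix or from GMER. It parses constructed sample lines in the shape shown in the log above and flags two patterns the helper's script targets: a registered service whose image file ComboFix could not find ("[x]"), and a service hosted in svchost.exe that also appears as a netsvcs addition. The function and constant names are my own.

```python
import re

# Constructed sample in the shape of two ComboFix sections quoted in this
# thread: the R?/S? service and driver lines and the "Svchost - NetSvcs" list.
# It is not the thread's full log.
SAMPLE_LOG = """\
R0 ryjaixb;ryjaixb; [x]
R2 hyizbeus;hyizbeus;d:\\windows\\System32\\svchost.exe [2009-03-19 14336]
R3 sasenum;sasenum;d:\\program files\\SUPERAntiSpyware\\SASENUM.SYS [2009-02-17 7408]
R4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent; [x]
S2 tmevtmgr;tmevtmgr;d:\\windows\\system32\\drivers\\tmevtmgr.sys [2007-12-24 52240]
S3 tmproxy;Trend Micro Proxy Service;d:\\program files\\Trend Micro\\Internet Security\\TmProxy.exe [2009-01-31 648456]


HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
HyizbEus
.
Contents of the 'Scheduled Tasks' folder
"""

# "<state> <name>;<display name>;<image path> [<date> <size>]"  or  "...; [x]"
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
PATH_AND_META = re.compile(r"^(.*?)\s*\[([^\]]*)\]$")


def parse_services(text):
    """Return one dict per R?/S? line: state, name, display name, image path.
    A trailing '[x]' means ComboFix did not find the image file on disk."""
    services = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        state, name, display, rest = m.groups()
        path, meta = rest.strip(), ""
        pm = PATH_AND_META.match(rest.strip())
        if pm:
            path, meta = pm.group(1).strip(), pm.group(2)
        services.append({
            "state": state,
            "name": name,
            "display": display,
            "path": "" if meta == "x" else path,
            "file_missing": meta == "x",
        })
    return services


def parse_netsvcs_additions(text):
    """Names listed under 'Svchost - NetSvcs': services added to the netsvcs
    svchost group beyond the Windows defaults. Returned lower-cased, because
    the log shows the name in a different case than the service line."""
    names, in_section = set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Svchost - NetSvcs"):
            in_section = True
            continue
        if in_section:
            if stripped == ".":        # ComboFix closes the section with a lone dot
                break
            if stripped:
                names.add(stripped.lower())
    return names


def flag_suspicious(text):
    """Cross-check the two sections; returns (service name, reason) pairs."""
    services = parse_services(text)
    additions = parse_netsvcs_additions(text)
    findings = []
    for svc in services:
        lname = svc["name"].lower()
        if svc["file_missing"]:
            findings.append((svc["name"], "registered but image file not found on disk"))
        elif svc["path"].lower().endswith("\\svchost.exe") and lname in additions:
            findings.append((svc["name"], "svchost-hosted service added to the netsvcs group"))
    # A netsvcs addition with no service line at all is also worth a look.
    seen = {s["name"].lower() for s in services}
    for name in sorted(additions - seen):
        findings.append((name, "netsvcs addition with no matching service entry"))
    return findings


if __name__ == "__main__":
    for name, reason in flag_suspicious(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

On the sample this reports ryjaixb and ColdFusion MX ODBC Agent for a missing image file and hyizbeus for the svchost/netsvcs pairing, which are the three entries the CFScript's Driver:: and NetSvc:: sections remove. A missing-file flag on its own is a hygiene finding, not proof of infection: the ColdFusion entry is a leftover of uninstalled software, which is why the helper cleans it up alongside the rootkit's services rather than treating it as malware.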

#10 hp1

hp1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 20 April 2009 - 07:45 PM

Attached is the new ComboFix log

Attached Files



#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 20 April 2009 - 07:54 PM

Hello.

You didn't attach the Combofix log! That is the infected compressed zip file that Combofix quarantined...

The Combofix log should be at "C:\ComboFix.txt" <- this file

I would like to see the Combofix log in your next reply please..

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 20 April 2009 - 07:56 PM.

#12 hp1

hp1
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 20 April 2009 - 08:08 PM

Here is the combofix log:

ComboFix 09-04-21.06 - hemrie 04/20/2009 19:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.548 [GMT -5:00]
Running from: d:\documents and settings\hemrie\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\hemrie\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

FILE ::
d:\windows\system32\bodonope.exe
d:\windows\system32\drivers\cmqpg.sys
d:\windows\system32\drivers\jzuy.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\bevefime.dll
d:\windows\system32\bodonope.exe
d:\windows\system32\drivers\cmqpg.sys
d:\windows\system32\drivers\jzuy.sys
d:\windows\system32\fetijonu.dll
d:\windows\system32\lavetidi.dll
d:\windows\system32\legiyaye.dll
d:\windows\system32\magohupa.dll
d:\windows\system32\pabipihe.dll
d:\windows\system32\rahozaye.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COLDFUSION_MX_ODBC_AGENT
-------\Legacy_hyizbeus
-------\Service_ColdFusion MX ODBC Agent
-------\Service_hyizbeus
-------\Service_ryjaixb


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-19 16:14 . 2009-04-19 16:14 -------- d-----w d:\program files\Common Files\DivX Shared
2009-04-05 01:57 . 2009-04-07 01:30 -------- d-----w d:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-05 01:57 . 2009-04-05 01:57 -------- d-----w d:\documents and settings\hemrie\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 00:17 . 2006-03-27 02:13 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-19 16:15 . 2006-07-18 23:25 -------- d-----w d:\program files\DivX
2009-04-19 16:07 . 2007-08-14 04:01 -------- d-----w d:\program files\Common Files\Apple
2009-04-07 01:29 . 2009-03-19 23:41 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2009-03-19 23:41 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-19 23:41 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-04-06 01:55 . 2009-03-20 03:17 -------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2009-04-05 01:57 . 2007-02-17 06:17 -------- d-----w d:\program files\Yahoo!
2009-04-02 03:13 . 2005-11-24 17:41 -------- d-----w d:\program files\Terragen
2009-03-22 00:10 . 2009-03-22 00:10 -------- d-----w d:\program files\Microsoft Silverlight
2009-03-21 23:05 . 2008-09-23 01:27 -------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-21 06:51 . 2005-06-04 18:19 -------- d-----w d:\program files\Trend Micro
2009-03-21 05:12 . 2005-04-25 02:27 -------- d-----w d:\documents and settings\hemrie\Application Data\MSN6
2009-03-21 01:58 . 2009-03-21 01:57 -------- dc-h--w d:\documents and settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-03-21 01:58 . 2009-03-21 01:58 -------- d-----w d:\program files\Uniblue
2009-03-21 00:07 . 2009-03-21 00:07 -------- d-----w d:\documents and settings\hemrie\Application Data\Uniblue
2009-03-20 03:20 . 2008-10-12 00:59 -------- d-----w d:\documents and settings\hemrie\Application Data\GetRightToGo
2009-03-20 02:48 . 2009-01-23 04:54 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-03-19 23:53 . 2009-03-19 23:53 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 23:53 . 2009-03-19 23:53 -------- d-----w d:\program files\SUPERAntiSpyware
2009-03-19 23:53 . 2009-03-19 23:53 -------- d-----w d:\documents and settings\hemrie\Application Data\SUPERAntiSpyware.com
2009-03-19 23:52 . 2009-03-19 23:52 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-03-19 23:41 . 2009-03-19 23:41 -------- d-----w d:\documents and settings\hemrie\Application Data\Malwarebytes
2009-03-19 23:41 . 2009-03-19 23:41 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-19 22:16 . 2001-08-23 12:00 14336 ----a-w d:\windows\system32\svchost.exe
2009-03-19 03:02 . 2007-04-19 00:30 -------- d-----w d:\documents and settings\hemrie\Application Data\DMCache
2009-03-17 03:34 . 2009-03-17 03:34 -------- d-----w d:\windows\system32\config\systemprofile\Application Data\ContentSaver
2009-03-15 16:29 . 2009-03-15 05:08 -------- d-----w d:\program files\JDownloader
2009-03-01 16:30 . 2008-01-26 18:43 -------- d-----w d:\documents and settings\hemrie\Application Data\dvdcss
2009-02-27 05:03 . 2009-02-27 05:03 -------- d-----w d:\documents and settings\hemrie\Application Data\vlc
2009-02-27 05:02 . 2005-04-25 04:03 -------- d-----w d:\program files\VideoLAN
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w d:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w d:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w d:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w d:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w d:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w d:\windows\system32\DivX.dll
2009-02-24 00:26 . 2006-05-10 03:24 -------- d-----w d:\program files\Norton SystemWorks
2009-02-23 04:48 . 2005-06-01 23:45 -------- d-----w d:\documents and settings\All Users\Application Data\DVD Shrink
2009-02-22 16:00 . 2009-01-28 03:01 -------- d-----w d:\program files\Flock
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w d:\windows\system32\win32k.sys
2009-02-08 19:27 . 2009-02-08 19:24 16384 ----a-w d:\windows\DCEBoot.exe
2009-01-04 21:43 . 2005-04-24 21:36 76976 ----a-w d:\documents and settings\hemrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-04 20:33 . 2009-01-04 20:33 170656 ----a-w d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2005-06-20 04:27 . 2005-06-20 04:05 87 ----a-w d:\documents and settings\hemrie\aw.dat
2005-04-24 21:50 . 2005-04-24 21:50 129 ----a-w d:\documents and settings\hemrie\Local Settings\Application Data\fusioncache.dat
2009-02-24 19:2009-02-24 19:34 34:32 . d:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . d:\program files\mozilla firefox\plugins\ssldivx.dll
2008-10-11 15:13 . 2008-10-11 15:13 32768 --sha-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101120081012\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_15.44.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 00:33 . 2009-04-21 00:33 16384 d:\windows\Temp\Perflib_Perfdata_fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ccleaner"="d:\program files\CCleaner\CCleaner.exe" [2009-03-24 1488112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="d:\windows\System32\nvraidservice.exe" [2004-11-04 84480]
"NVIDIA nTune"="d:\program files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-09 532480]
"ATICCC"="d:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Launch Ai Booster"="d:\program files\ASUS\Ai Booster\OverClk.exe" [2004-11-19 3503616]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "d:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=d:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=d:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=d:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
backup=d:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^hemrie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=d:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"maya70docserver"=2 (0x2)
"maya65docserver"=2 (0x2)
"iPod Service"=3 (0x3)
"ColdFusion MX ODBC Server"=2 (0x2)
"ColdFusion MX ODBC Agent"=2 (0x2)
"ColdFusion MX Application Server"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Norton Ghost"=2 (0x2)
"DCPFLICS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\iView Catalog Reader3\\iViewCatalogReader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Luxology\\modo 302\\modo.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Java\\jre1.5.0_06\\launch4j-tmp\\JDownloader.exe"=
"d:\\WINDOWS\\system32\\java.exe"=
"d:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"d:\\Program Files\\Common Files\\Nero\\Nero BackItUp 4\\NBService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R3 pcwe;pcwe;d:\documents and settings\hemrie\My Documents\My Overclock Files\PC Wizard 2005\pcwizard.sys [2004-12-04 6528]
R3 sasenum;sasenum;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S1 sasdifsv;sasdifsv;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 saskutil;saskutil;d:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 NProtectService;Norton Unerase Protection;d:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [2004-08-31 95328]
S2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2007-12-24 52240]
S2 tmpreflt;tmpreflt;d:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
S3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
S3 TmPfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2009-01-31 488768]
S3 tmproxy;Trend Micro Proxy Service;d:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-31 648456]

.
Contents of the 'Scheduled Tasks' folder

2009-04-05 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-02-24 d:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- d:\program files\Norton SystemWorks\OBC.exe [2004-09-02 06:03]

2009-04-07 d:\windows\Tasks\Symantec Drmc.job
- d:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-08-31 05:40]

2009-04-19 d:\windows\Tasks\Symantec NetDetect.job
- d:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-04-24 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: ContentSaver: Save Link Address As... - d:\progra~1\CONTEN~1\csshell.dll/#110
IE: ContentSaver: Save Page Area (Frame) - d:\progra~1\CONTEN~1\csshell.dll/#102
IE: ContentSaver: Save Page Area (Frame) As... - d:\progra~1\CONTEN~1\csshell.dll/#106
IE: ContentSaver: Save Picture - d:\progra~1\CONTEN~1\csshell.dll/#101
IE: ContentSaver: Save Picture As... - d:\progra~1\CONTEN~1\csshell.dll/#108
IE: ContentSaver: Save Selected Targets As... - d:\progra~1\CONTEN~1\csshell.dll/#111
IE: ContentSaver: Save Selection - d:\progra~1\CONTEN~1\csshell.dll/#104
IE: ContentSaver: Save Selection As... - d:\progra~1\CONTEN~1\csshell.dll/#109
IE: ContentSaver: Save Target - d:\progra~1\CONTEN~1\csshell.dll/#103
IE: ContentSaver: Save Target As... - d:\progra~1\CONTEN~1\csshell.dll/#107
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - d:\program files\Internet Download Manager\IEGetAll.htm
IE: Download all with iGetter - d:\program files\iGetter\Integration\igetall.html
IE: Download FLV video content with IDM - d:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - d:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download with &FileFactory Turbo - d:\program files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html
IE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htm
IE: Download with iGetter - d:\program files\iGetter\Integration\iget.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795}
Handler: cs - {CF429874-C894-496D-A310-9BB12C16BE3C} - d:\program files\ContentSaver\CSProtocol.dll
Handler: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - d:\program files\WebArchiver Pro\SspNG.dll
DPF: Microsoft XML Parser for Java
FF - ProfilePath - d:\documents and settings\hemrie\Application Data\Mozilla\Firefox\Profiles\i4wm33t6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: d:\documents and settings\hemrie\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: d:\documents and settings\hemrie\Application Data\Mozilla\Firefox\Profiles\i4wm33t6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: d:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 19:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"91A14B995DF7C0B42ABAA16065968F3A"="d:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"8804D69E5CAAF734E993CEE08387794B"="d:\\Program Files\\Autodesk\\3ds Max 9\\ASMOPER120A.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3944)
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\savedump.exe
d:\windows\system32\ati2evxx.exe
d:\windows\system32\ati2evxx.exe
d:\windows\system32\spm\spmd.exe
d:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\system32\sesinetd.exe
d:\windows\system32\hserver.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
d:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
d:\windows\system32\IoctlSvc.exe
d:\program files\Trend Micro\Internet Security\SfCtlCom.exe
d:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
d:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\program files\Trend Micro\BM\TMBMSRV.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-21 19:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 00:35
ComboFix2.txt 2009-04-02 12:44

Pre-Run: 74,224,812,032 bytes free
Post-Run: 74,230,308,864 bytes free

Current=1 Default=1 Failed=3 LastKnownGood=4 Sets=1,3,4,5
292 --- E O F --- 2009-04-07 06:11


_____________________________________________________________________________________________________

Here is the gmer:


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-20 20:01:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spnw.sys ZwEnumerateKey [0xF7612CA2]
SSDT spnw.sys ZwEnumerateValueKey [0xF7613030]

Code \??\D:\DOCUME~1\hemrie\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8736B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat 8701A500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----


Thank you for all your help so far.

#13 extremeboy


  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 PM

Posted 20 April 2009 - 08:24 PM

Thank you :)

That looks good. Please continue with the following:

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-MBAM log
-Kaspersky log
-New DDS logs

Thanks. These instructions may take some time, so don't worry if it takes 1-3 days to complete. MBAM should only take less than 10 minutes. The Kaspersky may take a while (may be up to 5-6 hours) so you might want to leave it running at night. I won't close this topic unless I don't hear from you for 5 days. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 hp1

  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 21 April 2009 - 06:13 PM

Kaspersky Log:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 01:45:46
Records in database: 2064606
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 589334
Threat name 6
Infected objects 9
Suspicious objects 0
Duration of the scan 04:05:31

File name Threat name Threats count
D:\Documents and Settings\hemrie\.housecall6.6\Quarantine\crack-inf.exe.bac_a01972 Infected: Trojan-Clicker.Win32.VB.jy 1
D:\Documents and Settings\hemrie\.housecall6.6\Quarantine\data.bac_a01972 Infected: Trojan-Downloader.Win32.IstBar.kc 1
D:\Documents and Settings\hemrie\.housecall6.6\Quarantine\ntauth.dll.bac_a01972 Infected: Backdoor.IRC.Zapchast 1
D:\Documents and Settings\hemrie\.housecall6.6\Quarantine\setup.bat.bac_a01972 Infected: Trojan.BAT.Zapchast 1
D:\Program Files\Trend Micro\Internet Security\Quarantine\hqnabbpcdd[1].htm Infected: Trojan.Win32.Agent2.hoc 1
D:\Program Files\Trend Micro\Internet Security\Quarantine\mstpqdre[1].htm Infected: Trojan.Win32.Agent2.hoc 1
D:\Program Files\Trend Micro\Internet Security\Quarantine\mttghh[1].htm Infected: Trojan.Win32.Agent2.hoc 1
D:\Program Files\Trend Micro\Internet Security\Quarantine\xuree[1].htm Infected: Trojan.Win32.Agent2.hoc 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\userinit.exe.vir Infected: Trojan.Win32.Agent.bvws 1
The selected area was scanned.

_________________________________________________________

DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by hemrie at 17:38:07.57 on Tue 04/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.611 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spm\spmd.exe
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\sesinetd.exe
D:\WINDOWS\system32\hserver.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\WINDOWS\System32\nvraidservice.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
D:\WINDOWS\system32\IoctlSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Documents and Settings\hemrie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: IGMONObj Class: {02464ddc-3187-11d8-8004-0020ed227566} - d:\program files\igetter\integration\IGMON.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: CSShell.BHO: {e6b64f67-b100-4636-8d51-d113e1f5ff93} - d:\program files\contentsaver\CSShell.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - d:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: ContentSaver Toolbar: {4d63cebe-b169-426c-b092-c130c498b6e6} - d:\program files\contentsaver\CSShell.dll
TB: ContentSaver Editing Bar: {86b09c4e-4137-4863-b585-380205f1f774} - d:\program files\contentsaver\CSShell.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {1FEA1109-9F65-4FDC-AEC5-033F6CC60641} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [ccleaner] "d:\program files\ccleaner\CCleaner.exe" /AUTO
mRun: [NVRaidService] d:\windows\system32\nvraidservice.exe
mRun: [NVIDIA nTune] "d:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [ATICCC] "d:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Launch Ai Booster] "d:\program files\asus\ai booster\OverClk.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: ContentSaver: Save Link Address As... - d:\progra~1\conten~1\csshell.dll/#110
IE: ContentSaver: Save Page Area (Frame) - d:\progra~1\conten~1\csshell.dll/#102
IE: ContentSaver: Save Page Area (Frame) As... - d:\progra~1\conten~1\csshell.dll/#106
IE: ContentSaver: Save Picture - d:\progra~1\conten~1\csshell.dll/#101
IE: ContentSaver: Save Picture As... - d:\progra~1\conten~1\csshell.dll/#108
IE: ContentSaver: Save Selected Targets As... - d:\progra~1\conten~1\csshell.dll/#111
IE: ContentSaver: Save Selection - d:\progra~1\conten~1\csshell.dll/#104
IE: ContentSaver: Save Selection As... - d:\progra~1\conten~1\csshell.dll/#109
IE: ContentSaver: Save Target - d:\progra~1\conten~1\csshell.dll/#103
IE: ContentSaver: Save Target As... - d:\progra~1\conten~1\csshell.dll/#107
IE: Convert link target to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download all with iGetter - d:\program files\igetter\integration\igetall.html
IE: Download FLV video content with IDM - d:\program files\internet download manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - d:\program files\megaupload\mega manager\mm_file.htm
IE: Download with &FileFactory Turbo - d:\program files\filefactory turbo\plugins\ie\FileFactoryIE.html
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: Download with iGetter - d:\program files\igetter\integration\iget.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206154871327
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206154858483
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} - hxxp://www.fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cs - {CF429874-C894-496D-A310-9BB12C16BE3C} - d:\program files\contentsaver\CSProtocol.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - d:\program files\webarchiver pro\SspNG.dll
Notify: !saswinlogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - d:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\hemrie\applic~1\mozilla\firefox\profiles\i4wm33t6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: d:\documents and settings\hemrie\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: d:\documents and settings\hemrie\application data\mozilla\firefox\profiles\i4wm33t6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 sasdifsv;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 saskutil;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;d:\program files\common files\nero\nero backitup 4\NBService.exe [2008-11-25 935208]
R2 NProtectService;Norton Unerase Protection;d:\progra~1\norton~1\norton~1\NPROTECT.EXE [2004-8-30 95328]
R2 Symantec Core LC;Symantec Core LC;d:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-9 819352]
R2 tmpreflt;tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2007-9-17 36368]
R3 tmcfw;Trend Micro Common Firewall Service;d:\windows\system32\drivers\TM_CFW.sys [2007-9-17 333328]
S2 ccEvtMgr;Symantec Event Manager;d:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-27 197752]
S2 tmevtmgr;tmevtmgr;d:\windows\system32\drivers\tmevtmgr.sys [2008-6-20 52240]
S3 pcwe;pcwe;d:\documents and settings\hemrie\my documents\my overclock files\pc wizard 2005\pcwizard.sys [2004-12-4 6528]
S3 sasenum;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 TmPfw;Trend Micro Personal Firewall;d:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-6-20 488768]
S3 tmproxy;Trend Micro Proxy Service;d:\program files\trend micro\internet security\TmProxy.exe [2008-6-20 648456]
S4 ccPwdSvc;Symantec Password Validation;d:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-27 78968]
S4 ccSetMgr;Symantec Settings Manager;d:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-27 164984]

=============== Created Last 30 ================

2009-04-20 21:34 410,984 a------- d:\windows\system32\deploytk.dll
2009-04-20 21:34 73,728 a------- d:\windows\system32\javacpl.cpl
2009-04-20 19:55 <DIR> --d----- d:\program files\GMER
2009-04-19 11:14 <DIR> --d----- d:\program files\common files\DivX Shared
2009-04-01 20:29 161,792 a------- d:\windows\SWREG.exe
2009-04-01 20:29 98,816 a------- d:\windows\sed.exe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-03-19 17:16 14,336 a------- d:\windows\system32\svchost.exe
2009-02-24 14:34 90,112 a------- d:\windows\system32\dpl100.dll
2009-02-24 14:34 823,296 a------- d:\windows\system32\divx_xx0c.dll
2009-02-24 14:34 823,296 a------- d:\windows\system32\divx_xx07.dll
2009-02-24 14:34 815,104 a------- d:\windows\system32\divx_xx0a.dll
2009-02-24 14:34 802,816 a------- d:\windows\system32\divx_xx11.dll
2009-02-24 14:34 684,032 a------- d:\windows\system32\DivX.dll
2009-02-09 06:13 1,846,784 a------- d:\windows\system32\win32k.sys
2009-02-08 14:27 16,384 a------- d:\windows\DCEBoot.exe
2005-06-19 23:27 87 a------- d:\documents and settings\hemrie\aw.dat
2008-10-11 10:13 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 17:38:20.71 ===============

__________________________________________________________________


Thanks!!

Next Step?


#15 hp1

  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 21 April 2009 - 06:22 PM

As usual I forgot to add a log:

MBAM


Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/20/2009 9:09:53 PM
mbam-log-2009-04-20 (21-09-53).txt

Scan type: Quick Scan
Objects scanned: 82263
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



