Sounds like Virtumonde? Pop-ups, Hijacked Browser, "SpywareRemover2009"


  • This topic is locked
14 replies to this topic

#1 SuB-ZeD

  • Members
  • 49 posts
  • OFFLINE
  • Local time: 12:33 PM

Posted 06 April 2009 - 08:15 PM

Hey guys,

I seem to have picked up a really bad virus on my laptop. I'm usually pretty decent at fixing these things, but this is just something else... I ran a HouseCall scan and cleaned out anything it found, though that doesn't help. I've run ATF Cleaner as well. Also, when I run SUPERAntiSpyware and scan the whole system, the scanning part works fine, but halfway through the REMOVAL process my computer crashes and goes to a "fatal error" blue screen (no doubt the virus has something to do with this).

Anyways, I'd really appreciate any help you guys can provide. Here's the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by singhsu1 at 20:51:02.08 on Mon 04/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.511.49 [GMT -4:00]


============== Running Processes ===============

C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\keyacc32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\System32\TPHDEXLG.EXE
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINNT\system32\TpShocks.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\TpScrLk.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program Files\zepsoft\Wallpaper Calendar\WallCal3.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Downloads\SoftwareAPPS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = hxxp://www.sheridaninstitute.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: : {02dca195-602b-4b1f-83ff-381b7e804bdb} - c:\winnt\system32\HDBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {292245b8-6f7a-40a5-a4ef-5f49e32fcc32} - c:\winnt\system32\opnnnnKb.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\winnt\system32\dla\tfswshx.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\winnt\system32\pmNfedDV.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {dfd6c8f1-a487-e0b9-be94-cd5c4f19cf9b}: {b9fc91f4-c5dc-49eb-9b0e-784a1f8c6dfd} - c:\winnt\system32\awjwbp.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NGClient] c:\program files\symantec\ghost\ngctw32.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [TpShocks] TpShocks.exe
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPKBDLED] c:\winnt\system32\TpScrLk.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [dla] c:\winnt\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [LXBTCATS] rundll32 c:\winnt\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [NWEReboot]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [QCTray] c:\progra~1\thinkpad\connec~1\QCTray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [Ykatoboz] rundll32.exe "c:\winnt\axifivutamuxu.dll",e
mRun: [KeyAccess] keyacc32.exe
mRun: [ebe9ceb6] rundll32.exe "c:\winnt\system32\rtowvvwr.dll",b
dRun: [CTFMON.EXE] c:\winnt\system32\CTFMON.EXE
dRunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi"
dRunOnce: [supportdir] cmd /c "rmdir /q /s "c:\winnt\temp\{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}""
StartupFolder: c:\docume~1\singhsu1\startm~1\programs\startup\wallpa~1.lnk - c:\program files\zepsoft\wallpaper calendar\WallCal3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\miniey~1.lnk - c:\program files\infinite mind lc\eyeq\ARLaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zdwlan.lnk - c:\program files\zydas\zd1211 802.11g utility\ZDWlan.exe
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 3600 (0xe10)
IE: Download All Files by HiDownload - c:\progra~1\hidown~1\HDGetAll.htm
IE: Download by HiDownload - c:\progra~1\hidown~1\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - c:\progra~1\hidown~1\hidownload.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38058.3427546296
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.140,85.255.112.132
TCP: {26B22661-4A55-4D3B-BD7E-0AD533E27D47} = 85.255.112.140,85.255.112.132
TCP: {72DC7523-74C3-47E6-8387-6BC9CB0A0BAF} = 85.255.112.140,85.255.112.132
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: pmNfedDV - pmNfedDV.dll
Notify: QConGina - QConGina.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: KATRACK.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\winnt\system32\pmNfedDV.dll
SEH: {43c6e218-973a-c96a-8ff4-216eeceef85e}: {e58feece-e612-4ff8-a69c-a379812e6c34} - c:\winnt\system32\awjwbp.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\opnnnnKb
LSA: Notification Packages = scecli av2sfx3d.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\singhsu1\applic~1\mozilla\firefox\profiles\d1mzet1q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - HiddenExtension: XUL Cache: {7FD3CFF8-6E90-4AF9-B489-6712ACB0D43E} - c:\documents and settings\singhsu1\local settings\application data\{7FD3CFF8-6E90-4AF9-B489-6712ACB0D43E}

============= SERVICES / DRIVERS ===============

R0 EFlashAssist;EFlashAssist;c:\winnt\system32\drivers\EFLASHAS.SYS [2006-1-19 8476]
R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\winnt\system32\drivers\GhMon.sys [2003-10-3 6784]
R0 PzWDM;PzWDM;c:\winnt\system32\drivers\PzWDM.sys [2009-2-17 15172]
R0 Shockprf;Shockprf;c:\winnt\system32\drivers\shockprf.sys [2005-7-14 69632]
R1 ANC;ANC;c:\winnt\system32\drivers\ANC.sys [2005-7-14 11520]
R1 IBMTPCHK;IBMTPCHK;c:\winnt\system32\drivers\IBMBLDID.SYS [2005-7-14 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 ShockMgr;ShockMgr;c:\winnt\system32\drivers\ShockMgr.sys [2005-7-14 4736]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2005-7-14 16384]
R2 KeyAccess;KeyAccess;c:\winnt\keyacc32.exe [2005-6-1 331776]
R2 NGClient;Symantec Ghost Client Agent;c:\program files\symantec\ghost\ngctw32.exe [2003-10-3 431272]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-3 199328]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-3 199328]
S3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;c:\winnt\system32\drivers\aeiwlnds.sys --> c:\winnt\system32\drivers\AEIWLNDS.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2005-8-2 32512]
S3 QCNDISIF;QCNDISIF;c:\winnt\system32\drivers\qcndisif.sys [2005-7-14 12288]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-06 18:19 1,414,394 ---sh--- c:\winnt\system32\rwvvwotr.ini
2009-04-06 18:19 75,776 a------- c:\winnt\system32\rtowvvwr.dll
2009-04-06 18:16 98,816 a------- c:\winnt\system32\awjwbp.dll
2009-04-06 18:16 98,816 a------- c:\winnt\system32\jojlvstj.dll
2009-04-06 06:19 1,414,074 ---sh--- c:\winnt\system32\xususwdy.ini
2009-04-06 06:16 98,816 a------- c:\winnt\system32\kcdqla.dll
2009-04-06 06:16 98,816 a------- c:\winnt\system32\bqkvlaeo.dll
2009-04-05 18:22 98,816 a------- c:\winnt\system32\tmpeqx.dll
2009-04-05 18:22 98,816 a------- c:\winnt\system32\hsexnyia.dll
2009-04-05 18:19 1,414,083 ---sh--- c:\winnt\system32\tmyjufix.ini
2009-04-04 19:13 99,840 a------- c:\winnt\system32\wkrpie.dll
2009-04-04 19:13 99,840 a------- c:\winnt\system32\jscykgfr.dll
2009-04-04 19:10 1,414,092 ---sh--- c:\winnt\system32\aikgnkdg.ini
2009-04-04 19:10 74,752 a------- c:\winnt\system32\gdkngkia.dll
2009-04-04 01:25 664 a------- c:\winnt\system32\d3d9caps.dat
2009-04-03 19:09 1,414,092 ---sh--- c:\winnt\system32\tlubpobg.ini
2009-04-03 19:09 99,840 a------- c:\winnt\system32\olpisv.dll
2009-04-03 19:09 99,840 a------- c:\winnt\system32\mtificuu.dll
2009-04-03 19:08 9,984 a--sh--- c:\winnt\system32\bKnnnnpo.ini2
2009-04-03 19:08 9,984 a--sh--- c:\winnt\system32\bKnnnnpo.ini
2009-04-03 19:08 237,568 a------- c:\winnt\system32\opnnnnKb.dll
2009-04-03 18:55 83,456 a------- c:\winnt\system32\drivers\ovfsthxbjwivjiionfhxslxydeespdhcgoribp.sys
2009-04-03 18:55 60,928 a------- c:\winnt\system32\ovfsthvqcsviuxnuvrembcrrvxtrqqhentxngc.dll
2009-04-03 18:53 36,864 a------- c:\winnt\system32\pmNfedDV.dll
2009-04-03 18:53 385 ---shr-- C:\autorun.inf
2009-04-02 19:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-02 19:01 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-02 19:01 <DIR> --d----- c:\docume~1\singhsu1\applic~1\SUPERAntiSpyware.com
2009-03-21 09:34 <DIR> --d----- c:\program files\Nox
2009-03-20 18:50 2,048 a------- c:\winnt\system32\win32xml.TX1

==================== Find3M ====================

2009-02-17 20:45 15,172 a------- c:\winnt\system32\drivers\PzWDM.sys
2008-01-22 21:26 65,312 a------- c:\docume~1\singhsu1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:54:01.63 ===============

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender: Female
  • Location: Belgium
  • Local time: 06:33 PM

Posted 07 April 2009 - 05:55 AM

Hi,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
Then, please download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SuB-ZeD
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time: 12:33 PM

Posted 07 April 2009 - 07:13 PM

Alright, I've done everything. I actually ran a quick scan with Malwarebytes twice because the first time around it wouldn't update. I'll post both logs.

GOORED FIX LOG:

GooredFix v1.92 by jpshortstuff
Log created at 19:01 on 07/04/2009 running Option #2 (singhsu1)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{7FD3CFF8-6E90-4AF9-B489-6712ACB0D43E}"="C:\Documents and Settings\singhsu1\Local Settings\Application Data\{7FD3CFF8-6E90-4AF9-B489-6712ACB0D43E}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\singhsu1\Local Settings\Application Data\{7FD3CFF8-6E90-4AF9-B489-6712ACB0D43E}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

MALWAREBYTES LOG #1:


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/7/2009 7:45:57 PM
mbam-log-2009-04-07 (19-45-57).txt

Scan type: Quick Scan
Objects scanned: 73535
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 8
Registry Keys Infected: 21
Registry Values Infected: 7
Registry Data Items Infected: 18
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\ipfyxjsp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\opnnnnKb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\rtowvvwr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\nmmfdk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\pmNfedDV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ckedei.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\tgvfnssc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ujjcycyb.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnfeddv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{978eea49-97cc-44bb-84b1-b0257d4f81b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{978eea49-97cc-44bb-84b1-b0257d4f81b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9fded74b-6036-4282-a8a1-c6b5970b4856} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9fded74b-6036-4282-a8a1-c6b5970b4856} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19ceb6a4-cf9e-41ff-8575-6bb23f438d7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{978eea49-97cc-44bb-84b1-b0257d4f81b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9fded74b-6036-4282-a8a1-c6b5970b4856} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Convert2PlaySoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebe9ceb6 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19ceb6a4-cf9e-41ff-8575-6bb23f438d7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{19ceb6a4-cf9e-41ff-8575-6bb23f438d7b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykatoboz (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\winnt\system32\opnnnnkb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: av2sfx3d.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\opnnnnkb -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26b22661-4a55-4d3b-bd7e-0ad533e27d47}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{72dc7523-74c3-47e6-8387-6bc9cb0a0baf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{72dc7523-74c3-47e6-8387-6bc9cb0a0baf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{26b22661-4a55-4d3b-bd7e-0ad533e27d47}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{72dc7523-74c3-47e6-8387-6bc9cb0a0baf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{72dc7523-74c3-47e6-8387-6bc9cb0a0baf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{26b22661-4a55-4d3b-bd7e-0ad533e27d47}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{72dc7523-74c3-47e6-8387-6bc9cb0a0baf}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{72dc7523-74c3-47e6-8387-6bc9cb0a0baf}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.140,85.255.112.132 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\pmNfedDV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\nmmfdk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\opnnnnKb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\bKnnnnpo.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\bKnnnnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\gdkngkia.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\aikgnkdg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\ipfyxjsp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\psjxyfpi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\rtowvvwr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\rwvvwotr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\av2sfx3d.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\HDBHO.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINNT\system32\ckedei.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\tgvfnssc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ujjcycyb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\mtificuu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\olpisv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhsu1\Local Settings\Temporary Internet Files\Content.IE5\2Q6R9ZMM\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\singhsu1\Local Settings\Temporary Internet Files\Content.IE5\RW50I576\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\axifivutamuxu.dll (Trojan.Agent) -> Delete on reboot.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-3-3-24-100031087-100013563-100022289-8597.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINNT\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\ovfsthxbjwivjiionfhxslxydeespdhcgoribp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\ovfsthvqcsviuxnuvrembcrrvxtrqqhentxngc.dll (Trojan.Agent) -> Quarantined and deleted successfully.

MALWAREBYTES LOG #2:

Malwarebytes' Anti-Malware 1.36
Database version: 1949
Windows 5.1.2600 Service Pack 2

4/7/2009 8:00:59 PM
mbam-log-2009-04-07 (20-00-59).txt

Scan type: Quick Scan
Objects scanned: 72645
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\awjwbp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\jojlvstj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:02 PM, on 4/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\keyacc32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\TPHDEXLG.EXE
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINNT\system32\TpShocks.exe
C:\WINNT\system32\TpScrLk.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\Program Files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program Files\zepsoft\Wallpaper Calendar\WallCal3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\singhsu1\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sheridaninstitute.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [KeyAccess] keyacc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
O4 - Startup: Wallpaper Calendar.lnk = C:\Program Files\zepsoft\Wallpaper Calendar\WallCal3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MediaChecker.lnk = C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shernet.sheridanc.ca
O17 - HKLM\Software\..\Telephony: DomainName = shernet.sheridanc.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shernet.sheridanc.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KeyAccess - Sassafras Software Inc. - C:\WINNT\keyacc32.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINNT\system32\lxbtcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

--
End of file - 10635 bytes

#4 miekiemoes
Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium

Posted 08 April 2009 - 01:41 AM

Hi,

Let's see what's still present...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SuB-ZeD
Topic Starter, Members, 49 posts

Posted 08 April 2009 - 06:53 PM

Hey, I just wanted to thank you for all your help so far. You guys are great!

Here's the COMBOFIX Log:

ComboFix 09-04-04.01 - singhsu1 2009-04-08 18:50:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.511.293 [GMT -4:00]
Running from: c:\documents and settings\singhsu1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\winnt\system32\bqkvlaeo.dll
c:\winnt\system32\drivers\UACvotkyibq.sys
c:\winnt\system32\hsexnyia.dll
c:\winnt\system32\jscykgfr.dll
c:\winnt\system32\kcdqla.dll
c:\winnt\system32\tlubpobg.ini
c:\winnt\system32\tmpeqx.dll
c:\winnt\system32\tmyjufix.ini
c:\winnt\system32\UACdgrqlxcd.dll
c:\winnt\system32\UAChooyodlm.log
c:\winnt\system32\UACitumjjka.dat
c:\winnt\system32\UACjnpjinbd.log
c:\winnt\system32\UACkinciyer.log
c:\winnt\system32\UACoylvmyfd.dll
c:\winnt\system32\UACpmppjcvv.dll
c:\winnt\system32\UACpxyrqjwp.dll
c:\winnt\system32\UACsjbmhwuy.dll
c:\winnt\system32\wkrpie.dll
c:\winnt\system32\xususwdy.ini
c:\winnt\Tasks\zhplmavc.job
c:\winnt\winhelp.ini
D:\Autorun.inf
d:\recycler\S-0-4-30-100022062-100022924-100013358-8776.com
d:\recycler\S-3-3-24-100031087-100013563-100022289-8597.com
d:\recycler\S-4-5-41-100007597-100017518-100023656-5773.com
d:\recycler\S-4-8-58-100026689-100009286-100026233-8669.com
d:\recycler\S-6-7-89-100013923-100008286-100005561-4763.com

----- BITS: Possible infected sites -----

hxxp://drm.wippiespace.com
hxxp://wsus.sheridanc.on.ca
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_PASSWORD


((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-07 19:13 . 2009-04-07 19:13 <DIR> d-------- c:\documents and settings\singhsu1\Application Data\Malwarebytes
2009-04-07 19:11 . 2009-04-07 19:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 19:11 . 2009-04-07 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-07 19:11 . 2009-04-06 15:32 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-07 19:11 . 2009-04-06 15:32 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-04-04 01:25 . 2009-04-04 01:26 664 --a------ c:\winnt\system32\d3d9caps.dat
2009-04-02 19:01 . 2009-04-04 16:26 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-02 19:01 . 2009-04-02 19:01 <DIR> d-------- c:\documents and settings\singhsu1\Application Data\SUPERAntiSpyware.com
2009-04-02 19:01 . 2009-04-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-21 09:34 . 2009-03-21 12:13 <DIR> d-------- c:\program files\Nox
2009-03-20 18:50 . 2009-03-20 18:50 2,048 --a------ c:\winnt\system32\win32xml.TX1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 05:08 --------- d-----w c:\documents and settings\singhsu1\Application Data\U3
2009-04-03 22:59 --------- d-----w c:\program files\LimeWire
2009-04-03 22:53 --------- d-----w c:\documents and settings\singhsu1\Application Data\Azureus
2009-04-03 22:40 --------- d-----w c:\program files\Soulseek
2009-04-02 23:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-02 00:13 --------- d-----w c:\program files\Lx_cats
2009-03-15 21:08 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 22:44 --------- d-----w c:\program files\HOTALBUMMyBOX
2009-03-03 01:28 --------- d-----w c:\program files\UFile 2007
2009-02-18 00:45 15,172 ----a-w c:\winnt\system32\drivers\PzWDM.sys
2009-02-18 00:45 --------- d-----w c:\program files\CASIO
2009-02-15 22:11 --------- d-----w c:\program files\iTunes
2009-02-15 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-15 22:10 --------- d-----w c:\program files\iPod
2009-02-15 22:09 --------- d-----w c:\program files\Bonjour
2009-02-15 22:08 --------- d-----w c:\program files\QuickTime
2009-02-15 22:06 --------- d-----w c:\program files\Apple Software Update
2009-02-11 04:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-01-23 01:26 65,312 ----a-w c:\documents and settings\singhsu1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2003-10-03 431272]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-12-15 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-12-15 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TPKBDLED"="c:\winnt\system32\TpScrLk.exe" [2002-10-08 40960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"LXBTCATS"="c:\winnt\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-09-01 237568]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-09-06 86016]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-09-06 745472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\winnt\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-08-24 c:\winnt\system32\TP4EX.exe]
"KeyAccess"="keyacc32.exe" [2005-06-01 c:\winnt\keyacc32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

c:\documents and settings\singhsu1\Start Menu\Programs\Startup\
Wallpaper Calendar.lnk - c:\program files\zepsoft\Wallpaper Calendar\WallCal3.exe [2002-10-19 1227776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-19 24576]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-04-01 83360]
MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2007-06-25 323584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-12-14 811008]
ZDWlan.lnk - c:\program files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe [2007-08-28 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 3600 (0xe10)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 04:08 262144 c:\winnt\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\winnt\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-16 23:23 24576 c:\winnt\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3147950943-2271782263-395470419-44226\Scripts\Logon\0\0]
"Script"=Logon.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\keyacc32.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINNT\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\WINNT\\system32\\dplaysvr.exe"=

R0 EFlashAssist;EFlashAssist;c:\winnt\system32\drivers\EFLASHAS.SYS [2006-01-19 8476]
R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\winnt\system32\drivers\GhMon.sys [2003-10-03 6784]
R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-03 199328]
R0 PzWDM;PzWDM;c:\winnt\system32\drivers\PzWDM.sys [2009-02-17 15172]
R0 Shockprf;Shockprf;c:\winnt\system32\drivers\shockprf.sys [2005-07-14 69632]
R1 ANC;ANC;c:\winnt\system32\drivers\ANC.sys [2005-07-14 11520]
R1 IBMTPCHK;IBMTPCHK;c:\winnt\system32\drivers\IBMBLDID.SYS [2005-07-14 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R1 ShockMgr;ShockMgr;c:\winnt\system32\drivers\ShockMgr.sys [2005-07-14 4736]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2005-07-14 16384]
R2 KeyAccess;KeyAccess;c:\winnt\keyacc32.exe [2005-06-01 331776]
R2 NGClient;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2003-10-03 431272]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-03 199328]
S3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;c:\winnt\system32\DRIVERS\AEIWLNDS.sys --> c:\winnt\system32\DRIVERS\AEIWLNDS.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2005-08-02 32512]
S3 QCNDISIF;QCNDISIF;c:\winnt\system32\drivers\qcndisif.sys [2005-07-14 12288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\winnt\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-30-100022062-100022924-100013358-8776.com c:\
\Shell\Open\command - c:\recycler\S-0-4-30-100022062-100022924-100013358-8776.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\winnt\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-30-100022062-100022924-100013358-8776.com d:\
\Shell\Open\command - d:\recycler\S-0-4-30-100022062-100022924-100013358-8776.com d:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac039-74e4-11db-9c4f-0012f0d33bab}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af267750-62d2-11dc-9d68-0012f0d33bab}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2006-05-04 c:\winnt\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = hxxp://www.sheridaninstitute.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download All Files by HiDownload - c:\progra~1\HIDOWN~1\HDGetAll.htm
IE: Download by HiDownload - c:\progra~1\HIDOWN~1\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\singhsu1\Application Data\Mozilla\Firefox\Profiles\d1mzet1q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 19:43:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\winnt\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxtbijoenalmkvpabobvctedhmmlrskylq.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ibmpmsvc.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\winnt\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\winnt\system32\TPHDEXLG.exe
c:\winnt\system32\TpKmpSvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Lexmark 5200 Series\lxbtbmon.exe
c:\winnt\system32\rundll32.exe
c:\winnt\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-08 19:46:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-08 23:46:37

Pre-Run: 11,598,475,264 bytes free
Post-Run: 11,716,767,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

286 --- E O F --- 2009-01-15 08:01:58

#6 miekiemoes
Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium

Posted 08 April 2009 - 06:58 PM

Hi,

Go to Start > Run and copy and paste the next command into the field:

sc delete gaopdxserv.sys

Hit enter.

Then, open Notepad and copy and paste the text present in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as fix.reg (choose to save as type *all files) and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Then go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report into your next reply.
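
As an added example (not part of this thread, ComboFix or the helper's own procedure), the Python script below applies the same judgment to the MountPoints2 section of a ComboFix log: it flags drive keys whose AutoRun/Open handlers launch the RECYCLER\S-...com payload seen above and writes the REGEDIT4 removal file the helper built by hand for the C and D keys. The log excerpt embedded in it is constructed from the entries posted above.

```python
"""Triage the MountPoints2 entries of a ComboFix log.

Added example for this thread (not ComboFix's or the helper's own code): flag
drive keys whose AutoRun / Open handler launches a RECYCLER\\S-...com payload
(the autorun-worm pattern visible in the log above) and emit the REGEDIT4
file that deletes exactly those keys.
"""
import re

# Constructed sample: the MountPoints2 section as posted in the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\winnt\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-30-100022062-100022924-100013358-8776.com c:\
\Shell\Open\command - c:\recycler\S-0-4-30-100022062-100022924-100013358-8776.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\winnt\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-30-100022062-100022924-100013358-8776.com d:\
\Shell\Open\command - d:\recycler\S-0-4-30-100022062-100022924-100013358-8776.com d:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac039-74e4-11db-9c4f-0012f0d33bab}]
\Shell\AutoRun\command - G:\setupSNK.exe
"""

# "[HKEY_...\mountpoints2\<drive or GUID>]" section header
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\mountpoints2\\([^\]]+))\]$", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" entry beneath a header
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.IGNORECASE)
# Fake-SID .com dropped under RECYCLER, as in the log above
WORM_PAYLOAD_RE = re.compile(r"recycler\\S-\d+(-\d+)+\.com", re.IGNORECASE)


def parse_mountpoints(log_text):
    """Return {full_key: {verb_lowercase: command}} for every MountPoints2 key."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2).strip()
    return entries


def is_suspicious(commands):
    """True when the handlers match the autorun-worm pattern from this thread."""
    autorun = commands.get("autorun", "")
    opened = commands.get("open", "")
    # Either verb pointing at a RECYCLER\S-...com file is the payload itself.
    if WORM_PAYLOAD_RE.search(autorun) or WORM_PAYLOAD_RE.search(opened):
        return True
    # Vendor autoruns (U3 launcher, setup.exe) call their binary directly;
    # indirection through rundll32 ShellExec_RunDLL is the worm's launcher.
    return "shellexec_rundll" in autorun.lower()


def suspicious_keys(log_text):
    """Full registry paths of the MountPoints2 keys that should be removed."""
    return [key for key, cmds in parse_mountpoints(log_text).items() if is_suspicious(cmds)]


def build_fix_reg(keys):
    """REGEDIT4 text deleting each key; a leading '-' in the header means delete."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines += ["[-" + key + "]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_fix_reg(suspicious_keys(SAMPLE_LOG)))
```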

#7 SuB-ZeD
Topic Starter, Members, 49 posts

Posted 09 April 2009 - 06:34 AM

Hey, here's the Avira Report:



Avira AntiVir Personal
Report file date: April 8, 2009 22:26

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : L-SINGHSU1

Version information:
BUILD.DAT : 9.0.0.386 17962 Bytes 11/03/2009 15:55:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 24/02/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 00:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 03/03/2009 11:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 05/03/2009 18:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 27/01/2009 21:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 27/02/2009 00:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 12/02/2009 15:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 22:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 04/03/2009 17:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 27/02/2009 00:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 25/02/2009 19:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 27/02/2009 00:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 04/03/2009 17:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 18:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 17/02/2009 18:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 09/02/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 09/02/2009 15:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 11/03/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: April 8, 2009 22:26

Initiating scan of system files:
Signed -> 'C:\WINNT\system32\svchost.exe'
Signed -> 'C:\WINNT\system32\winlogon.exe'
Signed -> 'C:\WINNT\explorer.exe'
Signed -> 'C:\WINNT\system32\smss.exe'
Signed -> 'C:\WINNT\system32\wininet.DLL'
Signed -> 'C:\WINNT\system32\wsock32.DLL'
Signed -> 'C:\WINNT\system32\ws2_32.DLL'
Signed -> 'C:\WINNT\system32\services.exe'
Signed -> 'C:\WINNT\system32\lsass.exe'
Signed -> 'C:\WINNT\system32\csrss.exe'
Signed -> 'C:\WINNT\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINNT\system32\spoolsv.exe'
Signed -> 'C:\WINNT\system32\alg.exe'
Signed -> 'C:\WINNT\system32\wuauclt.exe'
Signed -> 'C:\WINNT\system32\advapi32.DLL'
Signed -> 'C:\WINNT\system32\user32.DLL'
Signed -> 'C:\WINNT\system32\gdi32.DLL'
Signed -> 'C:\WINNT\system32\kernel32.DLL'
Signed -> 'C:\WINNT\system32\ntdll.DLL'
Signed -> 'C:\WINNT\system32\ntoskrnl.exe'
Signed -> 'C:\WINNT\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
c:\winnt\system32\gaopdxcounter
[INFO] The file is not visible.
[NOTE] A backup was created as '4a4c5e98.qua' ( QUARANTINE )
c:\winnt\system32\gaopdxgoxubrqowytqnpqohaleurqrqjiyqjik.dll
[INFO] The file is not visible.
[NOTE] A backup was created as '4b34fbf9.qua' ( QUARANTINE )
c:\winnt\system32\drivers\gaopdxjnsrpcqrvsnbmrlimdodppupthkduxbr.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3693d9.qua' ( QUARANTINE )
c:\winnt\system32\drivers\gaopdxkomguiqubrqtewnvyvvrdofgyvppjxvi.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4b30abb9.qua' ( QUARANTINE )
c:\winnt\system32\drivers\gaopdxprwnnajnteduvgdxpmxuchpwgtlxfvym.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4b334399.qua' ( QUARANTINE )
c:\winnt\system32\drivers\gaopdxtbijoenalmkvpabobvctedhmmlrskylq.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4bcd1a79.qua' ( QUARANTINE )
c:\winnt\system32\drivers\gaopdxwuwpybburuhrgqumlmlkturquyiwewfr.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4bcf3259.qua' ( QUARANTINE )
c:\documents and settings\singhsu1\local settings\temp\gaopdx000
[INFO] The file is not visible.
[NOTE] A backup was created as '4ee36dc9.qua' ( QUARANTINE )
c:\documents and settings\singhsu1\local settings\temp\gaopdxserv.sys000
[INFO] The file is not visible.
[NOTE] A backup was created as '4efd05a9.qua' ( QUARANTINE )
\systemroot\system32\drivers\gaopdxtbijoenalmkvpabobvctedhmmlrskylq.sys
[INFO] The registry entry is invisible.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] Error in ARK library
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys
[INFO] The registry entry is invisible.
'53600' objects were checked, '11' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'WallCal3.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'MediaChecker.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'QCTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'QCWLICON.EXE' - '1' Module(s) have been scanned
Scan process 'EZEJMNAP.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'lxbtbmon.exe' - '1' Module(s) have been scanned
Scan process 'lxbtbmgr.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'TpScrLk.exe' - '1' Module(s) have been scanned
Scan process 'TpShocks.exe' - '1' Module(s) have been scanned
Scan process 'SMax4PNP.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'TPHKMGR.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'TpKmpSvc.exe' - '1' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'QCONSVC.EXE' - '1' Module(s) have been scanned
Scan process 'ngctw32.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'keyacc32.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
61 processes with 61 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '103' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\A0091002.exe.bac_a01160
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\A0091002.exe.bac_a01160
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\A0091002.exe.bac_a01160
[1] Archive type: RAR SFX (self extracting)
--> trainer.exe
[DETECTION] Is the TR/Virtl.18802 Trojan
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\cbaxw.dll.bad.bac_a02140
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\euvnhhpt.dll.bac_a02848
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\euvnhhpt.dll.bac_a02848
[DETECTION] Is the TR/PCK.Klone.K.5 Trojan
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\opnnkHYS.dll.bac_a02188
[DETECTION] Is the TR/Dldr.ConHook.Gen Trojan
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Setup(2).exe.bac_a02848
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Setup.exe.bac_a02848
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\ShoppingReport.dll.bac_a02848
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\ShoppingReport.dll.bac_a02848
[DETECTION] Contains recognition pattern of the ADSPY/MartSho.dll.3 adware or spyware
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\ticjohhs.exe.bac_a02576
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\ticjohhs.exe.bac_a02576
[1] Archive type: RSRC
--> Object
[DETECTION] Contains recognition pattern of the ADSPY/SearchColours.A adware or spyware
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\trainer.exe.bac_a02848
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\trainer.exe.bac_a02848
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\trainer.exe.bac_a02848
[1] Archive type: RAR SFX (self extracting)
--> trainer.exe
[DETECTION] Is the TR/Virtl.18802 Trojan
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Uninst.exe.bac_a02848
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Uninst.exe.bac_a02848
[1] Archive type: NSIS
--> [PluginsDir]/InstallerHelperPlugin.dll
[DETECTION] Contains recognition pattern of the ADSPY/MartSho.dll.2 adware or spyware
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\WallCal302_kg-tsrh.exe.bac_a02848
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\WallCal302_kg-tsrh.exe.bac_a02848
[DETECTION] Is the TR/Agent.7908 Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{2112728F-6B92-452B-9C5E-98D9A8C67E9D}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{A9479F80-6AEE-4444-9A0A-C45492C3275D}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{B3DD4FD1-AE95-4EDF-BC0F-353104879720}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{CF2B3476-7684-4BDD-B4E9-6AEBEB1E6FF0}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{EA04A93C-F080-4697-933E-BC468D466EF4}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{00BFC6AD-0A94-4988-9CB5-330A99B32E32}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{04A6C297-5260-42A7-B32A-CA511252B017}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{7747102C-BEF5-4310-B548-C3D966746BF7}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{9BB1A118-7049-49B6-A716-683764C3CD09}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{D549EA3E-61E6-41D7-A873-572098F0DBF0}
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\fireburner\tno_fb23.exe
[DETECTION] Is the TR/Spy.Gampass.LP Trojan
C:\Shared\Benassi Bros. - Benassi Bros. feat Naan - Feel Alive (Original Extended).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Shared\kanye west - love locked down .mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Shared\love lock down(unplugged version).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
Begin scan in 'D:\'

Beginning disinfection:
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\A0091002.exe.bac_a01160
[NOTE] The file was moved to '4a0dda0c.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\cbaxw.dll.bad.bac_a02140
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a3eda3f.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\euvnhhpt.dll.bac_a02848
[NOTE] The file was moved to '4a53da52.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\opnnkHYS.dll.bac_a02188
[DETECTION] Is the TR/Dldr.ConHook.Gen Trojan
[NOTE] The file was moved to '4a4bda4d.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Setup(2).exe.bac_a02848
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4a51da42.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Setup.exe.bac_a02848
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '42111a9b.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\ShoppingReport.dll.bac_a02848
[NOTE] The file was moved to '4a4cda45.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\ticjohhs.exe.bac_a02576
[NOTE] The file was moved to '4a40da46.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\trainer.exe.bac_a02848
[NOTE] The file was moved to '4a3eda4f.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\Uninst.exe.bac_a02848
[NOTE] The file was moved to '4a46da4b.qua'!
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\WallCal302_kg-tsrh.exe.bac_a02848
[NOTE] The file was moved to '4a49da3e.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{2112728F-6B92-452B-9C5E-98D9A8C67E9D}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a0eda0f.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{A9479F80-6AEE-4444-9A0A-C45492C3275D}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a16da1f.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{B3DD4FD1-AE95-4EDF-BC0F-353104879720}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a10da20.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{CF2B3476-7684-4BDD-B4E9-6AEBEB1E6FF0}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a23da21.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-03-2009 - 19-59-06\{EA04A93C-F080-4697-933E-BC468D466EF4}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a1eda23.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{00BFC6AD-0A94-4988-9CB5-330A99B32E32}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a0dda0e.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{04A6C297-5260-42A7-B32A-CA511252B017}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a11da0e.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{7747102C-BEF5-4310-B548-C3D966746BF7}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a14da15.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{9BB1A118-7049-49B6-A716-683764C3CD09}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a1fda17.qua'!
C:\Documents and Settings\singhsu1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 04-04-2009 - 18-03-40\{D549EA3E-61E6-41D7-A873-572098F0DBF0}
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a12da22.qua'!
C:\fireburner\tno_fb23.exe
[DETECTION] Is the TR/Spy.Gampass.LP Trojan
[NOTE] The file was moved to '4a4cda4d.qua'!
C:\Shared\Benassi Bros. - Benassi Bros. feat Naan - Feel Alive (Original Extended).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4a4bda44.qua'!
C:\Shared\kanye west - love locked down .mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4a4bda42.qua'!
C:\Shared\love lock down(unplugged version).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4a53da50.qua'!


End of the scan: April 9, 2009 07:20
Used time: 1:00:00 Hour(s)

The scan has been done completely.

9646 Scanned directories
487998 Files were scanned
25 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
34 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
487971 Files not concerned
9640 Archives were scanned
3 Warnings
36 Notes
53600 Objects were scanned with rootkit scan
11 Hidden objects were found
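
As an added example (not from the thread or from Avira), a small Python parser for the report layout above: it pulls out each [DETECTION] with its file, notes which of them actually ended up in a .qua quarantine backup, and lists the hidden objects from the rootkit pass, including the ones the scanner could not back up and the name prefix they share (random-named files and a service with one common prefix, like gaopdx here, are pieces of a single rootkit rather than unrelated finds). The excerpt it runs on is constructed from lines of the report with a made-up hidden-object count.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the layout of the Avira report above: paths and names
# come from the thread, the hidden-object count is made up to fit the excerpt.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
c:\winnt\system32\gaopdxcounter
[INFO] The file is not visible.
[NOTE] A backup was created as '4a4c5e98.qua' ( QUARANTINE )
c:\winnt\system32\drivers\gaopdxjnsrpcqrvsnbmrlimdodppupthkduxbr.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4b3693d9.qua' ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys
[INFO] The registry entry is invisible.
'53600' objects were checked, '3' hidden objects were found.
Starting the file scan:
C:\Documents and Settings\singhsu1\.housecall6.6\Quarantine\trainer.exe.bac_a02848
[1] Archive type: RAR SFX (self extracting)
--> trainer.exe
[DETECTION] Is the TR/Virtl.18802 Trojan
C:\fireburner\tno_fb23.exe
[DETECTION] Is the TR/Spy.Gampass.LP Trojan
C:\Shared\kanye west - love locked down .mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
Beginning disinfection:
C:\fireburner\tno_fb23.exe
[DETECTION] Is the TR/Spy.Gampass.LP Trojan
[NOTE] The file was moved to '4a4cda4d.qua'!
"""

PHASES = {"Starting search for hidden objects": "hidden",
          "Starting the file scan": "scan",
          "Beginning disinfection": "disinfection"}
DETECTION_RE = re.compile(r"^\[DETECTION\].*?\b([A-Z]+/[A-Za-z0-9.\-]+)")
QUARANTINE_RE = re.compile(r"'([0-9a-f]{8}\.qua)'")
HIDDEN_COUNT_RE = re.compile(r"'\d+' objects were checked, '(\d+)' hidden objects")


@dataclass
class Entry:
    path: str
    phase: str                        # "hidden", "scan" or "disinfection"
    name: Optional[str] = None        # Avira detection name, e.g. TR/Vundo.Gen
    kind: str = "file"                # "file" or "registry" (hidden objects)
    quarantine: Optional[str] = None  # .qua backup id, if one was written


def parse_report(text: str) -> Tuple[List[Entry], Optional[int]]:
    """Lines not starting with '[' or '-->' name an object; attribute lines after it belong to it."""
    phase, current, entries, reported_hidden = "header", None, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Begin scan in"):
            continue
        new_phase = next((p for k, p in PHASES.items() if line.startswith(k)), None)
        if new_phase:
            phase, current = new_phase, None
            continue
        m = HIDDEN_COUNT_RE.search(line)
        if m:
            reported_hidden = int(m.group(1))
            continue
        if not line.startswith(("[", "-->")):
            current = line
            if phase == "hidden":
                entries.append(Entry(current, phase))
            continue
        if current is None or phase == "header":
            continue
        q = QUARANTINE_RE.search(line)
        if phase == "hidden":
            if "registry entry is invisible" in line:
                entries[-1].kind = "registry"
            if q:
                entries[-1].quarantine = q.group(1)
        else:
            d = DETECTION_RE.search(line)
            if d:
                entries.append(Entry(current, phase, name=d.group(1)))
            if q:  # a disinfection note also settles the scan-phase finding
                for e in entries:
                    if e.path == current and e.name:
                        e.quarantine = q.group(1)
    return entries, reported_hidden


def summarize(entries: List[Entry], reported_hidden: Optional[int]) -> dict:
    scan = [e for e in entries if e.phase == "scan"]
    hidden = [e for e in entries if e.phase == "hidden"]
    names = [os.path.basename(h.path.replace("\\", "/")).lower() for h in hidden]
    return {
        "found": len(scan),
        "by_name": dict(Counter(e.name for e in scan)),
        "quarantined": sum(1 for e in scan if e.quarantine),
        "hidden_found": len(hidden),
        "hidden_matches_report": reported_hidden == len(hidden),
        "hidden_not_quarantined": [h.path for h in hidden if h.quarantine is None],
        "hidden_name_prefix": os.path.commonprefix(names) if len(names) > 1 else "",
    }
```

Run on the full report above it yields 25 found and 11 hidden objects, matching the report's own counters, with the two entries the ARK library could not back up listed under hidden_not_quarantined.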

#8 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 09 April 2009 - 07:02 AM

Hi,

Just to be sure, can you rescan with Combofix again?

#9 SuB-ZeD (Topic Starter, Members)

Posted 10 April 2009 - 04:34 PM

Hi,

The computer has been acting very odd lately. For one, my sound wouldn't work in anything but iTunes (even after having rebooted several times). The sound thing seems to be fixed now after running ComboFix again. Also, I'm having this problem where if I right-click on anything on my desktop, the computer just freezes and I have to reboot. Not sure if that's fixed yet; I dare not right-click until I post this message lol.

ComboFix log:

ComboFix 09-04-04.01 - singhsu1 2009-04-10 17:19:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.511.203 [GMT -4:00]
Running from: c:\downloads\SoftwareAPPS\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\gaopdxjnsrpcqrvsnbmrlimdodppupthkduxbr.sys
c:\winnt\system32\drivers\gaopdxkomguiqubrqtewnvyvvrdofgyvppjxvi.sys
c:\winnt\system32\drivers\gaopdxprwnnajnteduvgdxpmxuchpwgtlxfvym.sys
c:\winnt\system32\drivers\gaopdxwuwpybburuhrgqumlmlkturquyiwewfr.sys
.
---- Previous Run -------
.
c:\winnt\system32\drivers\gaopdxtbijoenalmkvpabobvctedhmmlrskylq.sys
c:\winnt\system32\gaopdxcounter
c:\winnt\system32\gaopdxgoxubrqowytqnpqohaleurqrqjiyqjik.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 14:20 . 2009-04-10 14:20 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-04-08 22:22 . 2009-04-08 22:22 <DIR> d-------- c:\program files\Avira
2009-04-08 22:22 . 2009-04-08 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-04-08 22:22 . 2009-02-13 11:31 55,640 --a------ c:\winnt\system32\drivers\avgntflt.sys
2009-04-07 19:13 . 2009-04-07 19:13 <DIR> d-------- c:\documents and settings\singhsu1\Application Data\Malwarebytes
2009-04-07 19:11 . 2009-04-07 19:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 19:11 . 2009-04-07 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-07 19:11 . 2009-04-06 15:32 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-07 19:11 . 2009-04-06 15:32 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-04-04 01:25 . 2009-04-04 01:26 664 --a------ c:\winnt\system32\d3d9caps.dat
2009-04-02 19:01 . 2009-04-04 16:26 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-02 19:01 . 2009-04-02 19:01 <DIR> d-------- c:\documents and settings\singhsu1\Application Data\SUPERAntiSpyware.com
2009-04-02 19:01 . 2009-04-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-21 09:34 . 2009-03-21 12:13 <DIR> d-------- c:\program files\Nox
2009-03-20 18:50 . 2009-03-20 18:50 2,048 --a------ c:\winnt\system32\win32xml.TX1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 17:58 --------- d-----w c:\program files\MSN Messenger
2009-04-04 05:08 --------- d-----w c:\documents and settings\singhsu1\Application Data\U3
2009-04-03 22:59 --------- d-----w c:\program files\LimeWire
2009-04-03 22:53 --------- d-----w c:\documents and settings\singhsu1\Application Data\Azureus
2009-04-03 22:40 --------- d-----w c:\program files\Soulseek
2009-04-02 23:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-02 00:13 --------- d-----w c:\program files\Lx_cats
2009-03-15 21:08 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 22:44 --------- d-----w c:\program files\HOTALBUMMyBOX
2009-03-03 01:28 --------- d-----w c:\program files\UFile 2007
2009-02-18 00:45 15,172 ----a-w c:\winnt\system32\drivers\PzWDM.sys
2009-02-18 00:45 --------- d-----w c:\program files\CASIO
2009-02-15 22:11 --------- d-----w c:\program files\iTunes
2009-02-15 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-15 22:10 --------- d-----w c:\program files\iPod
2009-02-15 22:09 --------- d-----w c:\program files\Bonjour
2009-02-15 22:08 --------- d-----w c:\program files\QuickTime
2009-02-15 22:06 --------- d-----w c:\program files\Apple Software Update
2009-02-11 04:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-01-23 01:26 65,312 ----a-w c:\documents and settings\singhsu1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2003-10-03 431272]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-12-15 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-12-15 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TPKBDLED"="c:\winnt\system32\TpScrLk.exe" [2002-10-08 40960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"LXBTCATS"="c:\winnt\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-09-01 237568]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-09-06 86016]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-09-06 745472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\winnt\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-08-24 c:\winnt\system32\TP4EX.exe]
"KeyAccess"="keyacc32.exe" [2005-06-01 c:\winnt\keyacc32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

c:\documents and settings\singhsu1\Start Menu\Programs\Startup\
Wallpaper Calendar.lnk - c:\program files\zepsoft\Wallpaper Calendar\WallCal3.exe [2002-10-19 1227776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-19 24576]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-04-01 83360]
MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2007-06-25 323584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-12-14 811008]
ZDWlan.lnk - c:\program files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe [2007-08-28 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 3600 (0xe10)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 04:08 262144 c:\winnt\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\winnt\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-16 23:23 24576 c:\winnt\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3147950943-2271782263-395470419-44226\Scripts\Logon\0\0]
"Script"=Logon.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\keyacc32.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINNT\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\WINNT\\system32\\dplaysvr.exe"=

R0 EFlashAssist;EFlashAssist;c:\winnt\system32\drivers\EFLASHAS.SYS [2006-01-19 8476]
R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\winnt\system32\drivers\GhMon.sys [2003-10-03 6784]
R0 PzWDM;PzWDM;c:\winnt\system32\drivers\PzWDM.sys [2009-02-17 15172]
R0 Shockprf;Shockprf;c:\winnt\system32\drivers\shockprf.sys [2005-07-14 69632]
R1 ANC;ANC;c:\winnt\system32\drivers\ANC.sys [2005-07-14 11520]
R1 IBMTPCHK;IBMTPCHK;c:\winnt\system32\drivers\IBMBLDID.SYS [2005-07-14 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R1 ShockMgr;ShockMgr;c:\winnt\system32\drivers\ShockMgr.sys [2005-07-14 4736]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2005-07-14 16384]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-08 108289]
R2 KeyAccess;KeyAccess;c:\winnt\keyacc32.exe [2005-06-01 331776]
R2 NGClient;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2003-10-03 431272]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-03 199328]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-03 199328]
S3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;c:\winnt\system32\DRIVERS\AEIWLNDS.sys --> c:\winnt\system32\DRIVERS\AEIWLNDS.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2005-08-02 32512]
S3 QCNDISIF;QCNDISIF;c:\winnt\system32\drivers\qcndisif.sys [2005-07-14 12288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac039-74e4-11db-9c4f-0012f0d33bab}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af267750-62d2-11dc-9d68-0012f0d33bab}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2006-05-04 c:\winnt\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Connection Wizard,ShellNext = hxxp://www.sheridaninstitute.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download All Files by HiDownload - c:\progra~1\HIDOWN~1\HDGetAll.htm
IE: Download by HiDownload - c:\progra~1\HIDOWN~1\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\singhsu1\Application Data\Mozilla\Firefox\Profiles\d1mzet1q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 17:23:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\winnt\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\tphklock.dll
.
Completion time: 2009-04-10 17:26:40
ComboFix-quarantined-files.txt 2009-04-10 21:25:45
ComboFix2.txt 2009-04-08 23:46:41

Pre-Run: 11,549,663,232 bytes free
Post-Run: 11,573,649,408 bytes free

228 --- E O F --- 2009-01-15 08:01:58

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 April 2009 - 04:37 PM

Hi,

Please reboot, then run Combofix once again and post the log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SuB-ZeD
  • Topic Starter
  • Members
  • 49 posts

Posted 10 April 2009 - 05:54 PM

Alright, here's the new log:

ComboFix 09-04-04.01 - singhsu1 2009-04-10 18:37:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.511.205 [GMT -4:00]
Running from: c:\downloads\SoftwareAPPS\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 14:20 . 2009-04-10 14:20 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-04-08 22:22 . 2009-04-08 22:22 <DIR> d-------- c:\program files\Avira
2009-04-08 22:22 . 2009-04-08 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-04-08 22:22 . 2009-02-13 11:31 55,640 --a------ c:\winnt\system32\drivers\avgntflt.sys
2009-04-07 19:13 . 2009-04-07 19:13 <DIR> d-------- c:\documents and settings\singhsu1\Application Data\Malwarebytes
2009-04-07 19:11 . 2009-04-07 19:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 19:11 . 2009-04-07 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-07 19:11 . 2009-04-06 15:32 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-07 19:11 . 2009-04-06 15:32 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-04-04 01:25 . 2009-04-04 01:26 664 --a------ c:\winnt\system32\d3d9caps.dat
2009-04-02 19:01 . 2009-04-04 16:26 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-02 19:01 . 2009-04-02 19:01 <DIR> d-------- c:\documents and settings\singhsu1\Application Data\SUPERAntiSpyware.com
2009-04-02 19:01 . 2009-04-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-21 09:34 . 2009-03-21 12:13 <DIR> d-------- c:\program files\Nox
2009-03-20 18:50 . 2009-03-20 18:50 2,048 --a------ c:\winnt\system32\win32xml.TX1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 17:58 --------- d-----w c:\program files\MSN Messenger
2009-04-04 05:08 --------- d-----w c:\documents and settings\singhsu1\Application Data\U3
2009-04-03 22:59 --------- d-----w c:\program files\LimeWire
2009-04-03 22:53 --------- d-----w c:\documents and settings\singhsu1\Application Data\Azureus
2009-04-03 22:40 --------- d-----w c:\program files\Soulseek
2009-04-02 23:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-02 00:13 --------- d-----w c:\program files\Lx_cats
2009-03-15 21:08 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 22:44 --------- d-----w c:\program files\HOTALBUMMyBOX
2009-03-03 01:28 --------- d-----w c:\program files\UFile 2007
2009-02-18 00:45 15,172 ----a-w c:\winnt\system32\drivers\PzWDM.sys
2009-02-18 00:45 --------- d-----w c:\program files\CASIO
2009-02-15 22:11 --------- d-----w c:\program files\iTunes
2009-02-15 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-15 22:10 --------- d-----w c:\program files\iPod
2009-02-15 22:09 --------- d-----w c:\program files\Bonjour
2009-02-15 22:08 --------- d-----w c:\program files\QuickTime
2009-02-15 22:06 --------- d-----w c:\program files\Apple Software Update
2009-02-11 04:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-01-23 01:26 65,312 ----a-w c:\documents and settings\singhsu1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2003-10-03 431272]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-12-15 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-12-15 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TPKBDLED"="c:\winnt\system32\TpScrLk.exe" [2002-10-08 40960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"LXBTCATS"="c:\winnt\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-09-01 237568]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-09-06 86016]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-09-06 745472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\winnt\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-08-24 c:\winnt\system32\TP4EX.exe]
"KeyAccess"="keyacc32.exe" [2005-06-01 c:\winnt\keyacc32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

c:\documents and settings\singhsu1\Start Menu\Programs\Startup\
Wallpaper Calendar.lnk - c:\program files\zepsoft\Wallpaper Calendar\WallCal3.exe [2002-10-19 1227776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-19 24576]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-02-13 915096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-04-01 83360]
MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2007-06-25 323584]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-12-14 811008]
ZDWlan.lnk - c:\program files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe [2007-08-28 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 3600 (0xe10)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 04:08 262144 c:\winnt\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\winnt\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-16 23:23 24576 c:\winnt\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3147950943-2271782263-395470419-44226\Scripts\Logon\0\0]
"Script"=Logon.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\keyacc32.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINNT\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\WINNT\\system32\\dplaysvr.exe"=

R0 EFlashAssist;EFlashAssist;c:\winnt\system32\drivers\EFLASHAS.SYS [2006-01-19 8476]
R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\winnt\system32\drivers\GhMon.sys [2003-10-03 6784]
R0 PzWDM;PzWDM;c:\winnt\system32\drivers\PzWDM.sys [2009-02-17 15172]
R0 Shockprf;Shockprf;c:\winnt\system32\drivers\shockprf.sys [2005-07-14 69632]
R1 ANC;ANC;c:\winnt\system32\drivers\ANC.sys [2005-07-14 11520]
R1 IBMTPCHK;IBMTPCHK;c:\winnt\system32\drivers\IBMBLDID.SYS [2005-07-14 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R1 ShockMgr;ShockMgr;c:\winnt\system32\drivers\ShockMgr.sys [2005-07-14 4736]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2005-07-14 16384]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-08 108289]
R2 KeyAccess;KeyAccess;c:\winnt\keyacc32.exe [2005-06-01 331776]
R2 NGClient;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2003-10-03 431272]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-03 199328]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\winnt\system32\drivers\ghpcw2k.sys [2003-10-03 199328]
S3 AEIWL;IBM High Rate Wireless LAN MiniPCI Combo Card Driver;c:\winnt\system32\DRIVERS\AEIWLNDS.sys --> c:\winnt\system32\DRIVERS\AEIWLNDS.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2005-08-02 32512]
S3 QCNDISIF;QCNDISIF;c:\winnt\system32\drivers\qcndisif.sys [2005-07-14 12288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac039-74e4-11db-9c4f-0012f0d33bab}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af267750-62d2-11dc-9d68-0012f0d33bab}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2006-05-04 c:\winnt\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://www.sheridaninstitute.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download All Files by HiDownload - c:\progra~1\HIDOWN~1\HDGetAll.htm
IE: Download by HiDownload - c:\progra~1\HIDOWN~1\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\singhsu1\Application Data\Mozilla\Firefox\Profiles\d1mzet1q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 18:41:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\winnt\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\tphklock.dll
.
Completion time: 2009-04-10 18:44:41
ComboFix-quarantined-files.txt 2009-04-10 22:43:58
ComboFix2.txt 2009-04-10 21:26:43
ComboFix3.txt 2009-04-08 23:46:41

Pre-Run: 11,587,043,328 bytes free
Post-Run: 11,571,253,248 bytes free

213 --- E O F --- 2009-01-15 08:01:58

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 April 2009 - 04:19 AM

Hi,

This looks OK again. :thumbup2:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#13 SuB-ZeD
  • Topic Starter
  • Members
  • 49 posts

Posted 13 April 2009 - 05:36 PM

Hi again,

Things are working perfectly as far as I can tell now! Thank you so much for your help! I was afraid I might have had to format.

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 April 2009 - 05:43 PM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain Security Leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 April 2009 - 07:09 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.