Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Pentagon Data Breach Exposes up to 30,000 Travel Records

Featured Deal: Get 97% off The Complete Learn to Code Masterclass Bundle Deal

Virus keeps reappearing after removing

Started by Phyll_durt , Apr 10 2009 07:25 PM

This topic is locked

14 replies to this topic

#1 Phyll_durt

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 10 April 2009 - 07:25 PM

Hi. I recently - within the last week - appealed for help here for a virus problem. Everything seemed to be fine after the help but it is apparently not. Previously I was told to run MalwareBytes to resolve the issue. It found the culprits and removed them and things were well for a short time. But it is back. I no sooner go on the internet and within a few minutes I start getting popups again. I recognize the virus when I run the HJT program. I then update then run MalwareBytes. MalwareBytes removes them, prompts me to reboot to delete one of the files. After reboot I run HJT again and the virus doesn't appear. Within minutes of going online, popups again. I run HJT again, see the virus, run MalwareBytes, it deletes it, reboots, it's gone....then the same thing again. I have went through this several times this evening. Somehow this thing is hiding or replicating or something. The file is always the same. The Run32/XXXXX.dll is always a different name when it is captured. Before I posted any logs, I was wondering if you have any suggestions - or should I post logs again?

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 10 April 2009 - 08:38 PM

Here is an update...I ran HJT again after everything was supposed to be gone - according to MalwareBytes - and it is showing up again in the log. And I didn't even go online. This is really bizzare. I am pasting my most current HJT log with the problem highlighted. Like I said previously, the .dll keeps changing names.

DDS.txt 10KB 5 downloads

***HJT Log***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:47 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
E:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RunDll32.exe
E:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "E:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pyuyenafidac] rundll32.exe "C:\WINDOWS\ubogarobifam.dll",e
(MalwareBytes will catch this and delete it. It tells me it has to reboot to completely remove it. Upon reboot and running HJT again to verify...it comes back again with a different .dll name.)

O4 - HKCU\..\Run: [NVIDIA nTune] E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184716127546
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Unknown owner - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 9648 bytes

Edited by Phyll_durt, 10 April 2009 - 08:45 PM.

#3 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 11 April 2009 - 03:05 AM

Hi,

Can you run malwarebytes again and post the log? Because something doesn't make sense here...From your previous log, the mpmonac.dll (which is the reloader) got deleted already. So it shouldn't come back, unless you got reinfected again (same way how you got infected in the first place, probably launched the same bad file, visited same bad site etc..)

Edited by miekiemoes, 11 April 2009 - 03:07 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 11 April 2009 - 10:55 AM

Ok...Just to summarize the problem...I'll boot up and run an HJT scan. (I haven't gone online yet) The scan is clean at first. I will check my hard drives and other stuff - all without going online yet - and then I'll run an HJT scan again. Everything will continue to be fine. I will continue messing around - trying to find a pattern - all without going online yet. I will then run a HJT scan again (just to see if anything happened yet) and BAM! There is that virus appearing in the scan again. And I haven't even gone online yet. I will then run MalwareBytes to get rid of it. During the MalwareBytes scan my Avira Antivirus will catch a trojan in the Sytem Volume Information file. The name of the trojan is -TR/Drop.Softmat.AN - and Avira will prompt me to quarantine it. (It is in the restore file) The infection in the System Volume Information file is a .dll that keeps changing its name as well. After quarantining it, I continue running MalwareBytes..it catches the virus..deletes them..posts a clean log..I reboot... and then the same stinking thing all over again. (All without going online yet) One thing I tried was going into my System Volume Information file and deleting everything in it. It dosen't matter. There will be a new restore file in the System Volume Information file after reboot and it will contain a new .dll name but the same trojan name. (TR/Drop.Softmat.AN) Like I said before all of this and I haven't even gone online yet. I could send you a whole stack of MalwareBytes logs from lastnight trying to stop this thing. MalwareBytes will catch it and delete it...but it will come back with a new .dll name.

Here is the most recent logs:

***MalwareBytes before reboot***

Malwarebytes' Anti-Malware 1.36
Database version: 1964
Windows 5.1.2600 Service Pack 2

4/11/2009 11:27:38 AM
mbam-log-2009-04-11 (11-27-26).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 181265
Time elapsed: 23 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyuyenafidac (Trojan.Agent) -> No action taken.
(Always the same name here: pyuyenafidac (Trojan.Agent))

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ujogogagimogoyi.dll (Trojan.Agent) -> No action taken.
(NOTICE NEW .dll NAME HERE)

***MalwareBytes log Prompting me to reboot***

Malwarebytes' Anti-Malware 1.36
Database version: 1964
Windows 5.1.2600 Service Pack 2

4/11/2009 11:27:54 AM
mbam-log-2009-04-11 (11-27-54).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 181265
Time elapsed: 23 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyuyenafidac (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ujogogagimogoyi.dll (Trojan.Agent) -> Delete on reboot.

***HJT log after reboot***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:38 AM, on 4/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
E:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "E:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIDIA nTune] E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184716127546
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Unknown owner - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 8717 bytes

#5 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 11 April 2009 - 11:01 AM

While posting the previous reply...a popup came up. I logged out...ran an HJT scan...here is the log from that.
Notice the .dll changed names again. I haven't done anything else.

***HJT log***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:24 AM, on 4/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
E:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "E:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pyuyenafidac] rundll32.exe "C:\WINDOWS\ixebiqobacagayus.dll",e
(Yet another new .dll name)
(I'm about to frag my PC :/)

O4 - HKCU\..\Run: [NVIDIA nTune] E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184716127546
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Unknown owner - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 8744 bytes

#6 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 11 April 2009 - 11:08 AM

Hi,

I know it's there again - it's the mpmonac.dll that reloads it again, but it doesn't make sense since malwarebytes already deleted it previously. Unless a new variant is present there..
From your log I see it's present again, but mbam should detect it - it did in your other thread. Unless it's targetting mbam as well now.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

Edited by miekiemoes, 11 April 2009 - 11:09 AM.

#7 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 11 April 2009 - 06:14 PM

ComboFix Log

ComboFix 09-04-04.01 - Phrog 2009-04-11 19:03:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2814.2235 [GMT -4:00]
Running from: c:\documents and settings\Phrog\Desktop\ComboFix.exe
AV: Avira Premium Security Suite *On-access scanning disabled* (Updated)
FW: Avira Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-09 16:05 . 2009-04-09 16:05 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-04-08 08:51 . 2009-04-08 08:51 <DIR> d-------- c:\program files\Bonjour
2009-04-08 08:02 . 2009-04-08 08:02 <DIR> d-------- c:\program files\iPod
2009-04-08 08:02 . 2009-04-08 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 08:01 . 2009-04-08 08:02 <DIR> d-------- c:\program files\Common Files\Apple
2009-04-08 08:01 . 2009-04-08 08:01 <DIR> d-------- c:\program files\Apple Software Update
2009-04-08 07:21 . 2009-04-08 07:21 <DIR> d-------- c:\documents and settings\Phrog\Application Data\Apple Computer
2009-04-07 15:45 . 2009-04-07 15:45 <DIR> d-------- c:\documents and settings\Phrog\Application Data\Malwarebytes
2009-04-07 15:45 . 2009-04-07 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-07 15:45 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 15:45 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-05 11:07 . 2009-04-07 14:47 <DIR> d-------- c:\documents and settings\Administrator.PHR0G-3F7CE7C45.000
2009-04-01 08:43 . 2009-04-11 18:48 1,366 --a------ c:\windows\Obopuregadagakus.dat
2009-04-01 08:43 . 2009-04-11 18:49 16 --a------ c:\windows\Hgevifemeyudafaw.bin
2009-03-27 14:37 . 2009-03-27 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 18:32 . 2009-03-20 18:32 <DIR> d-------- c:\documents and settings\Phrog\Application Data\Windows Search
2009-03-13 18:51 . 2009-03-13 18:54 <DIR> d-------- c:\windows\NV2880404.TMP
2009-03-13 16:46 . 2009-03-13 17:36 <DIR> d-------- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 13:10 --------- d-----w c:\program files\SpywareDetector
2009-04-05 14:50 --------- d-----w c:\documents and settings\Phrog\Application Data\Desktopicon
2009-04-04 12:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-28 23:18 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-19 20:32 23,400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 22:51 --------- d-----w c:\program files\AGEIA Technologies
2009-03-11 23:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 00:28 --------- d-----w c:\documents and settings\Phrog\Application Data\The Creative Assembly
2009-02-18 18:44 6,308,224 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-11-29 20:37 22,328 ----a-w c:\documents and settings\Phrog\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2009-01-07 1364944]
"avgnt"="e:\program files\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-12 266497]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"VolPanel"="e:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Pyuyenafidac"="c:\windows\ixebiqobacagayus.dll" [2007-03-08 157184]
"nwiz"="nwiz.exe" [2009-02-18 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 c:\windows\system32\Ctxfihlp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-08-07 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
2008-12-01 12:15 475136 c:\program files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mpmonac.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2008-08-05 71592]
R1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [2009-01-12 13696]
R2 AntiVirFirewallService;Avira Premium Security Suite Firewall;e:\program files\Avira\Avira Premium Security Suite\avfwsvc.exe [2008-08-05 344321]
R2 AVEService;Avira Premium Security Suite MailGuard helper service;e:\program files\Avira\Avira Premium Security Suite\avesvc.exe [2008-08-05 41217]
R2 SDService;SDService;c:\program files\SpywareDetector\SDService.exe [2008-07-31 1713616]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2008-08-05 71464]
R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2007-09-30 120960]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2005-07-25 348352]
S3 athena;athena;c:\windows\system32\drivers\athena.sys [2006-01-18 107392]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2005-07-25 43392]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-11-08 79360]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-11-08 96256]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2004-07-30 56576]
S3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [2008-07-31 21888]
S3 SDAntiRtKt;SDAntiRtKt;c:\program files\SpywareDetector\SDAntiRtKt.sys [2008-07-31 11264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-05 c:\windows\Tasks\Crysis Wars® Updates.job
- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2008-10-25 08:24]

2009-04-11 c:\windows\Tasks\User_Feed_Synchronization-{1BF35C0D-7D42-4398-A0DA-086795D423B3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Pyuyenafidac - c:\windows\iboguhim.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 19:07:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:c4,24,83,0e,7e,54,02,7d,35,6b,b0,87,79,4b,4b,22,2b,f1,1e,ea,af,
23,53,12,47,93,0c,6d,a8,da,85,da,5a,d1,42,84,92,e1,26,4e,ed,8a,bd,f1,8f,05,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SpywareDetector\SDNotify.dll

- - - - - - - > 'lsass.exe'(1064)
c:\windows\mpmonac.dll
c:\windows\system32\nvLsp.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Avira\Avira Premium Security Suite\sched.exe
c:\windows\system32\rundll32.exe
e:\program files\Avira\Avira Premium Security Suite\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
e:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
e:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\iPod\bin\iPodService.exe
e:\program files\Avira\Avira Premium Security Suite\avwsc.exe
.
**************************************************************************
.
Completion time: 2009-04-11 19:10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 23:10:29
ComboFix2.txt 2009-04-07 17:31:46

Pre-Run: 16,977,379,328 bytes free
Post-Run: 16,967,815,168 bytes free

190 --- E O F --- 2009-03-13 22:59:54

I ran the HJT scan after everything was done. Below is the log from that.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:34 PM, on 4/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
E:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
E:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "E:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pyuyenafidac] rundll32.exe "C:\WINDOWS\ixebiqobacagayus.dll",e
O4 - HKCU\..\Run: [NVIDIA nTune] E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184716127546
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Unknown owner - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 8982 bytes

#8 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 12 April 2009 - 05:12 AM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\ixebiqobacagayus.dll
c:\windows\Obopuregadagakus.dat
c:\windows\Hgevifemeyudafaw.bin
Collect::[8]
c:\windows\mpmonac.dll
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pyuyenafidac"=-

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#9 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 12 April 2009 - 07:02 AM

Hi again. I inadvertently ran MalwareBytes again after the ComboFix and HJT run. The .dll changed names again. Sorry. Can I just change the name in the first line of the script to the new .dll name or did I screw this up?

#10 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 12 April 2009 - 10:17 AM

Hi,

If you change it or not, malwarebytes deletes it anyway, so it will be a new one again.
Just perform my steps and don't change anything - then we'll see in the new combofixlog what still needs to be removed or not.
So, don't run any other scans in between.

#11 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 12 April 2009 - 03:01 PM

Greetings again. I submitted the file you requested for analysis.

Thanks for your continued help in resolving this.

***ComboFix Log***

ComboFix 09-04-13.04 - Phrog 2009-04-12 15:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2814.2330 [GMT -4:00]
Running from: c:\documents and settings\Phrog\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phrog\Desktop\CFScript.txt
AV: Avira Premium Security Suite *On-access scanning disabled* (Updated)
FW: Avira Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Hgevifemeyudafaw.bin
c:\windows\ixebiqobacagayus.dll
c:\windows\Obopuregadagakus.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Hgevifemeyudafaw.bin
c:\windows\mpmonac.dll
c:\windows\Obopuregadagakus.dat

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-11 01:34 . 2009-04-11 01:34 -------- d-----w c:\documents and settings\Phrog\Local Settings\Application Data\{123D569F-AF26-46DD-94C0-0A4AF5A2A266}
2009-04-09 20:05 . 2009-04-09 20:05 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-04-08 12:51 . 2009-04-08 12:51 -------- d-----w c:\program files\Bonjour
2009-04-08 12:02 . 2009-04-08 12:02 -------- d-----w c:\program files\iPod
2009-04-08 12:02 . 2009-04-08 12:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 12:01 . 2009-04-08 12:01 -------- d-----w c:\documents and settings\Phrog\Local Settings\Application Data\Apple
2009-04-08 12:01 . 2009-04-08 12:01 -------- d-----w c:\program files\Apple Software Update
2009-04-08 12:01 . 2009-04-08 12:02 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 11:21 . 2009-04-08 11:21 -------- d-----w c:\documents and settings\Phrog\Application Data\Apple Computer
2009-04-07 19:45 . 2009-04-07 19:45 -------- d-----w c:\documents and settings\Phrog\Application Data\Malwarebytes
2009-04-07 19:45 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-07 19:45 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 19:45 . 2009-04-07 19:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 18:42 . 2009-04-05 18:42 -------- d-----w c:\documents and settings\Administrator.PHR0G-3F7CE7C45.000\Local Settings\Application Data\{E8839C00-FEEB-4F19-88D7-C35624E30515}
2009-03-27 18:37 . 2009-03-27 18:37 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-24 01:04 . 2009-04-05 01:04 214832 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-20 22:32 . 2009-03-20 22:32 -------- d-----w c:\documents and settings\Phrog\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 13:10 . 2007-07-23 14:59 -------- d-----w c:\program files\SpywareDetector
2009-04-06 00:16 . 2009-04-05 14:51 2908 ----a-w C:\aaw7boot.log
2009-04-05 18:46 . 2007-10-01 16:25 4942742 --sha-r C:\SDSignature.txt
2009-04-05 18:44 . 2008-12-11 01:38 6691277 --sh--r C:\SDVirus.txt
2009-04-05 18:44 . 2008-03-20 00:00 2867966 --sha-r C:\ExecSignature.txt
2009-04-05 14:50 . 2008-11-25 16:01 -------- d-----w c:\documents and settings\Phrog\Application Data\Desktopicon
2009-04-04 12:46 . 2007-07-18 23:12 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-28 23:18 . 2008-10-27 00:25 139280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 23:18 . 2008-10-27 00:25 202000 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-22 12:50 . 2007-07-17 21:14 86888 ----a-w c:\documents and settings\Phrog\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 22:51 . 2007-09-30 19:17 -------- d-----w c:\program files\AGEIA Technologies
2009-03-11 23:14 . 2008-06-19 21:16 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 00:28 . 2009-03-09 00:28 -------- d-----w c:\documents and settings\Phrog\Application Data\The Creative Assembly
2009-02-17 03:17 . 2007-07-17 21:01 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-22 15:29 . 2008-08-01 02:25 1060864 ----a-w c:\windows\system32\CheckDll.dll
2009-01-16 22:24 . 2009-01-16 22:24 70936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-11-29 20:37 . 2007-11-06 20:15 22328 ----a-w c:\documents and settings\Phrog\Application Data\PnkBstrK.sys
2008-06-20 21:23 . 2008-06-20 21:23 128 ----a-w c:\documents and settings\Phrog\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2009-01-07 1364944]
"avgnt"="e:\program files\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-12 266497]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"VolPanel"="e:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" [2009-02-18 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-07-11 c:\windows\system32\Ctxfihlp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-08-07 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
2008-12-01 12:15 475136 c:\program files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2005-07-25 348352]
R3 athena;athena;c:\windows\system32\DRIVERS\athena.sys [2006-01-18 107392]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-07-25 43392]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-11-08 79360]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2001-08-17 96256]
R3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2004-07-30 56576]
R3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [2008-12-10 21888]
R3 SDAntiRtKt;SDAntiRtKt;c:\program files\SpywareDetector\SDAntiRtKt.sys [2008-07-15 11264]
S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2008-05-07 71592]
S1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [2009-01-05 13696]
S2 AntiVirFirewallService;Avira Premium Security Suite Firewall;e:\program files\Avira\Avira Premium Security Suite\avfwsvc.exe [2008-05-16 344321]
S2 AVEService;Avira Premium Security Suite MailGuard helper service;e:\program files\Avira\Avira Premium Security Suite\avesvc.exe [2008-05-09 41217]
S2 SDService;SDService;c:\program files\SpywareDetector\SDService.exe [2009-01-08 1713616]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2008-05-07 71464]
S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2008-04-28 120960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-05 c:\windows\Tasks\Crysis Wars® Updates.job
- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2008-10-25 08:24]

2009-04-13 c:\windows\Tasks\User_Feed_Synchronization-{1BF35C0D-7D42-4398-A0DA-086795D423B3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 15:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:c4,24,83,0e,7e,54,02,7d,35,6b,b0,87,79,4b,4b,22,2b,f1,1e,ea,af,
23,53,12,47,93,0c,6d,a8,da,85,da,5a,d1,42,84,92,e1,26,4e,ed,8a,bd,f1,8f,05,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SpywareDetector\SDNotify.dll

- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Avira\Avira Premium Security Suite\sched.exe
e:\program files\Avira\Avira Premium Security Suite\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
e:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
e:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\windows\system32\rundll32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 19:51
ComboFix2.txt 2009-04-11 23:10
ComboFix3.txt 2009-04-07 17:31

Pre-Run: 16,939,323,392 bytes free
Post-Run: 16,925,810,688 bytes free

209 --- E O F --- 2009-03-13 22:59

****NOTE****

I just wanted to say that the only thing I did different from the last time we thought this was resolved was log onto FaceBook. It seems that after that login event the problem came back. I could be wrong but it is the only thing I can think of. Thanks again.

#12 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 13 April 2009 - 02:00 AM

Hi,

Well, the problem is resolved again and the loader was deleted. Please give it a day or so and watch carefully what you are doing, because if you get reinfected, it's not because there was a leftover present, but because one of the sites you visited loads the infection (for example via an exploit present)
This may indeed happen on facebook , for example when one of your friends account got compromised and load an infected script on their wall, for example linked to a video while it's not a video.

In anyway, please update your Windows to SP3 as well.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 Phyll_durt

Topic Starter

Members
14 posts
OFFLINE

Local time:11:16 AM

Posted 13 April 2009 - 06:42 AM

OK. Thankyou friend :thumbup2:

#14 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 13 April 2009 - 06:58 AM

You're most welcome :thumbup2:

#15 miekiemoes

Malware Killer Dog

Malware Response Team
19,420 posts
OFFLINE

Gender:Female
Location:Belgium
Local time:05:16 PM

Posted 16 April 2009 - 07:09 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.