Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

trojan horse dowloader agent2.bhk/xpshield


  • This topic is locked This topic is locked
18 replies to this topic

#1 mymaus1

mymaus1

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 21 April 2009 - 05:24 PM

Last night I received the following error message before I shut down:

sysguard: tracking process found

malicious code found at "ox17DA839A" address sata interception cannot be stopped.

This morning when I turned on my XP sp3 system I received an error:

services.exe has stopped working. Click OK to fix this problem.

When I click OK it opens Firefox (my default browser) and goes to a site wanting me to install XPshield.

Also, I immediately received a note from AVG virus software that I had the following infections:

sysnotifier
zilabivi.dll
nelozeyu.dll

I am using IE to access this forum (I usually use foxfire for browsing). Another thing that I am noticing is that IE and google toolbar are not blocking any pop ups like they used to. I am now getting a lot of them.

I went to your site and folowed your directions to backup and run dds. I have attached the attach.txt and the dds.txt is shown below.

Thanks for any help!!!!



DDS (Ver_09-03-16.01) - NTFSx86
Run by Tom at 18:05:39.40 on Tue 04/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2198 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc504.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=42384469&da=0
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {68cdc921-df6b-4acd-b74e-c0e486ee468f} - c:\windows\system32\bugudesi.dll
BHO: {74fa5d99-38cd-4e3e-b765-54fad4bda166} - c:\documents and settings\tom\application data\identities\udpurn.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\simple~1\photos~1\data\xtras\mssysmgr.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Katie's EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S53.tmp" /EF "HKCU"
uRun: [EPSON Stylus Photo R1800] c:\windows\system32\spool\drivers\w32x86\3\e_fati9la.exe /fu "c:\windows\temp\E_S1B6.tmp" /EF "HKCU"
uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [EssSpkPhone] essspk.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [DNS7reminder] "c:\program files\scansoft\naturallyspeaking8\program\ereg.exe" -r "c:\program files\scansoft\naturallyspeaking8\program\ereg.ini"
mRun: [CPM1f0e4195] Rundll32.exe "c:\windows\system32\memibubu.dll",a
mRun: [bajetijesu] Rundll32.exe "c:\windows\system32\pisefire.dll",s
mRun: [1c3d7209] rundll32.exe "c:\windows\system32\bidifetu.dll",b
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\autoba~1.lnk - c:\program files\memeo\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\dragon~1.lnk - c:\program files\scansoft\naturallyspeaking8\program\natspeak.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\tadpole.lnk - c:\docume~1\tom\applic~1\microsoft\installer\{eb4f95b1-8a54-436e-abea-2fa48befff2a}\_97D2975C00146ED2FEA919.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.smugmug.com/photos/activex/ImageUploader5.cab
DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198470667625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://www.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
Notify: udpurn - c:\documents and settings\tom\application data\identities\udpurn.dll
AppInit_DLLs: c:\windows\system32\memibubu.dll,c:\windows\system32\yatehaje.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\memibubu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\memibubu.dll
LSA: Notification Packages = scecli mpsald32.dll c:\windows\system32\yatehaje.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\owb6hbj2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://us.mc360.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=1519649135&da=0
FF - plugin: c:\documents and settings\tom\application data\mozilla\firefox\profiles\owb6hbj2.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-4 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-4 27656]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-1-8 14592]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-23 353672]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-3-28 47640]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-12-10 88576]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2008-12-15 185640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-04-21 12:04 1,399,323 ---sh--- c:\windows\system32\utefidib.ini
2009-04-21 00:05 5,495 ---sh--- c:\windows\system32\dugewupu.dll
2009-04-21 00:04 5,495 ---sh--- c:\windows\system32\kudegovu.exe
2009-04-20 14:12 <DIR> --d----- C:\IR2
2009-04-20 13:51 821 a------- C:\irlocks.out
2009-04-19 21:35 <DIR> --d----- c:\program files\Zards software
2009-04-14 15:05 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 15:05 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 15:05 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 15:05 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 15:05 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 15:05 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 15:05 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 15:05 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 15:05 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 15:04 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 15:04 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 15:04 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-10 00:00 <DIR> --d----- c:\program files\MP3 Converter
2009-03-29 14:11 0 a------- c:\windows\plclient.INI
2009-03-29 14:11 <DIR> --d----- c:\program files\common files\Scansoft Shared
2009-03-29 14:09 <DIR> --d----- c:\program files\ScanSoft
2009-03-29 14:09 <DIR> --d----- c:\windows\speech
2009-03-29 00:17 <DIR> --d----- c:\program files\AskBarDis
2009-03-26 00:59 <DIR> --d----- c:\docume~1\tom\applic~1\Advanced Audio Recorder
2009-03-26 00:58 <DIR> --d----- c:\program files\Advanced Audio Recorder
2009-03-25 22:58 <DIR> --d----- c:\program files\Auction Inquisitor
2009-03-25 22:06 <DIR> --d----- c:\program files\Elite Minds

==================== Find3M ====================

2009-04-21 12:04 50,688 a--sh--- c:\windows\system32\ratijipe.dll
2009-04-21 12:03 80,896 a--sh--- c:\windows\system32\bidifetu.dll
2009-04-21 12:03 88,576 a--sh--- c:\windows\system32\memibubu.dll
2009-04-21 12:03 46,592 a--sh--- c:\windows\system32\zigehuze.exe
2009-04-21 00:03 354,842 a--sh--- c:\windows\system32\motopoki.exe
2009-03-29 00:17 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-10 18:32 66,360 a------- c:\documents and settings\tom\g2ax_customer_downloadhelper_win32_x86.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-16 00:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-01 15:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-30 01:37 195,204 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-01-27 15:52 53,248 a------- c:\windows\system32\dnssd.dll
2009-01-16 20:16 87,608 a------- c:\docume~1\tom\applic~1\inst.exe
2009-01-16 20:16 47,360 a------- c:\docume~1\tom\applic~1\pcouffin.sys
2008-05-13 10:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 18:06:02.60 ===============

Attached Files


Edited by mymaus1, 21 April 2009 - 06:57 PM.


BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:04:38 AM

Posted 04 May 2009 - 11:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 12:25 PM

Thank you very much for responding!!

Please read my original post above for what happend at the beggining. After my post I did nothing to my computer. In fact, I left it on for fear that a reboot would screw things up even more. The only thing I had running was IE connected to your web site. As I refreshed to see if my question was answered yet, I got many pop ups. Many were what I assume were fake system messages like "Your computer might be at risk. Latest software update not installed. Internal system erroes are found. System appears to hang. Click OK to fix this problem." If course I didn't click OK. In fact these messages wer still up until I rebooted this morning.

AVG 8.0 kept running daily scans automatically and between that and the AVG resident preogram, it dedected and said it moved to the vault MANY viruses. I just reviewed yesterday's scan and variations of the following virus came up many times:

Trojan Horse Generic12.xxxx (where xxxx was different combinations of letters)

The scan also said udpurn.dll was infected "Potentially harmful Fake_AntiSpyware.BYT

I did reboot this just now before I ran DDS again. The DDS file is below and the attach file is attached.

After I rebooted Zone Alarm gave me the following message:

Firewall blocked Internet access to 207.46.197.32 (UDP Port 123) from your computer. Program: Generic Host Process for Win32 Services.

Since my last post Zone Alarm warned me MANY times that various programs (e.g. haseneza.exe, dirasawu.exe, bejuyurie.exe etc.) were trying to access the internet. I denied them all.

A related question.... Zone Alarm also said that gtbxx.tmp.exe (where xx is number) was trying to access the internet. My other computers also had this message pop up. I did a little research. Is this a valid program from Google Toolbar or should I keep denying it?

I will be monitoring this thread constantly from 9:30am - 11:30pm Eastern Time. I am hoping to get this resolved ASAP so I will do whatever you tell me almost immediately. My life has not been the same without access to my main computer. THANKS IN ADVANCE FOR ANY HELP!!!!!

Tom

Here is the DDS.TXT file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Tom at 12:41:35.95 on Tue 05/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2474 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc504.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=42384469&da=0
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {68cdc921-df6b-4acd-b74e-c0e486ee468f} - c:\windows\system32\vigutovi.dll
BHO: {74fa5d99-38cd-4e3e-b765-54fad4bda166} - c:\documents and settings\tom\application data\identities\udpurn.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\simple~1\photos~1\data\xtras\mssysmgr.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Katie's EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S53.tmp" /EF "HKCU"
uRun: [EPSON Stylus Photo R1800] c:\windows\system32\spool\drivers\w32x86\3\e_fati9la.exe /fu "c:\windows\temp\E_S1B6.tmp" /EF "HKCU"
uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [EssSpkPhone] essspk.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [DNS7reminder] "c:\program files\scansoft\naturallyspeaking8\program\ereg.exe" -r "c:\program files\scansoft\naturallyspeaking8\program\ereg.ini"
mRun: [bajetijesu] Rundll32.exe "c:\windows\system32\tivuyeto.dll",s
mRun: [CPM1f0e4195] Rundll32.exe "c:\windows\system32\lunawetu.dll",a
mRun: [1c3d7209] rundll32.exe "c:\windows\system32\tohomove.dll",b
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\autoba~1.lnk - c:\program files\memeo\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\dragon~1.lnk - c:\program files\scansoft\naturallyspeaking8\program\natspeak.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\tadpole.lnk - c:\docume~1\tom\applic~1\microsoft\installer\{eb4f95b1-8a54-436e-abea-2fa48befff2a}\_97D2975C00146ED2FEA919.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.smugmug.com/photos/activex/ImageUploader5.cab
DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198470667625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://www.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
Notify: udpurn - c:\documents and settings\tom\application data\identities\udpurn.dll
AppInit_DLLs: c:\windows\system32\yafenufa.dll c:\windows\system32\fotifufu.dll c:\windows\system32\lunawetu.dll c:\windows\system32\dakaveja.dll c:\windows\system32\tukatiza.dll c:\windows\system32\kitamiwe.dll c:\windows\system32\tofuvugo.dll c:\windows\system32\murewozi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\murewozi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lunawetu.dll
LSA: Notification Packages = scecli mpsald32.dll c:\windows\system32\fotifufu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\owb6hbj2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://us.mc360.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=1519649135&da=0
FF - plugin: c:\documents and settings\tom\application data\mozilla\firefox\profiles\owb6hbj2.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-4 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-4 27656]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-1-8 14592]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-23 353672]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-3-28 47640]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-12-10 88576]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2008-12-15 185640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-05-05 12:06 1,437,001 ---sh--- c:\windows\system32\evomohot.ini
2009-05-05 00:06 1,437,001 ---sh--- c:\windows\system32\asepukan.ini
2009-05-04 12:06 1,437,001 ---sh--- c:\windows\system32\uvazafip.ini
2009-05-04 00:06 1,437,001 ---sh--- c:\windows\system32\uvafasin.ini
2009-05-03 00:05 1,437,001 ---sh--- c:\windows\system32\idefitun.ini
2009-05-02 00:05 1,437,001 ---sh--- c:\windows\system32\elomejig.ini
2009-05-01 12:05 1,437,001 ---sh--- c:\windows\system32\owizulek.ini
2009-05-01 00:05 1,437,001 ---sh--- c:\windows\system32\amelurab.ini
2009-04-30 12:05 1,437,001 ---sh--- c:\windows\system32\avawigos.ini
2009-04-30 00:07 1,437,001 ---sh--- c:\windows\system32\ajiyuber.ini
2009-04-29 12:05 1,437,001 ---sh--- c:\windows\system32\ozinenud.ini
2009-04-29 00:05 1,437,001 ---sh--- c:\windows\system32\otamoyom.ini
2009-04-28 12:05 1,437,001 ---sh--- c:\windows\system32\udagabon.ini
2009-04-28 00:05 1,430,458 ---sh--- c:\windows\system32\obevupel.ini
2009-04-27 12:05 1,430,458 ---sh--- c:\windows\system32\awolefog.ini
2009-04-27 00:05 1,409,679 ---sh--- c:\windows\system32\afopegon.ini
2009-04-26 12:06 1,409,679 ---sh--- c:\windows\system32\idufurif.ini
2009-04-26 12:06 80,384 -------- c:\windows\system32\firufudi.dll
2009-04-26 00:04 1,409,679 ---sh--- c:\windows\system32\esugeseg.ini
2009-04-25 12:05 5,498 ---sh--- c:\windows\system32\komafubi.dll
2009-04-25 12:05 5,498 ---sh--- c:\windows\system32\favogeta.dll
2009-04-25 00:04 1,409,679 ---sh--- c:\windows\system32\ekonezem.ini
2009-04-24 12:04 1,409,399 ---sh--- c:\windows\system32\usigiweh.ini
2009-04-24 00:04 1,409,322 ---sh--- c:\windows\system32\agajowut.ini
2009-04-23 12:04 1,409,322 ---sh--- c:\windows\system32\oposimat.ini
2009-04-23 00:04 1,408,586 ---sh--- c:\windows\system32\afutuvos.ini
2009-04-22 12:04 1,408,586 ---sh--- c:\windows\system32\ajikofij.ini
2009-04-22 00:04 1,399,336 ---sh--- c:\windows\system32\unuzuzuy.ini
2009-04-21 12:04 1,399,323 ---sh--- c:\windows\system32\utefidib.ini
2009-04-21 00:05 5,495 ---sh--- c:\windows\system32\dugewupu.dll
2009-04-21 00:04 5,495 ---sh--- c:\windows\system32\kudegovu.exe
2009-04-20 14:12 <DIR> --d----- C:\IR2
2009-04-20 13:51 821 a------- C:\irlocks.out
2009-04-19 21:35 <DIR> --d----- c:\program files\Zards software
2009-04-14 15:05 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 15:05 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 15:05 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 15:05 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 15:05 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 15:05 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 15:05 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 15:05 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 15:05 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 15:04 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 15:04 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 15:04 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-10 00:00 <DIR> --d----- c:\program files\MP3 Converter

==================== Find3M ====================

2009-05-05 12:06 81,408 a--sh--- c:\windows\system32\tohomove.dll
2009-05-04 00:06 80,896 -------- c:\windows\system32\nisafavu.dll
2009-05-03 00:05 47,104 a--sh--- c:\windows\system32\lekuladi.exe
2009-05-03 00:05 80,896 -------- c:\windows\system32\nutifedi.dll
2009-05-02 12:05 47,104 a--sh--- c:\windows\system32\zohoduna.exe
2009-05-02 00:05 80,384 -------- c:\windows\system32\gijemole.dll
2009-05-01 12:05 80,896 -------- c:\windows\system32\keluziwo.dll
2009-05-01 00:05 47,104 a--sh--- c:\windows\system32\kogafosi.exe
2009-05-01 00:05 81,408 -------- c:\windows\system32\barulema.dll
2009-04-30 12:06 50,176 a--sh--- c:\windows\system32\najiyiso.dll
2009-04-30 12:05 81,920 -------- c:\windows\system32\sogiwava.dll
2009-04-30 12:05 47,104 a--sh--- c:\windows\system32\yolowepi.exe
2009-04-30 00:07 88,576 a--sh--- c:\windows\system32\feteleta.dll
2009-04-29 12:05 89,088 a--sh--- c:\windows\system32\wikuwefe.dll
2009-04-29 00:05 88,576 a--sh--- c:\windows\system32\siwusego.dll
2009-04-28 12:05 89,088 a--sh--- c:\windows\system32\mabatofe.dll
2009-04-28 00:05 88,064 a--sh--- c:\windows\system32\jamehuso.dll
2009-04-27 12:05 88,064 a--sh--- c:\windows\system32\tukatiza.dll
2009-04-27 00:05 89,088 a--sh--- c:\windows\system32\pozureka.dll
2009-04-26 12:05 88,576 a--sh--- c:\windows\system32\kitamiwe.dll
2009-04-26 00:04 88,576 a--sh--- c:\windows\system32\huvizuba.dll
2009-04-25 00:04 88,576 a--sh--- c:\windows\system32\tofuvugo.dll
2009-04-24 00:04 89,600 a--sh--- c:\windows\system32\lunawetu.dll
2009-04-23 12:04 89,088 a--sh--- c:\windows\system32\gisufevu.dll
2009-04-22 12:04 88,576 a--sh--- c:\windows\system32\rilihezo.dll
2009-04-22 00:04 88,576 a--sh--- c:\windows\system32\murewozi.dll
2009-04-21 12:04 50,688 a--sh--- c:\windows\system32\ratijipe.dll
2009-03-29 00:17 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-10 18:32 66,360 a------- c:\documents and settings\tom\g2ax_customer_downloadhelper_win32_x86.exe
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-16 00:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-05 12:06 89,600 a--sh--- c:\windows\system32\ruvubene.dll
2009-02-05 00:06 89,600 a--sh--- c:\windows\system32\tazihidu.dll
2009-01-16 20:16 87,608 a------- c:\docume~1\tom\applic~1\inst.exe
2009-01-16 20:16 47,360 a------- c:\docume~1\tom\applic~1\pcouffin.sys
2009-01-30 12:06 50,176 a--sh--- c:\windows\system32\fotifufu.dll
2009-01-30 12:06 50,176 a--sh--- c:\windows\system32\tivuyeto.dll
2009-01-30 12:06 50,176 a--sh--- c:\windows\system32\vigutovi.dll
2008-05-13 10:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 12:42:03.25 ===============

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:38 AM

Posted 05 May 2009 - 12:47 PM

Hi mymaus1,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Click here to download HijackThis Installer.
    • Save HJTInstall.exe to your Desktop.
    • Double click on the HJTInstall.exe icon to start the installation.
    • When a window pops up asking you the directory to install the program please accept the proposed default directory.
    • The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.
    • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.


#5 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 01:25 PM

I did what you requested. Should I leave the HijackThis results window open? I have done nothing with that window.

FYI - during this time Free AVG 8.0 real time monitor detected the Trojan Horse Generic virus in tazihidu.dll and ruvubene.dll. Also, I'm still getting popups from IE.

Thanks for your quick response!!!!!

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.36
Database version: 2078
Windows 5.1.2600 Service Pack 3

5/5/2009 2:08:26 PM
mbam-log-2009-05-05 (14-08-26).txt

Scan type: Quick Scan
Objects scanned: 97675
Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 10
Registry Values Infected: 6
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tohomove.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tivuyeto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vigutovi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fotifufu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\tofuvugo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lunawetu.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68cdc921-df6b-4acd-b74e-c0e486ee468f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{68cdc921-df6b-4acd-b74e-c0e486ee468f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{68cdc921-df6b-4acd-b74e-c0e486ee468f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{74fa5d99-38cd-4e3e-b765-54fad4bda166} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{74fa5d99-38cd-4e3e-b765-54fad4bda166} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74fa5d99-38cd-4e3e-b765-54fad4bda166} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c3d7209 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bajetijesu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f0e4195 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fotifufu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fotifufu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tofuvugo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\lunawetu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\barulema.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amelurab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\firufudi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idufurif.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gijemole.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\elomejig.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\keluziwo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owizulek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nisafavu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uvafasin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nutifedi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idefitun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sogiwava.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avawigos.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tohomove.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\evomohot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tivuyeto.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\tofuvugo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vigutovi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fotifufu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lunawetu.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\najiyiso.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tukatiza.dll (Trojan.Agent) -> Delete on reboot.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:40 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc504.mail.yahoo.com/mc/showFold...384469&da=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [CPM1f0e4195] Rundll32.exe "c:\windows\system32\murewozi.dll",a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Katie's EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S53.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1B6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-19\..\Run: [bajetijesu] Rundll32.exe "C:\WINDOWS\system32\tivuyeto.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bajetijesu] Rundll32.exe "C:\WINDOWS\system32\tivuyeto.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Startup: Tadpole.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.smugmug.com/photos/activex/ImageUploader5.cab
O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198470667625
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.smugmug.com/photos/activex/Imag...30.0-080212.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\windows\system32\yafenufa.dll c:\windows\system32\dakaveja.dll c:\windows\system32\tukatiza.dll c:\windows\system32\kitamiwe.dll c:\windows\system32\murewozi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: udpurn - C:\Documents and Settings\Tom\Application Data\Identities\udpurn.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\murewozi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\murewozi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13809 bytes

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:38 AM

Posted 05 May 2009 - 01:42 PM

Well done. :thumbup2:

You may close any open window after fixes.
MBAM got most of them but we have to finish them off.
  • Open your Malwarebytes' Anti-Malware, run a "quick scan" once more, let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The log of MBAM.
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#7 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 02:50 PM

I'm running combofix on the infected computer (I'm posting this from a different computer) and zone alarm pops up with: tcp/ip ping command is trying to access trusted zone. Should I allow this? Should I have run combofix with zone alarm turned off? I'm waiting for your reply before I allow access to let it finish.
Thanks,
Tom

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:38 AM

Posted 05 May 2009 - 03:00 PM

No problem with ZA on but allow any changes ComboFix makes. Combofix needs connection to download the Recovery Console and to check the update status, then it disconnects the internet and reconnect it after it finished.

#9 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 03:29 PM

I did everything you said.
FYI - during MBAM run AVG dected Generic13.AIGH.

Also, I thought I had turned off AVG by right clicking systray icon and selecting exit. Combofix still detected it running. I went to your web site and found that I needed to do more to turn off AVG. I did that and then continued to run combofix, but, this made me thing that AVG wasn't turned off correctly when I first ran DDS. Does that matter?

I also notice that windows automatic updates got turned off somewhere in the process. Is that normal?

After combofix rebooted it instructed me to not run any programs while it finished. There were a couple of minor programs that I have automatically run at start. They ran while combofix was giving me this message. Will that matter?

Before I opened IE to post this reply, I restarted AVG. Is that OK? Also, the HijackThis dialog is still open.

Thanks, Tom

Here are the results:

First MBAM:
Malwarebytes' Anti-Malware 1.36
Database version: 2078
Windows 5.1.2600 Service Pack 3

5/5/2009 3:14:53 PM
mbam-log-2009-05-05 (15-14-53).txt

Scan type: Quick Scan
Objects scanned: 97107
Time elapsed: 8 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\murewozi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f0e4195 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\murewozi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\kitamiwe.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\murewozi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kitamiwe.dll (Trojan.BHO) -> Delete on reboot.

Now combofix:
ComboFix 09-05-05.02 - Tom 05/05/2009 16:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2609 [GMT -4:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Tom\Application Data\inst.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\afopegon.ini
c:\windows\system32\afutuvos.ini
c:\windows\system32\agajowut.ini
c:\windows\system32\ajikofij.ini
c:\windows\system32\ajiyuber.ini
c:\windows\system32\asepukan.ini
c:\windows\system32\awolefog.ini
c:\windows\system32\ekonezem.ini
c:\windows\system32\esugeseg.ini
c:\windows\system32\feteleta.dll
c:\windows\system32\gisufevu.dll
c:\windows\system32\huvizuba.dll
c:\windows\system32\jamehuso.dll
c:\windows\system32\kogafosi.exe
c:\windows\system32\lekuladi.exe
c:\windows\system32\mabatofe.dll
c:\windows\system32\obevupel.ini
c:\windows\system32\oposimat.ini
c:\windows\system32\otamoyom.ini
c:\windows\system32\ozinenud.ini
c:\windows\system32\pozureka.dll
c:\windows\system32\ratijipe.dll
c:\windows\system32\rilihezo.dll
c:\windows\system32\ruvubene.dll
c:\windows\system32\siwusego.dll
c:\windows\system32\tazihidu.dll
c:\windows\system32\udagabon.ini
c:\windows\system32\unuzuzuy.ini
c:\windows\system32\usigiweh.ini
c:\windows\system32\utefidib.ini
c:\windows\system32\uvazafip.ini
c:\windows\system32\wikuwefe.dll
c:\windows\system32\yolowepi.exe
c:\windows\system32\zohoduna.exe

----- BITS: Possible infected sites -----

hxxp://83.149.105.228
hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 18:16 . 2009-05-05 18:16 -------- d-----w c:\program files\Trend Micro
2009-05-05 17:58 . 2009-05-05 17:58 -------- d-----w c:\documents and settings\Tom\Application Data\Malwarebytes
2009-05-05 17:58 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 17:58 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 17:58 . 2009-05-05 17:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-05 17:58 . 2009-05-05 17:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 16:05 . 2009-04-25 16:05 5498 --sh--w c:\windows\system32\komafubi.dll
2009-04-25 16:05 . 2009-04-25 16:05 5498 --sh--w c:\windows\system32\favogeta.dll
2009-04-21 04:05 . 2009-04-21 04:05 5495 --sh--w c:\windows\system32\dugewupu.dll
2009-04-21 04:04 . 2009-04-21 04:04 5495 --sh--w c:\windows\system32\kudegovu.exe
2009-04-20 18:12 . 2009-04-20 18:12 -------- d-----w C:\IR2
2009-04-20 01:35 . 2009-04-20 01:35 -------- d-----w c:\program files\Zards software
2009-04-14 19:05 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:05 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:05 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 19:05 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:05 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:05 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:05 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 19:05 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 19:04 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 04:00 . 2009-04-10 04:00 -------- d-----w c:\program files\MP3 Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 18:12 . 2009-01-01 03:33 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-05 16:26 . 2008-12-30 14:16 4572093 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-05-05 16:18 . 2008-03-28 23:44 -------- d-----w c:\program files\LogMeIn
2009-04-10 23:37 . 2009-04-10 23:38 1803264 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-04-10 16:15 . 2009-04-10 16:16 1802752 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-10 15:25 . 2009-04-10 15:45 1802240 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-05 20:49 . 2009-04-05 21:46 1789440 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-05 20:10 . 2009-04-05 20:11 1788928 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-29 18:11 . 2009-03-29 18:11 -------- d-----w c:\program files\Common Files\Scansoft Shared
2009-03-29 18:11 . 2007-01-02 03:51 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-29 18:09 . 2009-03-29 18:09 -------- d-----w c:\program files\ScanSoft
2009-03-29 04:17 . 2009-03-29 04:17 -------- d-----w c:\program files\AskBarDis
2009-03-29 04:17 . 2008-07-04 16:22 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-27 17:11 . 2009-03-26 02:58 -------- d-----w c:\program files\Auction Inquisitor
2009-03-26 04:58 . 2009-03-26 04:58 -------- d-----w c:\program files\Advanced Audio Recorder
2009-03-26 02:06 . 2007-12-23 09:14 46976 ----a-w c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 02:06 . 2009-03-26 02:06 -------- d-----w c:\program files\Elite Minds
2009-03-26 00:39 . 2007-01-02 03:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 04:03 . 2009-03-19 04:03 -------- d-----w c:\program files\Common Files\Bcgsoft
2009-03-19 04:01 . 2009-03-19 04:01 -------- d-----w c:\program files\PearlMountain Soft
2009-03-16 04:15 . 2009-03-16 04:15 -------- d-----w c:\program files\Bonjour
2009-03-16 04:15 . 2009-01-14 06:26 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-03-14 12:50 . 2009-03-14 12:50 141225 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_14_08_50_06_small.dmp.zip
2009-03-10 22:53 . 2009-03-10 22:32 -------- d-----w c:\program files\Citrix
2009-03-10 22:32 . 2009-03-10 22:32 66360 ----a-w c:\documents and settings\Tom\g2ax_customer_downloadhelper_win32_x86.exe
2009-03-08 05:10 . 2009-03-08 05:10 142303 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_08_00_10_23_small.dmp.zip
2009-03-07 12:20 . 2009-03-07 12:20 20089936 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_07_07_20_16_full.dmp.zip
2009-03-07 01:23 . 2009-03-07 01:22 -------- d-----w c:\program files\Driver Magician
2009-03-06 14:22 . 2004-08-04 04:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:59 . 2009-03-05 18:59 143622 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_05_13_59_10_small.dmp.zip
2009-03-05 00:31 . 2009-03-05 00:31 142216 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_04_19_31_11_small.dmp.zip
2009-03-04 04:22 . 2008-12-29 00:43 140 ----a-w c:\windows\system32\09wutili.sys
2009-03-03 00:18 . 2004-08-04 04:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 00:46 . 2009-03-02 00:46 145996 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_01_19_46_23_small.dmp.zip
2009-02-26 00:37 . 2009-02-26 00:37 137687 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_25_19_37_07_small.dmp.zip
2009-02-24 16:24 . 2009-02-24 16:24 150159 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_24_11_24_09_small.dmp.zip
2009-02-21 00:12 . 2009-02-21 00:12 137527 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_20_19_12_09_small.dmp.zip
2009-02-20 18:09 . 2004-08-04 04:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 14:25 . 2009-02-17 14:25 137374 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_17_09_25_47_small.dmp.zip
2009-02-16 04:10 . 2008-12-23 17:14 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2004-08-04 04:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 04:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 04:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 04:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-04 03:17 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 04:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 03:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 15:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-01-21 16:04 . 2009-01-21 16:04 50688 --sha-w c:\windows\system32\bugudesi.dll.tmp
2009-01-21 16:04 . 2009-01-21 16:04 50688 --sha-w c:\windows\system32\pisefire.dll.tmp
2009-01-21 16:04 . 2009-01-21 16:04 50688 --sha-w c:\windows\system32\yatehaje.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2003-12-03 180224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 68856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-27 1867776]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Katie's EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]
"EPSON Stylus Photo R1800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE" [2007-01-12 177664]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1957888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" [2004-10-16 729088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"EssSpkPhone"="essspk.exe" - c:\windows\essspk.exe [2002-05-31 167936]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
AutoBackup Launcher.lnk - c:\program files\Memeo\AutoBackup\MemeoLauncher.exe [2007-2-14 211992]
Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe [2005-4-4 1994752]
Tadpole.lnk - c:\documents and settings\Tom\Application Data\Microsoft\Installer\{EB4F95B1-8A54-436E-ABEA-2FA48BEFFF2A}\_97D2975C00146ED2FEA919.exe [2009-3-25 2238]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-7-11 97320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 19:33 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 14:57 87352 ----a-w c:\windows\system32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\Seagate\\SystemTray\\StxMenuMgr.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/4/2008 12:15 PM 325128]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [1/8/2007 1:43 PM 14592]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 3:33 PM 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [3/28/2008 7:45 PM 47640]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [12/10/2008 7:05 PM 88576]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [12/15/2008 1:11 PM 185640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d605d2a-ef02-11dc-b9de-00508db59e0d}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f65e400d-ea59-11dd-8b1d-00508db59e0d}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC8B4D35-FC70-4A52-9655-E8784FDEEB87}]
msiexec /fu {FC8B4D35-FC70-4A52-9655-E8784FDEEB87}
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-13 22:02]
.
- - - - ORPHANS REMOVED - - - -

Notify-udpurn - c:\documents and settings\Tom\Application Data\Identities\udpurn.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc504.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=42384469&da=0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://www.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\owb6hbj2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://us.mc360.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=1519649135&da=0
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\owb6hbj2.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\brss01a.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\Memeo\AutoBackup\MemeoService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\ALCFDRTM.EXE
c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
c:\program files\Elite Minds\Tadpole Auction Watcher\Tadpole Auction Watcher.exe
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2009-05-05 16:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 20:12

Pre-Run: 4,182,138,880 bytes free
Post-Run: 5,152,374,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

300 --- E O F --- 2009-04-15 07:03

Now HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:42 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc504.mail.yahoo.com/mc/showFold...384469&da=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Katie's EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S53.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1B6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Startup: Tadpole.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.smugmug.com/photos/activex/ImageUploader5.cab
O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198470667625
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.smugmug.com/photos/activex/Imag...30.0-080212.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12636 bytes

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:38 AM

Posted 05 May 2009 - 03:51 PM

Good job.

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    c:\documents and settings\Tom\g2ax_customer_downloadhelper_win32_x86.exe

    If the file is analyzed before, click Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/221343/trojan-horse-dowloader-agent2bhkxpshield/?p=1251937
    
    Collect::[4]
    c:\windows\system32\komafubi.dll
    c:\windows\system32\favogeta.dll
    c:\windows\system32\dugewupu.dll
    c:\windows\system32\kudegovu.exe

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.


#11 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 04:24 PM

Here are the results....

First from virustotal:

File g2ax_customer_downloadhelper_win3 received on 05.05.2009 22:59:43 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 2/40 (5%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.05 -
AhnLab-V3 5.0.0.2 2009.05.05 -
AntiVir 7.9.0.160 2009.05.05 -
Antiy-AVL 2.0.3.1 2009.05.05 -
Authentium 5.1.2.4 2009.05.05 -
Avast 4.8.1335.0 2009.05.05 -
AVG 8.5.0.327 2009.05.05 -
BitDefender 7.2 2009.05.05 -
CAT-QuickHeal 10.00 2009.05.05 -
ClamAV 0.94.1 2009.05.05 -
Comodo 1151 2009.05.05 -
DrWeb 5.0.0.12182 2009.05.05 -
eSafe 7.0.17.0 2009.05.05 Suspicious File
eTrust-Vet 31.6.6490 2009.05.05 -
F-Prot 4.4.4.56 2009.05.05 -
F-Secure 8.0.14470.0 2009.05.05 -
Fortinet 3.117.0.0 2009.05.05 -
GData 19 2009.05.05 -
Ikarus T3.1.1.49.0 2009.05.05 -
K7AntiVirus 7.10.723 2009.05.05 -
Kaspersky 7.0.0.125 2009.05.05 -
McAfee 5606 2009.05.05 -
McAfee+Artemis 5606 2009.05.05 -
McAfee-GW-Edition 6.7.6 2009.05.05 -
Microsoft 1.4602 2009.05.05 -
NOD32 4054 2009.05.05 -
Norman 6.01.05 2009.05.05 -
nProtect 2009.1.8.0 2009.05.04 -
Panda 10.0.0.14 2009.05.05 -
PCTools 4.4.2.0 2009.05.05 -
Prevx1 3.0 2009.05.05 -
Rising 21.28.12.00 2009.05.05 -
Sophos 4.41.0 2009.05.05 -
Sunbelt 3.2.1858.2 2009.05.05 -
Symantec 1.4.4.12 2009.05.05 -
TheHacker 6.3.4.1.319 2009.05.05 -
TrendMicro 8.950.0.1092 2009.05.05 PAK_Generic.001
VBA32 3.12.10.4 2009.05.05 -
ViRobot 2009.5.4.1719 2009.05.04 -
VirusBuster 4.6.5.0 2009.05.05 -
Additional information
File size: 66360 bytes
MD5...: f93e403d661be0b131660cc8e271b294
SHA1..: 007e4ac3b66ca0d5c4cfd8e156e1e449ec453ccf
SHA256: 3a9b2d28776fa8a55fe89d745d3462ed3e57cb1ee8f981ec0bb07c271452468c
SHA512: 595ac2bb03188953d638225902dcb594fd5534669ba0390de0beea599c9ca324
419f5df6d7953d180d338f7f36271043b840a4281e6247a42fc7df2c7c250d8b
ssdeep: 1536:TCioiEWUn2U/sU0YehTNJCJInDc4LRHrrfiNnh:TKiEXtmYGnDb9rrfOh

PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (43.8%)
Win32 EXE Yoda's Crypter (38.1%)
Win32 Executable Generic (12.2%)
Generic Win/DOS Executable (2.8%)
DOS Executable Generic (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x21fa0
timedatestamp.....: 0x498360a4 (Fri Jan 30 20:18:44 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x13000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x14000 0xf000 0xe200 7.90 509d921f00236a5b5d1292402181a32f
.rsrc 0x23000 0x1000 0x800 4.55 db263a7243c266342268158d5edf4bfd

( 9 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegOpenKeyA
> MSVCRT.dll: atof
> ole32.dll: CoUninitialize
> OLEAUT32.dll: -
> RPCRT4.dll: NdrOleFree
> SHELL32.dll: SHGetFileInfoA
> USER32.dll: MessageBoxA
> VERSION.dll: VerQueryValueA

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (F-Prot): UPX
packers (Kaspersky): PE_Patch.UPX, UPX

Now combofix:

ComboFix 09-05-05.02 - Tom 05/05/2009 17:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2642 [GMT -4:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

file zipped: c:\windows\system32\dugewupu.dll
file zipped: c:\windows\system32\favogeta.dll
file zipped: c:\windows\system32\komafubi.dll
file zipped: c:\windows\system32\kudegovu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dugewupu.dll
c:\windows\system32\favogeta.dll
c:\windows\system32\komafubi.dll
c:\windows\system32\kudegovu.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 18:16 . 2009-05-05 18:16 -------- d-----w c:\program files\Trend Micro
2009-05-05 17:58 . 2009-05-05 17:58 -------- d-----w c:\documents and settings\Tom\Application Data\Malwarebytes
2009-05-05 17:58 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 17:58 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 17:58 . 2009-05-05 17:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-05 17:58 . 2009-05-05 17:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 18:12 . 2009-04-20 18:12 -------- d-----w C:\IR2
2009-04-20 01:35 . 2009-04-20 01:35 -------- d-----w c:\program files\Zards software
2009-04-14 19:05 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:05 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:05 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 19:05 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:05 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:05 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:05 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 19:05 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 19:04 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 04:00 . 2009-04-10 04:00 -------- d-----w c:\program files\MP3 Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 18:12 . 2009-01-01 03:33 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-05 16:26 . 2008-12-30 14:16 4572093 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-05-05 16:18 . 2008-03-28 23:44 -------- d-----w c:\program files\LogMeIn
2009-04-10 23:37 . 2009-04-10 23:38 1803264 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-04-10 16:15 . 2009-04-10 16:16 1802752 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-10 15:25 . 2009-04-10 15:45 1802240 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-05 20:49 . 2009-04-05 21:46 1789440 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-05 20:10 . 2009-04-05 20:11 1788928 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-29 18:11 . 2009-03-29 18:11 -------- d-----w c:\program files\Common Files\Scansoft Shared
2009-03-29 18:11 . 2007-01-02 03:51 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-29 18:09 . 2009-03-29 18:09 -------- d-----w c:\program files\ScanSoft
2009-03-29 04:17 . 2009-03-29 04:17 -------- d-----w c:\program files\AskBarDis
2009-03-29 04:17 . 2008-07-04 16:22 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-27 17:11 . 2009-03-26 02:58 -------- d-----w c:\program files\Auction Inquisitor
2009-03-26 04:58 . 2009-03-26 04:58 -------- d-----w c:\program files\Advanced Audio Recorder
2009-03-26 02:06 . 2007-12-23 09:14 46976 ----a-w c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 02:06 . 2009-03-26 02:06 -------- d-----w c:\program files\Elite Minds
2009-03-26 00:39 . 2007-01-02 03:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 04:03 . 2009-03-19 04:03 -------- d-----w c:\program files\Common Files\Bcgsoft
2009-03-19 04:01 . 2009-03-19 04:01 -------- d-----w c:\program files\PearlMountain Soft
2009-03-16 04:15 . 2009-03-16 04:15 -------- d-----w c:\program files\Bonjour
2009-03-16 04:15 . 2009-01-14 06:26 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-03-14 12:50 . 2009-03-14 12:50 141225 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_14_08_50_06_small.dmp.zip
2009-03-10 22:53 . 2009-03-10 22:32 -------- d-----w c:\program files\Citrix
2009-03-10 22:32 . 2009-03-10 22:32 66360 ----a-w c:\documents and settings\Tom\g2ax_customer_downloadhelper_win32_x86.exe
2009-03-08 05:10 . 2009-03-08 05:10 142303 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_08_00_10_23_small.dmp.zip
2009-03-07 12:20 . 2009-03-07 12:20 20089936 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_07_07_20_16_full.dmp.zip
2009-03-07 01:23 . 2009-03-07 01:22 -------- d-----w c:\program files\Driver Magician
2009-03-06 14:22 . 2004-08-04 04:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:59 . 2009-03-05 18:59 143622 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_05_13_59_10_small.dmp.zip
2009-03-05 00:31 . 2009-03-05 00:31 142216 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_04_19_31_11_small.dmp.zip
2009-03-04 04:22 . 2008-12-29 00:43 140 ----a-w c:\windows\system32\09wutili.sys
2009-03-03 00:18 . 2004-08-04 04:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 00:46 . 2009-03-02 00:46 145996 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_01_19_46_23_small.dmp.zip
2009-02-26 00:37 . 2009-02-26 00:37 137687 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_25_19_37_07_small.dmp.zip
2009-02-24 16:24 . 2009-02-24 16:24 150159 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_24_11_24_09_small.dmp.zip
2009-02-21 00:12 . 2009-02-21 00:12 137527 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_20_19_12_09_small.dmp.zip
2009-02-20 18:09 . 2004-08-04 04:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 14:25 . 2009-02-17 14:25 137374 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_17_09_25_47_small.dmp.zip
2009-02-16 04:10 . 2008-12-23 17:14 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2004-08-04 04:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 04:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 04:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 04:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-04 03:17 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 04:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 03:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 15:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-01-21 16:04 . 2009-01-21 16:04 50688 --sha-w c:\windows\system32\bugudesi.dll.tmp
2009-01-21 16:04 . 2009-01-21 16:04 50688 --sha-w c:\windows\system32\pisefire.dll.tmp
2009-01-21 16:04 . 2009-01-21 16:04 50688 --sha-w c:\windows\system32\yatehaje.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2003-12-03 180224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 68856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-27 1867776]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Katie's EPSON Stylus CX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 179200]
"EPSON Stylus Photo R1800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE" [2007-01-12 177664]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1957888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" [2004-10-16 729088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"EssSpkPhone"="essspk.exe" - c:\windows\essspk.exe [2002-05-31 167936]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
AutoBackup Launcher.lnk - c:\program files\Memeo\AutoBackup\MemeoLauncher.exe [2007-2-14 211992]
Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe [2005-4-4 1994752]
Tadpole.lnk - c:\documents and settings\Tom\Application Data\Microsoft\Installer\{EB4F95B1-8A54-436E-ABEA-2FA48BEFFF2A}\_97D2975C00146ED2FEA919.exe [2009-3-25 2238]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-7-11 97320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 19:33 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 14:57 87352 ----a-w c:\windows\system32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\Seagate\\SystemTray\\StxMenuMgr.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/4/2008 12:15 PM 325128]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [1/8/2007 1:43 PM 14592]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 3:33 PM 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [3/28/2008 7:45 PM 47640]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [12/10/2008 7:05 PM 88576]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [12/15/2008 1:11 PM 185640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d605d2a-ef02-11dc-b9de-00508db59e0d}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f65e400d-ea59-11dd-8b1d-00508db59e0d}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FC8B4D35-FC70-4A52-9655-E8784FDEEB87}]
msiexec /fu {FC8B4D35-FC70-4A52-9655-E8784FDEEB87}
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-13 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc504.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=42384469&da=0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://www.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\owb6hbj2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://us.mc360.mail.yahoo.com/mc/showFolder?fid=Inbox&.rand=1519649135&da=0
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\owb6hbj2.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 17:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-05-05 17:12
ComboFix-quarantined-files.txt 2009-05-05 21:12
ComboFix2.txt 2009-05-05 20:12

Pre-Run: 5,195,784,192 bytes free
Post-Run: 5,181,812,736 bytes free

221 --- E O F --- 2009-04-15 07:03
Upload was successful

Now mbam:

Malwarebytes' Anti-Malware 1.36
Database version: 2079
Windows 5.1.2600 Service Pack 3

5/5/2009 5:16:55 PM
mbam-log-2009-05-05 (17-16-55).txt

Scan type: Quick Scan
Objects scanned: 80747
Time elapsed: 1 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:38 AM

Posted 05 May 2009 - 04:31 PM

  • Your version of ZoneAlarm Firewall comes with ZoneAlarm Spyblocker toolbar and this is not highly recommended. See here to find out why.

    I recommend you to uninstall ZoneAlarm Spyblocker toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    ZoneAlarm Spyblocker

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
  • Please copy and paste a fresh Hijackthis log to your reply for a final review and tell me how is the computer running.


#13 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 05:13 PM

I did all that you recommneded. Computer seems to be running well. Fast -- no more popups.

Here are the HijackThis results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:32 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc504.mail.yahoo.com/mc/showFold...384469&da=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking8\Program\ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Katie's EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S53.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1B6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
O4 - Startup: Tadpole.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.smugmug.com/photos/activex/ImageUploader5.cab
O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198470667625
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.smugmug.com/photos/activex/Imag...30.0-080212.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12293 bytes

#14 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 05:37 PM

Oh No!!!!!!

AVG 8.0 just detected another virus generic13.abcx in

c:\system volume information\_restore{CB77C3F2-911C-4651-896E-F7BD8C7BD8C7B6293}\RP521\A0090878.dll

detected on open

Now what??????? Should I heal or move to vault or what?

#15 mymaus1

mymaus1
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 05 May 2009 - 07:02 PM

I need to go. I'll be back tomorrow at 9:30a eastern. What is your schedule tomorrow? Thanks for your help. Tom




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users