Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Vundo Trojan Virus?


  • This topic is locked This topic is locked
29 replies to this topic

#1 ChallerS

ChallerS

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 28 April 2009 - 03:50 PM

I believe I have a vundo trojan virus that I can't get rid of. I have scanned my computer with MalawareBytes and Microsoft's Live Scan - each finds infected files, but fails to remove them upon reboot. I have run a hijackthis scan (log file below) and each time I try to fix the two files I believe are part of the problem (underlines in the log file) the same files show up in the next scan I perform. I turned off the System Restore function thinking that would help, but no luck as of yet.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:49 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {A811F389-145D-4DA5-AFB9-0AE5301B059F} - c:\windows\system32\oxpytmg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199853271779
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O20 - Winlogon Notify: vfdavqki - C:\WINDOWS\SYSTEM32\oxpytmg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5432 bytes

BC AdBot (Login to Remove)

 


#2 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 28 April 2009 - 04:01 PM

Also, here is the latest log from my MalawareBytes program - each time I reboot and run MalawareBytes again it still comes back with 1 file infected and 3 Registry Keys infected. Thanks for the help in advance.


Malwarebytes' Anti-Malware 1.34
Database version: 1811
Windows 5.1.2600 Service Pack 3

4/28/2009 1:21:38 PM
mbam-log-2009-04-28 (13-21-38).txt

Scan type: Quick Scan
Objects scanned: 66429
Time elapsed: 14 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a811f389-145d-4da5-afb9-0ae5301b059f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vfdavqki (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a811f389-145d-4da5-afb9-0ae5301b059f} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\oxpytmg.dll (Trojan.Vundo.H) -> Delete on reboot.

#3 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 28 April 2009 - 04:59 PM

Just to be as thorough as possible here is my DDS log that I just ran:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jess & Christian at 14:56:33.45 on Tue 04/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.530 [GMT -7:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Jess & Christian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: : {a811f389-145d-4da5-afb9-0ae5301b059f} - c:\windows\system32\oxpytmg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199853271779
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Notify: igfxcui - igfxsrvc.dll
Notify: vfdavqki - oxpytmg.dll
LSA: Notification Packages = scecli delbuns.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jess&c~1\applic~1\mozilla\firefox\profiles\chkvk1ri.default\
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: XUL Cache: {C7176137-A554-4038-918C-8049D3466E01} - c:\documents and settings\jess & christian\local settings\application data\{C7176137-A554-4038-918C-8049D3466E01}

============= SERVICES / DRIVERS ===============

R0 bhhpkons;bhhpkons;c:\windows\system32\drivers\bhhpkons.sys [2001-8-18 23424]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\belkin\belkin wireless network utility\WLService.exe [2008-1-8 49152]
R2 gnryrrjs;Volume Manager Controller;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [2008-1-8 140416]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-27 38496]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2008-12-4 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [2008-12-4 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2008-12-4 170368]
S0 ati0lrxx;ati0lrxx;c:\windows\system32\drivers\ati0lrxx.sys --> c:\windows\system32\drivers\ati0lrxx.sys [?]

=============== Created Last 30 ================

2009-04-28 12:35 <DIR> --d----- C:\VundoFix Backups
2009-04-28 12:31 389,120 a------- c:\windows\system32\CF24941.exe
2009-04-27 17:20 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-27 17:19 <DIR> --d----- c:\docume~1\jess&c~1\applic~1\HouseCall 6.6
2009-04-27 16:40 <DIR> --d----- c:\program files\Trend Micro
2009-04-17 13:34 134,083 a------- c:\windows\system32\rn.tmp
2009-04-15 16:48 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:48 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 16:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:47 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 16:47 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 16:47 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-12 10:41 <DIR> --d----- c:\docume~1\jess&c~1\applic~1\rjnukzpm
2009-04-10 03:01 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-10 00:10 <DIR> --d----- c:\windows\system32\KB905474
2009-04-10 00:01 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-09 23:59 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 23:59 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-09 23:59 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 23:59 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 23:59 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-09 23:59 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 23:59 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-09 18:00 91,328 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-04-09 17:59 116,416 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-04-09 17:57 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-04-09 17:45 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2008-08-31 14:43 42,768 a------- c:\docume~1\jess&c~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:57:41.39 ===============

#4 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 04 May 2009 - 03:24 PM

Any help out there? I'm not sure what to do. Thanks.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:09 AM

Posted 04 May 2009 - 04:17 PM

Hello ChallerS,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 04 May 2009 - 04:26 PM

Thanks Teacup - here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:24 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {A811F389-145D-4DA5-AFB9-0AE5301B059F} - c:\windows\system32\oxpytmg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199853271779
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O20 - Winlogon Notify: vfdavqki - C:\WINDOWS\SYSTEM32\oxpytmg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5731 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:09 AM

Posted 04 May 2009 - 04:30 PM

You're welcome. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


If ComboFix will not run the first time, then rename ComboFix.exe to ChallerS.exe and try it again. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 04 May 2009 - 05:20 PM

Ok I ran the program and here is the log it generated for me:

ComboFix 09-05-03.6 - Jess & Christian 05/04/2009 15:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.604 [GMT -7:00]
Running from: c:\documents and settings\Jess & Christian\Desktop\Challers.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys
c:\windows\wiaserviv.log
c:\windows\system32\oxpytmg.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GNRYRRJS
-------\Legacy_TCPSR
-------\Service_gnryrrjs
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-28 19:35 . 2009-04-28 19:35 -------- d-----w C:\VundoFix Backups
2009-04-28 00:20 . 2007-12-25 00:37 138384 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-28 00:19 . 2009-04-28 06:35 -------- d-----w c:\documents and settings\Jess & Christian\Application Data\HouseCall 6.6
2009-04-27 23:40 . 2009-04-27 23:40 -------- d-----w c:\program files\Trend Micro
2009-04-15 23:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 23:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:47 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 17:41 . 2009-04-12 17:41 -------- d-----w c:\documents and settings\Jess & Christian\Application Data\rjnukzpm
2009-04-12 17:41 . 2009-04-12 17:41 -------- d-----w c:\documents and settings\Jess & Christian\Local Settings\Application Data\rjnukzpm
2009-04-10 07:10 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-10 07:10 . 2009-04-10 07:10 -------- d-----w c:\windows\system32\KB905474
2009-04-10 07:10 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\windows\system32\XPSViewer
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\MSBuild
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\Reference Assemblies
2009-04-10 06:59 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-10 06:59 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-10 06:59 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-10 06:59 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-10 06:59 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-10 06:59 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-10 06:59 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-10 01:00 . 2007-11-28 05:56 91328 ----a-w c:\windows\system32\drivers\msfwdrv.sys
2009-04-10 00:59 . 2007-11-28 05:56 116416 ----a-w c:\windows\system32\drivers\msfwhlpr.sys
2009-04-10 00:57 . 2008-05-15 23:15 53168 ----a-w c:\windows\system32\drivers\MpFilter.sys
2009-04-10 00:45 . 2009-05-04 20:38 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-04-09 01:25 . 2009-04-09 01:25 -------- d-----w c:\documents and settings\NetworkService\Application Data\rjnukzpm
2009-04-09 01:25 . 2009-04-09 01:25 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\rjnukzpm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 21:08 . 2009-02-27 18:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 19:57 . 2009-02-28 19:21 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 01:15 . 2009-04-17 20:34 134083 ----a-w c:\windows\system32\rn.tmp
2009-04-10 15:59 . 2008-01-15 02:25 42768 ----a-w c:\documents and settings\Jess & Christian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 22:32 . 2009-02-27 18:59 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-02-27 18:59 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 01:11 . 2001-08-18 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-27 04:49 . 2009-02-27 04:49 1152 ----a-w c:\windows\system32\windrv.sys
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-01-09 04:52 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2001-08-18 12:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2008-12-21 17:31 . 2008-01-09 04:58 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 17:31 . 2008-01-09 04:58 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 17:31 . 2008-01-09 04:58 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 17:31 . 2008-01-09 04:58 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 17:31 . 2008-01-09 04:58 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A811F389-145D-4DA5-AFB9-0AE5301B059F}]
2001-08-18 12:00 102912 ----a-w c:\windows\system32\oxpytmg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0lrxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Jess & Christian\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jess & Christian\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 ati0lrxx;ati0lrxx; [x]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\Drivers\V0350Afx.sys [2007-06-10 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\DRIVERS\V0350VFx.sys [2007-03-05 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\DRIVERS\V0350Vid.sys [2007-05-10 170368]
S0 bhhpkons;bhhpkons;c:\windows\system32\drivers\bhhpkons.sys [2001-08-18 23424]
S2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-30 49152]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-152049171-682003330-1003.job
- c:\documents and settings\Jess & Christian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-22 21:44]

2009-04-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jess & Christian\Application Data\Mozilla\Firefox\Profiles\chkvk1ri.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 22:17

Pre-Run: 7,540,051,968 bytes free
Post-Run: 7,685,550,080 bytes free

184 --- E O F --- 2009-04-23 10:01

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:09 AM

Posted 04 May 2009 - 05:33 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
File::
c:\windows\system32\oxpytmg.dll

Folder::
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm
c:\documents and settings\Jess & Christian\Local Settings\Application Data\rjnukzpm

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A811F389-145D-4DA5-AFB9-0AE5301B059F}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 04 May 2009 - 05:57 PM

Tea:

The new ComboFix log is first and then below that is a new HijackThis log. Thanks.

ComboFix 09-05-03.6 - Jess & Christian 05/04/2009 15:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.648 [GMT -7:00]
Running from: c:\documents and settings\Jess & Christian\Desktop\Challers.exe
Command switches used :: c:\documents and settings\Jess & Christian\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*

FILE ::
c:\windows\system32\oxpytmg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jess & Christian\Application Data\rjnukzpm
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\profiles.ini
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\cert8.db
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\compatibility.ini
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\compreg.dat
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\cookies.sqlite
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\formhistory.sqlite
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\key3.db
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\localstore.rdf
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\permissions.sqlite
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\places.sqlite-journal
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\places.sqlite
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\pluginreg.dat
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\prefs.js
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\secmod.db
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\webappsstore.sqlite
c:\documents and settings\Jess & Christian\Application Data\rjnukzpm\Profiles\7ai84raj.default\xpti.dat
c:\documents and settings\Jess & Christian\Local Settings\Application Data\rjnukzpm
c:\documents and settings\Jess & Christian\Local Settings\Application Data\rjnukzpm\Profiles\7ai84raj.default\urlclassifier3.sqlite
c:\documents and settings\Jess & Christian\Local Settings\Application Data\rjnukzpm\Profiles\7ai84raj.default\XPC.mfl
c:\windows\system32\oxpytmg.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-28 19:35 . 2009-04-28 19:35 -------- d-----w C:\VundoFix Backups
2009-04-28 00:20 . 2007-12-25 00:37 138384 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-28 00:19 . 2009-04-28 06:35 -------- d-----w c:\documents and settings\Jess & Christian\Application Data\HouseCall 6.6
2009-04-27 23:40 . 2009-04-27 23:40 -------- d-----w c:\program files\Trend Micro
2009-04-15 23:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 23:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:47 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 07:10 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-10 07:10 . 2009-04-10 07:10 -------- d-----w c:\windows\system32\KB905474
2009-04-10 07:10 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\windows\system32\XPSViewer
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\MSBuild
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\Reference Assemblies
2009-04-10 06:59 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-10 06:59 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-10 06:59 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-10 06:59 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-10 06:59 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-10 06:59 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-10 06:59 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-10 01:00 . 2007-11-28 05:56 91328 ----a-w c:\windows\system32\drivers\msfwdrv.sys
2009-04-10 00:59 . 2007-11-28 05:56 116416 ----a-w c:\windows\system32\drivers\msfwhlpr.sys
2009-04-10 00:57 . 2008-05-15 23:15 53168 ----a-w c:\windows\system32\drivers\MpFilter.sys
2009-04-10 00:45 . 2009-05-04 20:38 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-04-09 01:25 . 2009-04-09 01:25 -------- d-----w c:\documents and settings\NetworkService\Application Data\rjnukzpm
2009-04-09 01:25 . 2009-04-09 01:25 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\rjnukzpm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 21:08 . 2009-02-27 18:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 19:57 . 2009-02-28 19:21 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 01:15 . 2009-04-17 20:34 134083 ----a-w c:\windows\system32\rn.tmp
2009-04-10 15:59 . 2008-01-15 02:25 42768 ----a-w c:\documents and settings\Jess & Christian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 22:32 . 2009-02-27 18:59 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-02-27 18:59 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 01:11 . 2001-08-18 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-27 04:49 . 2009-02-27 04:49 1152 ----a-w c:\windows\system32\windrv.sys
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-01-09 04:52 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2001-08-18 12:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2008-12-21 17:31 . 2008-01-09 04:58 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 17:31 . 2008-01-09 04:58 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 17:31 . 2008-01-09 04:58 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 17:31 . 2008-01-09 04:58 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 17:31 . 2008-01-09 04:58 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_22.13.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 22:44 . 2009-05-04 22:44 16384 c:\windows\temp\Perflib_Perfdata_680.dat
+ 2009-05-04 22:49 . 2009-05-04 22:49 16384 c:\windows\temp\Perflib_Perfdata_1bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A811F389-145D-4DA5-AFB9-0AE5301B059F}]
2001-08-18 12:00 102912 ----a-w c:\windows\system32\oxpytmg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0lrxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Jess & Christian\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jess & Christian\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 ati0lrxx;ati0lrxx; [x]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\Drivers\V0350Afx.sys [2007-06-10 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\DRIVERS\V0350VFx.sys [2007-03-05 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\DRIVERS\V0350Vid.sys [2007-05-10 170368]
S0 bhhpkons;bhhpkons;c:\windows\system32\drivers\bhhpkons.sys [2001-08-18 23424]
S2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-30 49152]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-152049171-682003330-1003.job
- c:\documents and settings\Jess & Christian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-22 21:44]

2009-04-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jess & Christian\Application Data\Mozilla\Firefox\Profiles\chkvk1ri.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 15:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-04 15:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 22:53
ComboFix2.txt 2009-05-04 22:18

Pre-Run: 7,685,001,216 bytes free
Post-Run: 7,680,352,256 bytes free

202 --- E O F --- 2009-04-23 10:01





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:52 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {A811F389-145D-4DA5-AFB9-0AE5301B059F} - c:\windows\system32\oxpytmg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199853271779
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5021 bytes

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:09 AM

Posted 04 May 2009 - 06:07 PM

Hello,

Try this script again in Safe Mode :

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
File::
c:\windows\system32\oxpytmg.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A811F389-145D-4DA5-AFB9-0AE5301B059F}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 04 May 2009 - 06:43 PM

Tea:

It seems to be runner a bit smoother maybe, but I haven't really done too much on it for the past week or so. Thanks for your help on this - doesn't look like that file was deleted again!

Here are the new logs:

ComboFix 09-05-03.6 - Jess & Christian 05/04/2009 16:30.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.773 [GMT -7:00]
Running from: c:\documents and settings\Jess & Christian\Desktop\Challers.exe
Command switches used :: c:\documents and settings\Jess & Christian\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*

FILE ::
c:\windows\system32\oxpytmg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oxpytmg.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-28 19:35 . 2009-04-28 19:35 -------- d-----w C:\VundoFix Backups
2009-04-28 00:20 . 2007-12-25 00:37 138384 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-28 00:19 . 2009-04-28 06:35 -------- d-----w c:\documents and settings\Jess & Christian\Application Data\HouseCall 6.6
2009-04-27 23:40 . 2009-04-27 23:40 -------- d-----w c:\program files\Trend Micro
2009-04-15 23:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 23:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:47 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 07:10 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-10 07:10 . 2009-04-10 07:10 -------- d-----w c:\windows\system32\KB905474
2009-04-10 07:10 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\windows\system32\XPSViewer
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\MSBuild
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\Reference Assemblies
2009-04-10 06:59 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-10 06:59 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-10 06:59 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-10 06:59 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-10 06:59 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-10 06:59 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-10 06:59 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-10 01:00 . 2007-11-28 05:56 91328 ----a-w c:\windows\system32\drivers\msfwdrv.sys
2009-04-10 00:59 . 2007-11-28 05:56 116416 ----a-w c:\windows\system32\drivers\msfwhlpr.sys
2009-04-10 00:57 . 2008-05-15 23:15 53168 ----a-w c:\windows\system32\drivers\MpFilter.sys
2009-04-10 00:45 . 2009-05-04 23:21 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-04-09 01:25 . 2009-04-09 01:25 -------- d-----w c:\documents and settings\NetworkService\Application Data\rjnukzpm
2009-04-09 01:25 . 2009-04-09 01:25 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\rjnukzpm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 21:08 . 2009-02-27 18:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 19:57 . 2009-02-28 19:21 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 01:15 . 2009-04-17 20:34 134083 ----a-w c:\windows\system32\rn.tmp
2009-04-10 15:59 . 2008-01-15 02:25 42768 ----a-w c:\documents and settings\Jess & Christian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 22:32 . 2009-02-27 18:59 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-02-27 18:59 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 01:11 . 2001-08-18 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-27 04:49 . 2009-02-27 04:49 1152 ----a-w c:\windows\system32\windrv.sys
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-01-09 04:52 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2001-08-18 12:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2008-12-21 17:31 . 2008-01-09 04:58 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 17:31 . 2008-01-09 04:58 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 17:31 . 2008-01-09 04:58 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 17:31 . 2008-01-09 04:58 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 17:31 . 2008-01-09 04:58 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A811F389-145D-4DA5-AFB9-0AE5301B059F}]
2001-08-18 12:00 102912 ----a-w c:\windows\system32\oxpytmg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0lrxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Jess & Christian\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jess & Christian\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 ati0lrxx;ati0lrxx; [x]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-30 49152]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\Drivers\V0350Afx.sys [2007-06-10 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\DRIVERS\V0350VFx.sys [2007-03-05 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\DRIVERS\V0350Vid.sys [2007-05-10 170368]
S0 bhhpkons;bhhpkons;c:\windows\system32\drivers\bhhpkons.sys [2001-08-18 23424]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]

.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 00:57]

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-152049171-682003330-1003.job
- c:\documents and settings\Jess & Christian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-22 21:44]

2009-04-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jess & Christian\Application Data\Mozilla\Firefox\Profiles\chkvk1ri.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2009-05-04 16:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 23:39
ComboFix2.txt 2009-05-04 23:25
ComboFix3.txt 2009-05-04 22:53
ComboFix4.txt 2009-05-04 22:18

Pre-Run: 7,674,253,312 bytes free
Post-Run: 7,664,340,992 bytes free

170 --- E O F --- 2009-04-23 10:01




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:10 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {A811F389-145D-4DA5-AFB9-0AE5301B059F} - c:\windows\system32\oxpytmg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199853271779
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4203 bytes

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:09 AM

Posted 04 May 2009 - 06:46 PM

Hello,

You're the second one I've had with a file like that today. :thumbup2:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\system32\oxpytmg.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 ChallerS

ChallerS
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 04 May 2009 - 08:03 PM

Ok here is the log file for Avenger and a new HJT.


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\oxpytmg.dll"
Deletion of file "c:\windows\system32\oxpytmg.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:49 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {A811F389-145D-4DA5-AFB9-0AE5301B059F} - c:\windows\system32\oxpytmg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199853271779
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5123 bytes

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:09 AM

Posted 04 May 2009 - 08:25 PM

Stubborn thing. :thumbup2:

Click Start>Run. Copy & paste the following and click OK:

regsvr32.exe /U oxpytmg.dll

You should get a message that it has been uninstalled succesfully.

Try it in Safe Mode if you have to. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users