Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with a Vundo virus?


  • Please log in to reply
15 replies to this topic

#1 Ry1973

Ry1973

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 02 May 2009 - 11:46 AM

Hi, I'm a busy graduate student finishing my thesis and my one and only laptop was infected earlier this week with Spyware Protect 2009 even though I have Trend Micro PC-cillin. I already use MBAM because you never know what comes through the school network, so following advice I found here I got rid of the Spyware Protect 2009. However, when I rebooted I ran PC-cillin manually, it even updated definitions OK, but as it was running it found a Vundo Trojan and couldn't quarentine it. I ran MBAM again, and tried to update it and it wouldn't let me so I tried to open IE and download the database manually but my browser wasn't loading anything but down in the lower left corner I could see it scrolling through all sorts of random addresses so I killed the network connection. I was at school so I downloaded the database on another computer and manually updated MBAM and ran it and it found 6 malicious items linked to a .dll in the system32 folder. While scanning, Trend popped up indicating a Vundo Trojan again. MBAM needed to reboot to delete the files, but once my computer rebooted they were back! I did this several times, including in safe mode, and at best all that has happened is that one malicious .dll is removed and replaced by another one with another nonsense name like the tfswshx.dll you'll see in my log (always 7 characters too)... I searched here and downloaded and ran VundoFix, but it didn't find any Vundo!

HELP PLEASE!!! My laptop is everything - grad work, banking, everything... I hope I don't need a rebuid... I have my husband's laptop that I can access the internet with.

I followed the tutorial to here for posting (hope I did it all right)! Here is the DDS info and the Attach.txt is attached:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Nikki at 12:17:19.17 on Sat 05/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1216 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\DOCUME~1\Nikki\LOCALS~1\Temp\clclean.0001
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Nikki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: : {7eb34400-0b36-4626-8eb8-96677f966c78} - c:\windows\system32\rvbwqsb.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\nikki\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://usvpn.golder.com/vdesk/terminal/urxvpn.cab#version=6030,2008,1031,2121
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://usvpn.golder.com/vdesk/terminal/f5tunsrv.cab#version=6030,2008,1112,2313
DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTtodg8.CAB
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\rob\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://usvpn.golder.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,1031,2107
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228574522453
DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTeReportsCE11.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://usvpn.golder.com/vdesk/terminal/urxshost.cab#version=6030,2008,1031,2112
DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTeDepFiles.CAB
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://usvpn.golder.com/vdesk/terminal/urxhost.cab#version=6030,2008,1031,2108
DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/AuroraShell.CAB
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ejmlndzn - rvbwqsb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 clcduged;clcduged;c:\windows\system32\drivers\clcduged.sys [2005-8-16 23424]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-25 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-9-25 280392]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2008-10-31 33408]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-3-15 10752]
UnknownUnknown ujmncuq;ujmncuq; [x]

=============== Created Last 30 ================

2009-05-02 11:50 <DIR> --d----- c:\docume~1\nikki\applic~1\Online Solutions
2009-04-29 08:00 <DIR> --d----- C:\VundoFix Backups
2009-04-28 08:29 50,688 a------- C:\ATF-Cleaner.exe
2009-04-04 09:05 <DIR> --d----- c:\windows\Prefs
2009-04-04 09:05 42,631,657 a------- c:\windows\Xena.exe
2009-04-04 09:05 272,384 a------- c:\windows\Xena.scr
2009-04-04 09:05 40,960 a------- c:\windows\Xena.dll

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-05-04 10:06 46,614 a------- c:\docume~1\nikki\applic~1\wklnhst.dat
2006-10-31 23:13 32 a----r-- c:\documents and settings\all users\hash.dat
2007-02-19 08:59 88 ---shr-- c:\windows\system32\3412EDC4B4.sys
2007-02-19 09:01 3,140 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:17:51.18 ===============

Attached Files


Edited by Ry1973, 02 May 2009 - 11:48 AM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:41 PM

Posted 02 May 2009 - 01:43 PM

Hello Ry1973,

Posted Image

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 02 May 2009 - 02:10 PM

Good day tea! Thank you for a quick reply! Hope you can help me sort this mess... Here are the requested logs:

ComboFix 09-05-02.4 - Nikki 05/02/2009 15:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1398 [GMT -4:00]
Running from: c:\documents and settings\Nikki\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 15:50 . 2009-05-02 15:53 -------- d-----w c:\documents and settings\Nikki\Application Data\Online Solutions
2009-05-02 13:17 . 2009-05-02 13:17 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-29 12:00 . 2009-04-29 12:00 -------- d-----w C:\VundoFix Backups
2009-04-28 12:29 . 2007-04-18 03:49 50688 ----a-w C:\ATF-Cleaner.exe
2009-04-04 13:05 . 2009-04-04 13:05 -------- d-----w c:\windows\Prefs
2009-04-04 13:05 . 2009-04-04 13:05 42631657 ----a-w c:\windows\Xena.exe
2009-04-04 13:05 . 2009-04-04 13:05 40960 ----a-w c:\windows\Xena.dll
2009-04-04 13:05 . 2009-04-04 13:05 272384 ----a-w c:\windows\Xena.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 19:01 . 2005-08-16 10:49 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 15:52 . 2009-04-28 09:46 434 ----a-w c:\windows\Tasks\At1.job
2009-05-02 14:51 . 2006-12-22 23:08 -------- d-----w c:\program files\Trend Micro
2009-04-13 17:26 . 2009-03-16 02:20 -------- d-----w c:\program files\BSTAurora
2009-04-10 11:17 . 2006-12-22 23:15 -------- d-----w c:\program files\Google
2009-04-09 13:14 . 2008-10-28 01:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2008-10-28 01:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-10-28 01:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-16 02:18 . 2009-03-16 02:18 -------- d-----w c:\program files\Business Objects
2009-03-16 02:15 . 2009-03-16 02:15 -------- d-----w c:\program files\F5
2009-03-02 16:34 . 2007-09-09 13:16 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 11:04 . 2006-12-30 03:27 81128 ----a-w c:\documents and settings\Nikki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-02-19 12:59 . 2006-12-30 19:25 88 --sh--r c:\windows\system32\3412EDC4B4.sys
2007-02-19 13:01 . 2006-12-30 19:25 3140 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB34400-0B36-4626-8EB8-96677F966C78}]
2004-08-10 11:00 103936 ----a-w c:\windows\system32\rvbwqsb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-12 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-06-29 1355042]

c:\documents and settings\Nikki\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-4-11 845408]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ejmlndzn]
2004-08-10 11:00 103936 ----a-w c:\windows\system32\rvbwqsb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-09-25 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-11-09 923216]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-11-09 566872]
R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2008-10-31 10752]
S0 clcduged;clcduged;c:\windows\system32\drivers\clcduged.sys [2004-08-10 23424]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2006-11-09 280392]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - UJMNCUQ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hdfdbjyo

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-02 c:\windows\Tasks\At1.job
- c:\windows\system32\rvbwqsb.dll [2005-08-16 11:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTtodg8.CAB
DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTeReportsCE11.CAB
DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTeDepFiles.CAB
DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/AuroraShell.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 15:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1532)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-02 15:04
ComboFix-quarantined-files.txt 2009-05-02 19:04

Pre-Run: 26,185,662,464 bytes free
Post-Run: 26,180,194,304 bytes free

160



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:33 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7EB34400-0B36-4626-8EB8-96677F966C78} - c:\windows\system32\rvbwqsb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2121
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://usvpn.golder.com/vdesk/terminal/f5t...,2008,1112,2313
O16 - DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} (BST Enterprise 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...eb/BSTtodg8.CAB
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Rob\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://usvpn.golder.com/vdesk/terminal/f5I...,2008,1031,2107
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228574522453
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (BST Enterprise Reports 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...ReportsCE11.CAB
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2112
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - https://usvpn.golder.com/f5-w-687474703a2f2...STeDepFiles.CAB
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2108
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...AuroraShell.CAB
O20 - Winlogon Notify: ejmlndzn - C:\WINDOWS\SYSTEM32\rvbwqsb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12568 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:41 PM

Posted 02 May 2009 - 02:25 PM

Hello :thumbup2:


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB34400-0B36-4626-8EB8-96677F966C78}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ejmlndzn]

File::
c:\windows\system32\rvbwqsb.dll
c:\windows\Tasks\At1.job


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, I see you have MBAM. Is it coming up clean?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 02 May 2009 - 03:23 PM

tea, no joy!

I ran the script you provided and have the logs for ComboFix and HiJackThis below. Upon reboot, Trend still finds "TROJ VUNDO.ANL" but now in C:\WINDOWS\system32\wlhbylin.dll. MBAM finds Trojan.Vundo.H in the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7eb34400-0b36-4626-8eb8-96677f966c78} (Trojan.Vundo.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ejmlndzn (Trojan.Vundo.H)
HKEY_CLASSES_ROOT\CLSID\{7eb34400-0b36-4626-8eb8-96677f966c78} (Trojan.Vundo.H)
c:\WINDOWS\system32\rvbwqsb.dll (Trojan.Vundo.H)

ComboFix 09-05-02.4 - Nikki 05/02/2009 15:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1410 [GMT -4:00]
Running from: c:\documents and settings\Nikki\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\rvbwqsb.dll
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\system32\rvbwqsb.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 15:50 . 2009-05-02 15:53 -------- d-----w c:\documents and settings\Nikki\Application Data\Online Solutions
2009-05-02 13:17 . 2009-05-02 13:17 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-29 12:00 . 2009-04-29 12:00 -------- d-----w C:\VundoFix Backups
2009-04-28 12:29 . 2007-04-18 03:49 50688 ----a-w C:\ATF-Cleaner.exe
2009-04-04 13:05 . 2009-04-04 13:05 -------- d-----w c:\windows\Prefs
2009-04-04 13:05 . 2009-04-04 13:05 42631657 ----a-w c:\windows\Xena.exe
2009-04-04 13:05 . 2009-04-04 13:05 40960 ----a-w c:\windows\Xena.dll
2009-04-04 13:05 . 2009-04-04 13:05 272384 ----a-w c:\windows\Xena.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 19:46 . 2005-08-16 10:49 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 14:51 . 2006-12-22 23:08 -------- d-----w c:\program files\Trend Micro
2009-04-13 17:26 . 2009-03-16 02:20 -------- d-----w c:\program files\BSTAurora
2009-04-10 11:17 . 2006-12-22 23:15 -------- d-----w c:\program files\Google
2009-04-09 13:14 . 2008-10-28 01:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2008-10-28 01:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-10-28 01:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-16 02:18 . 2009-03-16 02:18 -------- d-----w c:\program files\Business Objects
2009-03-16 02:15 . 2009-03-16 02:15 -------- d-----w c:\program files\F5
2009-03-02 16:34 . 2007-09-09 13:16 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 11:04 . 2006-12-30 03:27 81128 ----a-w c:\documents and settings\Nikki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-02-19 12:59 . 2006-12-30 19:25 88 --sh--r c:\windows\system32\3412EDC4B4.sys
2007-02-19 13:01 . 2006-12-30 19:25 3140 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB34400-0B36-4626-8EB8-96677F966C78}]
2004-08-10 11:00 103936 ----a-w c:\windows\system32\rvbwqsb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-12 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-06-29 1355042]

c:\documents and settings\Nikki\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2007-4-11 845408]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ejmlndzn]
2004-08-10 11:00 103936 ----a-w c:\windows\system32\rvbwqsb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2008-10-31 10752]
S0 clcduged;clcduged;c:\windows\system32\drivers\clcduged.sys [2004-08-10 23424]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-09-25 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-11-09 923216]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-11-09 566872]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2006-11-09 280392]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys [2008-10-31 33408]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hdfdbjyo

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTtodg8.CAB
DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTeReportsCE11.CAB
DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/BSTeDepFiles.CAB
DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxps://usvpn.golder.com/f5-w-687474703a2f2f6273742e676f6c6465722e636f6d$$/AuroraWeb/AuroraShell.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 15:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1536)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1920)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Nikki\LOCALS~1\temp\clclean.0001
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-05-02 15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 19:50
ComboFix2.txt 2009-05-02 19:04

Pre-Run: 26,182,492,160 bytes free
Post-Run: 26,183,704,576 bytes free

189


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:52 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\DOCUME~1\Nikki\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7EB34400-0B36-4626-8EB8-96677F966C78} - c:\windows\system32\rvbwqsb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2121
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://usvpn.golder.com/vdesk/terminal/f5t...,2008,1112,2313
O16 - DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} (BST Enterprise 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...eb/BSTtodg8.CAB
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Rob\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://usvpn.golder.com/vdesk/terminal/f5I...,2008,1031,2107
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228574522453
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (BST Enterprise Reports 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...ReportsCE11.CAB
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2112
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - https://usvpn.golder.com/f5-w-687474703a2f2...STeDepFiles.CAB
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2108
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...AuroraShell.CAB
O20 - Winlogon Notify: ejmlndzn - C:\WINDOWS\SYSTEM32\rvbwqsb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12778 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:41 PM

Posted 02 May 2009 - 04:23 PM

Hi there,

Try running the script again with ComboFix, but this time in Safe Mode. If it doesn't remove it that way I'll bring out a really big gun on it. :thumbup2:

Just so you know.....I'm in Texas and we have some nasty severe storms coming (tornado warnings to our north and we're under a watch) so if I'm not here it's because I've had to shut everything down. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 02 May 2009 - 11:02 PM

tea,

I hope you and your loved ones are safe and sound!

We need a Texas fly-swatter on this one... I ran it again in safe mode, and I will spare you the logs and MBAM findings by simply stating this from the ComboFix log:

"c:\windows\system32\rvbwqsb.dll . . . . failed to delete"

I do appreciate your continued help, and I really hope it can be cleaned from the system.

Thx!

#8 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 04 May 2009 - 10:06 AM

tea,

Hope you made out OK!

When you can, I am ready for your "bigger hammer"!!!

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:41 PM

Posted 04 May 2009 - 03:12 PM

I see you here....give me a few minutes to get my thoughts together and I'll be right back. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:41 PM

Posted 04 May 2009 - 03:22 PM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete :
c:\windows\system32\rvbwqsb.dll
c:\windows\Tasks\At1.job


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 05 May 2009 - 07:30 AM

tea,

The Avenger program has been updated and your instruction no longer fit the new version, but it's a cinch to figure out... Unfortunately, not a big enough hammer! I ran it again in Safe Mode after it originally failed as well.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\rvbwqsb.dll"
Deletion of file "c:\windows\system32\rvbwqsb.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: file "c:\windows\Tasks\At1.job" not found!
Deletion of file "c:\windows\Tasks\At1.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:10 AM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\DOCUME~1\Nikki\LOCALS~1\Temp\clclean.0001
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061222
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7EB34400-0B36-4626-8EB8-96677F966C78} - c:\windows\system32\rvbwqsb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2121
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://usvpn.golder.com/vdesk/terminal/f5t...,2008,1112,2313
O16 - DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} (BST Enterprise 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...eb/BSTtodg8.CAB
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Rob\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://usvpn.golder.com/vdesk/terminal/f5I...,2008,1031,2107
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228574522453
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (BST Enterprise Reports 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...ReportsCE11.CAB
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2112
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - https://usvpn.golder.com/f5-w-687474703a2f2...STeDepFiles.CAB
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://usvpn.golder.com/vdesk/terminal/urx...,2008,1031,2108
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.3) - https://usvpn.golder.com/f5-w-687474703a2f2...AuroraShell.CAB
O20 - Winlogon Notify: ejmlndzn - C:\WINDOWS\SYSTEM32\rvbwqsb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12954 bytes

#12 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 05 May 2009 - 07:55 PM

tea,

Hate to be a nag... Just wondering if you had thought of anything else? My husband is leaving tomorrow night for business so I will be without access to the internet unless I am on campus and can get a machine in one of the labs. I talked to a friend of friend who has some advanced computer knowledge and he said if all this hasn't succeeded in deleting the file, then I need a DOS boot and delete it that way. However, I have no idea what that really means. I know what DOS is, even remember learning some basic language in junior high school, but I have no idea how to do this. Nonetheless, I've been following your instructions to the letter and don't want to go down another path that may do more harm than good...

Thx.

#13 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 06 May 2009 - 10:24 AM

Can anyone else help me? I'm pretty desperate at this point... :thumbup2:

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:41 PM

Posted 06 May 2009 - 03:31 PM

Hello,

I do so apologize for being human and not a robot. :thumbup2:

Try this in Safe Mode :

Open HijackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

c:\windows\system32

And select the file

rvbwqsb.dll

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Ry1973

Ry1973
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:41 PM

Posted 06 May 2009 - 05:20 PM

tea,

My sincere apologies! I was not trying to offend you and appreciate all of your help - GREATLY! I just am stressed as I am a full-time grad student finishing my thesis, work a 40-hour job, and give another 20-hours to practicum each week so getting elsewhere to use another machine is really difficult and I need to complete my thesis revisions for submission to binding ASAP or they won't approve my graduation request...

I ran HiJackThis as you indicated, but the file still did not delete.

Thx




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users