
Infected with Trojan.Virtumonde/Trojan-Downloader.Agent.OGP


  • This topic is locked
45 replies to this topic

#1 mercyman

mercyman

  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 04 May 2009 - 05:55 PM

Hi! My system has been infected with Trojan.Virtumonde/Trojan-Downloader.Agent.OGP viruses. These were identified by Spyware Doctor; after identifying them, Spyware Doctor prompts me to reboot the system so that they can be removed. But once the system is started again, they are there. Again Spyware Doctor identifies them and tries to fix them, again asking to reboot the system. This keeps on going but the viruses are still there. The Trojan.Virtumonde virus is associated with the basesr.dll file in the System32 folder. The basesr.dll file description shows: Alcohol 120%, Company: Alcohol Soft Development Team

Due to this:

I am receiving a lot of unusual pop-up screens.
Internet Explorer is redirecting to different web pages instead of the expected page.
Internet Explorer takes a lot of time to load a page.
CPU usage seems to be at 100%.
Unknown processes are executing in Windows Task Manager.

Please resolve the same for me. Let me know if anything is needed.

DDS.txt details:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Clement at 18:20:15.82 on Mon 05/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1348 [GMT -4:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Documents and Settings\Clement\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {43b23159-68f5-4214-bda4-4a9d8d7a71be} - c:\windows\system32\basesr.dll
BHO: c:\windows\system32\afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {6F4F95AF-1647-4B72-A632-055405455423} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [BigDog305] c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [Qyazaqoju] rundll32.exe "c:\windows\efiticabaqey.dll",e
mRun: [CPMfb1c2f7b] Rundll32.exe "c:\windows\system32\binuvete.dll",a
mRun: [prnet] "c:\windows\system32\prnet.tmp"
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\s5rroo1.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\s5rroo1.exe
dRun: [Diagnostic Manager] c:\windows\temp\1997853640.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\documents and settings\clement\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\clement\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://myconnection.wellpoint.com/dana-cached/setup/JuniperSetupSP1.cab
Filter: text/html - {23f67bf3-1c9e-42a4-b9e9-220bd47f0dfe} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: __c00f259 - c:\windows\system32\__c00F259.dat
AppInit_DLLs: c:\windows\system32\binuvete.dll c:\windows\system32\jadikure.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jadikure.dll
STS: {D7BF4552-94F1-42BD-F434-3604812C856D} - No File
STS: c:\windows\system32\afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\binuvete.dll
SEH: {73259091-9574-4ED8-A40F-7F65AFC28634} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
LSA: Notification Packages = scecli c:\windows\system32\nuvutoki.dll dbd30ne.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\clement\applic~1\mozilla\firefox\profiles\r6we99rm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: XUL Cache: {F8717C33-C445-4037-8446-50F2BAB42473} - c:\windows\system32\config\systemprofile\local settings\application data\{f8717c33-c445-4037-8446-50f2bab42473}\
FF - HiddenExtension: XUL Cache: {CD4E8289-B60D-4DD9-9BAB-96A7D5F1D9E1} - c:\documents and settings\clement\local settings\application data\{CD4E8289-B60D-4DD9-9BAB-96A7D5F1D9E1}
FF - HiddenExtension: XUL Cache: {3070E4A2-FA12-4A8E-B6F0-1840FF81E50F} - c:\documents and settings\administrator\local settings\application data\{3070E4A2-FA12-4A8E-B6F0-1840FF81E50F}
FF - HiddenExtension: XUL Cache: {5806336F-AA5C-43E7-BFAB-712E1D5A0994} - c:\documents and settings\ilango\local settings\application data\{5806336f-aa5c-43e7-bfab-712e1d5a0994}\

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-7-8 40840]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-4-16 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-4-16 27656]
R0 yqzarsga;yqzarsga;c:\windows\system32\drivers\yqzarsga.sys [2004-8-10 23424]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-7-8 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-7-8 81288]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-7-8 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-7-8 1079176]
S2 csiscanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]
S2 eagbdiyceal;eagbdiyceal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);c:\windows\system32\drivers\usbVM305.sys [2007-11-29 392444]
S4 .norton2009reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-9-17 549159]
S4 eowicuqjedu;eowicuqjedu;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 hoecyo;hoecyo;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 kftusm;KftUsm;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 uafdy;UafdY;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

=============== Created Last 30 ================

2009-05-04 17:46 76 a------- c:\windows\system32\ikhcore.cfg
2009-05-04 00:04 15,000 a------- c:\windows\system32\afnoinkdsfe.dll
2009-04-30 20:01 692,259 a------- c:\windows\system32\prnet.tmp
2009-04-29 18:08 22,538 a------- c:\windows\system32\lmppcsetup.exe
2009-04-28 19:51 50,524 a------- c:\windows\system32\998.exe
2009-04-28 17:46 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 17:46 24,064 a--sh--- c:\documents and settings\clement\protect.dll
2009-04-27 19:00 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:36 29,696 a------- c:\windows\system32\loader49.exe
2009-04-26 19:43 <DIR> --d----- c:\program files\FreeCommander
2009-04-23 17:47 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-20 17:46 97,792 a------- c:\windows\system32\atmpvc.dll
2009-04-20 17:45 125,440 a------- c:\windows\system32\__c00EC1F8.exe
2009-04-20 17:44 <DIR> --d----- c:\windows\system32\219198
2009-04-20 01:13 97,792 a------- c:\windows\system32\bthser.dll
2009-04-20 01:13 125,440 a------- c:\windows\system32\__c00A1359.exe
2009-04-19 20:49 45,568 a------- c:\windows\system32\~.exe
2009-04-19 19:34 14,848 a------- c:\windows\system32\dll32.exe
2009-04-19 19:34 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-19 19:34 11,776 ----h--- c:\windows\pp06.exe
2009-04-19 19:33 2 ----h--- c:\windows\t55ft2829f44.dat
2009-04-19 19:33 16,384 ----h--- c:\windows\ld08.exe
2009-04-16 21:51 2,203 a------- C:\xcrashdump.dat
2009-04-16 20:45 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-04-16 20:45 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-04-16 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-04-16 18:03 46 a------- c:\windows\system32\p2hhr.bat
2009-04-16 18:02 15,000 a------- c:\windows\system32\jh9fgo4ksdgf.dll
2009-04-16 18:02 17,920 a------- c:\windows\system32\ak1.exe
2009-04-13 21:33 1,404,795 ---sh--- c:\windows\system32\ipututef.ini2
2009-04-13 21:33 1,404,782 ---sh--- c:\windows\system32\ipututef.tmp
2009-04-13 21:32 172,032 a------- c:\windows\system32\igfxres.dll
2009-04-13 21:24 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-04-13 21:24 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-04-13 21:24 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
2009-04-13 21:24 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
2009-04-13 21:24 65,536 ac------ c:\windows\system32\dllcache\winime.ime
2009-04-13 21:24 79,360 ac------ c:\windows\system32\dllcache\winar30.ime
2009-04-13 21:24 69,120 ac------ c:\windows\system32\dllcache\wingb.ime
2009-04-13 21:24 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-04-13 21:24 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-04-13 21:22 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-13 21:21 10,129,408 ac------ c:\windows\system32\dllcache\hwxkor.dll
2009-04-13 21:20 189,986 ac------ c:\windows\system32\dllcache\c_1361.nls
2009-04-13 21:17 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-04-13 21:17 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-04-13 21:17 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-13 21:17 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-04-13 21:17 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-04-13 21:16 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-04-13 21:16 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-04-13 21:16 214,528 ac------ c:\windows\system32\dllcache\icwconn1.exe
2009-04-13 21:16 86,016 ac------ c:\windows\system32\dllcache\icwconn2.exe
2009-04-13 21:16 20,480 ac------ c:\windows\system32\dllcache\inetwiz.exe
2009-04-13 20:55 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-04-13 20:55 13,312 a------- c:\windows\system32\irclass.dll
2009-04-13 20:55 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-04-13 20:55 24,661 a------- c:\windows\system32\spxcoins.dll
2009-04-13 17:44 44,544 a------- c:\windows\system32\Winset20.exe
2009-04-13 17:31 33,792 a------- c:\docume~1\clement\applic~1\tfdizqzo.dll
2009-04-13 17:30 101,486 a------- c:\windows\system32\drivers\f142d4a3.sys
2009-04-13 17:30 1,404,782 ---sh--- c:\windows\system32\ipututef.ini
2009-04-13 16:25 <DIR> --d----- c:\windows\dell
2009-04-12 21:42 84,045 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-12 21:29 33,792 a------- c:\program files\common files\amoigwya.dll
2009-04-12 21:29 100,078 a------- c:\windows\system32\drivers\275e0031.sys
2009-04-12 21:12 33,792 a------- c:\windows\fjvoklho.dll
2009-04-12 21:12 100,078 a------- c:\windows\system32\drivers\6fe21f85.sys
2009-04-12 21:12 2 a------- C:\-131130296
2009-04-12 12:48 155 a------- c:\windows\system32\SelfDel.bat
2009-04-12 12:42 97,792 a------- c:\windows\system32\avmete.dll
2009-04-12 12:35 97,792 a------- c:\windows\system32\bitsprxc.dll
2009-04-12 12:35 33,792 a------- c:\windows\gufkpi.dll
2009-04-12 12:33 85,358 a------- c:\windows\system32\drivers\6c5e6173.sys
2009-04-12 12:33 1,403,888 a--sh--- c:\windows\system32\ajetugab.ini
2009-04-12 12:33 15,000 a------- c:\windows\system32\hsf73ikmdf3f.dll
2009-04-12 12:32 9,216 a------- c:\windows\instsp2.exe
2009-04-11 23:58 1,403,888 a--sh--- c:\windows\system32\asodelij.ini
2009-04-10 20:22 1,403,901 a--sh--- c:\windows\system32\idegukep.ini
2009-04-10 18:04 97,792 a------- c:\windows\system32\audiosr.dll
2009-04-10 17:53 97,792 a------- c:\windows\system32\bitsprx.dll
2009-04-10 12:53 97,792 a------- c:\windows\system32\avwa.dll
2009-04-10 12:41 97,792 a------- c:\windows\system32\CddbFileTaggerRoxi.dll
2009-04-10 12:30 97,792 a------- c:\windows\system32\CddbCleanRoxih.dll
2009-04-10 01:14 97,792 a------- c:\windows\system32\atmpvcn.dll
2009-04-10 00:14 97,792 a------- c:\windows\system32\basesr.dll
2009-04-09 19:24 97,792 a------- c:\windows\system32\CddbCleanRox.dll
2009-04-09 19:12 97,792 a------- c:\windows\system32\ATL7.dll
2009-04-09 19:03 97,792 a------- c:\windows\system32\azrole.dll
2009-04-09 18:59 97,792 a------- c:\windows\system32\avifil.dll
2009-04-09 18:59 125,440 a------- c:\windows\system32\__c002C5CD.exe
2009-04-09 18:49 97,792 a------- c:\windows\system32\CddbCleanRoxi.dll
2009-04-09 18:11 27,648 a------- c:\windows\system32\__c00F259.dat
2009-04-08 17:43 0 a------- c:\windows\Wguwepacupo.bin
2009-04-08 17:43 408 a------- c:\windows\Xpulefova.dat
2009-04-06 17:45 15,000 a------- c:\windows\system32\sdfadccddkn93.dll
2009-04-06 17:44 <DIR> --d----- c:\program files\Microsoft Common

==================== Find3M ====================

2009-04-30 19:54 862,636 a------- c:\windows\system32\rn.tmp
2009-04-14 18:13 69,632 a--sh--- c:\windows\system32\sotugulu.dll
2009-04-14 18:12 108,544 a--sh--- c:\windows\system32\binuvete.dll
2009-04-14 18:12 101,888 a--sh--- c:\windows\system32\vuhugeya.dll
2009-04-13 21:15 23,444 a------- c:\windows\system32\emptyregdb.dat
2009-04-13 17:30 107,520 a--sh--- c:\windows\system32\jadikure.dll
2009-04-13 17:30 64,000 a--sh--- c:\windows\system32\wuholove.exe
2009-04-12 12:32 101,888 a--sh--- c:\windows\system32\baguteja.dll
2009-04-12 12:32 108,544 a--sh--- c:\windows\system32\zagubura.dll
2009-04-12 12:32 64,000 a--sh--- c:\windows\system32\jijivafo.exe
2009-04-11 23:57 109,568 a--sh--- c:\windows\system32\rilalelu.dll
2009-04-11 23:57 62,976 a--sh--- c:\windows\system32\hidumule.exe
2009-04-11 11:58 109,568 a--sh--- c:\windows\system32\guhiziho.dll.vir
2009-04-11 11:58 62,464 a--sh--- c:\windows\system32\mobahibe.exe
2009-04-10 20:22 71,680 a--sh--- c:\windows\system32\vahuwodi.dll
2009-04-10 20:22 63,488 a--sh--- c:\windows\system32\nazehogi.exe
2009-04-10 20:22 110,080 a--sh--- c:\windows\system32\tevupiru.dll
2009-04-01 17:26 50,688 a------- c:\windows\system32\mcenspc.dll
2009-03-30 17:53 61,440 a--sh--- c:\windows\system32\wasubezu.exe
2009-03-29 21:47 89,088 a--sh--- c:\windows\system32\gavomiwi.dll
2009-03-29 21:47 61,440 a--sh--- c:\windows\system32\zagomeri.exe
2009-03-29 21:47 81,408 a------- c:\windows\system32\nogayeda.dll
2009-03-29 09:46 89,088 a--sh--- c:\windows\system32\relifaga.dll
2009-03-29 09:46 80,896 a------- c:\windows\system32\vatotosa.dll
2009-03-29 09:46 61,440 a--sh--- c:\windows\system32\nasiliyu.exe
2009-03-28 21:46 89,088 a--sh--- c:\windows\system32\pibosiju.dll
2009-03-28 21:46 81,408 a------- c:\windows\system32\mulanaha.dll
2009-03-28 21:46 61,440 a--sh--- c:\windows\system32\tuwegego.exe
2009-03-28 09:46 89,088 a--sh--- c:\windows\system32\hokegemu.dll
2009-03-28 09:46 61,440 a--sh--- c:\windows\system32\husugudi.exe
2009-03-27 21:07 89,088 a--sh--- c:\windows\system32\konazuki.dll
2009-03-27 21:07 81,408 a------- c:\windows\system32\begajetu.dll
2009-03-27 21:07 61,440 a--sh--- c:\windows\system32\kojofaba.exe
2009-03-07 03:28 23,043 a------- c:\windows\system32\scrrjn.dat
2009-03-07 03:28 23,043 a------- c:\windows\system32\msvbvm5j.dat
2009-03-07 03:28 23,043 a------- c:\windows\system32\MFC71JSP.dat
2009-03-06 19:24 130,544 a------- c:\windows\system32\pndx5b16.dat
2008-11-30 16:17 50,592 a------- c:\docume~1\clement\applic~1\GDIPFONTCACHEV1.DAT
2008-09-17 09:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2007-12-02 00:01 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-11-27 23:30 60,968 a------- c:\documents and settings\clement\GoToAssistDownloadHelper.exe
2009-01-02 19:55 679,958 a--sh--- c:\windows\system32\adKUwyxx.ini2
2008-12-21 01:18 878,673 a--sh--- c:\windows\system32\Cbbaycfe.ini2
2009-01-14 18:13 69,632 a--sh--- c:\windows\system32\hulujige.dll
2009-01-10 20:22 71,680 a--sh--- c:\windows\system32\meseleru.dll.vir
2008-11-23 01:38 921,839 a--sh--- c:\windows\system32\mUvwDfhk.ini2
2008-11-24 23:12 899,333 a--sh--- c:\windows\system32\sBJRYcfe.ini2
2009-01-14 18:13 69,632 a--sh--- c:\windows\system32\yolufeta.dll

============= FINISH: 18:24:16.48 ===============

Attached Files
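The DDS log above carries several indicators that are worth pulling out mechanically before anything is removed: the browser proxy pointed at localhost:7171 (the likely cause of the redirects), rundll32 autoruns loading DLLs from the user profile, the AppInit_DLLs entry, the svchost-hosted services with random names, the extra LSA notification package, and the run of hidden+system 8-letter DLLs in system32. The script below is an added example written for this thread; it is not part of the original post and not code from DDS, HijackThis or Spyware Doctor. The rule names, their severity tiers and the explanations are this example's own assumptions, and it goes slightly beyond the thread by also accepting HijackThis O1/O4 lines; every sample line, however, is copied verbatim from the logs posted in this thread.

```python
"""Rule-based triage of DDS / HijackThis log lines.

Added example for this thread; not code from DDS, HijackThis or BleepingComputer.
The rules, their severities and the explanations are assumptions of this example.
The sample lines are copied verbatim from the logs posted in the thread.
"""
import re

# (rule name, pattern, severity, why a defender cares)
RULES = [
    ("local-proxy",
     re.compile(r"(?:ProxyServer\s*=\s*http=|network\.proxy\.http\s*-\s*)(?:localhost|127\.0\.0\.1)", re.I),
     "high", "browser proxy points at a local port, so a resident process sees and can rewrite every web request"),
    ("hosts-redirect",
     re.compile(r"O1 - Hosts:\s+(?!127\.)(\d{1,3}(?:\.\d{1,3}){3})\s+\S+", re.I),
     "high", "hosts file maps a name to a non-loopback address"),
    ("appinit-dlls",
     re.compile(r"^AppInit_DLLs:\s*\S", re.I),
     "high", "AppInit_DLLs are loaded into every process that links user32.dll"),
    ("lsa-notify-extra",
     re.compile(r"Notification Packages\s*=.*\.dll", re.I),
     "high", "an extra LSA notification package DLL runs inside lsass and sees password changes"),
    ("temp-autorun",
     re.compile(r"Run(?:Once)?:\s*\[.*?\]\s*\"?(?:c:\\windows\\temp\\|.*\.tmp\"?$)", re.I),
     "high", "autorun entry executes from the Temp folder or a .tmp file"),
    ("rundll32-autorun",
     re.compile(r"rundll32\.exe\s+\"?([^\",]+\.dll)\"?,(\S+)", re.I),
     "medium", "rundll32 autorun: confirm the DLL's publisher; an unsigned DLL with a one-letter export is a classic loader"),
    ("svchost-netsvcs-service",
     re.compile(r"^[RS]\d\s+(\w+);[^;]*;c:\\windows\\system32\\svchost\.exe -k netsvcs", re.I),
     "medium", "svchost-hosted service with an unfamiliar name; its real code is the ServiceDll value in the registry"),
    ("hidden-system32-binary",
     re.compile(r"\s[a-]--sh---\s+c:\\windows\\system32\\[a-z0-9]+\.(?:dll|exe)$", re.I),
     "medium", "hidden+system attribute DLL/EXE in system32, the naming pattern repeated through the Find3M section"),
]

# Constructed sample: lines copied from the DDS and HijackThis logs in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Qyazaqoju] rundll32.exe "c:\windows\efiticabaqey.dll",e
dRun: [<NO NAME>] c:\windows\temp\s5rroo1.exe
AppInit_DLLs: c:\windows\system32\binuvete.dll c:\windows\system32\jadikure.dll
LSA: Notification Packages = scecli c:\windows\system32\nuvutoki.dll dbd30ne.dll
S4 hoecyo;hoecyo;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-7-8 356920]
2009-04-14 18:12 108,544 a--sh--- c:\windows\system32\binuvete.dll
2009-04-13 21:15 23,444 a------- c:\windows\system32\emptyregdb.dat
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivguardian.com
""".strip().splitlines()


def triage(lines):
    """Match every line against every rule; return findings, high severity first."""
    rank = {"high": 0, "medium": 1}
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern, severity, why in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "severity": severity, "line": line, "why": why})
    findings.sort(key=lambda f: rank[f["severity"]])  # stable sort keeps log order within a tier
    return findings


def summarize(findings):
    """Count findings per severity tier."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['line']}\n         -> {f['why']}")
    print(summarize(triage(SAMPLE_LOG)))
```

A hit means "look closer", not "malicious": the pctsTray.exe and sdAuxService lines from the same log pass untouched, while the localhost proxy, the Temp-folder autoruns and the AppInit/LSA entries surface first. The svchost rule deliberately flags any netsvcs service it does not recognize, because the log line only shows the host process; the DLL actually loaded has to be read from the service's ServiceDll registry value.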





#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:54 AM

Posted 05 May 2009 - 12:06 PM

Hello mercyman,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mercyman

mercyman
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 06 May 2009 - 06:09 PM

Hi Mike !

Please find the Security Check scan results below

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Spyware Doctor 6.0
HijackThis 2.0.2
Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 7
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 122 seconds.
`````````End of Log```````````

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:54 AM

Posted 06 May 2009 - 09:42 PM

Hi mercyman,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 11
    Java™ 6 Update 3
    Java™ 6 Update 7
    6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus!

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no Antivirus is present, which should be able to deal with most of it and prevent further reinfection.

Edited by SifuMike, 06 May 2009 - 09:43 PM.


#5 mercyman

mercyman
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 07 May 2009 - 09:56 PM

Hi !!

Thanks for your guidelines; it looks like the basesr.dll file was removed.

As per your instructions, I removed the old version of Java and installed the latest version. I also installed Avira Antivirus and did a complete scan. Please find the attached scan report. I am attaching the scan report because its length exceeds the length allowed for posting.

I ran HijackThis again; please find the HijackThis log details below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:19 PM, on 5/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071121
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com
O2 - BHO: (no name) - {43B23159-68F5-4214-BDA4-4A9D8D7A71BE} - C:\WINDOWS\system32\basesr.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Qyazaqoju] rundll32.exe "C:\WINDOWS\efiticabaqey.dll",e
O4 - HKLM\..\Run: [CPMfb1c2f7b] Rundll32.exe "c:\windows\system32\jadikure.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Clement\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\s5rroo1.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\s5rroo1.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1997853640.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://myconnection.wellpoint.com/dana-cac...perSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {23f67bf3-1c9e-42a4-b9e9-220bd47f0dfe} - C:\WINDOWS\system32\msiebbar.dll
O20 - AppInit_DLLs: c:\windows\system32\binuvete.dll c:\windows\system32\jadikure.dll
O20 - Winlogon Notify: __c00f259 - C:\WINDOWS\system32\__c00F259.dat (file missing)
O22 - SharedTaskScheduler: sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - (no file)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: CSIScanner (csiscanner) - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9808 bytes


Waiting for your further instructions

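As an added example for this thread (not a tool used in the thread or published by BleepingComputer), a short Python triage over HijackThis-style lines like the ones in the log above: it flags the hosts-file redirect, the proxy setting pointing at a local listener, nameless BHOs, autostarts that load code from temp or profile directories, and AppInit_DLLs, and it reports files registered under more than one load point. The sample lines are a constructed subset of the posted log.

```python
"""Triage of HijackThis-style log lines for the hijack patterns in the log above. Added
example for this thread (not a tool from the thread or BleepingComputer); SAMPLE_LOG is a
constructed subset of the posted lines."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")  # the "O4 - ..." / "R1 - ..." prefix
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|dat|tmp|sys)\b", re.I)  # path, spaces allowed
LOOPBACK = {"127.0.0.1", "::1"}
# Places a legitimate autostart entry should rarely load code from.
UNTRUSTED_DIRS = ("\\windows\\temp\\", "\\docume~1\\", "\\documents and settings\\")

@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str

def _proxy(body):
    # R1 ProxyServer aimed at the machine itself: a local listener sits in the browser's path.
    m = re.search(r"ProxyServer\s*=\s*(?:\w+=)?([^:\s;]+)", body)
    if m and m.group(1).lower() in {"localhost", "127.0.0.1"}:
        return "browser proxy points at a local listener (traffic interception)"
    return None

def _hosts(body):
    # O1 - Hosts: <address> <name>; only loopback -> localhost pairs are normal.
    parts = body.split(":", 1)[1].split()
    if len(parts) < 2 or (parts[0] in LOOPBACK and parts[1].lower() == "localhost"):
        return None
    return "hosts file redirects %s to %s" % (parts[1], parts[0])

def _bho(body):
    # O2 - BHO: <name> - {CLSID} - <path>; malware often has no name or reuses its path as one.
    fields = [f.strip() for f in body.split(" - ")]
    name = fields[0].split(":", 1)[1].strip()
    if name == "(no name)" or name.lower() == fields[-1].lower():
        return "BHO without a proper display name"
    return None

def _autostart(body):
    # O4 Run keys: empty value names, temp/profile paths, rundll32 loading stray DLLs.
    low = body.lower()
    if "[]" in low:
        return "autostart value with an empty name"
    if any(d in low for d in UNTRUSTED_DIRS):
        return "autostart loads code from a temp or user-profile directory"
    if "rundll32" in low and "\\program files\\" not in low and "\\system32\\" not in low:
        return "rundll32 loads a DLL from outside Program Files/system32"
    return None

def _appinit(body):
    # O20 AppInit_DLLs are loaded into every process that maps user32.dll.
    if body.lower().startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs injects DLLs into every GUI process"
    return None

CHECKS = {"R1": _proxy, "O1": _hosts, "O2": _bho, "O4": _autostart, "O20": _appinit}

def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if "(file missing)" in body or "(no file)" in body:
        return Finding(section, "registered component whose file is gone", line)
    check = CHECKS.get(section)
    reason = check(body) if check else None
    return Finding(section, reason, line) if reason else None

def triage(lines):
    return [f for f in map(triage_line, lines) if f]

def cross_references(lines):
    """Files registered under more than one load point (BHO + SharedTaskScheduler, Run +
    AppInit_DLLs): re-registration stands out even when each line looks ordinary alone."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            for path in PATH_RE.findall(line):
                seen.setdefault(path.lower(), set()).add(m.group(1))
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivguardian.com
O2 - BHO: (no name) - {43B23159-68F5-4214-BDA4-4A9D8D7A71BE} - C:\WINDOWS\system32\basesr.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Qyazaqoju] rundll32.exe "C:\WINDOWS\efiticabaqey.dll",e
O4 - HKLM\..\Run: [CPMfb1c2f7b] Rundll32.exe "c:\windows\system32\jadikure.dll",a
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Clement\protect.dll,_IWMPEvents@16
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\s5rroo1.exe (User 'Default user')
O20 - AppInit_DLLs: c:\windows\system32\binuvete.dll c:\windows\system32\jadikure.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
""".strip().splitlines()
```

Note that the per-line rules deliberately let the CPMfb1c2f7b entry through (a DLL in system32 is not suspicious by location alone); it is the cross-reference with the O20 AppInit_DLLs line that exposes jadikure.dll.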

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 May 2009 - 10:13 PM

Hi mercyman.

You had a ton of trojans in your computer. That's what happens if you don't have an antivirus program running.

We will restore the default hosts file back onto your machine.

Download the HostsXpert 3.7 Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program


Since you are still infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira Antivir Antivirus and Spyware Doctor before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:  
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 mercyman

mercyman
  • Topic Starter

  • Members
  • 27 posts

Posted 09 May 2009 - 09:07 AM

Hi !!

Downloaded the HostsXpert and did the following

Unzipped and opened the application.

Enabled the Uppermost left button to "Make Writeable", then tried to select the Backup/Restore button, but it is not highlighted/selected. Then selected the "Restore MS Hosts File" button and tried to restore the files but it shows the following error.

ERROR: Cannot create File C:\Windows\system32\DRIVERS\ETC\hosts.

Checked inside the above path and found a file with the name "hosts".

Please let me know whether the above process is OK and anything has to be done.

Will run the ComboFix after receiving instructions from you.

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 May 2009 - 09:24 AM

Hi,

You are getting that message because you have your hosts file locked.

Disable Spyware Doctor and try it again.
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

If you still can't get HostsXpert to run, then run ComboFix.

Edited by SifuMike, 09 May 2009 - 09:25 AM.


#9 mercyman

mercyman
  • Topic Starter

  • Members
  • 27 posts

Posted 10 May 2009 - 05:35 PM

Hi

I am still having problems with HostsXpert, so I ran ComboFix; please find the log details below. While running ComboFix it showed that Prevx 3.0 is enabled. I once installed Prevx 3.0 and uninstalled it, so I am not sure where it is running from, and I ran ComboFix ignoring the message.

ComboFix 09-05-08.03 - Clement 05/09/2009 14:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1498 [GMT -4:00]
Running from: c:\documents and settings\Clement\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: Prevx 3.0 *On-access scanning enabled* (Updated)
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\combofix\NULL
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\Clement\Application Data\gadcom
c:\documents and settings\Clement\Application Data\rhcn5ej0ev3t
c:\documents and settings\Clement\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Clement\protect.dll
c:\documents and settings\Clement\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\program files\Common\helper.sig
c:\program files\Microsoft Common
c:\windows\9g234sdff3d23dfgjf23
c:\windows\dbd30ne.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\998.exe
c:\windows\system32\adeyagon.ini
c:\windows\system32\adKUwyxx.ini
c:\windows\system32\adKUwyxx.ini2
c:\windows\system32\afjwvrnl.ini
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ahanalum.ini
c:\windows\system32\ajebigol.ini
c:\windows\system32\ajetugab.ini
c:\windows\system32\asodelij.ini
c:\windows\system32\asototav.ini
c:\windows\system32\autochk.dll
c:\windows\system32\Cbbaycfe.ini
c:\windows\system32\Cbbaycfe.ini2
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthkyfvaenbmpevathswwpuavhxidqnerft.sys
c:\windows\system32\gmkkbkud.ini
c:\windows\system32\idegukep.ini
c:\windows\system32\ipututef.ini
c:\windows\system32\ipututef.ini2
c:\windows\system32\ipututef.tmp
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\lplwtwqj.ini
c:\windows\system32\mUvwDfhk.ini
c:\windows\system32\mUvwDfhk.ini2
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\ovfsthceoughqrpolqyyqnoyjjmtdrfcvgtbog.dll
c:\windows\system32\ovfsthftiwphcqlqqmwpcjdmljjaretvhppndh.dat
c:\windows\system32\ovfsthqxxwirmyctxwvqfnhlbawlcidwiviavd.dll
c:\windows\system32\ovfsthwbtltpnlklmpwcxofqbubxmegdlktxid.dat
c:\windows\system32\ovfsthwpgbwylllxeduxrsfymepiayurumdwsw.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\pxabgsxp.ini
c:\windows\system32\qrwsqefs.ini
c:\windows\system32\sBJRYcfe.ini
c:\windows\system32\sBJRYcfe.ini2
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\uhagayok.ini
c:\windows\system32\utejageb.ini
c:\windows\system32\x64
c:\windows\t55ft2809f44.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthulqjesmkkbsbfoofrrngwlewonmpjxjo
-------\Legacy_fci
-------\Legacy_PACKET
-------\Legacy_sfc
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-09 19:00 . 2009-05-09 19:00 51545 ----a-w C:\ComboFix_error.dat
2009-05-09 18:35 . 2009-05-09 18:35 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-07 23:44 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-07 23:44 . 2009-05-07 23:44 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-07 23:44 . 2009-05-07 23:44 -------- d-----w c:\program files\Avira
2009-05-07 23:35 . 2009-05-07 23:35 -------- d-----w c:\program files\Java
2009-05-05 02:33 . 2009-05-05 02:33 2 ---h--w c:\windows\t55ft2692f44.dat
2009-05-05 02:33 . 2009-05-08 01:09 -------- d-----w c:\windows\system32\796525
2009-05-01 00:01 . 2009-05-01 00:01 -------- d-sh--w c:\documents and settings\Clement\Local Settings\Application Data\.#
2009-04-27 23:00 . 2009-04-27 23:00 -------- d-----w c:\program files\Trend Micro
2009-04-26 23:43 . 2009-04-26 23:43 -------- d-----w c:\program files\FreeCommander
2009-04-20 21:44 . 2009-04-29 03:28 -------- d-----w c:\windows\system32\219198
2009-04-19 23:33 . 2009-04-19 23:33 2 ---h--w c:\windows\t55ft2829f44.dat
2009-04-17 00:45 . 2009-04-17 00:45 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-04-17 00:45 . 2009-04-17 00:45 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-04-17 00:45 . 2009-04-17 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-16 23:46 . 2009-04-16 23:46 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-16 03:14 . 2009-04-16 03:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{3070E4A2-FA12-4A8E-B6F0-1840FF81E50F}
2009-04-14 01:32 . 2007-06-06 21:30 172032 ----a-w c:\windows\system32\igfxres.dll
2009-04-14 01:24 . 2004-08-04 10:00 31232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
2009-04-14 01:24 . 2004-08-04 10:00 41600 -c--a-w c:\windows\system32\dllcache\weitekp9.dll
2009-04-14 01:22 . 2001-08-18 02:36 38912 -c--a-w c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-14 01:21 . 2004-08-04 10:00 10129408 -c--a-w c:\windows\system32\dllcache\hwxkor.dll
2009-04-14 01:20 . 2004-08-04 10:00 331264 -c--a-w c:\windows\system32\dllcache\aqueue.dll
2009-04-14 01:16 . 2004-08-04 10:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-04-14 01:16 . 2004-08-04 10:00 32768 -c--a-w c:\windows\system32\dllcache\icwdl.dll
2009-04-14 01:16 . 2004-08-04 10:00 20480 -c--a-w c:\windows\system32\dllcache\inetwiz.exe
2009-04-14 01:16 . 2004-08-04 10:00 86016 -c--a-w c:\windows\system32\dllcache\icwconn2.exe
2009-04-14 01:16 . 2004-08-04 10:00 214528 -c--a-w c:\windows\system32\dllcache\icwconn1.exe
2009-04-14 00:55 . 2004-08-04 10:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-04-14 00:55 . 2004-08-04 10:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-04-14 00:55 . 2004-08-04 10:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-04-14 00:55 . 2004-08-04 10:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-04-14 00:53 . 2009-04-14 00:53 -------- d-s---w c:\windows\system32\config\systemprofile\History
2009-04-13 21:30 . 2009-05-09 19:09 101486 ----a-w c:\windows\system32\drivers\f142d4a3.sys
2009-04-13 20:25 . 2009-04-13 20:25 -------- d-----w c:\windows\dell
2009-04-13 01:29 . 2009-05-09 19:09 100078 ----a-w c:\windows\system32\drivers\275e0031.sys
2009-04-13 01:12 . 2009-05-09 19:09 100078 ----a-w c:\windows\system32\drivers\6fe21f85.sys
2009-04-12 16:48 . 2009-04-23 22:02 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-12 16:33 . 2009-05-09 19:09 85358 ----a-w c:\windows\system32\drivers\6c5e6173.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-09 18:55 . 2008-08-18 22:51 -------- d-----w c:\program files\Common
2009-05-09 04:00 . 2009-04-08 21:43 0 ----a-w c:\windows\Wguwepacupo.bin
2009-05-07 23:35 . 2008-12-19 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-05 02:37 . 2008-07-08 04:32 -------- d-----w c:\program files\Spyware Doctor
2009-04-17 01:52 . 2007-12-02 19:13 -------- d-----w c:\program files\Symantec
2009-04-17 01:52 . 2007-12-02 19:11 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-16 04:43 . 2009-04-08 21:43 408 ----a-w c:\windows\Xpulefova.dat
2009-04-14 01:39 . 2007-11-27 18:48 50592 ----a-w c:\documents and settings\Clement\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 01:18 . 2004-08-10 18:50 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-14 01:15 . 2004-08-10 19:02 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-30 02:11 . 2007-11-28 13:07 -------- d-----w c:\program files\Yahoo!
2009-03-23 03:13 . 2009-03-23 03:13 921 ----a-w c:\windows\QSFVExit.bat
2009-03-18 22:10 . 2007-11-28 05:08 -------- d-----w c:\program files\DivX
2009-03-18 22:10 . 2009-03-18 22:10 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-07 07:28 . 2008-11-25 00:19 23043 ----a-w c:\windows\system32\scrrjn.dat
2009-03-07 07:28 . 2008-11-25 00:19 23043 ----a-w c:\windows\system32\msvbvm5j.dat
2009-03-07 07:28 . 2008-11-25 00:19 23043 ----a-w c:\windows\system32\MFC71JSP.dat
2009-03-06 23:24 . 2008-11-25 00:19 130544 ----a-w c:\windows\system32\pndx5b16.dat
2009-02-28 15:31 . 2009-02-28 15:31 126200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-09-17 13:16 . 2008-09-17 13:16 549159 --sha-r c:\program files\Norton2009Reset.exe
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-31 23:15 . 2008-02-27 01:37 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-31 23:15 . 2008-02-27 01:37 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-31 23:15 . 2008-02-27 01:37 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-31 23:15 . 2008-02-27 01:37 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-31 23:15 . 2008-02-27 01:37 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-09-30 1168264]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-07 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-11-21 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-21 50688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ??`

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hoecyo"=2 (0x2)
".norton2009reset"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsSvc.exe"=
"c:\\Clement\\Games\\Age of Empires 2\\A_of_E_2[1]\\A of E 2\\A of E 2\\AOE\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\mdm.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\VM305_STI.EXE"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [4/16/2009 8:45 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [4/16/2009 8:45 PM 27656]
R0 yqzarsga;yqzarsga;c:\windows\system32\drivers\yqzarsga.sys [8/10/2004 2:51 PM 23424]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/7/2009 7:44 PM 108289]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/8/2008 12:32 AM 356920]
S2 csiscanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S2 eagbdiyceal;eagbdiyceal;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);c:\windows\system32\drivers\usbVM305.sys [11/29/2007 9:19 PM 392444]
S4 .norton2009reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [9/17/2008 9:16 AM 549159]
S4 eowicuqjedu;eowicuqjedu;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S4 hoecyo;hoecyo;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S4 kftusm;KftUsm;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S4 uafdy;UafdY;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchinjdrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0608da52-2f34-11dd-98e6-001d6018efd0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06b316b0-e3fb-11dc-9804-001d6018efd0}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{095281ec-7942-11dd-99cf-001d6018efd0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d1ab95a-26c0-11dd-98cb-001d6018efd0}]
\shell\autorun\command - e:\wd_windows_tools\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{43B23159-68F5-4214-BDA4-4A9D8D7A71BE} - c:\windows\system32\basesr.dll
BHO-{c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
WebBrowser-{6F4F95AF-1647-4B72-A632-055405455423} - (no file)
ShellIconOverlayIdentifiers-{D17B8ADB-8A45-1DD1-A68D-5E93388DF45F} - c:\windows\system32\dsouzd3d.dIl
HKCU-Run-prnet - c:\windows\system32\prnet.tmp
HKLM-Run-CPMfb1c2f7b - c:\windows\system32\jadikure.dll
HKLM-Run-Qyazaqoju - c:\windows\efiticabaqey.dll
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\s5rroo1.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\1997853640.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
SharedTaskScheduler-{D7BF4552-94F1-42BD-F434-3604812C856D} - (no file)
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
ShellExecuteHooks-{73259091-9574-4ED8-A40F-7F65AFC28634} - (no file)
Notify-__c00f259 - c:\windows\system32\__c00F259.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Clement\Application Data\Mozilla\Firefox\Profiles\r6we99rm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 15:09
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\275e0031]
"ImagePath"="\SystemRoot\System32\drivers\275e0031.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6c5e6173]
"ImagePath"="\SystemRoot\System32\drivers\6c5e6173.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6fe21f85]
"ImagePath"="\SystemRoot\System32\drivers\6fe21f85.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f142d4a3]
"ImagePath"="\SystemRoot\System32\drivers\f142d4a3.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2132)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-05-09 15:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 19:12

Pre-Run: 25,083,101,184 bytes free
Post-Run: 30,720,634,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

324 --- E O F --- 2009-03-15 22:03

Waiting for further instructions...

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 May 2009 - 05:49 PM

Hi,

You need to do this ASAP:

ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4


Let me know when you have uploaded the file.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 mercyman (Topic Starter)

Posted 11 May 2009 - 12:23 PM

Hi Mike!

I have submitted the Combofix_error.dat file to the link you have provided.

Waiting for further instructions.

#12 SifuMike (malware expert)

Posted 11 May 2009 - 12:34 PM

Hi mercyman,

You need to disable your Avira Antivir Antivirus, Prevx 3 antivirus and Spyware Doctor before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You successfully disabled the AntiVir Guard.


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL::
File:: 
c:\windows\t55ft2692f44.dat
c:\windows\system32\drivers\f142d4a3.sys
c:\windows\system32\drivers\275e0031.sys
c:\windows\system32\drivers\6fe21f85.sys
c:\windows\system32\drivers\6c5e6173.sys
c:\windows\system32\drivers\yqzarsga.sys

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\275e0031]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6c5e6173]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6fe21f85]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f142d4a3]
"ImagePath"=-

Driver:: 
yqzarsga
eowicuqjedu
hoecyo
kftusm
uafdy


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Edited by SifuMike, 11 May 2009 - 02:08 PM.
modified script


#13 mercyman (Topic Starter)

Posted 11 May 2009 - 01:26 PM

Hi

I can disable Avira and Spyware Doctor, but I am not sure how to disable Prevx 3.0. Last time, while running ComboFix, Prevx was active; I am not sure how to disable it, as I have already removed it from my system. I don't know what Prevx files are left over in the system.

Will it create any problem if I run ComboFix with Prevx enabled? If so, please let me know which Prevx files need to be removed to disable it.

Thanks again
mercyman

#14 SifuMike (malware expert)

Posted 11 May 2009 - 02:10 PM

I modified the script slightly, so just run it after disabling Avira and Spyware Doctor.

#15 mercyman (Topic Starter)

Posted 12 May 2009 - 08:33 PM

Hi,

Ran the CFScript.txt as per your instructions. Please find the log details.

ComboFix 09-05-08.03 - Clement 05/12/2009 21:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1561 [GMT -4:00]
Running from: c:\documents and settings\Clement\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Clement\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: Prevx 3.0 *On-access scanning enabled* (Updated)

FILE ::
c:\windows\system32\drivers\275e0031.sys
c:\windows\system32\drivers\6c5e6173.sys
c:\windows\system32\drivers\6fe21f85.sys
c:\windows\system32\drivers\f142d4a3.sys
c:\windows\system32\drivers\yqzarsga.sys
c:\windows\t55ft2692f44.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sysguard.exe
c:\windows\system32\drivers\275e0031.sys
c:\windows\system32\drivers\6c5e6173.sys
c:\windows\system32\drivers\6fe21f85.sys
c:\windows\system32\drivers\f142d4a3.sys
c:\windows\system32\drivers\yqzarsga.sys
c:\windows\system32\prnet.tmp
c:\windows\t55ft2692f44.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_eowicuqjedu
-------\Legacy_hoecyo
-------\Legacy_kftusm
-------\Legacy_uafdy
-------\Legacy_YQZARSGA
-------\Service_275e0031
-------\Service_eowicuqjedu
-------\Service_f142d4a3275e0031
-------\Service_hoecyo
-------\Service_kftusm
-------\Service_uafdy
-------\Service_yqzarsga
-------\Service_6c5e6173
-------\Service_6fe21f85
-------\Service_f142d4a3


((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-09 18:35 . 2009-05-09 18:35 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-07 23:44 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-07 23:44 . 2009-05-07 23:44 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-07 23:44 . 2009-05-07 23:44 -------- d-----w c:\program files\Avira
2009-05-07 23:35 . 2009-05-07 23:35 -------- d-----w c:\program files\Java
2009-05-05 02:33 . 2009-05-08 01:09 -------- d-----w c:\windows\system32\796525
2009-05-01 00:01 . 2009-05-01 00:01 -------- d-sh--w c:\documents and settings\Clement\Local Settings\Application Data\.#
2009-04-27 23:00 . 2009-04-27 23:00 -------- d-----w c:\program files\Trend Micro
2009-04-26 23:43 . 2009-04-26 23:43 -------- d-----w c:\program files\FreeCommander
2009-04-20 21:44 . 2009-04-29 03:28 -------- d-----w c:\windows\system32\219198
2009-04-19 23:33 . 2009-04-19 23:33 2 ---h--w c:\windows\t55ft2829f44.dat
2009-04-17 00:45 . 2009-04-17 00:45 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-04-17 00:45 . 2009-04-17 00:45 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-04-17 00:45 . 2009-04-17 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-16 23:46 . 2009-04-16 23:46 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-16 03:14 . 2009-04-16 03:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{3070E4A2-FA12-4A8E-B6F0-1840FF81E50F}
2009-04-14 01:32 . 2007-06-06 21:30 172032 ----a-w c:\windows\system32\igfxres.dll
2009-04-14 01:24 . 2004-08-04 10:00 31232 -c--a-w c:\windows\system32\dllcache\weitekp9.sys
2009-04-14 01:24 . 2004-08-04 10:00 41600 -c--a-w c:\windows\system32\dllcache\weitekp9.dll
2009-04-14 01:22 . 2001-08-18 02:36 38912 -c--a-w c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-14 01:21 . 2004-08-04 10:00 10129408 -c--a-w c:\windows\system32\dllcache\hwxkor.dll
2009-04-14 01:20 . 2004-08-04 10:00 331264 -c--a-w c:\windows\system32\dllcache\aqueue.dll
2009-04-14 01:16 . 2004-08-04 10:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-04-14 01:16 . 2004-08-04 10:00 32768 -c--a-w c:\windows\system32\dllcache\icwdl.dll
2009-04-14 01:16 . 2004-08-04 10:00 20480 -c--a-w c:\windows\system32\dllcache\inetwiz.exe
2009-04-14 01:16 . 2004-08-04 10:00 86016 -c--a-w c:\windows\system32\dllcache\icwconn2.exe
2009-04-14 01:16 . 2004-08-04 10:00 214528 -c--a-w c:\windows\system32\dllcache\icwconn1.exe
2009-04-14 00:55 . 2004-08-04 10:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-04-14 00:55 . 2004-08-04 10:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-04-14 00:55 . 2004-08-04 10:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-04-14 00:55 . 2004-08-04 10:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-04-14 00:53 . 2009-04-14 00:53 -------- d-s---w c:\windows\system32\config\systemprofile\History
2009-04-13 20:25 . 2009-04-13 20:25 -------- d-----w c:\windows\dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 01:16 . 2004-08-10 18:51 23424 ----a-w c:\windows\system32\drivers\tgsscnuh.sys
2009-05-09 18:55 . 2008-08-18 22:51 -------- d-----w c:\program files\Common
2009-05-09 04:00 . 2009-04-08 21:43 0 ----a-w c:\windows\Wguwepacupo.bin
2009-05-07 23:35 . 2008-12-19 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-05 02:37 . 2008-07-08 04:32 -------- d-----w c:\program files\Spyware Doctor
2009-04-23 22:02 . 2009-04-12 16:48 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-17 01:52 . 2007-12-02 19:13 -------- d-----w c:\program files\Symantec
2009-04-17 01:52 . 2007-12-02 19:11 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-16 04:43 . 2009-04-08 21:43 408 ----a-w c:\windows\Xpulefova.dat
2009-04-14 01:39 . 2007-11-27 18:48 50592 ----a-w c:\documents and settings\Clement\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 01:18 . 2004-08-10 18:50 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-14 01:15 . 2004-08-10 19:02 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-30 02:11 . 2007-11-28 13:07 -------- d-----w c:\program files\Yahoo!
2009-03-23 03:13 . 2009-03-23 03:13 921 ----a-w c:\windows\QSFVExit.bat
2009-03-18 22:10 . 2007-11-28 05:08 -------- d-----w c:\program files\DivX
2009-03-18 22:10 . 2009-03-18 22:10 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-07 07:28 . 2008-11-25 00:19 23043 ----a-w c:\windows\system32\scrrjn.dat
2009-03-07 07:28 . 2008-11-25 00:19 23043 ----a-w c:\windows\system32\msvbvm5j.dat
2009-03-07 07:28 . 2008-11-25 00:19 23043 ----a-w c:\windows\system32\MFC71JSP.dat
2009-03-06 23:24 . 2008-11-25 00:19 130544 ----a-w c:\windows\system32\pndx5b16.dat
2009-02-28 15:31 . 2009-02-28 15:31 126200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-09-17 13:16 . 2008-09-17 13:16 549159 --sha-r c:\program files\Norton2009Reset.exe
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-31 23:15 . 2008-02-27 01:37 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-31 23:15 . 2008-02-27 01:37 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-31 23:15 . 2008-02-27 01:37 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-31 23:15 . 2008-02-27 01:37 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-31 23:15 . 2008-02-27 01:37 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-09_19.09.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-13 01:22 . 2009-05-13 01:22 16384 c:\windows\temp\Perflib_Perfdata_7a8.dat
+ 2004-08-10 18:51 . 2009-05-12 21:55 73376 c:\windows\system32\perfc009.dat
- 2004-08-10 18:51 . 2009-05-09 18:50 73376 c:\windows\system32\perfc009.dat
+ 2004-08-10 18:51 . 2009-05-12 21:55 445036 c:\windows\system32\perfh009.dat
- 2004-08-10 18:51 . 2009-05-09 18:50 445036 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"prnet"="c:\windows\system32\prnet.tmp" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-09-30 1168264]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-07 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-11-21 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-21 50688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ??`

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hoecyo"=2 (0x2)
".norton2009reset"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsSvc.exe"=
"c:\\Clement\\Games\\Age of Empires 2\\A_of_E_2[1]\\A of E 2\\A of E 2\\AOE\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\mdm.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\VM305_STI.EXE"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [4/16/2009 8:45 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [4/16/2009 8:45 PM 27656]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/7/2009 7:44 PM 108289]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/8/2008 12:32 AM 356920]
S2 csiscanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S2 eagbdiyceal;eagbdiyceal;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);c:\windows\system32\drivers\usbVM305.sys [11/29/2007 9:19 PM 392444]
S4 .norton2009reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [9/17/2008 9:16 AM 549159]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - YQZARSGA
*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0608da52-2f34-11dd-98e6-001d6018efd0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06b316b0-e3fb-11dc-9804-001d6018efd0}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{095281ec-7942-11dd-99cf-001d6018efd0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d1ab95a-26c0-11dd-98cb-001d6018efd0}]
\shell\autorun\command - e:\wd_windows_tools\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-prnet - c:\windows\system32\prnet.tmp


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Clement\Application Data\Mozilla\Firefox\Profiles\r6we99rm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 21:23
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2868)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-13 21:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 01:27
ComboFix2.txt 2009-05-09 19:12

Pre-Run: 26,962,239,488 bytes free
Post-Run: 27,276,435,456 bytes free

258 --- E O F --- 2009-03-15 22:03


Waiting for further instructions.
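Checking a log like the one above against the CFScript from post #12 is something the helper does by eye. As an added example (not part of this thread, ComboFix, or any poster's own code), the Python below parses both formats and reports which File:: and Driver:: requests the "Other Deletions" and "Drivers/Services" sections confirm, which are missing, and what ComboFix removed on its own; the embedded script and log are abridged, constructed copies of the ones posted here.

```python
import re

# Abridged copy of the CFScript from post #12 (constructed excerpt for this example).
CFSCRIPT = r"""KILLALL::
File::
c:\windows\t55ft2692f44.dat
c:\windows\system32\drivers\yqzarsga.sys

Driver::
yqzarsga
hoecyo
"""

# Abridged copy of the ComboFix log from post #15 (constructed excerpt for this example).
LOG = r"""(((((((((( Other Deletions ))))))))))
.
c:\windows\sysguard.exe
c:\windows\system32\drivers\yqzarsga.sys
c:\windows\t55ft2692f44.dat
.
(((((((((( Drivers/Services ))))))))))
.
-------\Legacy_hoecyo
-------\Legacy_YQZARSGA
-------\Service_yqzarsga
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # matches "(((( Other Deletions ))))"


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections (a bare KILLALL:: gets an empty list)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2].upper()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Collect the entries listed under each parenthesised banner of a ComboFix log."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line.startswith("****"):  # the star rule ends the deletion report
            current = None
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def reconcile(script, log):
    """Which File::/Driver:: requests the log confirms, and what ComboFix removed on its own."""
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    # "-------\Service_yqzarsga" -> "service_yqzarsga"; Legacy_ keys are logged in mixed case
    removed = {e.rsplit("\\", 1)[-1].lower() for e in log.get("Drivers/Services", [])}
    files = [p.lower() for p in script.get("FILE", [])]
    drivers = [d.lower() for d in script.get("DRIVER", [])]
    gone = lambda d: f"service_{d}" in removed or f"legacy_{d}" in removed
    return {
        "files_deleted": [p for p in files if p in deleted],
        "files_not_deleted": [p for p in files if p not in deleted],
        "drivers_removed": [d for d in drivers if gone(d)],
        "drivers_not_removed": [d for d in drivers if not gone(d)],
        "extra_deletions": sorted(deleted - set(files)),  # deserves a second look by the helper
    }
```

Run `reconcile(parse_cfscript(CFSCRIPT), parse_log(LOG))` to get the five lists; on the full script and log from this thread, `extra_deletions` is where sysguard.exe and prnet.tmp show up.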



