Infected with Google Redirect Virus, Regedit and Potentially Other Things


This topic is locked.
16 replies to this topic

#1 nikkibee40 (Members, 8 posts)

Posted 11 May 2009 - 03:15 PM

Hello,

About a week ago my computer was infected by malware that caused a lot of pop-ups. I ran MalwareBytes' Anti-Malware and got rid of most of it, but two problems with Registry Keys remain (after numerous scans). Also, whenever I clicked on a link brought up by a Google search I was redirected to an advertiser's site. This problem now has spread to all of my hotmail accounts - I cannot click on any link on any hotmail webpage without being redirected.

Posted below are the DDS scan results that this website suggested I run. I also have a HijackThis report if this will help you, or I could run a Kaspersky scan and post those results.

Thanks, in advance, for your help - I am a university grad student so my computer is a much needed part of my life right now!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Nicole Brandsma at 12:51:16.12 on 11/05/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = https://students.twu.ca/portal/default.aspx
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: DF Bar: {67fcef90-073e-11de-8c30-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SoundMan] c:\windows\system32\SOUNDMAN.EXE
uRun: [prnet] "c:\windows\system32\prnet.tmp"
uRun: [pidle] "c:\documents and settings\nicole brandsma\application data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [Diagnostic Manager] c:\docume~1\nicole~1\locals~1\temp\597750064.exe
uRun: [DigiFast] c:\documents and settings\nicole brandsma\application data\digifast\digifast.exe
uRun: [SfKg6wIPuSpdc] c:\documents and settings\nicole brandsma\application data\microsoft\windows\tulnlom.exe
uRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LaunchAp] c:\program files\launch manager\LaunchAp.exe
mRun: [HotkeyApp] c:\program files\launch manager\HotkeyApp.exe
mRun: [CtrlVol] c:\program files\launch manager\CtrlVol.exe
mRun: [LMgrOSD] c:\program files\launch manager\OSD.exe
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\mxurbff.exe
dRun: [Windows Resurections] c:\windows\temp\nz375.exe
dRun: [Diagnostic Manager] c:\windows\temp\3966785936.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\mxurbff.exe
dRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - hxxp://www.flyordie.com/pub/dl/msjavx86.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://nykole.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - hxxp://fulfillment.puretracks.com/onager.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
TCP: {217397C2-71A1-4916-BD5D-37F6F7AE4A3F} = 204.50.96.7,204.50.96.8
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: gutmfh.dll ,

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-10 23:02 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-10 21:34 <DIR> --d----- c:\program files\Trend Micro
2009-05-10 17:45 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-10 17:45 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-10 16:58 24,064 a--sh--- c:\documents and settings\nicole brandsma\protect.dll
2009-05-10 16:58 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-02 09:25 <DIR> --d----- c:\docume~1\nicole~1\applic~1\digifast
2009-05-02 09:20 <DIR> --d----- c:\docume~1\nicole~1\applic~1\Twain
2009-05-02 09:16 <DIR> --d----- c:\program files\WWShow
2009-05-02 09:10 <DIR> --d----- c:\program files\Jcore
2009-05-01 21:50 22,538 a------- c:\windows\system32\lmppcsetup.exe
2009-05-01 11:19 1 a------- c:\windows\system32\uniq.tll
2009-05-01 11:04 17,920 a------- c:\windows\system32\ak1.exe
2009-05-01 01:30 <DIR> --d----- c:\docume~1\nicole~1\applic~1\pidle
2009-04-14 16:27 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 16:26 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 16:26 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 16:26 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 16:26 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 16:26 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 16:26 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 16:25 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 16:25 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 16:25 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-01 01:38 51,712 a--sh--- c:\windows\system32\zahoyave.exe
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2005-05-03 15:59 32 a--sh--- c:\windows\{BD394333-318E-4C78-8983-7009F7491B70}.dat
2005-05-03 15:59 32 a--sh--- c:\windows\system32\{722A04FE-7075-486A-A63F-DE2D9F1BB051}.dat

============= FINISH: 12:52:48.88 ===============
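Triage logic for the Pseudo HJT section of a DDS log like the one above, added here as an example that is not part of the thread or of the DDS tool: it runs over a constructed sample modelled on the posted lines (generic user name, not the full log) and flags the autorun, policy and AppInit_DLLs indicators that a malware-response helper acts on.

```python
import re

# Constructed sample in DDS pseudo-HJT format, modelled on the log posted in
# this thread with a generic user name; it is not the complete log.
SAMPLE_DDS = r"""
uStart Page = https://example.invalid/portal/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [pidle] "c:\documents and settings\user\application data\pidle\pidle.exe" 61A847B5BBF7
uRun: [Diagnostic Manager] c:\docume~1\user~1\locals~1\temp\597750064.exe
uRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [Windows Resurections] c:\windows\temp\nz375.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
BHO: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
AppInit_DLLs: gutmfh.dll ,
"""

RUN_RE = re.compile(r"^(?P<scope>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s+(?P<name>\w+)\s*=\s*(?P<value>\d+)")
BHO_RE = re.compile(r"^BHO:\s+(?P<rest>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")

# Directories a legitimate logon autorun almost never lives in.
PROFILE_OR_TEMP = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")
# Policies that lock the user out of the tools needed to inspect the machine.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".dll", ".cpl")


def extract_image_path(cmd):
    """Lower-cased path of the image a Run value launches: quoted, bare with
    arguments, or 'rundll32.exe <dll>,<export>' (where the DLL is the payload)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe"):
        rest = cmd[len("rundll32.exe"):].strip()
        return rest.split(",", 1)[0].strip('"').lower()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split()[0].lower() if cmd else ""


def triage(dds_text):
    """Return findings as dicts {'severity', 'line', 'reasons'}, one per flagged line."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        reasons, severity = [], None
        m = RUN_RE.match(line)
        if m:
            path = extract_image_path(m.group("cmd"))
            if any(d in path for d in PROFILE_OR_TEMP):
                reasons.append("autorun image lives in a user profile or temp directory")
                severity = "high"
            if not path.endswith(EXECUTABLE_EXTENSIONS):
                reasons.append("autorun image has a non-executable extension (renamed payload?)")
                severity = "high"
            if m.group("cmd").lower().startswith("rundll32.exe"):
                reasons.append("DLL loaded through rundll32 at logon; verify the DLL and export")
                severity = severity or "medium"
            if m.group("scope") == "d":
                reasons.append("autorun under the .DEFAULT profile; legitimate software rarely registers there")
                severity = severity or "medium"
        m = POLICY_RE.match(line)
        if m and m.group("name") in LOCKDOWN_POLICIES and m.group("value") != "0":
            reasons.append("policy disables a tool the user needs to inspect the machine")
            severity = "high"
        m = BHO_RE.match(line)
        if m and m.group("rest").strip().lower().endswith("- no file"):
            reasons.append("orphaned BHO registration with no backing file (cleanup candidate)")
            severity = "low"
        m = APPINIT_RE.match(line)
        if m and m.group("dlls").strip(" ,"):
            reasons.append("AppInit_DLLs injects this DLL into every process that loads user32.dll")
            severity = "high"
        if reasons:
            findings.append({"severity": severity, "line": line, "reasons": reasons})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 8, 'medium': 1, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']}] {f['line']}\n    " + "\n    ".join(f["reasons"]))
    print(summarize(triage(SAMPLE_DDS)))
```

The severity tiers and the directory list are this example's own heuristics; a clean entry such as ctfmon.exe or ccApp.exe produces no finding.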


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 16 May 2009 - 01:56 PM

Hello.

We will start off with Combofix.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 nikkibee40 (Topic Starter, Members, 8 posts)

Posted 18 May 2009 - 11:32 PM

Thanks for your reply. I've followed your directions (thanks for your clarity!). Here are the contents of the ComboFix log:

ComboFix 09-05-18.02 - Nicole Brandsma 18/05/2009 21:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.502.282 [GMT -7:00]
Running from: c:\documents and settings\Nicole Brandsma\Desktop\ComboFix.exe
.
ADS - explorer.exe: deleted 19520 bytes in 3 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Nicole Brandsma\Application Data\digifast
c:\documents and settings\Nicole Brandsma\Application Data\digifast\config.cfg
c:\documents and settings\Nicole Brandsma\Application Data\digifast\DFUninstall.exe
c:\documents and settings\Nicole Brandsma\Application Data\digifast\digifast.exe
c:\documents and settings\Nicole Brandsma\Application Data\pidle
c:\documents and settings\Nicole Brandsma\Application Data\pidle\pidle.exe
c:\documents and settings\Nicole Brandsma\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Nicole Brandsma\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Nicole Brandsma\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Nicole Brandsma\protect.dll
c:\documents and settings\Nicole Brandsma\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Nicole Brandsma\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\Jcore
c:\program files\WWShow
c:\windows\IE4 Error Log.txt
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthyiidtoqdvqhwuyeekdpasalmmgdkcmaa.sys
c:\windows\system32\lmn_setup.exe
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\ovfsthdvutfllykamgfdkaltlfjssjuvoytwvb.dat
c:\windows\system32\ovfsthlxblxgsdyanjeujjyfuducilrsdotxtf.dat
c:\windows\system32\ovfsthmyqjeoypeynyoiqgdpursvvropupstgv.dll
c:\windows\system32\ovfsthuoxhgpwrnxoxkxhlwigrrtkrlmcjscsk.dll
c:\windows\system32\ovfsthxcksxmaxvdlwcxkrxpoldxlwkawwwxxq.dll
c:\windows\system32\uniq.tll
c:\windows\Tasks\yoavjpts.job
c:\windows\Temp\1133057262.exe
c:\windows\Temp\1140467918.exe
c:\windows\Temp\2415638542.exe
c:\windows\Temp\3405032766.exe
c:\windows\Temp\963659262.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthfintactpitjlxmnkeligodopwfvernqo


((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-18 20:27 . 2009-05-18 20:27 37376 ----a-w c:\windows\system32\glsetup.exe
2009-05-12 20:59 . 2009-05-12 21:05 -------- d-----w c:\documents and settings\Nicole Brandsma\Application Data\EndNote
2009-05-12 20:59 . 2009-05-12 21:05 -------- d-----w c:\program files\Common Files\Risxtd
2009-05-12 20:59 . 2009-05-12 20:59 -------- d-----w c:\windows\system32\Non-Existant
2009-05-12 20:55 . 2009-05-12 21:01 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-11 04:34 . 2009-05-11 04:34 -------- d-----w c:\program files\Trend Micro
2009-05-11 00:45 . 2009-05-11 00:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 16:20 . 2009-05-02 16:51 -------- d-----w c:\documents and settings\Nicole Brandsma\Application Data\Twain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 00:45 . 2006-04-01 06:05 -------- d-----w c:\program files\Java
2009-05-03 20:29 . 2008-07-05 04:45 -------- d-----w c:\program files\Sony
2009-05-02 00:29 . 2005-05-03 22:58 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 08:38 . 2009-02-01 08:38 51712 --sha-w c:\windows\system32\zahoyave.exe
2009-04-14 00:49 . 2008-04-07 20:01 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-01 17:33 . 2008-04-17 01:23 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-17 18:08 . 2005-05-02 22:49 24352 ----a-w c:\documents and settings\Nicole Brandsma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 21:50 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2008-09-11 07:47 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2007-11-07 08:44 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-10 21:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-10 21:50 78336 ----a-w c:\windows\system32\ieencode.dll
2005-05-03 22:59 . 2005-05-03 22:59 32 --sha-w c:\windows\{BD394333-318E-4C78-8983-7009F7491B70}.dat
2005-05-03 22:59 . 2005-05-03 22:59 32 --sha-w c:\windows\system32\{722A04FE-7075-486A-A63F-DE2D9F1BB051}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2002-11-25 172032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-19 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-19 614400]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-09-04 40960]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-08-22 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2003-06-25 204800]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-08 65536]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 54296]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 58392]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-05-03 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-11 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R1 mailKmd;mailKmd; [x]
R3 b73bdb89-87c2-4a34-bff2-2e05ee154228;b73bdb89-87c2-4a34-bff2-2e05ee154228;e:\cds300\cds300.dll [x]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-15 226656]
S3 WBMS;Winbond Memory Stick Storage (MS) Device Driver;c:\windows\system32\Drivers\WBMS.SYS [2003-04-16 30464]
S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\Drivers\WBSD.SYS [2003-05-07 26240]


--- Other Services/Drivers In Memory ---

*Deregistered* - ACS
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - hpqcxs08
*Deregistered* - hpqddsvc
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - Irmon
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LxrJD31d
*Deregistered* - LxrJD31s
*Deregistered* - MDC8021X
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - navapsvc
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - Net Driver HPZ12
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SbcpHid
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - SeaPort
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - SymEvent
*Deregistered* - SYMTDI
*Deregistered* - SymWSC
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-05-19 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-20 02:31]

2009-05-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-05-03 19:24]

2009-05-19 c:\windows\Tasks\User_Feed_Synchronization-{54CF744D-746E-4E97-A7AA-8E7431BE9834}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 19:58]

2009-05-14 c:\windows\Tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_YOUR-37E7FC83FD_Nicole Brandsma.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
HKCU-Run-SoundMan - c:\windows\system32\SOUNDMAN.EXE
HKCU-Run-prnet - c:\windows\system32\prnet.tmp
HKCU-Run-pidle - c:\documents and settings\Nicole Brandsma\Application Data\pidle\pidle.exe
HKCU-Run-DigiFast - c:\documents and settings\Nicole Brandsma\Application Data\digifast\digifast.exe
HKLM-Run-prnet - c:\windows\system32\prnet.tmp
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\nz375.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\963659262.exe
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\l8m7r.exe
HKU-Default-Run-autochk - c:\docume~1\NETWOR~1\protect.dll


.
------- Supplementary Scan -------
.
uStart Page = https://students.twu.ca/portal/default.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {217397C2-71A1-4916-BD5D-37F6F7AE4A3F} = 204.50.96.7,204.50.96.8
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - hxxp://www.flyordie.com/pub/dl/msjavx86.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-19 21:19
ComboFix-quarantined-files.txt 2009-05-19 04:18

Pre-Run: 1,595,842,560 bytes free
Post-Run: 3,626,459,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

306 --- E O F --- 2009-04-30 10:04

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 19 May 2009 - 03:36 PM

Hello.

You had a rootkit on your machine.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

IF you wish to continue follow the steps below to continue disinfecting the machine.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\zahoyave.exe
    c:\windows\{BD394333-318E-4C78-8983-7009F7491B70}.dat
    c:\windows\system32\{722A04FE-7075-486A-A63F-DE2D9F1BB051}.dat
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    Driver::
    mailKmd
    b73bdb89-87c2-4a34-bff2-2e05ee154228
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Drag CFScript.txt onto the ComboFix.exe icon.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Create Compressed Zipped Quarantine File

Please navigate to the following folder.

C:\Qoobox <- This folder

In that folder you should see another folder called Quarantine.

Please right-click and select Send to > . From the drop down box select Compressed (zipped) file

Then another file called Quarantine.zip should be created in the C:\Qoobox folder.

Upload that file to me by doing the following.

Submit file sample
  • Open the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/226182/infected-with-google-redirect-virus-regedit-and-potentially-other-things/
  • Click Browse and select the Quarantine.zip file in the C:\Qoobox folder
  • Under the comments section, say that ExtremeBoy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

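The CFScript above is a plain-text instruction file for ComboFix with File::, Registry:: and Driver:: sections. Its Registry:: block resets the Security Center values AntiVirusDisableNotify and UpdatesDisableNotify to 0; a value of 1 suppresses the corresponding Security Center warning, which is why malware sets it. As an added illustration that is not code from the original post or from ComboFix, here is a small Python parser and linter for that format, written for this page. The validity rules it applies (absolute paths in File::, 8-hex-digit dword data under a [key] line in Registry::, plain service names in Driver::) are this example's own assumptions, and the sample script embeds the post's own entries plus one deliberately malformed line:

```python
"""Parse and sanity-check a ComboFix CFScript before it is dropped onto ComboFix.exe.

Added example for this thread, not ComboFix code and not from the original post.
The section names (File::, Registry::, Driver::) are the ones the script above
uses; the validity rules below (absolute paths, 8-hex-digit dwords, one [key]
line before its values) are this example's own assumptions.
"""
import re

# Constructed sample: the script from the post above plus one deliberately
# malformed line ("FirewallDisableNotify") so that the checker has something to flag.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\zahoyave.exe
c:\windows\{BD394333-318E-4C78-8983-7009F7491B70}.dat
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:1
Driver::
mailKmd
b73bdb89-87c2-4a34-bff2-2e05ee154228
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_KEY_RE = re.compile(r"^\[(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\[^\]]+\]$")
# dword data must be exactly 8 hex digits, as in a .reg file; "-" deletes the value.
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9A-Fa-f]{8}|"[^"]*"|-)$')
SERVICE_NAME_RE = re.compile(r"^[\w.\-{}]+$")


def parse_cfscript(text):
    """Split CFScript text into {section: [entries]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def check_cfscript(sections):
    """Return a list of problems; an empty list means the script looks well formed."""
    issues = []
    for path in sections.get("File", []):
        if not WIN_PATH_RE.match(path):
            issues.append(f"File:: entry is not an absolute Windows path: {path}")
    key = None
    for line in sections.get("Registry", []):
        if REG_KEY_RE.match(line):
            key = line
        elif REG_VALUE_RE.match(line):
            if key is None:
                issues.append(f"Registry:: value before any [key] line: {line}")
        else:
            issues.append(f"Registry:: line is neither a [key] nor a well-formed value: {line}")
    for name in sections.get("Driver", []):
        if not SERVICE_NAME_RE.match(name):
            issues.append(f"Driver:: entry is not a plausible service name: {name}")
    return issues


def registry_values(sections):
    """Map (key, value name) -> data for every well-formed value the script sets."""
    values, key = {}, None
    for line in sections.get("Registry", []):
        if REG_KEY_RE.match(line):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = m.group(2)
    return values


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, entries in parsed.items():
        print(f"{section}:: {len(entries)} entries")
    for issue in check_cfscript(parsed):
        print("ISSUE:", issue)
```

Run against the sample, the linter accepts the post's lines and reports only the added `dword:1` value, which regedit-style parsers reject because dword data is written as eight hex digits.
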
#5 extremeboy
Malware Response Team, 12,975 posts
Posted 21 May 2009 - 04:31 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#6 nikkibee40 (Topic Starter)
Members, 8 posts
Posted 21 May 2009 - 07:46 PM

Hello. Sorry about the delay, I really do appreciate your help.

Okay, here is the log from running ComboFix again:

ComboFix 09-05-21.01 - Nicole Brandsma 21/05/2009 17:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.502.204 [GMT -7:00]
Running from: c:\documents and settings\Nicole Brandsma\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nicole Brandsma\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\{BD394333-318E-4C78-8983-7009F7491B70}.dat
c:\windows\system32\{722A04FE-7075-486A-A63F-DE2D9F1BB051}.dat
c:\windows\system32\zahoyave.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\{BD394333-318E-4C78-8983-7009F7491B70}.dat
c:\windows\system32\{722A04FE-7075-486A-A63F-DE2D9F1BB051}.dat
c:\windows\system32\glsetup.exe
c:\windows\system32\zahoyave.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_b73bdb89-87c2-4a34-bff2-2e05ee154228
-------\Service_mailKmd


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-12 20:59 . 2009-05-12 21:05 -------- d-----w c:\documents and settings\Nicole Brandsma\Application Data\EndNote
2009-05-12 20:59 . 2009-05-12 21:05 -------- d-----w c:\program files\Common Files\Risxtd
2009-05-12 20:59 . 2009-05-12 20:59 -------- d-----w c:\windows\system32\Non-Existant
2009-05-12 20:55 . 2009-05-12 21:01 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-11 04:34 . 2009-05-11 04:34 -------- d-----w c:\program files\Trend Micro
2009-05-11 00:46 . 2009-05-11 00:46 57344 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-5b825d2a-n\Decora-SSE.dll
2009-05-11 00:46 . 2009-05-11 00:46 24064 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-11344e3f-n\Decora-D3D.dll
2009-05-11 00:46 . 2009-05-11 00:46 315392 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2c76328f-n\jogl.dll
2009-05-11 00:46 . 2009-05-11 00:46 20480 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2c76328f-n\jogl_awt.dll
2009-05-11 00:46 . 2009-05-11 00:46 114688 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2c76328f-n\jogl_cg.dll
2009-05-11 00:46 . 2009-05-11 00:46 20480 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-7e1c78dd-n\gluegen-rt.dll
2009-05-11 00:46 . 2009-05-11 00:46 499712 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5f634476-n\msvcp71.dll
2009-05-11 00:46 . 2009-05-11 00:46 499712 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5f634476-n\jmc.dll
2009-05-11 00:46 . 2009-05-11 00:46 348160 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5f634476-n\msvcr71.dll
2009-05-11 00:45 . 2009-05-11 00:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-11 00:44 . 2009-05-11 00:44 152576 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-02 16:26 . 2009-05-02 16:26 35840 ----a-w c:\documents and settings\Nicole Brandsma\Application Data\Microsoft\Windows\tulnlom.exe
2009-05-02 16:20 . 2009-05-02 16:51 -------- d-----w c:\documents and settings\Nicole Brandsma\Application Data\Twain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 00:20 . 2005-05-03 22:58 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-11 00:45 . 2006-04-01 06:05 -------- d-----w c:\program files\Java
2009-05-03 20:29 . 2008-07-05 04:45 -------- d-----w c:\program files\Sony
2009-04-14 00:49 . 2008-04-07 20:01 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-08 05:24 . 2009-04-08 05:24 -------- d-----w c:\documents and settings\Nicole Brandsma\Application Data\HP
2009-04-01 17:33 . 2008-04-17 01:23 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-17 18:08 . 2005-05-02 22:49 24352 ----a-w c:\documents and settings\Nicole Brandsma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-12 07:11 . 2009-03-12 07:11 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.51\SetupAdmin.exe
2009-03-06 14:22 . 2004-08-10 21:50 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2008-09-11 07:47 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2007-11-07 08:44 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-10 21:51 826368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-19_04.17.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-22 00:20 . 2009-05-22 00:20 16384 c:\windows\Temp\Perflib_Perfdata_6c8.dat
+ 2007-11-26 01:04 . 2009-05-19 05:34 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-05-19 07:36 . 2009-05-19 07:36 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-04-15 08:13 . 2009-04-15 08:13 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2007-03-23 02:05 . 2007-03-23 02:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2006-10-27 04:07 . 2006-10-27 04:07 17680 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBPROXY.DLL
+ 2005-05-03 23:36 . 2009-05-19 07:37 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2005-05-03 23:36 . 2009-05-19 07:37 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2005-05-03 23:36 . 2009-04-30 10:02 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-05-19 07:34 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2002-11-25 172032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-19 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-19 614400]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-09-04 40960]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-08-22 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2003-06-25 204800]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-08 65536]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 54296]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 58392]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-05-03 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-11 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R3 WBMS;Winbond Memory Stick Storage (MS) Device Driver;c:\windows\system32\drivers\wbms.sys [26/08/2004 4:59 PM 30464]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [26/08/2004 4:59 PM 26240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-05-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-20 02:31]

2009-05-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-05-03 19:24]

2009-05-21 c:\windows\Tasks\User_Feed_Synchronization-{54CF744D-746E-4E97-A7AA-8E7431BE9834}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 19:58]

2009-05-19 c:\windows\Tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_YOUR-37E7FC83FD_Nicole Brandsma.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://students.twu.ca/portal/default.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {217397C2-71A1-4916-BD5D-37F6F7AE4A3F} = 204.50.96.7,204.50.96.8
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 17:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2116)
c:\program files\Launch Manager\KBHOOK.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
c:\program files\D-Link AirPlus Xtreme G\AIRPLUS.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Nikon\PictureProject\NkbMonitor.exe
c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-05-22 17:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 00:25
ComboFix2.txt 2009-05-19 04:19

Pre-Run: 2,333,990,912 bytes free
Post-Run: 2,890,575,872 bytes free

215 --- E O F --- 2009-05-19 07:37


I also submitted the zipped Quarantine file.

And, here is the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

21/05/2009 5:36:47 PM
mbam-log-2009-05-21 (17-36-47).txt

Scan type: Quick Scan
Objects scanned: 78399
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{26a98aa8-07fe-46e6-b6df-26704f3b895f} (Trojan.BHO) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_CPV.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Nicole Brandsma\Application Data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole Brandsma\Application Data\Microsoft\Windows\tulnlom.exe (Trojan.Dropper) -> Quarantined and deleted successfully.




Thanks again,

Nicole
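
The ComboFix log above lists every autostart value under the Run keys with a timestamp and size, prints [X] when the target file no longer exists (the WeatherEye entry), and dumps the firewall's AuthorizedApplications list, which here includes c:\StubInstaller.exe at the drive root and a P2P client. Reviewing those two sections by hand is the usual next step in a log like this. As an added example (mine, not from the thread or from ComboFix), here is a Python triage that parses both line formats and flags orphaned autostarts, plus autostarts or firewall exceptions that point into user-writable locations. The sample log is constructed to resemble the one above, with one invented Run value ("updater") pointing at an Application Data path; the location heuristics are this example's own assumptions:

```python
"""Triage the autostart and firewall-exception entries in a ComboFix log.

Added example for this thread; it is not ComboFix code and not part of the
original post. The line formats are those of the "Reg Loading Points" section
above; the "user-writable location" heuristics are this example's own assumptions.
"""
import re

# Constructed sample modelled on the log above. The "updater" Run entry is invented
# for illustration (the real log lists tulnlom.exe only as a created file).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updater"="c:\documents and settings\user\Application Data\Microsoft\Windows\tulnlom.exe" [2009-05-02 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 54296]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" [- resolved path] [stamp]; ComboFix prints [X] when the target file is missing.
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: - (\S.*?))? \[([^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"(.+)"=$')
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                         "\\local settings\\", "\\temp\\")


def user_writable(path):
    """True for paths a non-admin user (or a dropper running as one) can write to."""
    p = path.lower()
    if p.startswith(("%temp%", "%appdata%", "%userprofile%")):
        return True
    return any(marker in p for marker in USER_WRITABLE_MARKERS) or bool(DRIVE_ROOT_RE.match(p))


def parse_loading_points(text):
    """Return {"run": [...], "firewall": [...]} from the Reg Loading Points section."""
    run, firewall, key = [], [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                name, value, resolved, stamp = m.groups()
                run.append({"key": key, "name": name, "target": resolved or value, "stamp": stamp})
        elif "authorizedapplications\\list" in key:
            m = FIREWALL_RE.match(line)
            if m:
                # ComboFix doubles the backslashes in this section; undo that.
                firewall.append(m.group(1).replace("\\\\", "\\"))
    return {"run": run, "firewall": firewall}


def triage(parsed):
    """List entries worth a second look, in log order."""
    findings = []
    for entry in parsed["run"]:
        if entry["stamp"] == "X":
            findings.append({"subject": entry["name"],
                             "reason": "autostart target file is missing (orphaned Run value)"})
        if user_writable(entry["target"]):
            findings.append({"subject": entry["name"],
                             "reason": f"autostart runs from a user-writable location: {entry['target']}"})
    for path in parsed["firewall"]:
        if user_writable(path):
            findings.append({"subject": path,
                             "reason": "firewall exception for an executable outside Program Files/Windows"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{f['subject']}: {f['reason']}")
```

On the sample this reports the orphaned WeatherEye value, the invented Application Data autostart, and the firewall hole for c:\StubInstaller.exe; an entry under Program Files such as LimeWire passes the location test and is left to human judgement.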

#7 extremeboy
Malware Response Team, 12,975 posts
Posted 21 May 2009 - 07:56 PM

Hello.

Run an online scan for me. After that, please re-run DDS and post back with a new set of logs.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the [image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [image]... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

~Extremeboy

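A Kaspersky online scan on a machine at this stage will typically report dozens of "infected objects", most of which are copies that have already been isolated: files under ComboFix's C:\Qoobox\Quarantine, the Quarantine.zip built for upload, the installed AV's own quarantine folder, and System Restore points under System Volume Information. Only the remainder are live files still needing attention, and purging old restore points is the usual follow-up so the restore-point copies cannot come back. As an added example (not from the thread and not Kaspersky code), this Python script parses the report's detection lines, classifies each by location and summarises threat families. The sample input is a subset of lines in the Kaspersky Online Scanner 7.0 report format as posted in this thread; the location rules are this example's own assumptions:

```python
"""Triage a Kaspersky Online Scanner report: separate live detections from copies
sitting in quarantine folders and System Restore points.

Added example for this thread, not Kaspersky code and not part of the original
post. The "File name / Threat name / Threats count" line format is the one in
the report posted in the thread; the location rules are this example's own assumptions.
"""
import re
from collections import Counter

# Sample input: a subset of lines in the format of the report posted in this thread,
# plus the trailer line, so the parser also shows that it ignores non-detection text.
SAMPLE_REPORT = r"""
C:\Program Files\Norton AntiVirus\Quarantine\31AE07C2 Infected: Trojan-Clicker.Win32.Small.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthyiidtoqdvqhwuyeekdpasalmmgdkcmaa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zahoyave.exe.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine.zip Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112308.exe Infected: Backdoor.Win32.Agent.acks 1
C:\test\Local Settings\Temp\geMffo.exe Infected: Trojan-Downloader.Win32.IstBar.gn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\27HPR2SU\lsp[1].exe Infected: Trojan.Win32.Agent.cemi 1

The selected area was scanned.
"""

DETECTION_RE = re.compile(r"^(.+?)\s+(Infected|Suspicious):\s+(\S+)\s+(\d+)$")


def parse_report(text):
    """Return one dict per detection line: path, verdict, threat, count."""
    rows = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            path, verdict, threat, count = m.groups()
            rows.append({"path": path, "verdict": verdict, "threat": threat, "count": int(count)})
    return rows


def classify(path):
    """quarantine: a copy some tool already isolated (ComboFix's Qoobox, the AV's own
    quarantine folder, the Quarantine.zip built for upload); restore_point: a copy
    System Restore kept; live: anything else, which is what still needs attention."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "quarantine" in p:  # assumption: nothing live is hiding under a folder named that
        return "quarantine"
    return "live"


def family(threat):
    """Strip the per-variant suffix: Trojan.Win32.Tdss.aalf -> Trojan.Win32.Tdss."""
    return threat.rsplit(".", 1)[0]


def triage_report(text):
    """Count detections per location, tally families, and list the live ones."""
    by_location = {"quarantine": 0, "restore_point": 0, "live": 0}
    families, live = Counter(), []
    for row in parse_report(text):
        where = classify(row["path"])
        by_location[where] += row["count"]
        families[family(row["threat"])] += row["count"]
        if where == "live":
            live.append((row["path"], row["threat"]))
    return {"by_location": by_location, "families": families, "live": live}


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print("by location:", result["by_location"])
    print("families:", dict(result["families"]))
    for path, threat in result["live"]:
        print("LIVE:", threat, "->", path)
```

On the sample, five of the seven detections are quarantine or restore-point copies and only the two in temp and Temporary Internet Files directories are live, which is the part of the report worth acting on; the family tally makes a multi-component infection such as the TDSS driver and DLLs show up as one thing rather than several.
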
#8 nikkibee40 (Topic Starter)
Members, 8 posts
Posted 22 May 2009 - 12:07 AM

Hi,

Here is the log from the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 22, 2009 04:04:58
Records in database: 2213170
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 83236
Threat name: 19
Infected objects: 62
Suspicious objects: 0
Duration of the scan: 02:24:14


File name / Threat name / Threats count
C:\Program Files\Norton AntiVirus\Quarantine\31AE07C2 Infected: Trojan-Clicker.Win32.Small.dn 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole Brandsma\Application Data\digifast\digifast.exe.vir Infected: Trojan-Downloader.Win32.Agent.bozu 1
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole Brandsma\Application Data\pidle\pidle.exe.vir Infected: Trojan-Downloader.Win32.Agent.bsdk 1
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole Brandsma\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole Brandsma\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir Infected: Trojan-Spy.Win32.Agent.arsh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthyiidtoqdvqhwuyeekdpasalmmgdkcmaa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\glsetup.exe.vir Infected: Trojan.Win32.Monder.chce 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lmn_setup.exe.vir Infected: Trojan-Dropper.Win32.Agent.apgo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthmyqjeoypeynyoiqgdpursvvropupstgv.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthuoxhgpwrnxoxkxhlwigrrtkrlmcjscsk.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxcksxmaxvdlwcxkrxpoldxlwkawwwxxq.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zahoyave.exe.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1133057262.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1140467918.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2415638542.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3405032766.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\963659262.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine.zip Infected: Trojan-Spy.Win32.Agent.aoox 5
C:\Qoobox\Quarantine.zip Infected: Trojan-Downloader.Win32.Agent.bozu 1
C:\Qoobox\Quarantine.zip Infected: Trojan-Downloader.Win32.Agent.bsdk 1
C:\Qoobox\Quarantine.zip Infected: Trojan-Spy.Win32.Agent.arsh 1
C:\Qoobox\Quarantine.zip Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine.zip Infected: Trojan.Win32.Monder.chce 1
C:\Qoobox\Quarantine.zip Infected: Trojan-Dropper.Win32.Agent.apgo 1
C:\Qoobox\Quarantine.zip Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine.zip Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine.zip Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine.zip Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine.zip Infected: Trojan-Downloader.Win32.Suurch.rc 5
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112289.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112290.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112291.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112292.dll Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112308.exe Infected: Backdoor.Win32.Agent.acks 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112310.dll Infected: Trojan-Spy.Win32.Agent.arsh 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112312.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112313.exe Infected: Trojan-Dropper.Win32.Agent.apgo 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112316.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112317.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112320.exe Infected: Trojan-Downloader.Win32.Agent.bozu 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112321.exe Infected: Trojan-Downloader.Win32.Agent.bsdk 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112322.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112323.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1140\A0112616.exe Infected: Trojan.Win32.Monder.chce 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1140\A0112617.exe Infected: Packed.Win32.Krap.q 1
C:\test\Local Settings\Temp\geMffo.exe Infected: Trojan-Downloader.Win32.IstBar.gn 1
C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\ads2[1].htm Infected: Trojan-Clicker.JS.Linker.f 1
C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\prompt[2].htm Infected: Trojan-Downloader.JS.IstBar.j 1
C:\test\Local Settings\Temporary Internet Files\Content.IE5\YHIJK345\a673a971[1].js Infected: Trojan-Downloader.JS.Small.aq 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\27HPR2SU\lsp[1].exe Infected: Trojan.Win32.Agent.cemi 1

The selected area was scanned.


And here is the log from the DDS scan . . . and I attached the other one . . .


DDS (Ver_09-03-16.01) - NTFSx86
Run by Nicole Brandsma at 21:59:49.38 on 21/05/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = https://students.twu.ca/portal/default.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LaunchAp] c:\program files\launch manager\LaunchAp.exe
mRun: [HotkeyApp] c:\program files\launch manager\HotkeyApp.exe
mRun: [CtrlVol] c:\program files\launch manager\CtrlVol.exe
mRun: [LMgrOSD] c:\program files\launch manager\OSD.exe
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://nykole.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - hxxp://fulfillment.puretracks.com/onager.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
TCP: {217397C2-71A1-4916-BD5D-37F6F7AE4A3F} = 204.50.96.7,204.50.96.8
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-21 18:36 <DIR> --dsh--- c:\documents and settings\nicole brandsma\UserData
2009-05-21 17:13 130,048 a------- c:\windows\PEV.exe
2009-05-18 21:04 <DIR> a-dshr-- C:\cmdcons
2009-05-18 21:02 161,792 a------- c:\windows\SWREG.exe
2009-05-18 21:02 98,816 a------- c:\windows\sed.exe
2009-05-12 13:59 <DIR> --d----- c:\docume~1\nicole~1\applic~1\EndNote
2009-05-12 13:59 <DIR> --d----- c:\program files\common files\Risxtd
2009-05-12 13:59 <DIR> --d----- c:\windows\system32\Non-Existant
2009-05-12 13:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-10 21:34 <DIR> --d----- c:\program files\Trend Micro
2009-05-10 17:45 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-10 17:45 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 22:01:14.58 ===============

Attached Files
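A small triage script, added here and not part of the thread, that parses Kaspersky report lines like the ones above and groups the detections by where the file lives (a System Restore point, a temp or browser-cache folder, or an active location), which is what decides the cleanup step. The sample lines are constructed from the log's format (the `example_active.dll` path is invented), and the regexes and category names are this example's own assumptions about the report layout.

```python
"""Triage of Kaspersky scanner report lines of the form
'<path> Infected: <detection> <count>'.  Added example; the regexes and
the location categories are assumptions about the report format."""
import re
from collections import Counter
from dataclasses import dataclass

# One report line: a Windows path (may contain spaces), the literal
# "Infected:", a detection name without spaces, then an integer count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")

# Kaspersky-style names look like Type.Platform.Family[.variant]
NAME_RE = re.compile(
    r"^(?P<type>[^.]+)\.(?P<platform>[^.]+)\.(?P<family>[^.]+)(?:\.(?P<variant>.+))?$"
)

# Constructed sample modelled on the log in this thread; the last path is
# invented to show an "active" hit, and the trailing status line must be ignored.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1138\A0112291.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{E76CBAAF-C056-472B-B4F8-E8A267FA22AF}\RP1140\A0112617.exe Infected: Packed.Win32.Krap.q 1
C:\test\Local Settings\Temp\geMffo.exe Infected: Trojan-Downloader.Win32.IstBar.gn 1
C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\ads2[1].htm Infected: Trojan-Clicker.JS.Linker.f 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\27HPR2SU\lsp[1].exe Infected: Trojan.Win32.Agent.cemi 1
C:\WINDOWS\system32\example_active.dll Infected: Trojan.Win32.Tdss.aalg 1
The selected area was scanned.
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    count: int
    location: str
    family: str


def classify_location(path: str) -> str:
    """Map a path to the cleanup action it implies (assumed categories):
    restore-point  -> cleared by resetting System Restore, not by file deletion
    temp-or-cache  -> cleared by emptying temp / Temporary Internet Files
    active         -> a live file that needs explicit removal and follow-up"""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\temporary internet files\\" in p or "\\local settings\\temp\\" in p:
        return "temp-or-cache"
    return "active"


def parse_line(line: str):
    """Return a Detection for a report line, or None for status/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    nm = NAME_RE.match(m["name"])
    family = f"{nm['type']}.{nm['platform']}.{nm['family']}" if nm else m["name"]
    return Detection(m["path"], m["name"], int(m["count"]),
                     classify_location(m["path"]), family)


def triage(report: str) -> dict:
    """Summarise a whole report: counts by location and family, plus the
    active paths that still need attention."""
    dets = [d for d in (parse_line(l) for l in report.splitlines()) if d]
    return {
        "total": len(dets),
        "by_location": dict(Counter(d.location for d in dets)),
        "by_family": dict(Counter(d.family for d in dets)),
        "active_paths": [d.path for d in dets if d.location == "active"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```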



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:46 PM

Posted 22 May 2009 - 02:52 PM

Hello.

Just a few things we need to take care of.

Just a question: Did you run ATF-Cleaner before running Kaspersky?

Anyways, please run ATF-Cleaner (refer to above for the instructions).

Uninstall this program:
J2SE Runtime Environment 5.0 Update 11

Now do the following:

Download and Run OTMoveIt3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :files
    C:\Program Files\Norton AntiVirus\Quarantine
    C:\test\Local Settings\Temp\geMffo.exe
    C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\ads2[1].htm
    C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\prompt[2].htm
    C:\test\Local Settings\Temporary Internet Files\Content.IE5\YHIJK345\a673a971[1].js
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\27HPR2SU\lsp[1].exe
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large "MoveIt!" button.
  • Copy/Paste the contents under the "Results" line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Take a new DDS log afterwards.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 nikkibee40

nikkibee40
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 22 May 2009 - 08:10 PM

Quick question: Where do I go to find J2SE Runtime Environment 5.0 Update 11 in order to uninstall it?

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:46 PM

Posted 22 May 2009 - 08:23 PM

Quick question: Where do I go to find J2SE Runtime Environment 5.0 Update 11 in order to uninstall it?

Add/Remove.

Here are detailed instructions on removing a program.

Removing Programs using Add/Remove

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "Remove":

J2SE Runtime Environment 5.0 Update 11

Additional instructions can be found here if needed.

~Extremeboy

#12 nikkibee40

nikkibee40
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 22 May 2009 - 10:28 PM

Okay, I removed J2SE Runtime Environment 5.0 Update 11 and ran the ATF-Cleaner.

Here is the log from MoveIT:

========== FILES ==========
C:\Program Files\Norton AntiVirus\Quarantine\Portal moved successfully.
C:\Program Files\Norton AntiVirus\Quarantine\Incoming moved successfully.
C:\Program Files\Norton AntiVirus\Quarantine moved successfully.
C:\test\Local Settings\Temp\geMffo.exe moved successfully.
C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\ads2[1].htm moved successfully.
C:\test\Local Settings\Temporary Internet Files\Content.IE5\2ZU36HMZ\prompt[2].htm moved successfully.
C:\test\Local Settings\Temporary Internet Files\Content.IE5\YHIJK345\a673a971[1].js moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\27HPR2SU\lsp[1].exe moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\VKXFQY2X\index[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\O02MOT5A\339[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\LQJJTC9W\xd_receiver[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\683ILJN3\fastonlinetvs_com[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\4EFKDNAN\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\3TLOA51P\login_status[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicole Brandsma\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05222009_202243

I will post the new DDS Log in a couple minutes . . .

Nicole

#13 nikkibee40

nikkibee40
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 22 May 2009 - 10:33 PM

And the DDS Log and Attach Files . . .


DDS (Ver_09-03-16.01) - NTFSx86
Run by Nicole Brandsma at 20:29:17.79 on 22/05/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = https://students.twu.ca/portal/default.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LaunchAp] c:\program files\launch manager\LaunchAp.exe
mRun: [HotkeyApp] c:\program files\launch manager\HotkeyApp.exe
mRun: [CtrlVol] c:\program files\launch manager\CtrlVol.exe
mRun: [LMgrOSD] c:\program files\launch manager\OSD.exe
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [OTMoveIt] c:\documents and settings\nicole brandsma\desktop\OTMoveIt3.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://nykole.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - hxxp://fulfillment.puretracks.com/onager.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
TCP: {217397C2-71A1-4916-BD5D-37F6F7AE4A3F} = 204.50.96.7,204.50.96.8
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-22 20:22 <DIR> --d----- C:\_OTMoveIt
2009-05-21 18:36 <DIR> --dsh--- c:\documents and settings\nicole brandsma\UserData
2009-05-21 17:13 130,048 a------- c:\windows\PEV.exe
2009-05-18 21:04 <DIR> a-dshr-- C:\cmdcons
2009-05-18 21:02 161,792 a------- c:\windows\SWREG.exe
2009-05-18 21:02 98,816 a------- c:\windows\sed.exe
2009-05-12 13:59 <DIR> --d----- c:\docume~1\nicole~1\applic~1\EndNote
2009-05-12 13:59 <DIR> --d----- c:\program files\common files\Risxtd
2009-05-12 13:59 <DIR> --d----- c:\windows\system32\Non-Existant
2009-05-12 13:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-10 21:34 <DIR> --d----- c:\program files\Trend Micro
2009-05-10 17:45 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-10 17:45 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 20:29:55.89 ===============

Attached Files



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:46 PM

Posted 23 May 2009 - 10:58 AM

Hello.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire 4.18.8). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.


We can cleanup now. All looks fine.

Please follow/read the steps below to remove the tools we used and for some more information.

Uninstall ComboFix

Remove ComboFix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the run box and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, select "2".
This will remove files/folders associated with ComboFix and uninstall it.

Cleanup! with OTMoveIt
Let's remove all the tools we've used so far.
  • Double click the OTMoveIt3.exe to run it.
  • Click the Cleanup! button. If you receive a warning from your security program, select allow to download the packet.
  • A pop-up box will appear saying "Cleanup list download successfully Begin Removal Process?". Click Yes.
  • If required for a reboot, click Yes.
System A bit Slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use the methods (plugged by the updates) that have not been stopped because people have not updated.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy


#15 nikkibee40

nikkibee40
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 23 May 2009 - 12:27 PM

Hello.

I haven't had any more problems with my computer lately. Thanks so much for all your help. I will be sure to read up on all the advice for keeping my computer clean, and I will definitely recommend this site to my friends.

Thanks again,
Nicole
