
I have been HiJacked


  • This topic is locked
29 replies to this topic

#1 mcrex (Members, 17 posts)

Posted 20 May 2009 - 07:36 PM

Boopme referred me over to this section from "AM I infected", I was told to run this HiJackthis file and post it here.

I cannot see my avg icon in the system tray. I try to run avg and cannot get a response. I even tried to un-install avg, no go.

ComboFix will not install because it says avg is running but I cannot turn it off because I have no icon in sys tray.

My Microsoft Office icons have gone blank.

No doubt my machine is hijacked. I get messages in the system tray that files are corrupt and that I need to run the chkdsk utility.

This one has gone beyond me, so I need some help.
Thanks,



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:23 PM, on 5/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SqueezeCenter\SqueezeTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9661c52fd4afe) (gupdate1c9661c52fd4afe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9522 bytes


#2 Orange Blossom (OBleepin Investigator, Moderator, 37,011 posts)

Posted 01 June 2009 - 11:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 mcrex (Topic Starter, Members, 17 posts)

Posted 02 June 2009 - 07:46 PM

DDS (Ver_09-05-14.01) - NTFSx86
Run by Rex at 20:40:51.84 on Tue 06/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.620 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SqueezeCenter\SqueezeTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\squeez~1.lnk - c:\program files\squeezecenter\SqueezeTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218069003884&h=4255af4d149d41f0c4addc3b6c2250ec/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-5-27 3968]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-6 27784]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S0 cojf;cojf;c:\windows\system32\drivers\krfc.sys --> c:\windows\system32\drivers\krfc.sys [?]
S0 jqgpjnb;jqgpjnb;c:\windows\system32\drivers\cgqyev.sys --> c:\windows\system32\drivers\cgqyev.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298776]
S2 gupdate1c9661c52fd4afe;Google Update Service (gupdate1c9661c52fd4afe);c:\program files\google\update\GoogleUpdate.exe [2008-12-24 133104]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
S3 idrmkl;idrmkl;\??\c:\docume~1\ryan\locals~1\temp\idrmkl.sys --> c:\docume~1\ryan\locals~1\temp\idrmkl.sys [?]

=============== Created Last 30 ================

2009-05-27 22:55 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-27 22:11 <DIR> a-dshr-- C:\cmdcons
2009-05-27 22:09 <DIR> --ds---- C:\ComboFix
2009-05-27 19:44 <DIR> --d----- c:\documents and settings\rex\.housecall6.6
2009-05-27 18:56 3,968 a------- c:\windows\system32\drivers\AvgArCln.sys
2009-05-25 15:48 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-19 22:51 <DIR> --d----- c:\program files\Trend Micro
2009-05-19 21:24 <DIR> --d----- C:\Malwarebytes
2009-05-19 15:45 0 a------- c:\windows\system32\commonpriv.log.lock
2009-05-17 22:06 2,688 a------- c:\windows\system32\settings.aaw
2009-05-17 22:06 960 a------- c:\windows\system32\history.aaw
2009-05-10 11:18 <DIR> --dsh--- C:\found.001

==================== Find3M ====================

2009-05-08 22:25 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-08 22:25 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 21:28 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 20:41:04.00 ===============

Attached Files



#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 03 June 2009 - 02:51 PM

Hello.

Your system appears to be very unstable at the moment, do you have your Operating Disk with you?

Then run GMER for me. I see a few infections already in the DDS log; some appear to be deactivated, however.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file you downloaded (gmer.exe, or the randomly named file from the main mirror) on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

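Added example, not code from the thread, from DDS or from BleepingComputer: a small Python script that reproduces the kind of triage extremeboy is doing on the SERVICES / DRIVERS section of the DDS log in post #3. It parses each line into start type, service name, image path and the "[?]" missing-file marker, then flags an entry when its image is missing from disk and a second indicator applies (boot-start type, a random-looking name), or whenever the image loads from a user temp directory. The sample lines are copied from that log; the scoring rules, the vowel-ratio heuristic and its threshold are the editor's own assumptions.

```python
import re

# Added example, not code from the thread or from DDS itself.
# Triage of the "SERVICES / DRIVERS" section of a DDS log. A line looks like
#   R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 325896]
# or, when DDS cannot find the image on disk, it ends in "--> <path> [?]".
# First char: R = running, S = stopped (as DDS labels them); digit = Windows
# start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).

DDS_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
VOWELS = set("aeiou")

# Lines copied verbatim from the DDS log posted in #3.
SAMPLE_LOG = [
    r"R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]",
    r"R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-5-27 3968]",
    r"R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 325896]",
    r"R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]",
    r"S0 cojf;cojf;c:\windows\system32\drivers\krfc.sys --> c:\windows\system32\drivers\krfc.sys [?]",
    r"S0 jqgpjnb;jqgpjnb;c:\windows\system32\drivers\cgqyev.sys --> c:\windows\system32\drivers\cgqyev.sys [?]",
    r"S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298776]",
    r"S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]",
    r"S3 idrmkl;idrmkl;\??\c:\docume~1\ryan\locals~1\temp\idrmkl.sys --> c:\docume~1\ryan\locals~1\temp\idrmkl.sys [?]",
]


def parse_dds_service(line):
    """Split one DDS service/driver line into its fields; None if it is not one."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    # Keep the path as registered (before any "-->" resolution) and drop the
    # trailing "[date size]" or "[?]" annotation.
    path = re.sub(r"\s*\[[^\]]*\]$", "", rest.split(" --> ", 1)[0]).strip()
    return {
        "state": m.group("state"),
        "start": int(m.group("start")),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "path": path,
        "missing": missing,
    }


def looks_random(name):
    """Heuristic (editor's assumption): 4+ lowercase letters with at most one
    vowel in four reads like a generated name (cojf, jqgpjnb), unlike the
    vendor names around it (aawservice, AvgLdx86)."""
    if len(name) < 4 or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) <= 0.25


def triage(entry):
    """Return the list of indicators that apply to one parsed entry."""
    reasons = []
    if entry["missing"]:
        reasons.append("image file missing on disk")
    if entry["start"] == 0:
        reasons.append("boot-start kernel driver")
    if looks_random(entry["name"]):
        reasons.append("random-looking service name")
    if "\\temp\\" in entry["path"].lower():
        reasons.append("loads from a user temp directory")
    return reasons


def flag_suspicious(log_lines):
    """Flag entries whose image is missing AND a second indicator applies, or
    anything loading out of a temp directory. A missing image on its own is
    treated as noise: it can be an uninstall leftover (compare the SqueezeMySQL
    line, which also ends in [?] but is not flagged)."""
    flagged = []
    for line in log_lines:
        entry = parse_dds_service(line)
        if entry is None:
            continue
        reasons = triage(entry)
        temp = any("temp directory" in r for r in reasons)
        if temp or (entry["missing"] and len(reasons) >= 2):
            flagged.append((entry["name"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in flag_suspicious(SAMPLE_LOG):
        print(f"{name:10} {path}\n           {'; '.join(reasons)}")
```

Run against the sample lines it reports exactly the three entries extremeboy is reacting to: the two boot-start drivers cojf and jqgpjnb whose .sys files are gone from system32\drivers, and idrmkl, which was registered out of a user's temp folder. Everything AVG, Lavasoft and Google is left alone, and SqueezeMySQL's stale "[?]" entry is not flagged because it carries no second indicator.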

#5 mcrex (Topic Starter, Members, 17 posts)

Posted 03 June 2009 - 05:29 PM

I ran the GMER file. Thanks. It seems to be too long and the site kicked it out. I have zipped the file and attached it to this reply. I hope you can make hay of this mess, as I am so frustrated. This virus has stifled my machine.

Thanks!!!

Attached Files



#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 03 June 2009 - 10:13 PM

Hi again.

Your system appears to be very unstable at the moment, do you have your Operating Disk with you?


I need to leave soon, so I can't give the next instruction, but could you answer that question for me please.

With Regards,
Extremeboy

#7 mcrex (Topic Starter, Members, 17 posts)

Posted 04 June 2009 - 06:08 AM

Yes I have the operating system disk, sorry I forgot to answer the question. XP Pro. Are we going to lose any info on my HD? All we care about are our pictures. I have all years backed up except 2009.

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 June 2009 - 04:26 PM

Hello.

Yes I have the operating system disk, sorry I forgot to answer the question. XP Pro. Are we going to lose any info on my HD? All we care about are our pictures. I have all years backed up except 2009.

No. We may use it later to do an sfc /scannow scan and fix to make sure all Windows files are okay.

We'll start off with Combofix.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy

#9 mcrex (Topic Starter, Members, 17 posts)

Posted 04 June 2009 - 04:52 PM

No problem. I cannot do anything with my AVG. It does not show in my status tray, and when I click on the icon it does not respond at all. Whatever this thing is has completely taken over AVG.

I will try to run ComboFix, but I cannot do a thing with the antivirus.

Thanks for being there!

#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 June 2009 - 05:07 PM

Hello.

If you have already run ComboFix, then post the log once it's done.

However, if you have not, run it with the following switch. Make sure ComboFix is on your desktop and is called ComboFix.
  • Save all documents or windows that are open, because when running ComboFix you won't have an internet connection and everything will be closed.
  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\combofix.exe" /killall
  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy

#11 mcrex (Topic Starter, Members, 17 posts)

Posted 04 June 2009 - 06:32 PM

ComboFix 09-06-04.04 - Rex 06/04/2009 19:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.684 [GMT -4:00]
Running from: c:\documents and settings\Rex\desktop\combofix.exe
Command switches used :: /killall
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-05-28 02:55 . 2009-05-28 02:53 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-27 23:44 . 2009-05-28 02:56 -------- d-----w- c:\documents and settings\Rex\.housecall6.6
2009-05-27 22:56 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-05-26 10:46 . 2009-05-26 10:46 390664 ----a-w- c:\documents and settings\Terri\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-20 03:37 . 2009-05-20 03:37 -------- d-----w- c:\documents and settings\Terri\Application Data\Yahoo! Companion
2009-05-20 03:36 . 2009-05-20 03:36 -------- d-----w- c:\documents and settings\Terri\Application Data\Malwarebytes
2009-05-20 02:51 . 2009-05-20 02:51 -------- d-----w- c:\program files\Trend Micro
2009-05-20 01:24 . 2009-05-20 01:24 -------- d-----w- C:\Malwarebytes
2009-05-20 01:23 . 2009-05-20 01:23 -------- d-----w- c:\documents and settings\Rex\Application Data\Yahoo! Companion
2009-05-19 19:46 . 2009-05-19 19:46 -------- d-----w- c:\documents and settings\Megan\Application Data\Yahoo! Companion
2009-05-10 15:18 . 2009-05-10 15:18 -------- d-sh--w- C:\found.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 20:03 . 2008-08-08 01:58 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-20 01:33 . 2008-12-29 22:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-09 02:25 . 2009-02-02 20:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 02:25 . 2008-08-07 02:11 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 02:25 . 2008-08-07 02:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-28 21:22 . 2009-04-28 21:22 -------- d-----w- c:\program files\CCleaner
2009-04-15 22:46 . 2009-02-27 21:37 34 ----a-w- c:\documents and settings\Ryan\jagex_runescape_preferences.dat
2009-04-06 19:32 . 2008-12-29 22:36 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-29 22:36 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-05 01:28 . 2009-04-04 13:21 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.

------- Sigcheck -------




[-] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll

[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-07-27 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys




[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe

[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe


[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe






[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll



.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-07 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\Terri\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2008-8-7 1728601]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-09 02:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2008 10:11 PM 325896]
S0 cojf;cojf;c:\windows\system32\drivers\krfc.sys --> c:\windows\system32\drivers\krfc.sys [?]
S0 jqgpjnb;jqgpjnb;c:\windows\system32\drivers\cgqyev.sys --> c:\windows\system32\drivers\cgqyev.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 4:21 PM 298776]
S2 gupdate1c9661c52fd4afe;Google Update Service (gupdate1c9661c52fd4afe);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 7:06 PM 133104]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
S3 idrmkl;idrmkl;\??\c:\docume~1\Ryan\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\Ryan\LOCALS~1\Temp\idrmkl.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-06-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-07 18:56]

2009-06-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 14:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 19:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Nalu_1024x768.jpg 586602 bytes
c:\windows\Nalu_1162x864.jpg 721491 bytes
c:\windows\Nalu_1920x1440.jpg 1589587 bytes
c:\windows\Nalu_800x600.jpg 403524 bytes
c:\windows\NeroDigital.ini 69 bytes
c:\windows\network diagnostic
c:\windows\NIRCMD.exe 31232 bytes executable
c:\windows\notepad.exe 69120 bytes executable
c:\windows\SHELLNEW
c:\windows\SIERRA.INI 415 bytes
c:\windows\slrundll.exe 32866 bytes executable
c:\windows\snymsico.dll 90112 bytes executable
c:\windows\Soap Bubbles.bmp 65978 bytes
c:\windows\SoftwareDistribution
c:\windows\soundman.exe 577536 bytes executable
c:\windows\srchasst
c:\windows\Sti_Trace.log 0 bytes
c:\windows\Sun
c:\windows\SWREG.exe 161792 bytes executable
c:\windows\SWSC.exe 136704 bytes executable
c:\windows\SWXCACLS.exe 212480 bytes executable
c:\windows\system.ini 261 bytes
c:\windows\system32
c:\windows\TASKMAN.EXE 15360 bytes executable
c:\windows\Tasks
c:\windows\temp
c:\windows\twain.dll 94784 bytes
c:\windows\twain_32
c:\windows\twain_32.dll 50688 bytes executable
c:\windows\twunk_16.exe 49680 bytes
c:\windows\Favorites
c:\windows\FeatherTexture.bmp 16730 bytes
c:\windows\Fonts
c:\windows\Gone Fishing.bmp 17336 bytes
c:\windows\Greenstone.bmp 26582 bytes
c:\windows\grep.exe 80412 bytes executable
c:\windows\hegames.ini 421 bytes
c:\windows\Help
c:\windows\hh.exe 10752 bytes executable
c:\windows\ie7
c:\windows\ie7updates
c:\windows\ime
c:\windows\inf
c:\windows\Installer
c:\windows\uninst.exe 298496 bytes executable
c:\windows\UNNeroMediaHome.cfg 50 bytes
c:\windows\UNNeroMediaHome.exe 972336 bytes executable
c:\windows\UNNeroShowTime.cfg 50 bytes
c:\windows\UNNeroShowTime.exe 972336 bytes executable
c:\windows\UNNeroVision.cfg 50 bytes
c:\windows\UNNeroVision.exe 972336 bytes executable
c:\windows\UNRecode.cfg 50 bytes
c:\windows\UNRecode.exe 972336 bytes executable
c:\windows\vb.ini 36 bytes
c:\windows\vbaddin.ini 37 bytes
c:\windows\VertoFire1024x768.jpg 462828 bytes
c:\windows\VertoFire1152x864.jpg 546603 bytes
c:\windows\VertoFire800x600.jpg 330881 bytes
c:\windows\vmmreg32.dll 18944 bytes executable
c:\windows\vnDrvBas
c:\windows\vulcan_1024x768.jpg 136105 bytes
c:\windows\Resources
c:\windows\Rhododendron.bmp 17362 bytes
c:\windows\River Sumida.bmp 26680 bytes
c:\windows\RtlRack.ini 169 bytes
c:\windows\Santa Fe Stucco.bmp 65832 bytes
c:\windows\SchedLgU.Txt 32572 bytes
c:\windows\security
c:\windows\sed.exe 98816 bytes executable
c:\windows\ServicePackFiles
c:\windows\clock.avi 82944 bytes
c:\windows\explorer.scf 80 bytes
c:\windows\java
c:\windows\mui
c:\windows\nview
c:\windows\repair
c:\windows\setupapi.old
c:\windows\twunk_32.exe 25600 bytes executable
c:\windows\Coffee Bean.bmp 17062 bytes
c:\windows\Config
c:\windows\Connection Wizard
c:\windows\control.ini 0 bytes
c:\windows\Cursors
c:\windows\Dawn_1024x768.jpg 79737 bytes
c:\windows\Debug
c:\windows\Desktop
c:\windows\desktop.ini 2 bytes
c:\windows\Downloaded Program Files
c:\windows\Driver Cache
c:\windows\Dusk_1024x768.jpg 128539 bytes
c:\windows\ehome
c:\windows\ERDNT
c:\windows\explorer.exe 1033728 bytes executable
c:\windows\WBEM
c:\windows\Web
c:\windows\wiadebug.log 157 bytes
c:\windows\wiaservc.log 48 bytes
c:\windows\win.ini 582 bytes
c:\windows\WindowsUpdate.log 2056277 bytes
c:\windows\winhelp.exe 256192 bytes
c:\windows\winhlp32.exe 283648 bytes executable
c:\windows\winnt.bmp 48680 bytes
c:\windows\winnt256.bmp 48680 bytes
c:\windows\WinSxS
c:\windows\WMSysPr9.prx 316640 bytes
c:\windows\Zapotec.bmp 9522 bytes
c:\windows\zip.exe 68096 bytes executable
c:\windows\_default.pif 707 bytes
c:\windows\bootstat.dat 2048 bytes
c:\windows\cdplayer.ini 50 bytes
c:\windows\ODBCINST.INI
c:\windows\Offline Web Pages
c:\windows\pchealth
c:\windows\PeerNet
c:\windows\PEV.exe 154624 bytes executable
c:\windows\PhotoSnapViewer.INI 151 bytes
c:\windows\Prairie Wind.bmp 65954 bytes
c:\windows\Prefetch
c:\windows\Provisioning
c:\windows\pss
c:\windows\regedit.exe 146432 bytes executable
c:\windows\RegisteredPackages
c:\windows\Registration
c:\windows\REGLOCS.OLD 8192 bytes
c:\windows\IsUninst.exe 306688 bytes executable
c:\windows\l2schemas
c:\windows\Media
c:\windows\msagent
c:\windows\msapps
c:\windows\msdfmap.ini 1405 bytes
c:\windows\msdownld.tmp

scan completed successfully
hidden files: 131

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2212)
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\soundman.exe
.
**************************************************************************
.
Completion time: 2009-06-04 19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 23:30
ComboFix2.txt 2009-05-28 02:18

Pre-Run: 123,284,905,984 bytes free
Post-Run: 123,288,539,136 bytes free

296 --- E O F --- 2009-05-13 22:33

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 04 June 2009 - 08:34 PM

Hello.

Please do the following.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/228394/i-have-been-hijacked/
    Collect::[68]
    c:\windows\system32\drivers\krfc.sys 
    c:\windows\system32\drivers\cgqyev.sys 
    c:\docume~1\Ryan\LOCALS~1\Temp\idrmkl.sys 
    Driver::
    cojf4
    jqgpjnb
    idrmkl
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply. There may be no upload because some/all of the files may not exist, just let me know.

Run SFC /Scannow with XP disk

Please follow the instructions in this topic on running SFC /Scannow.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].
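The CFScript above targets three entries from the "Drivers/Services" block of the ComboFix log: services whose names are random strings, whose image files ComboFix could not find (the trailing "[?]"), and one that loads a driver out of a user's Temp folder. The script below is an added example, not part of the thread or of ComboFix, showing how a responder can parse that block and apply those same triage rules automatically. The sample lines are copied from the 2009-06-04 log earlier in this thread; the regular expression, the "random name" heuristic and the severity rule are assumptions of this example, not ComboFix's own logic.

```python
import re
from dataclasses import dataclass, field

# Sample input: the Drivers/Services lines exactly as ComboFix printed them in
# the 2009-06-04 log above (copied from the thread, not constructed here).
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2008 10:11 PM 325896]
S0 cojf;cojf;c:\windows\system32\drivers\krfc.sys --> c:\windows\system32\drivers\krfc.sys [?]
S0 jqgpjnb;jqgpjnb;c:\windows\system32\drivers\cgqyev.sys --> c:\windows\system32\drivers\cgqyev.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 4:21 PM 298776]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
S3 idrmkl;idrmkl;\??\c:\docume~1\Ryan\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\Ryan\LOCALS~1\Temp\idrmkl.sys [?]
"""

# Assumed layout of a ComboFix service line (this example's reading of the format):
#   <R|S><start type> <service name>;<display name>;<image path ...> [<timestamp size> | ?]
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped (ComboFix notation)
    start: int          # Windows start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image: str          # resolved image path (text after "-->" when present)
    detail: str         # bracketed tail: timestamp and size, or "?" when no file was found
    findings: list = field(default_factory=list)


def parse_service_line(line: str):
    """Return a ServiceEntry for one log line, or None if the line is not a service entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest, detail = m.groups()
    image = rest.split(" --> ")[-1].strip()   # prefer the path ComboFix resolved
    if image.startswith("\\??\\"):            # drop the NT object-manager prefix
        image = image[4:]
    return ServiceEntry(state, int(start), name, display, image, detail)


def findings_for(entry: ServiceEntry) -> list:
    """Heuristic triage flags (assumptions of this example, not ComboFix rules)."""
    flags = []
    if entry.detail == "?":                   # ComboFix could not stat the image file
        flags.append("missing_file")
        if entry.start <= 1:                  # boot/system start: loads before user-mode AV
            flags.append("early_start_missing_file")
    if "\\temp\\" in entry.image.lower():     # drivers do not belong in a user's Temp folder
        flags.append("temp_path")
    # Service name equal to display name, all lowercase letters: typical of generated names.
    if entry.name == entry.display and entry.name.isalpha() and entry.name.islower():
        flags.append("random_name")
    return flags


def is_suspicious(entry: ServiceEntry) -> bool:
    """A lone missing_file is not enough: services with long command lines also print [?]."""
    return any(f in entry.findings for f in ("early_start_missing_file", "temp_path", "random_name"))


def triage(log_text: str) -> list:
    """Parse every service line in a ComboFix log excerpt and attach findings."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        entry.findings = findings_for(entry)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "SUSPICIOUS" if is_suspicious(e) else "ok"
        print(f"{mark:10} {e.state}{e.start} {e.name:14} {e.image}  {e.findings}")
```

Run against the sample, the three services extremeboy scripted for collection (cojf, jqgpjnb, idrmkl) are the only ones marked suspicious; SqueezeMySQL also carries "[?]" because its command line includes arguments ComboFix cannot resolve to a file, which is why a missing image alone is not treated as a verdict.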

#13 mcrex

mcrex
  • Topic Starter

  • Members
  • 17 posts

Posted 05 June 2009 - 06:52 AM

Hello,

I ran ComboFix again as you instructed. I am posting the log. It did not upload anything; then I went to the location you listed and there was nothing in the folder, nor any zip files for that matter. I checked and nothing was hidden as well.

I also ran the scannow and it just disappeared. I am assuming it ran. It did not request my installation disk. I hope I completed all required tasks.

ComboFix 09-06-04.04 - Rex 06/05/2009 7:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.665 [GMT -4:00]
Running from: c:\documents and settings\Rex\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rex\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\0fdf6651ec58af7738a5f192a16308f3\WinError.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\1c4c331123ae5269fbd179de68e18722\Socket.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\37dbb36b1afb4153f311e1937d13beb9\Win32.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\4698d6dad1d9192f189448cd2250e41c\Registry.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\c147fa650a1a0662dceef2f7ea370a7d\List.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\e51718032942dd5fb4b1590be1ec8d83\Process.dll
c:\docume~1\Rex\LOCALS~1\Temp\pdk-Rex-1780\perl58.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\0fdf6651ec58af7738a5f192a16308f3\WinError.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\1c4c331123ae5269fbd179de68e18722\Socket.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\37dbb36b1afb4153f311e1937d13beb9\Win32.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\4698d6dad1d9192f189448cd2250e41c\Registry.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\c147fa650a1a0662dceef2f7ea370a7d\List.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\e51718032942dd5fb4b1590be1ec8d83\Process.dll
c:\documents and settings\Rex\Local Settings\temp\pdk-Rex-1780\perl58.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl
-------\Service_jqgpjnb


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-05-28 02:55 . 2009-05-28 02:53 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-27 23:44 . 2009-05-28 02:56 -------- d-----w- c:\documents and settings\Rex\.housecall6.6
2009-05-27 22:56 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-05-26 10:46 . 2009-05-26 10:46 390664 ----a-w- c:\documents and settings\Terri\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-20 03:37 . 2009-05-20 03:37 -------- d-----w- c:\documents and settings\Terri\Application Data\Yahoo! Companion
2009-05-20 03:36 . 2009-05-20 03:36 -------- d-----w- c:\documents and settings\Terri\Application Data\Malwarebytes
2009-05-20 02:51 . 2009-05-20 02:51 -------- d-----w- c:\program files\Trend Micro
2009-05-20 01:24 . 2009-05-20 01:24 -------- d-----w- C:\Malwarebytes
2009-05-20 01:23 . 2009-05-20 01:23 -------- d-----w- c:\documents and settings\Rex\Application Data\Yahoo! Companion
2009-05-19 19:46 . 2009-05-19 19:46 -------- d-----w- c:\documents and settings\Megan\Application Data\Yahoo! Companion
2009-05-10 15:18 . 2009-05-10 15:18 -------- d-sh--w- C:\found.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 20:03 . 2008-08-08 01:58 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-20 01:33 . 2008-12-29 22:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-09 02:25 . 2009-02-02 20:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 02:25 . 2008-08-07 02:11 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 02:25 . 2008-08-07 02:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-28 21:22 . 2009-04-28 21:22 -------- d-----w- c:\program files\CCleaner
2009-04-15 22:46 . 2009-02-27 21:37 34 ----a-w- c:\documents and settings\Ryan\jagex_runescape_preferences.dat
2009-04-06 19:32 . 2008-12-29 22:36 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-29 22:36 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-05 01:28 . 2009-04-04 13:21 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.

------- Sigcheck -------




[-] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll

[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-07-27 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys




[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe

[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe


[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe






[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll



.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-07 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\Terri\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2008-8-7 1728601]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-09 02:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (CLI)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2008 10:11 PM 325896]
S0 cojf;cojf;c:\windows\system32\drivers\krfc.sys --> c:\windows\system32\drivers\krfc.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 4:21 PM 298776]
S2 gupdate1c9661c52fd4afe;Google Update Service (gupdate1c9661c52fd4afe);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 7:06 PM 133104]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-06-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-07 18:56]

2009-06-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 14:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 07:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Nalu_1024x768.jpg 586602 bytes
c:\windows\Nalu_1162x864.jpg 721491 bytes
c:\windows\Nalu_1920x1440.jpg 1589587 bytes
c:\windows\Nalu_800x600.jpg 403524 bytes
c:\windows\NeroDigital.ini 69 bytes
c:\windows\network diagnostic
c:\windows\NIRCMD.exe 31232 bytes executable
c:\windows\notepad.exe 69120 bytes executable
c:\windows\SHELLNEW
c:\windows\SIERRA.INI 415 bytes
c:\windows\slrundll.exe 32866 bytes executable
c:\windows\snymsico.dll 90112 bytes executable
c:\windows\Soap Bubbles.bmp 65978 bytes
c:\windows\SoftwareDistribution
c:\windows\soundman.exe 577536 bytes executable
c:\windows\srchasst
c:\windows\Sti_Trace.log 0 bytes
c:\windows\Sun
c:\windows\SWREG.exe 161792 bytes executable
c:\windows\SWSC.exe 136704 bytes executable
c:\windows\SWXCACLS.exe 212480 bytes executable
c:\windows\system.ini 261 bytes
c:\windows\system32
c:\windows\TASKMAN.EXE 15360 bytes executable
c:\windows\Tasks
c:\windows\temp
c:\windows\twain.dll 94784 bytes
c:\windows\twain_32
c:\windows\twain_32.dll 50688 bytes executable
c:\windows\twunk_16.exe 49680 bytes
c:\windows\Favorites
c:\windows\FeatherTexture.bmp 16730 bytes
c:\windows\Fonts
c:\windows\Gone Fishing.bmp 17336 bytes
c:\windows\Greenstone.bmp 26582 bytes
c:\windows\grep.exe 80412 bytes executable
c:\windows\hegames.ini 421 bytes
c:\windows\Help
c:\windows\hh.exe 10752 bytes executable
c:\windows\ie7
c:\windows\ie7updates
c:\windows\ime
c:\windows\inf
c:\windows\Installer
c:\windows\uninst.exe 298496 bytes executable
c:\windows\UNNeroMediaHome.cfg 50 bytes
c:\windows\UNNeroMediaHome.exe 972336 bytes executable
c:\windows\UNNeroShowTime.cfg 50 bytes
c:\windows\UNNeroShowTime.exe 972336 bytes executable
c:\windows\UNNeroVision.cfg 50 bytes
c:\windows\UNNeroVision.exe 972336 bytes executable
c:\windows\UNRecode.cfg 50 bytes
c:\windows\UNRecode.exe 972336 bytes executable
c:\windows\vb.ini 36 bytes
c:\windows\vbaddin.ini 37 bytes
c:\windows\VertoFire1024x768.jpg 462828 bytes
c:\windows\VertoFire1152x864.jpg 546603 bytes
c:\windows\VertoFire800x600.jpg 330881 bytes
c:\windows\vmmreg32.dll 18944 bytes executable
c:\windows\vnDrvBas
c:\windows\vulcan_1024x768.jpg 136105 bytes
c:\windows\Resources
c:\windows\Rhododendron.bmp 17362 bytes
c:\windows\River Sumida.bmp 26680 bytes
c:\windows\RtlRack.ini 169 bytes
c:\windows\Santa Fe Stucco.bmp 65832 bytes
c:\windows\SchedLgU.Txt 32572 bytes
c:\windows\security
c:\windows\sed.exe 98816 bytes executable
c:\windows\ServicePackFiles
c:\windows\clock.avi 82944 bytes
c:\windows\explorer.scf 80 bytes
c:\windows\java
c:\windows\mui
c:\windows\nview
c:\windows\repair
c:\windows\setupapi.old
c:\windows\twunk_32.exe 25600 bytes executable
c:\windows\Coffee Bean.bmp 17062 bytes
c:\windows\Config
c:\windows\Connection Wizard
c:\windows\control.ini 0 bytes
c:\windows\Cursors
c:\windows\Dawn_1024x768.jpg 79737 bytes
c:\windows\Debug
c:\windows\Desktop
c:\windows\desktop.ini 2 bytes
c:\windows\Downloaded Program Files
c:\windows\Driver Cache
c:\windows\Dusk_1024x768.jpg 128539 bytes
c:\windows\ehome
c:\windows\ERDNT
c:\windows\explorer.exe 1033728 bytes executable
c:\windows\WBEM
c:\windows\Web
c:\windows\wiadebug.log 159 bytes
c:\windows\wiaservc.log 48 bytes
c:\windows\win.ini 582 bytes
c:\windows\WindowsUpdate.log 2076182 bytes
c:\windows\winhelp.exe 256192 bytes
c:\windows\winhlp32.exe 283648 bytes executable
c:\windows\winnt.bmp 48680 bytes
c:\windows\winnt256.bmp 48680 bytes
c:\windows\WinSxS
c:\windows\WMSysPr9.prx 316640 bytes
c:\windows\Zapotec.bmp 9522 bytes
c:\windows\zip.exe 68096 bytes executable
c:\windows\_default.pif 707 bytes
c:\windows\bootstat.dat 2048 bytes
c:\windows\cdplayer.ini 50 bytes
c:\windows\ODBCINST.INI
c:\windows\Offline Web Pages
c:\windows\pchealth
c:\windows\PeerNet
c:\windows\PEV.exe 154624 bytes executable
c:\windows\PhotoSnapViewer.INI 151 bytes
c:\windows\Prairie Wind.bmp 65954 bytes
c:\windows\Prefetch
c:\windows\Provisioning
c:\windows\pss
c:\windows\regedit.exe 146432 bytes executable
c:\windows\RegisteredPackages
c:\windows\Registration
c:\windows\REGLOCS.OLD 8192 bytes
c:\windows\IsUninst.exe 306688 bytes executable
c:\windows\l2schemas
c:\windows\Media
c:\windows\msagent
c:\windows\msapps
c:\windows\msdfmap.ini 1405 bytes
c:\windows\msdownld.tmp

scan completed successfully
hidden files: 131

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2036)
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\soundman.exe
.
**************************************************************************
.
Completion time: 2009-06-05 7:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 11:18
ComboFix2.txt 2009-06-04 23:30
ComboFix3.txt 2009-05-28 02:18

Pre-Run: 123,287,879,680 bytes free
Post-Run: 123,212,783,616 bytes free

324 --- E O F --- 2009-05-13 22:33
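The ComboFix log above lists every file in the Windows root with its size and an "executable" tag, then the DLLs loaded into each running process. When triaging such a log it helps to parse it into records rather than read it by eye. The following is an added example (not part of this thread and not ComboFix's own code) that parses a constructed sample shaped like the log above, lists the executables sitting directly in c:\windows, and flags DLLs loaded from outside c:\windows and c:\program files. The sample's temp-folder DLL line is constructed for illustration and does not appear in the real log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the ComboFix log above.  The last DLL line
# under explorer.exe is invented for this example; it is not in the real log.
SAMPLE_LOG = """\
c:\\windows\\NIRCMD.exe 31232 bytes executable
c:\\windows\\notepad.exe 69120 bytes executable
c:\\windows\\SHELLNEW
c:\\windows\\SIERRA.INI 415 bytes
c:\\windows\\twain.dll 94784 bytes
c:\\windows\\system32
c:\\windows\\explorer.exe 1033728 bytes executable

scan completed successfully
hidden files: 131

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2036)
c:\\program files\\Microsoft Office\\Office12\\1033\\GrooveIntlResource.dll
c:\\windows\\system32\\WPDShServiceObj.dll
c:\\documents and settings\\user\\local settings\\temp\\example.dll
.
------------------------ Other Running Processes ------------------------
.
c:\\program files\\Lavasoft\\Ad-Aware\\aawservice.exe
c:\\windows\\soundman.exe
.
"""

@dataclass
class Entry:
    path: str
    size: Optional[int]   # None for directories (no "<n> bytes" suffix)
    executable: bool

@dataclass
class Report:
    files: List[Entry]
    hidden_files: Optional[int]
    dlls_by_process: Dict[str, List[str]]   # key: "name(pid)"
    other_processes: List[str]

# "<drive>:\path[ <size> bytes[ executable]]"; the non-greedy path lets names with spaces work.
FILE_RE = re.compile(r"^(?P<path>[a-z]:\\.+?)(?: (?P<size>\d+) bytes(?P<exe> executable)?)?$", re.I)
PROC_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
HIDDEN_RE = re.compile(r"^hidden files: (\d+)$")

def parse_combofix(text: str) -> Report:
    """Walk the log once, switching sections on ComboFix's own banner lines."""
    files: List[Entry] = []
    dlls: Dict[str, List[str]] = {}
    others: List[str] = []
    hidden = None
    section = "files"
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("*"):
            continue                      # separators and decoration
        if "DLLs Loaded Under Running Processes" in line:
            section = "dlls"
            continue
        if "Other Running Processes" in line:
            section = "other"
            continue
        if line.startswith("scan completed"):
            section = "summary"
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden = int(m.group(1))
            continue
        if section == "files":
            m = FILE_RE.match(line)
            if m:
                size = m.group("size")
                files.append(Entry(m.group("path"), int(size) if size else None, bool(m.group("exe"))))
        elif section == "dlls":
            m = PROC_RE.match(line)
            if m:
                current = f"{m.group('name')}({m.group('pid')})"
                dlls[current] = []
            elif current is not None and FILE_RE.match(line):
                dlls[current].append(line)
        elif section == "other" and FILE_RE.match(line):
            others.append(line)
    return Report(files, hidden, dlls, others)

def windows_root_executables(report: Report) -> List[str]:
    """Executables located directly in c:\\windows (not in a subfolder): a short list worth reviewing by hand."""
    out = []
    for e in report.files:
        directory, _, name = e.path.rpartition("\\")
        if e.executable and directory.lower() == "c:\\windows":
            out.append(name)
    return out

STANDARD_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def dlls_outside_standard_dirs(report: Report) -> List[Tuple[str, str]]:
    """(process, dll) pairs where the DLL was loaded from somewhere other than the usual locations."""
    return [(proc, d) for proc, loaded in report.dlls_by_process.items()
            for d in loaded if not d.lower().startswith(STANDARD_PREFIXES)]

if __name__ == "__main__":
    r = parse_combofix(SAMPLE_LOG)
    print("hidden files:", r.hidden_files)
    print("executables in c:\\windows:", windows_root_executables(r))
    print("DLLs from unusual locations:", dlls_outside_standard_dirs(r))
```

The root-executable list is deliberately a review aid rather than a verdict: the real log above shows that the Windows root legitimately holds notepad.exe, regedit.exe and explorer.exe alongside a handful of helper tools that ComboFix itself drops there, so a helper compares the list against what they expect on that machine rather than treating every entry as suspect.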

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:20 AM

Posted 06 June 2009 - 07:17 PM

Hello.

I also ran the scannow and it just disappeared. I am assuming it ran. It did not request my installation disk. I hope I completed all required tasks.

What do you mean it just disappeared? Did you actually see a window open showing that it was scanning?

Please delete ComboFix, re-download it from one of those links above and do the following.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\drivers\krfc.sys 
    Driver::
    cojf
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (image: CFScript.txt being dragged onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Also, how's your computer running now? Any better, or any symptoms you still have?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 mcrex

mcrex
  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:20 AM

Posted 08 June 2009 - 10:15 AM

Hello Extremeboy,

First thing, thanks for your support. With regards to the scan, it said preparing to scan, then boom, it was gone. No status or nothing. I am to assume it did its job.

The computer seems a little more stable. I am still getting continuous error messages that refer me to the chkdsk utility. I ignore these as this came about along with the infection.

Malwarebytes will not run now. A message came up and told me a newer version was available and I said yes. Since then Malwarebytes will not run. I get an error message that says the database is incompatible and to download a newer version.

I noticed that all my quick launch icons have disappeared now. The desktop icon for AVG disappeared. I do not know if I have anti-virus at all because the machine will not let me load or remove anything of that nature.

I am currently on vacation with my family and will be returning this weekend, so I cannot run anything to try to fix the mess on my computer. I hope I do not lose my place with you as I feel we are progressing.

I will run all the applications you requested as soon as I get home.

Thanks for all your help!



