Clicker- auhagoqg.dll Multiple Iexplore.exe on startup explorer.exe keeps building


  • This topic is locked
9 replies to this topic

#1 lpage

lpage

  • Members
  • 6 posts

Posted 22 May 2009 - 08:32 AM

Hello experts...
Hopefully this is correct now. I apologize in advance if it is not.
I have that nasty issue with iexplore.exe constantly running even upon reboot and explorer.exe building until it finally reboots the PC.

I have run my virus software through StopSign, HijackThis, KillBox, MBAM. I had the Clicker virus, but it does not seem to clean it thoroughly. I have seen you guys fix it, so I am sure you will know exactly what to do. I appreciate all your help in advance.


DDS (Ver_09-05-14.01) - NTFSx86
Run by home at 18:53:28.94 on Thu 05/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.146 [GMT -4:00]

AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RTI\DRL Application Server\DrlSvrController.exe
C:\Program Files\eAcceleration\Framework\eac_productsvc.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\eAcceleration\Framework\eac_svc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bomgar\Representative\retailtech.bomgar.com\bomgar-rep.exe
C:\Program Files\BigAntSoft\BigAnt\BigAnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\home\Desktop\lspfix\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: {03f3b7d9-ec71-46c9-8d46-5bc5499ba3b0} - c:\windows\system32\auhagoqg.dll
BHO: : {047b451e-f92e-41c2-9c33-ba2ec711caf6} - c:\windows\system32\wtapgkp.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BigAnt] c:\program files\bigantsoft\bigant\BigAnt.exe /MinSize
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bomgar~1.lnk - c:\program files\bomgar\representative\retailtech.bomgar.com\bomgar-rep.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: text/html - {3cfad2d8-1c4d-49c8-958e-f65c837f89d0} -
Notify: kalwknag - wtapgkp.dll
Notify: PCANotify - PCANotify.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2009-4-3 100704]
R0 rhxxuool;rhxxuool;c:\windows\system32\drivers\rhxxuool.sys [2001-8-23 23424]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R2 Drl30ASController;Drl 3.0 Application Server Controller;c:\program files\rti\drl application server\DrlSvrController.exe [2007-12-11 758272]
R2 eac_notifysvc;eAcceleration Notification Service;c:\program files\eacceleration\framework\eac_svc.exe [2008-4-17 111952]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\program files\eacceleration\framework\eac_productsvc.exe [2008-4-17 263504]
R2 lqnczsyw;Digital CD Audio Playback Filter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R2 MSSQL$DRL3;MSSQL$DRL3;c:\program files\microsoft sql server\mssql$drl3\binn\sqlservr.exe -sdrl3 --> c:\program files\microsoft sql server\mssql$drl3\binn\sqlservr.exe -sDRL3 [?]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\program files\eacceleration\framework\eac_svc.exe [2008-4-17 111952]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\program files\eacceleration\framework\eac_svc.exe [2008-4-17 111952]
S0 nvmb;nvmb;c:\windows\system32\drivers\kjwhwqm.sys --> c:\windows\system32\drivers\kjwhwqm.sys [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;c:\progra~1\micros~4\ISLNDIS5.SYS [2004-7-19 14887]
S3 SQLAgent$DRL3;SQLAgent$DRL3;c:\program files\microsoft sql server\mssql$drl3\binn\sqlagent.exe -i drl3 --> c:\program files\microsoft sql server\mssql$drl3\binn\sqlagent.EXE -i DRL3 [?]
S4 FWService;FWService;c:\program files\eacceleration\firewall\fwservice.exe -service --> c:\program files\eacceleration\firewall\FWService.exe -Service [?]

=============== Created Last 30 ================

2009-05-21 13:31 61,440 a------- c:\windows\system32\drivers\kjwhwqm.sys._eac_qt_
2009-05-18 10:51 <DIR> --d----- C:\!KillBox
2009-05-18 10:34 0 a------- c:\windows\system32\REN14.tmp
2009-05-18 10:34 0 a------- c:\windows\system32\REN13.tmp
2009-05-18 10:34 0 a------- c:\windows\system32\REN12.tmp
2009-05-18 09:50 60,416 a------- c:\windows\system32\drivers\Combo-Fix.sys
2009-05-18 09:43 <DIR> a-dshr-- C:\cmdcons
2009-05-18 09:40 161,792 a------- c:\windows\SWREG.exe
2009-05-18 09:40 98,816 a------- c:\windows\sed.exe
2009-05-18 09:39 <DIR> --d----- C:\ComboFix
2009-05-18 09:39 388,608 a------- c:\windows\system32\CF28549.exe
2009-05-18 04:41 <DIR> --d----- c:\program files\Trend Micro
2009-05-17 18:41 91 a------- c:\windows\wininit.ini
2009-05-17 16:16 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-17 16:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-17 11:37 <DIR> --d----- c:\program files\Sophos
2009-05-16 19:17 <DIR> --d----- C:\dc54e3e673f5a87f274e64da77
2009-05-15 14:52 0 a------- c:\windows\system32\REN91.tmp
2009-05-15 14:52 0 a------- c:\windows\system32\REN90.tmp
2009-05-15 14:52 0 a------- c:\windows\system32\REN8F.tmp
2009-05-15 14:51 0 a------- c:\windows\system32\REN89.tmp
2009-05-15 14:51 0 a------- c:\windows\system32\REN88.tmp
2009-05-15 14:51 0 a------- c:\windows\system32\REN87.tmp
2009-05-15 14:51 0 a------- c:\windows\system32\REN81.tmp
2009-05-15 14:51 0 a------- c:\windows\system32\REN80.tmp
2009-05-15 14:51 0 a------- c:\windows\system32\REN7F.tmp
2009-05-15 04:48 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-15 03:49 <DIR> --d----- c:\docume~1\home\applic~1\Malwarebytes
2009-05-15 03:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 03:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 03:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 03:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-15 03:17 <DIR> --d----- c:\windows\pss
2009-05-15 01:11 <DIR> --d----- c:\windows\system32\HouseCall 6.6
2009-05-15 00:28 <DIR> --d----- c:\program files\Microsoft
2009-05-15 00:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 16:17 <DIR> --d----- c:\docume~1\home\applic~1\rhhchmrr
2009-05-14 12:09 268 a---h--- C:\sqmdata17.sqm
2009-05-14 12:09 244 a---h--- C:\sqmnoopt17.sqm
2009-05-14 11:01 492 a------- c:\windows\Shortcut to TASKMAN.EXE.lnk
2009-05-14 08:27 <DIR> --d----- c:\program files\Starfield
2009-05-12 10:34 103,600 a------- C:\2009_5_12_929.run
2009-05-12 10:33 14,803 a------- C:\2007_11_1_1040.run
2009-05-12 10:12 51,150 a------- C:\labels00005.run
2009-05-07 18:46 2,709 a------- c:\windows\system32\aserrsshe.dat
2009-05-05 08:33 1,156,644 a------- c:\windows\system32\temp_dbwithadapedimportype.zip
2009-05-04 10:57 7,948,800 a------- c:\windows\system32\smalltemp_db.bak
2009-05-04 10:50 1,112,395 a------- c:\windows\system32\ltemp_db.zip
2009-05-04 07:27 7,948,800 a------- c:\windows\system32\ltemp_db.bak
2009-05-03 20:00 8,276,480 a------- c:\windows\system32\temp_db.bak
2009-04-25 14:04 268 a---h--- C:\sqmdata16.sqm
2009-04-25 14:04 244 a---h--- C:\sqmnoopt16.sqm

==================== Find3M ====================

2009-05-21 13:31 1,068 a------- c:\program files\iuauea.txt
2009-05-04 13:28 1,096,492 a------- c:\windows\system32\temp_db.zip
2009-03-31 10:04 1,544,465 a------- c:\windows\system32\division by zeror temp_db.zip
2009-03-30 12:25 0 a------- C:\regsvr32.exe
2009-02-18 13:06 60,744 a------- c:\documents and settings\home\g2mdlhlpx.exe
2008-02-29 16:43 60,968 a------- c:\documents and settings\home\GoToAssistDownloadHelper.exe

============= FINISH: 18:54:41.73 ===============


#2 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 22 May 2009 - 09:42 AM

Hi,

I will handle your log. As I am in training all my answers have to be approved by my Coaches.
I hope you understand.

I'll get back to you as soon as is possible.

#3 lpage

lpage
  • Topic Starter

  • Members
  • 6 posts

Posted 22 May 2009 - 06:12 PM

Ok Superbird......

Thanks for responding. I look forward to working with you.

Lpage

#4 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 24 May 2009 - 08:40 AM

Hi,

1. Please download the self-extracting version of HijackThis from here:
HijackThis Installer Download

Save HJTInstall.exe to your desktop.

Double-click the file then click the Install button.

The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
A shortcut for future use will also be created on your desktop and the Intro Frame of HijackThis will open.
You can close Hijackthis for now.

2. Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply, together with a new Hijackthislog.

#5 lpage

lpage
  • Topic Starter

  • Members
  • 6 posts

Posted 26 May 2009 - 04:54 AM

Superbird, here are the results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:26 AM, on 5/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RTI\DRL Application Server\DrlSvrController.exe
C:\Program Files\eAcceleration\Framework\eac_productsvc.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\eAcceleration\Framework\eac_svc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Bomgar\Representative\retailtech.bomgar.com\bomgar-rep.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Symantec\pcAnywhere\WINAW32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {047B451E-F92E-41C2-9C33-BA2EC711CAF6} - c:\windows\system32\wtapgkp.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bomgar Representative Console [retailtech.bomgar.com].lnk = C:\Program Files\Bomgar\Representative\retailtech.bomgar.com\bomgar-rep.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - {3cfad2d8-1c4d-49c8-958e-f65c837f89d0} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: kalwknag - C:\WINDOWS\SYSTEM32\wtapgkp.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Drl 3.0 Application Server Controller (Drl30ASController) - Unknown owner - C:\Program Files\RTI\DRL Application Server\DrlSvrController.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\Program Files\eAcceleration\Framework\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\Program Files\eAcceleration\Framework\eac_productsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: StopSign Firewall Security Center Provider (ssfwmonsvc) - eAcceleration Corp - C:\Program Files\eAcceleration\Framework\eac_svc.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\Program Files\eAcceleration\Framework\eac_svc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 3366 bytes


#6 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 27 May 2009 - 08:35 AM

Hi,

1. Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).
O2 - BHO: (no name) - {047B451E-F92E-41C2-9C33-BA2EC711CAF6} - c:\windows\system32\wtapgkp.dll
O18 - Filter hijack: text/html - {3cfad2d8-1c4d-49c8-958e-f65c837f89d0} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: kalwknag - C:\WINDOWS\SYSTEM32\wtapgkp.dll

Then close all windows except HijackThis and click Fix Checked.

2. Open Notepad.
Copy the code below, and paste this into the Notepad-file.
File::
c:\windows\system32\drivers\kjwhwqm.sys
Driver::
nvmb
Save the Notepad-file as CFScript.txt

Drag the file CFScript.txt into the file ComboFix.exe
ComboFix will start again.
When ComboFix is finished, this could be after a restart, a logfile will open.
Post the contents of this logfile in your next answer.

3. Go to Virustotal.com
Upload the following file by copy/pasting the following (so do not use "Browse"!): c:\windows\system32\aserrsshe.dat
Wait until the results appear, and post them in your next reply.

Do this also with these files:
c:\windows\system32\temp_dbwithadapedimportype.zip
c:\windows\system32\ltemp_db.zip
c:\windows\system32\REN14.tmp
C:\regsvr32.exe
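
As an added illustration (not part of this thread, HijackThis or ComboFix), a small Python parser that reads HijackThis-format O-lines like the ones quoted above and flags the pattern being checked here: a DLL registered in more than one autostart location (wtapgkp.dll is both the O2 BHO and the O20 Winlogon Notify package), a nameless BHO, and any O18 text/html filter. The sample lines are copied from the log posted above; one benign line per section is included so the correlation has something to leave alone.

```python
"""Structured view of a HijackThis-style log.

Extracts each O-line's section code, CLSID and file path, then correlates
binaries that are registered under more than one autostart mechanism
(in this thread, wtapgkp.dll is both a BHO (O2) and a Winlogon Notify
package (O20)).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: O2/O4/O18/O20/O23 lines taken from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {047B451E-F92E-41C2-9C33-BA2EC711CAF6} - c:\windows\system32\wtapgkp.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {3cfad2d8-1c4d-49c8-958e-f65c837f89d0} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: kalwknag - C:\WINDOWS\SYSTEM32\wtapgkp.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


class Entry(NamedTuple):
    section: str          # e.g. "O2", "O20"
    clsid: Optional[str]  # registered COM class, where the line has one
    path: Optional[str]   # on-disk binary, lower-cased for comparison
    raw: str              # original line, as HijackThis would want it pasted back


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one HijackThis O-line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    clsid_m = CLSID_RE.search(rest)
    # The file path is whatever follows the last "X:\" on the line.
    drive_hits = list(DRIVE_RE.finditer(rest))
    path = rest[drive_hits[-1].start():].strip().lower() if drive_hits else None
    clsid = clsid_m.group(0).lower() if clsid_m else None
    return Entry(section, clsid, path, line.strip())


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def multi_homed_binaries(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Map each binary name to the sections it appears in, keeping only
    binaries registered under more than one autostart mechanism."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.path:
            seen[basename(e.path)].add(e.section)
    return {name: secs for name, secs in seen.items() if len(secs) > 1}


def suspicious_lines(entries: List[Entry]) -> List[str]:
    """Lines a reviewer would look at first: nameless BHOs, any text/html
    MIME filter, and every location of a multi-homed binary."""
    multi = multi_homed_binaries(entries)
    out: List[str] = []
    for e in entries:
        nameless_bho = e.section == "O2" and "(no name)" in e.raw
        mime_filter = e.section == "O18"
        shared = e.path is not None and basename(e.path) in multi
        if nameless_bho or mime_filter or shared:
            out.append(e.raw)
    return out


if __name__ == "__main__":
    for line in suspicious_lines(parse_log(SAMPLE_LOG)):
        print(line)
```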


#7 lpage

lpage
  • Topic Starter

  • Members
  • 6 posts

Posted 28 May 2009 - 03:32 AM

Superbird,
This virus has mutated into something horrific. When I boot up in normal mode my desktop icons refresh every 5 seconds. I have to run everything through Task Manager. I am no longer able to access the internet as far as surfing web pages, even through safe mode w/ networking. I am able to use programs such as pcAnywhere and GoToAssist. I have no idea how that is possible. I am actually corresponding with you through a 3rd party machine. My ISP is unable to help me; they say that because the system is not properly booting up in normal mode, they can't fully diagnose the problem with me being able to get online.

I will try to get the things that you need but it will be difficult. Any other suggestions?

Lpage

#8 lpage

lpage
  • Topic Starter

  • Members
  • 6 posts

Posted 28 May 2009 - 04:00 AM

ComboFix 09-05-26.02 - home 05/28/2009 4:40.5 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.336 [GMT -4:00]
Running from: c:\documents and settings\home\Desktop\lspfix\ComboFix.exe
Command switches used :: c:\documents and settings\home\Desktop\lspfix\CFScript.txt
AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

FILE ::
"c:\windows\system32\drivers\kjwhwqm.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_nvmb


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-27 14:09 . 2009-05-27 14:09 -------- d-----w c:\documents and settings\All Users\Application Data\MSN6
2009-05-27 14:09 . 2009-05-27 15:17 -------- d-----w c:\documents and settings\home\Application Data\MSN6
2009-05-27 11:49 . 2004-08-04 04:56 245248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
2009-05-27 10:11 . 2009-05-27 10:21 -------- d-----w C:\need
2009-05-27 06:43 . 2009-05-27 06:43 -------- d-----w C:\VundoFix Backups
2009-05-27 02:38 . 2009-05-27 02:38 2709 ----a-w c:\windows\system32\jmcoardll.dat
2009-05-18 14:51 . 2009-05-21 19:24 -------- d-----w C:\!KillBox
2009-05-18 14:33 . 2009-05-18 14:34 -------- d-----w c:\program files\Java
2009-05-18 14:33 . 2009-05-18 14:33 -------- d-----w c:\program files\Common Files\Java
2009-05-18 08:41 . 2009-05-18 08:41 -------- d-----w c:\program files\Trend Micro
2009-05-17 20:16 . 2009-05-27 06:52 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-17 20:16 . 2009-05-27 06:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-17 15:37 . 2009-05-17 15:37 -------- d-----w c:\program files\Sophos
2009-05-16 23:17 . 2009-05-16 23:17 -------- d-----w C:\dc54e3e673f5a87f274e64da77
2009-05-15 19:32 . 2009-05-15 19:32 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-15 19:05 . 2009-05-15 22:52 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-15 19:05 . 2009-05-15 22:52 -------- d-----w c:\program files\NOS
2009-05-15 08:48 . 2009-05-15 09:19 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-15 07:49 . 2009-05-15 07:49 -------- d-----w c:\documents and settings\home\Application Data\Malwarebytes
2009-05-15 07:49 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-15 07:49 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 07:48 . 2009-05-18 08:54 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-15 07:48 . 2009-05-15 07:48 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-15 05:15 . 2009-05-15 05:15 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Bomgar
2009-05-15 05:11 . 2009-05-15 05:11 -------- d-----w c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2009-05-15 05:11 . 2009-05-15 05:11 -------- d-----w c:\windows\system32\HouseCall 6.6
2009-05-15 05:05 . 2009-05-15 05:05 152576 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-15 04:28 . 2009-05-15 04:28 -------- d-----w c:\program files\Microsoft
2009-05-15 04:26 . 2009-05-15 04:26 57344 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-6711d059-n\Decora-SSE.dll
2009-05-15 04:26 . 2009-05-15 04:26 24064 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-72aed2b3-n\Decora-D3D.dll
2009-05-15 04:26 . 2009-05-15 04:26 315392 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e4d6437-n\jogl.dll
2009-05-15 04:26 . 2009-05-15 04:26 20480 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e4d6437-n\jogl_awt.dll
2009-05-15 04:26 . 2009-05-15 04:26 114688 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e4d6437-n\jogl_cg.dll
2009-05-15 04:26 . 2009-05-15 04:26 20480 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-114b0cc0-n\gluegen-rt.dll
2009-05-15 04:26 . 2009-05-15 04:26 499712 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4aeec869-n\msvcp71.dll
2009-05-15 04:26 . 2009-05-15 04:26 499712 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4aeec869-n\jmc.dll
2009-05-15 04:26 . 2009-05-15 04:26 348160 ----a-w c:\documents and settings\home\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4aeec869-n\msvcr71.dll
2009-05-15 04:25 . 2009-05-15 04:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-15 04:23 . 2009-05-27 09:50 152576 ----a-w c:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-14 16:55 . 2009-05-14 16:55 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2009-05-14 12:27 . 2009-05-22 13:11 3262 ----a-r c:\documents and settings\home\Application Data\Microsoft\Installer\{02DEDA83-CF94-4CB2-BE1C-9E428BAD3E9E}\_75A033405B973FFC82166D.exe
2009-05-14 12:27 . 2009-05-22 13:11 3262 ----a-r c:\documents and settings\home\Application Data\Microsoft\Installer\{02DEDA83-CF94-4CB2-BE1C-9E428BAD3E9E}\_6FEFF9B68218417F98F549.exe
2009-05-14 12:27 . 2009-05-14 12:27 -------- d-----w c:\program files\Starfield
2009-05-07 22:46 . 2009-05-13 16:33 2709 ----a-w c:\windows\system32\aserrsshe.dat
2009-05-05 12:33 . 2009-05-05 12:33 1156644 ----a-w c:\windows\system32\temp_dbwithadapedimportype.zip
2009-05-04 14:50 . 2009-05-04 14:50 1112395 ----a-w c:\windows\system32\ltemp_db.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 13:54 . 2007-10-01 19:07 -------- d-----w c:\program files\Microsoft Broadband Networking
2009-05-27 11:57 . 2009-05-27 12:44 344050 ----a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2009-05-27 06:08 . 2007-05-27 02:54 27176 ----a-w c:\documents and settings\home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 23:47 . 2007-06-12 23:00 -------- d-----w c:\documents and settings\home\Application Data\OpenOffice.org2
2009-05-21 17:31 . 2009-05-21 17:31 1068 ----a-w c:\program files\iuauea.txt
2009-05-18 14:34 . 2009-05-18 14:34 0 ----a-w c:\windows\system32\REN14.tmp
2009-05-18 14:34 . 2009-05-18 14:34 0 ----a-w c:\windows\system32\REN13.tmp
2009-05-18 14:34 . 2009-05-18 14:34 0 ----a-w c:\windows\system32\REN12.tmp
2009-05-15 19:28 . 2007-06-02 17:11 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 18:52 . 2009-05-15 18:52 0 ----a-w c:\windows\system32\REN91.tmp
2009-05-15 18:52 . 2009-05-15 18:52 0 ----a-w c:\windows\system32\REN90.tmp
2009-05-15 18:52 . 2009-05-15 18:52 0 ----a-w c:\windows\system32\REN8F.tmp
2009-05-15 18:51 . 2009-05-15 18:51 0 ----a-w c:\windows\system32\REN89.tmp
2009-05-15 18:51 . 2009-05-15 18:51 0 ----a-w c:\windows\system32\REN88.tmp
2009-05-15 18:51 . 2009-05-15 18:51 0 ----a-w c:\windows\system32\REN87.tmp
2009-05-15 18:51 . 2009-05-15 18:51 0 ----a-w c:\windows\system32\REN81.tmp
2009-05-15 18:51 . 2009-05-15 18:51 0 ----a-w c:\windows\system32\REN80.tmp
2009-05-15 18:51 . 2009-05-15 18:51 0 ----a-w c:\windows\system32\REN7F.tmp
2009-05-15 08:06 . 2008-10-04 06:21 -------- d-----w c:\program files\Common
2009-05-14 17:14 . 2008-05-23 15:38 -------- d-----w c:\documents and settings\home\Application Data\LimeWire
2009-05-14 15:01 . 2009-04-16 01:32 -------- d-----w c:\program files\StopSign
2009-05-04 17:28 . 2009-04-14 18:47 1096492 ----a-w c:\windows\system32\temp_db.zip
2009-04-29 19:08 . 2008-05-18 18:44 -------- d-----w c:\program files\Kodak
2009-04-17 13:36 . 2007-08-06 14:25 -------- d-----w c:\program files\Common Files\eAcceleration
2009-04-15 19:17 . 2007-06-06 20:00 -------- d-----w c:\program files\RTI
2009-04-08 23:57 . 2009-04-08 23:57 -------- d-----w c:\documents and settings\home\Application Data\GetRightToGo
2009-04-08 21:57 . 2009-04-08 21:57 -------- d-----w c:\program files\Blue Squirrel
2009-04-08 21:41 . 2009-04-08 21:41 -------- d-----w c:\program files\abcfastdirectory_eval
2009-04-03 14:53 . 2007-08-06 14:25 -------- d-----w c:\program files\eAcceleration
2009-03-31 14:04 . 2009-03-31 14:04 1544465 ----a-w c:\windows\system32\division by zeror temp_db.zip
2009-03-30 16:25 . 2009-03-30 16:25 0 ----a-w C:\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-26_09.36.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 08:45 . 2009-05-28 08:45 16384 c:\windows\temp\Perflib_Perfdata_6a8.dat
+ 2001-08-23 12:00 . 2004-08-04 04:56 16896 c:\windows\system32\dllcache\winrnr.dll
+ 2007-06-27 14:35 . 2007-06-27 14:35 1806229 c:\windows\system32\jmcoardll.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigAnt"="c:\program files\BigAntSoft\BigAnt\BigAnt.exe" [2008-12-12 1675313]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bomgar Representative Console [retailtech.bomgar.com].lnk - c:\program files\Bomgar\Representative\retailtech.bomgar.com\bomgar-rep.exe [2009-4-20 8795136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51 24638 ----a-w c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bomgar Representative Client [retailtech.bomgar.com].lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bomgar Representative Client [retailtech.bomgar.com].lnk
backup=c:\windows\pss\Bomgar Representative Client [retailtech.bomgar.com].lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [4/3/2009 10:53 AM 100704]
R2 Drl30ASController;Drl 3.0 Application Server Controller;c:\program files\RTI\DRL Application Server\DrlSvrController.exe [12/11/2007 11:30 AM 758272]
R2 eac_notifysvc;eAcceleration Notification Service;c:\program files\eAcceleration\Framework\eac_svc.exe [4/17/2008 4:42 PM 111952]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\program files\eAcceleration\Framework\eac_productsvc.exe [4/17/2008 4:42 PM 263504]
R2 MSSQL$DRL3;MSSQL$DRL3;c:\program files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlservr.exe -sDRL3 --> c:\program files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlservr.exe -sDRL3 [?]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\program files\eAcceleration\Framework\eac_svc.exe [4/17/2008 4:42 PM 111952]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\program files\eAcceleration\Framework\eac_svc.exe [4/17/2008 4:42 PM 111952]
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;c:\progra~1\MICROS~4\ISLNDIS5.SYS [7/19/2004 4:07 PM 14887]
S3 SQLAgent$DRL3;SQLAgent$DRL3;c:\program files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlagent.EXE -i DRL3 --> c:\program files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlagent.EXE -i DRL3 [?]
S4 FWService;FWService;c:\program files\eAcceleration\Firewall\FWService.exe -Service --> c:\program files\eAcceleration\Firewall\FWService.exe -Service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IP6FW
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-05-24 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 08:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 04:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Microsoft SQL Server\MSSQL$DRL3\Binn\sqlservr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-05-28 4:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 08:54
ComboFix2.txt 2009-05-27 11:43
ComboFix3.txt 2009-05-27 09:12
ComboFix4.txt 2009-05-26 09:43

Pre-Run: 6,395,490,304 bytes free
Post-Run: 6,434,140,160 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
194 --- E O F --- 2009-05-18 08:04

#9 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 29 May 2009 - 06:34 AM

Hi,

Can you put them on a usb-stick or something like that, and scan them with an external pc?
(Don't open the files when they are on the usb-stick or other pc!!)

#10 Shaba

Shaba

  • Members
  • 7,872 posts
  • Location:Finland

Posted 14 June 2009 - 07:11 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security