Vundo Infection websrvr.exe


This topic is locked
22 replies to this topic

#1 zoom1209

Posted 06 June 2009 - 03:23 PM

I have been having problems with popups and a lot of junk mail. I believe I have a Vundo infection. I had programs like websrvr.exe running on my computer that I earlier got rid of with HJT, but it appears I still can't get to the root problem.

I use Spyware Doctor and Malwarebytes' Anti-Malware pretty regularly and find something new each time I've been online for more than a minute or two.

Here is my pseudo HJT report from your DDS program.

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File
BHO: 504139 Class: {d2cade3f-b3e0-4b74-b338-71d70910bbca} - c:\windows\system32\sysloc\sysloc.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Stumble&Upon: {22d003ce-6952-46c5-80b9-d19b479620ab} - c:\windows\system32\s1940.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ESPN BottomLine] c:\program files\espn\bottomline\bline.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [FileBack PC] c:\progra~1\fileba~1\FileBack.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRun: [InetChk] c:\windows\temp\ms1239209006.exe work
dRun: [<NO NAME>] c:\windows\temp\gfes2gsno.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
dRun: [nzdflkioezncfiunfindiuchiuenfcdc] c:\windows\temp\gfes2gsno.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: connwsp.dll
Trusted Zone: stumbleupon.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
AppInit_DLLs: c:\windows\system32\fapawozi.dll n
LSA: Notification Packages = scecli c:\windows\system32\fapawozi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonhub~1\applic~1\mozilla\firefox\profiles\rs9pyydh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\jonhubbell\application data\mozilla\firefox\profiles\rs9pyydh.default\extensions\{0ffcc8d1-8198-4b2f-9a96-2b4d4a65ecc9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {F0C62954-1690-4FF6-B9DE-5A2AFEB1549B} - c:\documents and settings\jonhubbell\local settings\application data\{F0C62954-1690-4FF6-B9DE-5A2AFEB1549B}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-29 13:19 <DIR> --d----- c:\windows\system32\sysloc
2009-05-28 10:49 20,480 a------- c:\windows\system32\ak1.exe
2009-05-28 10:43 2 ----h--- c:\windows\sonce122730.dat
2009-05-15 16:44 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-15 16:44 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-15 16:44 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-15 16:44 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-15 16:44 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-15 16:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2009-06-06 15:46 1,247 ---shr-- C:\BOOTFILE.DAT
2009-05-07 08:57 202 a------- C:\43214354.bat
2009-04-27 18:02 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-13 17:32 44,544 a------- c:\windows\system32\Winset20.exe
2009-04-10 13:28 20,480 a------- c:\windows\system32\nDler2.exe
2009-04-08 12:28 38,400 a------- c:\windows\system32\winsetupgl.exe
2009-04-06 19:02 848 a------- C:\delete.bat
2009-04-06 18:36 27,648 a------- c:\windows\system32\winsetupsm.exe
2009-04-06 18:18 27,648 a------- c:\windows\system32\winsetupsn.exe
2006-07-20 12:55 954 a--shr-- c:\windows\system32\PROTSTOR.SYS
2007-08-03 01:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007080320070804\index.dat

============= FINISH: 16:10:41.53 ===============

Thanks for the help!!

jon


#2 miekiemoes (Malware Response Team)

Posted 07 June 2009 - 05:15 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In case you lost internet access after performing the above instructions:

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 zoom1209 (Topic Starter)

Posted 07 June 2009 - 01:31 PM

Thanks for the help so far.

As I mentioned in my first post, I already have MBAM and use it, along with Spyware Doctor, pretty regularly to get rid of any peripheral bugs that they can find, but they still don't seem to get to the root of the problem.

Anyway, here is my MBAM quick scan log from today:


Malwarebytes' Anti-Malware 1.36
Database version: 1949
Windows 5.1.2600 Service Pack 2

2009-06-07 2:26:18 PM
mbam-log-2009-06-07 (14-26-18).txt

Scan type: Quick Scan
Objects scanned: 94654
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again.

jon

#4 miekiemoes (Malware Response Team)

Posted 08 June 2009 - 01:52 AM

Hi,

This is what I said in my previous post:

In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.

No wonder it doesn't detect the malware if you're using an outdated version. So please update and run again.

#5 zoom1209 (Topic Starter)

Posted 08 June 2009 - 02:23 PM

I tried updating but kept getting an error that I was either not connected to the internet (I was) or that there was a firewall setting blocking the update. I added MBAM to my firewall exceptions, but still no luck. I did uninstall MBAM and redownload the file so that I have the newest version. Here's the log from the full scan I just ran with the new version.

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 2

2009-06-08 3:18:00 PM
mbam-log-2009-06-08 (15-17-54).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 197738
Time elapsed: 33 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d2cade3f-b3e0-4b74-b338-71d70910bbca} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d2cade3f-b3e0-4b74-b338-71d70910bbca} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2cade3f-b3e0-4b74-b338-71d70910bbca} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inetchk (Trojan.Proxy) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Winwebsec) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzdflkioezncfiunfindiuchiuenfcdc (Trojan.Winwebsec) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\SYSTEM32\796525 (Trojan.BHO) -> No action taken.

Files Infected:
C:\WINDOWS\Temp\ms1239209006.exe (Trojan.Proxy) -> No action taken.
C:\WINDOWS\Temp\gfes2gsno.exe (Trojan.Winwebsec) -> No action taken.
c:\WINDOWS\SYSTEM32\ak1.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\SYSTEM32\nDler2.exe (Trojan.Agent.V) -> No action taken.
c:\WINDOWS\SYSTEM32\winglsetup.exe (Trojan.Vundo) -> No action taken.
c:\WINDOWS\SYSTEM32\winsetupgl.exe (Trojan.Vundo) -> No action taken.
c:\WINDOWS\Temp\sfdef9834j.exe (Trojan.Winwebsec) -> No action taken.
c:\WINDOWS\Temp\sfsdfdf.exe (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Temp\sjgh4kdg4rg4.exe (Trojan.Ertfor) -> No action taken.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> No action taken.
c:\documents and settings\Information\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
c:\documents and settings\jonhubbell\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\winsetupsm.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SYSTEM32\winsetupsn.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SYSTEM32\sysloc\sysloc.dll (Trojan.BHO) -> No action taken.

#6 miekiemoes (Malware Response Team)

Posted 08 June 2009 - 02:31 PM

Hi,

First of all, open IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Then, use the update button in malwarebytes again, because it's still outdated.

Also,

It is confusing whether you removed what it found or not, so please rescan again and let mbam remove what it found.
Then reboot and post the log together with a new DDS log.
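The DDS report in the first post and the proxy-reset step above concern the same settings: a browser proxy pointed at localhost:7171, a DLL listed in both AppInit_DLLs and the LSA Notification Packages, and Default-user autostarts launching from temp and globalroot paths. As an added example (not code from the thread, nor from the DDS or MBAM tools), here is a small offline triage script that reads "Pseudo HJT Report" lines and flags those patterns; the rule names, the LSA baseline of just `scecli`, and the list of suspicious paths are my assumptions, and the sample input is an excerpt of the log posted above.

```python
"""Offline triage of DDS "Pseudo HJT Report" lines for the patterns seen in this
thread: a browser proxy pointed at the local machine, a DLL injected through
AppInit_DLLs and LSA Notification Packages, and Default-user autostarts that
launch from temp or globalroot paths."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id
    detail: str  # the value that tripped the rule
    line: str    # the report line it came from


# Constructed sample: an excerpt of the DDS report posted earlier in this thread.
SAMPLE_REPORT = r"""uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - No File
BHO: 504139 Class: {d2cade3f-b3e0-4b74-b338-71d70910bbca} - c:\windows\system32\sysloc\sysloc.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRun: [InetChk] c:\windows\temp\ms1239209006.exe work
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
AppInit_DLLs: c:\windows\system32\fapawozi.dll n
LSA: Notification Packages = scecli c:\windows\system32\fapawozi.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171"""

LOOPBACK = re.compile(r"\b(localhost|127\.0\.0\.1)\b", re.IGNORECASE)
DLL_PATH = re.compile(r"[a-z]:\\[^\s,]+?\.dll", re.IGNORECASE)
# Assumed baseline: the only LSA notification package on a clean, stand-alone
# Windows XP installation. Anything else is reported for a closer look.
LSA_BASELINE = {"scecli"}
# Assumed: locations a Default-user (dRun) autostart has no business running from.
SUSPICIOUS_PATH = re.compile(r"\\temp\\|\\\\\?\\globalroot\\|\\locals~1\\", re.IGNORECASE)


def triage_line(line: str) -> list[Finding]:
    """Apply every rule to one report line; a line may trip several rules."""
    text = line.strip()
    out: list[Finding] = []
    # Per-user IE proxy pointing at the loopback adapter (Trojan.Proxy pattern).
    if text.startswith("uInternet Settings,ProxyServer") and LOOPBACK.search(text):
        out.append(Finding("proxy-hijack-ie", text.split("=", 1)[1].strip(), text))
    # Same thing in Firefox prefs.js.
    if "prefs.js: network.proxy.http -" in text:
        host = text.rsplit(" - ", 1)[1].strip()
        if LOOPBACK.search(host):
            out.append(Finding("proxy-hijack-ff", host, text))
    # AppInit_DLLs loads the listed DLL into every process that links user32.
    if text.startswith("AppInit_DLLs:"):
        for dll in DLL_PATH.findall(text):
            out.append(Finding("appinit-dll", dll, text))
    # LSA notification packages run inside lsass at logon and password changes.
    if text.startswith("LSA: Notification Packages"):
        for pkg in text.split("=", 1)[1].split():
            if pkg.lower() not in LSA_BASELINE:
                out.append(Finding("lsa-notification-package", pkg, text))
    # Default-user hive autostarts that run from temp or globalroot paths.
    if text.startswith("dRun:") and SUSPICIOUS_PATH.search(text):
        out.append(Finding("default-user-autostart", text.split("]", 1)[1].strip(), text))
    # Orphaned browser extensions: registry entry left behind after the file went.
    if text.split(":", 1)[0] in {"BHO", "TB", "EB"} and text.endswith("- No File"):
        out.append(Finding("orphaned-browser-extension", text.split(":", 1)[1].strip(), text))
    return out


def triage(report: str) -> list[Finding]:
    return [f for line in report.splitlines() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> Counter:
    return Counter(f.rule for f in findings)


def correlated_dlls(findings: list[Finding]) -> set[str]:
    """DLL basenames present both in AppInit_DLLs and as an LSA package: one
    module hooked into every process *and* into the logon subsystem."""
    def basenames(rule: str) -> set[str]:
        return {f.detail.lower().rsplit("\\", 1)[-1] for f in findings if f.rule == rule}
    return basenames("appinit-dll") & basenames("lsa-notification-package")


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[{f.rule}] {f.detail}")
    print("summary:", dict(summarize(found)))
    print("dll in both AppInit_DLLs and LSA packages:", correlated_dlls(found))
```

The rules only read a pasted report; they do not touch the registry, so they are safe to run against any saved DDS log to see which settings still need resetting after a clean-up.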

#7 zoom1209 (Topic Starter)

Posted 08 June 2009 - 03:35 PM

I did remove what MBAM found the first time, but when I rescanned, it found more.

Here is the log of the most current MBAM scan, followed by the new DDS log:

Malwarebytes' Anti-Malware 1.37
Database version: 2249
Windows 5.1.2600 Service Pack 2

2009-06-08 4:26:40 PM
mbam-log-2009-06-08 (16-26-40).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 201551
Time elapsed: 36 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\jk557.jk557mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\jk557.jk557mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\SYSTEM32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\Winset20.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


-------------------------------------------------------------------------------------------------------------------------




DDS (Ver_09-05-14.01) - NTFSx86
Run by jonhubbell at 16:30:18.72 on 2009-06-08
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Stumble&Upon: {22d003ce-6952-46c5-80b9-d19b479620ab} - c:\windows\system32\s1940.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ESPN BottomLine] c:\program files\espn\bottomline\bline.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [FileBack PC] c:\progra~1\fileba~1\FileBack.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: connwsp.dll
Trusted Zone: stumbleupon.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
AppInit_DLLs: c:\windows\system32\fapawozi.dll n
LSA: Notification Packages = scecli c:\windows\system32\fapawozi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonhub~1\applic~1\mozilla\firefox\profiles\rs9pyydh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\jonhubbell\application data\mozilla\firefox\profiles\rs9pyydh.default\extensions\{0ffcc8d1-8198-4b2f-9a96-2b4d4a65ecc9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {F0C62954-1690-4FF6-B9DE-5A2AFEB1549B} - c:\documents and settings\jonhubbell\local settings\application data\{F0C62954-1690-4FF6-B9DE-5A2AFEB1549B}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-08 14:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 14:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-08 14:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 16:44 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-15 16:44 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-15 16:44 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-15 16:44 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-15 16:44 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-15 16:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2009-06-08 16:30 1,246 ---shr-- C:\BOOTFILE.DAT
2009-05-07 08:57 202 a------- C:\43214354.bat
2009-04-06 19:02 848 a------- C:\delete.bat
2006-07-20 12:55 954 a--shr-- c:\windows\system32\PROTSTOR.SYS
2007-08-03 01:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007080320070804\index.dat

============= FINISH: 16:31:01.80 ===============

#8 miekiemoes (Malware Response Team)

Posted 08 June 2009 - 03:46 PM

Hi,

Quote: "but when i rescanned, it found more."

I know it would... that's why I asked you to update.

We still aren't finished yet...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#9 zoom1209 (Topic Starter)

Posted 08 June 2009 - 05:39 PM

Here is my ComboFix log:

ComboFix 09-06-07.07 - jonhubbell 2009-06-08 17:57.1 - NTFSx86
Running from: c:\documents and settings\jonhubbell\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthmbtkytdqkbokscvqjyckqkibapsmrnpx.sys
c:\windows\system32\ovfsthatpltxuomxjlahyfkoymmlyrvkayvkst.dat
c:\windows\system32\ovfsthbxnkqntuwxkhylsqvynrthbxynfgawur.dll
c:\windows\system32\ovfsthcnoedxfihdyalgspqwxvvrsfimwyawqq.dll
c:\windows\system32\ovfsthnnopqgicrksvhmuejyqddilfdhtoihrg.dll
c:\windows\system32\ovfsthtinxujhkiaillgpcsinufcwceikolups.dat
c:\windows\system32\sfcfiles.dat
c:\windows\system32\tdtapfmn.dll
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthejsvkdulktlobqpkycfrqjlkvjcdlmch
-------\Service_ovfsthejsvkdulktlobqpkycfrqjlkvjcdlmch


((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-08 18:20 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 18:20 . 2009-06-08 18:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 18:20 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-15 20:44 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-05-15 20:44 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-05-15 20:44 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-15 20:44 . 2009-05-15 20:44 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-15 20:44 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-05-15 20:44 . 2009-05-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 22:26 . 2006-07-20 16:55 1246 --sh--r- c:\windows\system32\PROTSTOR.DAT
2009-06-08 22:26 . 2005-05-02 15:34 1246 --sh--r- c:\windows\MOSPS.SYS
2009-06-08 22:26 . 2005-05-02 15:34 1246 --sh--r- C:\BOOTFILE.DAT
2009-06-08 22:25 . 2005-05-02 15:34 -------- d-----w- c:\program files\FileBack PC
2009-06-08 22:04 . 2005-11-18 18:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-08 21:00 . 2007-11-01 16:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-08 18:45 . 2007-11-01 16:25 -------- d-----w- c:\program files\Spyware Doctor
2009-06-07 22:56 . 2008-05-29 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-27 17:02 . 2004-10-20 21:47 -------- d-----w- c:\program files\Google
2009-05-27 17:01 . 2004-03-31 05:52 -------- d-----w- c:\program files\ESPN
2009-05-27 17:01 . 2004-03-26 04:25 -------- d-----w- c:\program files\Common Files\aolshare
2009-05-27 17:01 . 2004-03-26 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-07 12:57 . 2009-05-07 12:57 202 ----a-w- C:\43214354.bat
2009-05-01 16:15 . 2009-05-01 16:15 698511 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-05-01 16:15 . 2009-05-01 16:15 225280 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-05-01 16:14 . 2004-03-26 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-05-01 16:14 . 2009-05-01 16:14 327437 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\CIP\TransferAgentSetup.exe
2009-05-01 16:14 . 2009-05-01 16:11 -------- d--h--w- c:\documents and settings\Information\Application Data\GTek
2009-05-01 16:14 . 2009-05-01 16:14 1896448 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-05-01 16:14 . 2009-05-01 16:14 123138 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-05-01 16:11 . 2009-05-01 16:11 -------- d-----w- c:\documents and settings\Information\Application Data\Grisoft
2009-04-27 19:26 . 2009-04-07 21:06 155 ----a-w- c:\windows\system32\SelfDel.bat
2009-04-06 23:02 . 2007-08-08 05:56 848 ----a-w- C:\delete.bat
2007-08-03 19:20 . 2007-08-03 19:20 405 --sha-w- c:\windows\SYSTEM32\euoibhgc.tmp
2006-07-20 16:55 . 2005-05-02 15:34 954 --sha-r- c:\windows\SYSTEM32\PROTSTOR.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"FileBack PC"="c:\progra~1\FILEBA~1\FileBack.exe" [2009-04-17 4695040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 126104]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-06-20 13:03 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Card Companion Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk
backup=c:\windows\pss\Media Card Companion Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jonhubbell^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\jonhubbell\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\SYSTEM32\\DKabcoms.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe [2006-10-21 508824]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-24 124608]
S3 EraserUtilDrv10633;EraserUtilDrv10633;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [2006-11-28 102712]

.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 16:26]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ESPN BottomLine - c:\program files\ESPN\BottomLine\bline.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: connwsp.dll
Trusted Zone: stumbleupon.com
FF - ProfilePath - c:\documents and settings\jonhubbell\Application Data\Mozilla\Firefox\Profiles\rs9pyydh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\jonhubbell\Application Data\Mozilla\Firefox\Profiles\rs9pyydh.default\extensions\{0FFCC8D1-8198-4b2f-9A96-2B4D4A65ECC9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 18:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\connwsp.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\connwsp.dll

- - - - - - - > 'explorer.exe'(1612)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\System32\shdoclc.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\SYSTEM32\scardsvr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\ZCfgSvc.exe
c:\windows\SYSTEM32\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-08 18:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-08 22:30
ComboFix2.txt 2007-10-13 17:56

Pre-Run: 12,158,914,560 bytes free
Post-Run: 12,205,830,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

212 --- E O F --- 2007-06-18 16:42

#10 miekiemoes

miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2009 - 12:55 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\43214354.bat
c:\windows\system32\SelfDel.bat
C:\delete.bat
c:\windows\SYSTEM32\euoibhgc.tmp
DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>



Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
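
The CFScript above was written by hand from the log: the File:: section names the loose batch files in the drive root and system32 and the hidden, system-attributed eight-letter .tmp in system32, and the DDS:: section resets the Internet Explorer proxy entries, which here point at localhost:7171. On a home machine with no proxy software installed, a loopback proxy means some local process is relaying the browser's traffic, which is exactly the kind of thing that makes "fixed" browser settings come back. The Python below is an added example and is not ComboFix's own code or part of the original post: it parses lines in ComboFix's "Files Created" format and the DDS settings format, applies the two file heuristics and the loopback-proxy check as assumptions drawn from what the helper flagged, and emits a script in the same File::/DDS:: layout. The sample lines are constructed from the log above.

```python
"""Turn ComboFix/DDS-style log lines into a CFScript (File:: / DDS:: sections).
Added example for this thread; not ComboFix's own code. The heuristics below are
assumptions drawn from what the helper flagged in the log above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the log above: ComboFix "Files Created" lines
# (created . modified size attrs path) followed by DDS-style settings lines.
SAMPLE_LOG = """\
2009-05-07 12:57 . 2009-05-07 12:57 202 ----a-w- C:\\43214354.bat
2009-04-27 19:26 . 2009-04-07 21:06 155 ----a-w- c:\\windows\\system32\\SelfDel.bat
2007-08-03 19:20 . 2007-08-03 19:20 405 --sha-w- c:\\windows\\SYSTEM32\\euoibhgc.tmp
2009-06-08 18:20 . 2009-05-26 17:20 40160 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-05-01 16:14 . 2004-03-26 04:29 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\Dell
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
LSP: connwsp.dll
"""

FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dsharw]{8}) (?P<path>.+)$"
)
PROXY_LINE = re.compile(r"^uInternet Settings,Proxy(?P<key>\w+) = (?P<value>.*)$")
# ProxyServer values look like "localhost:7171" or "http=localhost:7171;https=..."
LOOPBACK = re.compile(r"(^|=)(localhost|127\.0\.0\.1)(:\d+)?(;|$)", re.IGNORECASE)
# Files sitting directly in the drive root or in system32 (no deeper subfolder).
ROOT_OR_SYSTEM32 = re.compile(r"^[a-z]:\\(windows\\system32\\)?[^\\]+$", re.IGNORECASE)
RANDOM_TMP = re.compile(r"^[a-z]{8}\.tmp$", re.IGNORECASE)


@dataclass
class FileEntry:
    path: str
    size: Optional[int]
    is_dir: bool
    system: bool
    hidden: bool


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one ComboFix file-listing line; attrs are d?sha?w? in fixed columns."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    attrs = m.group("attrs")
    size = None if m.group("size").startswith("-") else int(m.group("size"))
    return FileEntry(m.group("path"), size, attrs[0] == "d", attrs[2] == "s", attrs[3] == "h")


def is_suspicious_file(e: FileEntry) -> bool:
    """Assumed heuristics: loose .bat files in the drive root or system32
    (self-deleting dropper scripts), and hidden+system eight-letter .tmp files."""
    if e.is_dir or not ROOT_OR_SYSTEM32.match(e.path):
        return False
    name = e.path.rsplit("\\", 1)[-1]
    if name.lower().endswith(".bat"):
        return True
    return e.system and e.hidden and bool(RANDOM_TMP.match(name))


@dataclass
class Indicators:
    files: List[str] = field(default_factory=list)
    dds: List[str] = field(default_factory=list)


def find_indicators(log_text: str) -> Indicators:
    ind = Indicators()
    proxy_lines: List[str] = []
    loopback_proxy = False
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_file_line(line)
        if entry is not None:
            if is_suspicious_file(entry):
                ind.files.append(entry.path)
            continue
        m = PROXY_LINE.match(line)
        if m:
            proxy_lines.append(line)
            # A proxy on loopback with no local proxy software means some process
            # on the box is relaying the browser's traffic; reset all Proxy* keys.
            if m.group("key") == "Server" and LOOPBACK.search(m.group("value")):
                loopback_proxy = True
    if loopback_proxy:
        ind.dds.extend(proxy_lines)
    return ind


def build_cfscript(ind: Indicators) -> str:
    """Emit the File:: / DDS:: layout ComboFix expects; review it before use."""
    parts = []
    if ind.files:
        parts.append("File::\n" + "\n".join(ind.files))
    if ind.dds:
        parts.append("DDS::\n" + "\n".join(ind.dds))
    return "\n".join(parts) + ("\n" if parts else "")


if __name__ == "__main__":
    print(build_cfscript(find_indicators(SAMPLE_LOG)), end="")
```

Read any generated script before dragging it onto ComboFix: everything under File:: is deleted, and the heuristics here cover only the patterns this thread turned up (a legitimate installer can leave a batch file in the root, and PROTSTOR.SYS above is also hidden+system yet was deliberately left alone).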

#11 zoom1209

zoom1209
  • Topic Starter
  • Members
  • 11 posts

Posted 09 June 2009 - 02:46 PM

Here's that new ComboFix log:


ComboFix 09-06-07.07 - jonhubbell 2009-06-09 15:35.2 - NTFSx86
Running from: c:\documents and settings\jonhubbell\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jonhubbell\Desktop\CFScript.txt

FILE ::
"C:\43214354.bat"
"C:\delete.bat"
"c:\windows\SYSTEM32\euoibhgc.tmp"
"c:\windows\system32\SelfDel.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\43214354.bat
C:\delete.bat
c:\windows\SYSTEM32\euoibhgc.tmp
c:\windows\system32\SelfDel.bat

.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-08 18:20 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 18:20 . 2009-06-08 18:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 18:20 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-15 20:44 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-05-15 20:44 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-05-15 20:44 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-15 20:44 . 2009-05-15 20:44 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-15 20:44 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-05-15 20:44 . 2009-05-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 19:02 . 2007-11-01 16:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-09 18:50 . 2006-07-20 16:55 1247 --sh--r- c:\windows\system32\PROTSTOR.DAT
2009-06-09 18:50 . 2005-05-02 15:34 1247 --sh--r- c:\windows\MOSPS.SYS
2009-06-09 18:50 . 2005-05-02 15:34 1247 --sh--r- C:\BOOTFILE.DAT
2009-06-09 18:48 . 2005-11-18 18:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-09 18:48 . 2005-05-02 15:34 -------- d-----w- c:\program files\FileBack PC
2009-06-08 23:57 . 2008-05-29 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-08 18:45 . 2007-11-01 16:25 -------- d-----w- c:\program files\Spyware Doctor
2009-05-27 17:02 . 2004-10-20 21:47 -------- d-----w- c:\program files\Google
2009-05-27 17:01 . 2004-03-31 05:52 -------- d-----w- c:\program files\ESPN
2009-05-27 17:01 . 2004-03-26 04:25 -------- d-----w- c:\program files\Common Files\aolshare
2009-05-27 17:01 . 2004-03-26 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-01 16:15 . 2009-05-01 16:15 698511 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-05-01 16:15 . 2009-05-01 16:15 225280 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-05-01 16:14 . 2004-03-26 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-05-01 16:14 . 2009-05-01 16:14 327437 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\CIP\TransferAgentSetup.exe
2009-05-01 16:14 . 2009-05-01 16:11 -------- d--h--w- c:\documents and settings\Information\Application Data\GTek
2009-05-01 16:14 . 2009-05-01 16:14 1896448 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-05-01 16:14 . 2009-05-01 16:14 123138 ----a-w- c:\documents and settings\Information\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-05-01 16:11 . 2009-05-01 16:11 -------- d-----w- c:\documents and settings\Information\Application Data\Grisoft
2006-07-20 16:55 . 2005-05-02 15:34 954 --sha-r- c:\windows\SYSTEM32\PROTSTOR.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_22.26.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-09 18:47 . 2009-06-09 18:47 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"FileBack PC"="c:\progra~1\FILEBA~1\FileBack.exe" [2009-04-17 4695040]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 126104]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-06-20 13:03 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Card Companion Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk
backup=c:\windows\pss\Media Card Companion Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jonhubbell^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\jonhubbell\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\SYSTEM32\\DKabcoms.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe [2006-10-21 508824]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-24 124608]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]


--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10633
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 16:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: connwsp.dll
Trusted Zone: stumbleupon.com
FF - ProfilePath - c:\documents and settings\jonhubbell\Application Data\Mozilla\Firefox\Profiles\rs9pyydh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\jonhubbell\Application Data\Mozilla\Firefox\Profiles\rs9pyydh.default\extensions\{0FFCC8D1-8198-4b2f-9A96-2B4D4A65ECC9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 15:40
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\connwsp.dll
.
Completion time: 2009-06-09 15:44
ComboFix-quarantined-files.txt 2009-06-09 19:44
ComboFix2.txt 2009-06-08 22:30
ComboFix3.txt 2007-10-13 17:56

Pre-Run: 12,217,688,064 bytes free
Post-Run: 12,202,811,392 bytes free

171 --- E O F --- 2007-06-18 16:42

thanks!

#12 miekiemoes

miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2009 - 02:48 PM

Hi,

This looks OK again.

Update your Sun Java, because previous versions are vulnerable:
Updating Java:
  • Go to Start > Control Panel and double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have the Java icon next to it.
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Then go to Start > Run and copy and paste the following command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#13 zoom1209

zoom1209
  • Topic Starter
  • Members
  • 11 posts

Posted 11 June 2009 - 12:26 PM

I followed all your instructions and think I may still have a problem.

After I was finished with what you had said, I scanned my computer with Spyware Doctor and found the following bugs:

Trojan-PWS.Bancos.PWN
Adware.Vundo
Trojan-Dropper.Agent!sd6
Trojan.Generic

I removed them, restarted and rescanned.

It again found:

Adware.Vundo
Trojan-Dropper.Agent!sd6

I removed them, restarted and rescanned. It was a clean scan, but I just finished it and will wait an hour or two and scan again to see if anything new has been downloaded.

I will keep you posted.



thanks

#14 miekiemoes

miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 June 2009 - 03:04 PM

Hi,

Can you let me know where Spyware Doctor finds these? This is because I have seen Spyware Doctor flagging harmless cookies or legit registry keys as these....

#15 zoom1209

zoom1209
  • Topic Starter
  • Members
  • 11 posts

Posted 11 June 2009 - 03:14 PM

That last Spyware Doctor scan just finished and was again clean.

Here are the summaries from the last scan that picked up bugs:

Threat Name - Trojan-Dropper.Agent!sd6
Type - File
Risk Level - High
Infection - F:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP10\A0001440.exe

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP10\A0001439.exe

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - F:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP10\A0001437.exe

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - F:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP10\A0001438.dll

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - F:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP10\A0001438.dll
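
Every path in the summaries above sits under System Volume Information\_restore{...}\RP10, and one of them (A0001438.dll) is listed twice. Those are copies that System Restore archived when the original files were removed; they are inert unless that restore point is used, so triage tooling should separate them from detections in active locations rather than treat them as a live reinfection, and the cleanup is to purge the affected restore points. The Python below is an added example, not part of the original post and not Spyware Doctor's own code: it parses the "Key - Value" summary layout shown above, collapses duplicate paths, splits restore-point copies from detections in active locations, and lists the (drive, restore point) pairs that would need purging. The sample report is constructed from the post, with one extra hypothetical detection in system32 (example_vundo.dll, an invented name) added to show the other bucket.

```python
"""Triage scanner detections by whether they are live files or archived System
Restore copies. Added example for this thread; not Spyware Doctor's own code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the summary layout posted above (four entries taken from
# the post, plus one hypothetical detection in system32 to show the other bucket).
SAMPLE_REPORT = """\
Threat Name - Trojan-Dropper.Agent!sd6
Type - File
Risk Level - High
Infection - F:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP10\\A0001440.exe

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP10\\A0001439.exe

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - F:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP10\\A0001438.dll

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - F:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP10\\A0001438.dll

Threat Name - Adware.Vundo
Type - File
Risk Level - Medium
Infection - C:\\WINDOWS\\system32\\example_vundo.dll
"""

# System Restore keeps removed files under <drive>:\System Volume Information\
# _restore{GUID}\RPnn\A00nnnnn.ext; they are inert until that point is restored.
RESTORE_POINT = re.compile(
    r"^(?P<drive>[A-Z]):\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Detection:
    name: str
    kind: str
    risk: str
    path: str


def parse_report(text: str) -> List[Detection]:
    """Parse 'Key - Value' blocks; an 'Infection' line closes each block."""
    dets: List[Detection] = []
    cur: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(" - ")
        if not sep:
            continue
        cur[key] = value
        if key == "Infection":
            dets.append(Detection(cur.get("Threat Name", "?"), cur.get("Type", "?"),
                                  cur.get("Risk Level", "?"), value))
            cur = {}
    return dets


def triage(dets: List[Detection]) -> Dict[str, List[Detection]]:
    """Split detections into restore-point copies vs. files in active locations,
    collapsing the same path reported more than once."""
    seen = set()
    buckets: Dict[str, List[Detection]] = {"restore_point": [], "active": []}
    for d in dets:
        key = d.path.lower()
        if key in seen:
            continue
        seen.add(key)
        bucket = "restore_point" if RESTORE_POINT.match(d.path) else "active"
        buckets[bucket].append(d)
    return buckets


def restore_points_to_purge(dets: List[Detection]) -> List[Tuple[str, int]]:
    """(drive, RP number) pairs whose archived copies were flagged; clearing those
    restore points removes the copies without touching the live system."""
    pts = set()
    for d in dets:
        m = RESTORE_POINT.match(d.path)
        if m:
            pts.add((m.group("drive").upper(), int(m.group("rp"))))
    return sorted(pts)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    t = triage(found)
    print(f"{len(t['active'])} active, {len(t['restore_point'])} archived in System Restore")
    print("restore points to purge:", restore_points_to_purge(found))
```

Anything that lands in the "active" bucket is the part worth sending back to the helper with its full path; the restore-point bucket only tells you which restore points still hold old copies and should be cleared once the machine is confirmed clean.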



