
"System" Process is eating up resources possibly due to worm


  • This topic is locked
20 replies to this topic

#1 kandax

kandax

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:30 PM

Posted 11 June 2009 - 11:43 AM

I've noticed that my computer has been running very slow of late, forcing programs closed and giving various slowdowns on others. Wondering if it could be malware, because I'm noticing that in the task manager my computer's "system" process is eating up almost 60k more than it normally does.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Default at 12:29:46.00 on Thu 06/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2373 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Default\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {8be85fe6-0fc6-4975-9d11-26511ff24309} - No File
BHO: {8EA86503-476F-476A-A55A-7225082DF3EB} - No File
BHO: {8EFE662F-065D-4A0D-BE98-D67809EE0BCA} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233612995013
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ssqppQki - ssqppQki.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {8EA86503-476F-476A-A55A-7225082DF3EB} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXnnNGw

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\default\applic~1\mozilla\firefox\profiles\7n67xuxn.default\
FF - prefs.js: browser.startup.homepage - hxxp://play.battlefield-heroes.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\default\application data\mozilla\firefox\profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\default\application data\mozilla\firefox\profiles\7n67xuxn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-11 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-11 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-11 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-11 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-1-26 13532]

=============== Created Last 30 ================

2009-06-11 02:28 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-11 02:23 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-10 23:35 617,472 a------- c:\windows\system32\_entreelist.dll
2009-06-10 23:35 714,752 a------- c:\windows\system32\_enviewlist.dll
2009-06-10 23:20 <DIR> --d----- C:\ProgramData
2009-06-10 12:40 <DIR> --d----- C:\CrashReport
2009-06-10 00:55 <DIR> --d----- c:\program files\msn gaming zone
2009-06-06 21:39 90,112 a----r-- c:\windows\system32\SCCD3X02.DLL
2009-06-06 21:39 131,072 a----r-- c:\windows\system32\SCCD3X01.DLL
2009-06-05 12:53 157,152 a------- c:\windows\system32\PubPlugin.dll
2009-06-05 12:53 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2009-06-05 12:53 710,064 a------- c:\windows\system32\ijjiSetup.exe
2009-06-05 12:53 58,800 a------- c:\windows\system32\ijjiProcessRestarter.exe
2009-06-03 11:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-02 11:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-06-02 10:53 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-01 13:26 <DIR> --d----- c:\program files\Lavasoft
2009-05-26 17:34 <DIR> --d----- c:\docume~1\default\applic~1\Windows Search

==================== Find3M ====================

2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-10 09:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-10 09:26 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 09:26 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-04-30 22:28 1,654,869 a------- c:\docume~1\alluse~1\applic~1\DynuEncrypt.dll
2008-04-06 13:46 1,890 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-04-06 13:46 88 ---shr-- c:\docume~1\alluse~1\applic~1\9AE5ADDEBA.sys
2008-06-11 01:19 722,869 a--sh--- c:\windows\system32\wGNnnXyb.ini2
2008-07-13 17:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071320080714\index.dat

============= FINISH: 12:30:21.92 ===============



NOTE: Sorry for this next part, but it seems it does not want to let me upload a .rar file, so I'm just going to post the attach log as a .txt.



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:30 PM

Posted 12 June 2009 - 12:39 PM

Hello kandax and welcome to the Bleeping Computer forum,


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


****************

Disable Ad-Watch to make sure it won't interfere with fixing.


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 12 June 2009 - 12:41 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kandax

kandax
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:30 PM

Posted 13 June 2009 - 11:46 AM

Ok, I've completed all the steps and here are the logs you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:14 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {90342ff1-1562-11d9-5794-6cf06ef58eb8} - {8be85fe6-0fc6-4975-9d11-26511ff24309} - (no file)
O2 - BHO: (no name) - {8EFE662F-065D-4A0D-BE98-D67809EE0BCA} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1233612995013
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - http://cnn-5.vo.llnwd.net/c1/static/cab_he...pWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: ssqppQki - ssqppQki.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

--
End of file - 4432 bytes


Malwarebytes' Anti-Malware 1.37
Database version: 2270
Windows 5.1.2600 Service Pack 3

6/13/2009 11:53:46 AM
mbam-log-2009-06-13 (11-53-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 241069
Time elapsed: 2 hour(s), 49 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ea86503-476f-476a-a55a-7225082df3eb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ea86503-476f-476a-a55a-7225082df3eb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{8ea86503-476f-476a-a55a-7225082df3eb} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\BMbf7f481c.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\BMbf7f481c.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
AVGFree8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
CCleaner (remove only)
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

Request Timed Out (Check Internet connection?)

Scan took 27 seconds.
`````````End of Log```````````
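The logs in this post are the raw material of the triage the helper is doing by hand: Malwarebytes reports detections per category and notes which items it left alone, while the HijackThis/DDS lines show orphaned BHOs, a Winlogon Notify package with a missing DLL, an extra entry in LSA Authentication Packages, and Security Center notifications switched off. The following Python script is an added example, not part of this thread and not the logic of Malwarebytes, HijackThis, DDS or ComboFix. It parses those two log shapes and flags the same kinds of entries. The sample text is constructed from a few lines in the shape of the logs above, and the triage rules (the regular expressions and the assumption that `msv1_0` is the only expected LSA authentication package on Windows XP) are choices made for this example.

```python
import re
from collections import Counter

# ---- Part 1: Malwarebytes' Anti-Malware report --------------------------------

# Constructed sample in the shape of the MBAM report posted above (a few lines,
# not the full log).
MBAM_SAMPLE = """\
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\\WINDOWS\\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <result>"; the result may itself contain " -> ".
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<result>.+)$")


def parse_mbam(text):
    """One {section, item, family, action} dict per detection line."""
    section, findings = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):                 # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = MBAM_ITEM.match(line)
        if m:
            # The last "->" clause is what MBAM did (or did not do) with the item.
            action = m["result"].split("->")[-1].strip().rstrip(".")
            findings.append({"section": section, "item": m["item"],
                             "family": m["family"], "action": action})
    return findings


def mbam_summary(text):
    """(Counter of detections per family, items MBAM left in place)."""
    findings = parse_mbam(text)
    families = Counter(f["family"] for f in findings)
    left_in_place = [f["item"] for f in findings
                     if not f["action"].startswith("Quarantined")]
    return families, left_in_place


# ---- Part 2: HijackThis / DDS / ComboFix registry lines -----------------------

# Constructed sample mixing the DDS "Pseudo HJT", HijackThis and ComboFix
# REGEDIT4 line styles seen in this thread.
HJT_SAMPLE = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {8EA86503-476F-476A-A55A-7225082DF3EB} - No File
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\byXnnNGw
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O20 - Winlogon Notify: ssqppQki - ssqppQki.dll (file missing)
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# Triage rules chosen for this example; they are not the tools' own logic.
NO_FILE = re.compile(r"\((no file|file missing)\)|- No File$", re.I)
SC_NOTIFY = re.compile(r'^"(AntiVirus|Firewall|Updates)DisableNotify"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def flag_hjt(text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    flags = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("LSA: Authentication Packages"):
            # Assumption for this example: XP lists only msv1_0 here. Anything
            # extra is loaded into lsass.exe at boot, a classic persistence spot.
            packages = line.split("=", 1)[1].split()
            for pkg in packages:
                if pkg.lower() != "msv1_0":
                    flags.append((line, f"extra LSA authentication package: {pkg}"))
        elif ("BHO" in line or "Notify" in line) and NO_FILE.search(line):
            flags.append((line, "registered component whose DLL is absent"))
        elif SC_NOTIFY.match(line):
            flags.append((line, "Security Center notification switched off"))
        elif FIREWALL_OFF.match(line):
            flags.append((line, "Windows Firewall disabled"))
    return flags


if __name__ == "__main__":
    families, left = mbam_summary(MBAM_SAMPLE)
    print("MBAM detections per family:", dict(families))
    print("MBAM left in place:", left)
    for line, reason in flag_hjt(HJT_SAMPLE):
        print(f"[{reason}] {line}")
```

Run it as-is to see the summary for the constructed sample, or pass the text of a real report to `mbam_summary` and `flag_hjt`. The "left in place" list is the part worth reading first: in the report above the three `Disabled.SecurityCenter` items were "Not selected for removal", which is why the ComboFix registry dump later in the thread still shows `AntiVirusDisableNotify` and `UpdatesDisableNotify` set to 1 and `EnableFirewall` at 0.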

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:30 PM

Posted 13 June 2009 - 11:57 AM

Hi kandax,

We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 13 June 2009 - 12:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 kandax

kandax
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:30 PM

Posted 13 June 2009 - 12:12 PM

After running it, what is my next course of action, since I'm not supposed to post the log?

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:30 PM

Posted 13 June 2009 - 12:27 PM

Please read the instructions:

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.



Do not run Combofix more than once.


Edited by SifuMike, 13 June 2009 - 12:29 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 kandax

kandax
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:30 PM

Posted 13 June 2009 - 12:52 PM

Ok, gotcha, sorry about that.


ComboFix 09-06-13.01 - Default 06/13/2009 13:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2617 [GMT -4:00]
Running from: c:\documents and settings\Default\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\immoflim.ini
c:\windows\system32\wGNnnXyb.ini
c:\windows\system32\wGNnnXyb.ini2
c:\windows\system32\xurkdqhe.ini
c:\windows\system32\yqnctbcc.ini
D:\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 16:30 . 2009-06-13 16:30 -------- d-----w- c:\program files\Trend Micro
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\documents and settings\Default\Application Data\Malwarebytes
2009-06-13 03:11 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 03:11 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 03:35 . 2009-02-09 12:10 617472 ----a-w- c:\windows\system32\_entreelist.dll
2009-06-11 03:35 . 2009-02-09 12:10 714752 ----a-w- c:\windows\system32\_enviewlist.dll
2009-06-11 03:20 . 2009-06-11 03:20 -------- d-----w- C:\ProgramData
2009-06-10 16:40 . 2009-06-10 16:40 -------- d-----w- C:\CrashReport
2009-06-07 01:39 . 2004-02-25 22:10 90112 ----a-r- c:\windows\system32\SCCD3X02.DLL
2009-06-07 01:39 . 2004-02-25 22:10 131072 ----a-r- c:\windows\system32\SCCD3X01.DLL
2009-06-05 16:54 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-05 16:53 . 2008-06-12 03:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-06-05 16:53 . 2008-04-23 18:02 157152 ----a-w- c:\windows\system32\PubPlugin.dll
2009-06-05 16:53 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-06-05 16:53 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-06-04 03:40 . 2009-03-09 15:34 971776 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-03 15:29 . 2009-06-03 15:29 -------- d-----w- c:\windows\Sun
2009-06-03 15:26 . 2009-06-03 15:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 15:04 . 2009-06-02 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-02 14:53 . 2009-06-02 14:53 10134 ----a-r- c:\documents and settings\Default\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-02 14:53 . 2009-06-02 14:53 -------- d-----w- c:\program files\Microsoft WSE
2009-06-01 17:26 . 2009-06-13 16:09 -------- d-----w- c:\program files\Lavasoft
2009-05-26 21:34 . 2009-05-26 21:34 -------- d-----w- c:\documents and settings\Default\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 03:58 . 2008-01-30 06:55 -------- d-----w- c:\documents and settings\Default\Application Data\uTorrent
2009-06-12 03:11 . 2008-01-30 19:52 -------- d-----w- c:\documents and settings\Default\Application Data\Move Networks
2009-06-11 06:22 . 2008-06-10 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-10 17:16 . 2009-02-02 22:38 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 16:48 . 2008-12-16 03:42 -------- d-----w- c:\program files\Runes of Magic
2009-06-09 14:09 . 2008-01-28 03:25 -------- d-----w- c:\program files\Steam
2009-06-05 17:19 . 2008-02-07 01:27 -------- d--h--w- c:\documents and settings\Default\Application Data\ijjigame
2009-06-05 16:58 . 2008-11-21 21:29 1123994715 ----a-w- c:\documents and settings\Default\Application Data\ijjigame\U_LUNIA_setup.exe
2009-06-05 16:54 . 2008-10-13 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-05 16:53 . 2008-01-27 06:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-02 17:44 . 2008-09-04 16:01 -------- d-----w- c:\program files\Electronic Arts
2009-06-01 17:30 . 2008-03-28 23:23 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-01 17:26 . 2008-01-28 02:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-25 04:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 07:02 . 2008-01-28 02:02 -------- d-----w- c:\program files\VentSrv
2009-05-18 15:44 . 2008-09-05 01:32 594664 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PLauncher.exe
2009-05-12 19:12 . 2008-01-26 22:19 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-10 13:26 . 2008-06-11 04:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-10 13:26 . 2008-06-11 04:05 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 13:26 . 2008-06-11 04:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-10 13:26 . 2008-06-11 04:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 19:31 . 2009-05-04 19:48 1099128 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 19:31 . 2009-05-04 19:48 729088 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 04:27 . 2009-03-30 04:26 965344 ----a-w- c:\documents and settings\Default\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-26 16:48 . 2009-03-26 16:48 34062 ----a-w- c:\documents and settings\Default\Application Data\Move Networks\ie_bin\Uninst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-10 1947928]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 13:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Default^Start Menu^Programs^Startup^TitanTV Remote Scheduler.lnk]
path=c:\documents and settings\Default\Start Menu\Programs\Startup\TitanTV Remote Scheduler.lnk
backup=c:\windows\pss\TitanTV Remote Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"CiSvc"=3 (0x3)
"helpsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 12:05 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 12:05 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 2:17 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 2:17 PM 298776]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [1/26/2008 5:55 PM 13532]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{8be85fe6-0fc6-4975-9d11-26511ff24309} - (no file)
BHO-{8EFE662F-065D-4A0D-BE98-D67809EE0BCA} - (no file)
Notify-ssqppQki - ssqppQki.dll


.
------- Supplementary Scan -------
.
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-688789844-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:02,8d,c7,b0,47,83,a3,58,0f,cb,e4,a3,54,3f,60,c6,17,fd,29,f2,11,
1e,05,c0,c9,d5,a0,67,6c,90,4b,48,11,e8,7e,20,75,c2,6a,ef,8d,41,4a,be,94,f9,\
"rkeysecu"=hex:f3,b2,ae,c0,66,12,a9,c5,bd,22,79,8d,f7,f4,bf,ca
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\CF3471.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\AVG\AVG8\avgui.exe
c:\windows\pchealth\helpctr\binaries\helpctr.exe
c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.
**************************************************************************
.
Completion time: 2009-06-13 13:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 17:47

Pre-Run: 53,766,533,120 bytes free
Post-Run: 54,016,753,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


#8 SifuMike (malware expert)

Posted 13 June 2009 - 01:08 PM

Hi kandax,

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\_entreelist.dll
    • c:\windows\system32\_enviewlist.dll
  • Click on the Upload button
  • Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 kandax (Topic Starter)

Posted 13 June 2009 - 01:35 PM

OK here goes


File Name : _entreelist.dll
File Size : 617472 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : e76f8807070ed04e7408a86d6d3a6137
SHA1 : ea2e9bac1789b53d7efcd675a63f4a2b44898439

Scanner results : All Scanners reported not find malware!
Time : 2009/06/13 14:19:57 (EDT)
Scanner     | Engine Ver      | Sig Ver           | Sig Date   | Scan result | Time (s)
------------|-----------------|-------------------|------------|-------------|---------
a-squared   | 4.5.0.1         | 20090612230239    | 2009-06-12 | -           | 40.125
AhnLab V3   | 2009.06.13.00   | 2009.06.13        | 2009-06-13 | -           | 0.742
AntiVir     | 8.2.0.187       | 7.1.4.88          | 2009-06-12 | -           | 0.223
Antiy       | 2.0.18          | 20090613.2535569  | 2009-06-13 | -           | 0.120
Arcavir     | 2009            | 200906130723      | 2009-06-13 | -           | 0.074
Authentium  | 5.1.1           | 200906121847      | 2009-06-12 | -           | 1.917
AVAST!      | 4.7.4           | 090613-0          | 2009-06-13 | -           | 0.039
AVG         | 8.5.286         | 270.12.67/2173    | 2009-06-13 | -           | 3.444
BitDefender | 7.81008.3348478 | 7.25958           | 2009-06-14 | -           | 3.017
CA (VET)    | 9.0.0.143       | 31.6.6555         | 2009-06-13 | -           | 4.905
ClamAV      | 0.95.1          | 9463              | 2009-06-13 | -           | 0.113
Comodo      | 3.9             | 1325              | 2009-06-13 | -           | 0.743
CP Secure   | 1.1.0.715       | 2009.06.13        | 2009-06-13 | -           | 10.108
Dr.Web      | 4.44.0.9170     | 2009.06.13        | 2009-06-13 | -           | 4.657
F-Prot      | 4.4.4.56        | 20090612          | 2009-06-12 | -           | 1.762
F-Secure    | 5.51.6100       | 2009.06.13.02     | 2009-06-13 | -           | 0.072
Fortinet    | 2.81-3.117      | 10.494            | 2009-06-13 | -           | 0.216
GData       | 19.5805/19.362  | 20090613          | 2009-06-13 | -           | 4.349
Ikarus      | T3.1.01.59      | 2009.06.13.72861  | 2009-06-13 | -           | 3.293
JiangMin    | 11.0.706        | 2009.06.13        | 2009-06-13 | -           | 2.327
Kaspersky   | 5.5.10          | 2009.06.13        | 2009-06-13 | -           | 0.057
KingSoft    | 2009.2.5.15     | 2009.6.13.21      | 2009-06-13 | -           | 0.565
McAfee      | 5.3.00          | 5645              | 2009-06-13 | -           | 3.057
Microsoft   | 1.4701          | 2009.06.13        | 2009-06-13 | -           | 4.390
mks_vir     | 2.01            | 2009.06.13        | 2009-06-13 | -           | 3.202
Norman      | 6.01.09         | 6.01.00           | 2009-06-12 | -           | 4.007
nProtect    | 20090612.01     | 4239206           | 2009-06-12 | -           | 5.770
Panda       | 9.05.01         | 2009.06.12        | 2009-06-12 | -           | 1.820
Quick Heal  | 10.00           | 2009.06.13        | 2009-06-13 | -           | 1.388
Rising      | 20.0            | 21.33.52.00       | 2009-06-13 | -           | 0.788
Sophos      | 2.87.1          | 4.42              | 2009-06-14 | -           | 2.729
Sunbelt     | 5186            | 5186              | 2009-06-12 | -           | 0.948
Symantec    | 1.3.0.24        | 20090613.003      | 2009-06-13 | -           | 0.063
The Hacker  | 6.3.4.3         | v00345            | 2009-06-12 | -           | 0.690
Trend Micro | 8.700-1004      | 6.192.23          | 2009-06-13 | -           | 0.028
VBA32       | 3.12.10.7       | 20090612.1512     | 2009-06-12 | -           | 2.081
ViRobot     | 20090613        | 2009.06.13        | 2009-06-13 | -           | 0.442
VirusBuster | 4.5.11.10       | 10.107.12/1629091 | 2009-06-13 | -           | 2.156



File Name : _enviewlist.dll
File Size : 714752 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 911ddf2e16761643a47225f654d811e5
SHA1 : e753d19a2e3b98b2b3b8f02f276092096d10f22d

Scanner results : All Scanners reported not find malware!
Time : 2009/06/13 14:31:30 (EDT)
Scanner     | Engine Ver      | Sig Ver           | Sig Date   | Scan result | Time (s)
------------|-----------------|-------------------|------------|-------------|---------
a-squared   | 4.5.0.1         | 20090612230239    | 2009-06-12 | -           | 40.126
AhnLab V3   | 2009.06.13.00   | 2009.06.13        | 2009-06-13 | -           | 0.712
AntiVir     | 8.2.0.187       | 7.1.4.88          | 2009-06-12 | -           | 0.214
Antiy       | 2.0.18          | 20090613.2535569  | 2009-06-13 | -           | 0.119
Arcavir     | 2009            | 200906130723      | 2009-06-13 | -           | 0.092
Authentium  | 5.1.1           | 200906121847      | 2009-06-12 | -           | 1.930
AVAST!      | 4.7.4           | 090613-0          | 2009-06-13 | -           | 0.042
AVG         | 8.5.286         | 270.12.67/2173    | 2009-06-13 | -           | 3.508
BitDefender | 7.81008.3348478 | 7.25958           | 2009-06-14 | -           | 2.968
CA (VET)    | 9.0.0.143       | 31.6.6555         | 2009-06-13 | -           | 8.399
ClamAV      | 0.95.1          | 9463              | 2009-06-13 | -           | 0.118
Comodo      | 3.9             | 1325              | 2009-06-13 | -           | 0.725
CP Secure   | 1.1.0.715       | 2009.06.13        | 2009-06-13 | -           | 10.095
Dr.Web      | 4.44.0.9170     | 2009.06.13        | 2009-06-13 | -           | 4.653
F-Prot      | 4.4.4.56        | 20090612          | 2009-06-12 | -           | 1.823
F-Secure    | 5.51.6100       | 2009.06.13.02     | 2009-06-13 | -           | 0.073
Fortinet    | 2.81-3.117      | 10.494            | 2009-06-13 | -           | 0.217
GData       | 19.5805/19.362  | 20090613          | 2009-06-13 | -           | 4.255
Ikarus      | T3.1.01.59      | 2009.06.13.72861  | 2009-06-13 | -           | 3.291
JiangMin    | 11.0.706        | 2009.06.13        | 2009-06-13 | -           | 2.031
Kaspersky   | 5.5.10          | 2009.06.13        | 2009-06-13 | -           | 0.052
KingSoft    | 2009.2.5.15     | 2009.6.13.21      | 2009-06-13 | -           | 0.494
McAfee      | 5.3.00          | 5645              | 2009-06-13 | -           | 3.060
Microsoft   | 1.4701          | 2009.06.13        | 2009-06-13 | -           | 4.345
mks_vir     | 2.01            | 2009.06.13        | 2009-06-13 | -           | 3.244
Norman      | 6.01.09         | 6.01.00           | 2009-06-12 | -           | 4.006
nProtect    | 20090612.01     | 4239206           | 2009-06-12 | -           | 5.898
Panda       | 9.05.01         | 2009.06.12        | 2009-06-12 | -           | 1.963
Quick Heal  | 10.00           | 2009.06.13        | 2009-06-13 | -           | 1.383
Rising      | 20.0            | 21.33.52.00       | 2009-06-13 | -           | 0.771
Sophos      | 2.87.1          | 4.42              | 2009-06-14 | -           | 2.580
Sunbelt     | 5186            | 5186              | 2009-06-12 | -           | 0.837
Symantec    | 1.3.0.24        | 20090613.003      | 2009-06-13 | -           | 0.069
The Hacker  | 6.3.4.3         | v00345            | 2009-06-12 | -           | 0.625
Trend Micro | 8.700-1004      | 6.192.23          | 2009-06-13 | -           | 0.027
VBA32       | 3.12.10.7       | 20090612.1512     | 2009-06-12 | -           | 2.839
ViRobot     | 20090613        | 2009.06.13        | 2009-06-13 | -           | 0.416
VirusBuster | 4.5.11.10       | 10.107.12/1629091 | 2009-06-13 | -           | 2.122

#10 SifuMike (malware expert)

Posted 13 June 2009 - 02:25 PM

Hi kandax,

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#11 kandax (Topic Starter)

Posted 13 June 2009 - 02:51 PM

ComboFix 09-06-13.02 - Default 06/13/2009 15:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2571 [GMT -4:00]
Running from: c:\documents and settings\Default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Default\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 16:30 . 2009-06-13 16:30 -------- d-----w- c:\program files\Trend Micro
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\documents and settings\Default\Application Data\Malwarebytes
2009-06-13 03:11 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 03:11 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 03:35 . 2009-02-09 12:10 617472 ----a-w- c:\windows\system32\_entreelist.dll
2009-06-11 03:35 . 2009-02-09 12:10 714752 ----a-w- c:\windows\system32\_enviewlist.dll
2009-06-11 03:20 . 2009-06-11 03:20 -------- d-----w- C:\ProgramData
2009-06-10 16:40 . 2009-06-10 16:40 -------- d-----w- C:\CrashReport
2009-06-07 01:39 . 2004-02-25 22:10 90112 ----a-r- c:\windows\system32\SCCD3X02.DLL
2009-06-07 01:39 . 2004-02-25 22:10 131072 ----a-r- c:\windows\system32\SCCD3X01.DLL
2009-06-05 16:54 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-05 16:53 . 2008-06-12 03:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-06-05 16:53 . 2008-04-23 18:02 157152 ----a-w- c:\windows\system32\PubPlugin.dll
2009-06-05 16:53 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-06-05 16:53 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-06-04 03:40 . 2009-03-09 15:34 971776 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-03 15:29 . 2009-06-03 15:29 -------- d-----w- c:\windows\Sun
2009-06-03 15:26 . 2009-06-03 15:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 15:04 . 2009-06-02 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-02 14:53 . 2009-06-02 14:53 10134 ----a-r- c:\documents and settings\Default\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-02 14:53 . 2009-06-02 14:53 -------- d-----w- c:\program files\Microsoft WSE
2009-06-01 17:26 . 2009-06-13 16:09 -------- d-----w- c:\program files\Lavasoft
2009-05-26 21:34 . 2009-05-26 21:34 -------- d-----w- c:\documents and settings\Default\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 03:58 . 2008-01-30 06:55 -------- d-----w- c:\documents and settings\Default\Application Data\uTorrent
2009-06-12 03:11 . 2008-01-30 19:52 -------- d-----w- c:\documents and settings\Default\Application Data\Move Networks
2009-06-11 06:22 . 2008-06-10 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-10 17:16 . 2009-02-02 22:38 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 16:48 . 2008-12-16 03:42 -------- d-----w- c:\program files\Runes of Magic
2009-06-09 14:09 . 2008-01-28 03:25 -------- d-----w- c:\program files\Steam
2009-06-05 17:19 . 2008-02-07 01:27 -------- d--h--w- c:\documents and settings\Default\Application Data\ijjigame
2009-06-05 16:58 . 2008-11-21 21:29 1123994715 ----a-w- c:\documents and settings\Default\Application Data\ijjigame\U_LUNIA_setup.exe
2009-06-05 16:54 . 2008-10-13 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-05 16:53 . 2008-01-27 06:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-02 17:44 . 2008-09-04 16:01 -------- d-----w- c:\program files\Electronic Arts
2009-06-01 17:30 . 2008-03-28 23:23 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-01 17:26 . 2008-01-28 02:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-25 04:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 07:02 . 2008-01-28 02:02 -------- d-----w- c:\program files\VentSrv
2009-05-18 15:44 . 2008-09-05 01:32 594664 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PLauncher.exe
2009-05-12 19:12 . 2008-01-26 22:19 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-10 13:26 . 2008-06-11 04:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-10 13:26 . 2008-06-11 04:05 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 13:26 . 2008-06-11 04:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-10 13:26 . 2008-06-11 04:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 19:31 . 2009-05-04 19:48 1099128 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 19:31 . 2009-05-04 19:48 729088 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 04:27 . 2009-03-30 04:26 965344 ----a-w- c:\documents and settings\Default\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-26 16:48 . 2009-03-26 16:48 34062 ----a-w- c:\documents and settings\Default\Application Data\Move Networks\ie_bin\Uninst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-10 1947928]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 13:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Default^Start Menu^Programs^Startup^TitanTV Remote Scheduler.lnk]
path=c:\documents and settings\Default\Start Menu\Programs\Startup\TitanTV Remote Scheduler.lnk
backup=c:\windows\pss\TitanTV Remote Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"CiSvc"=3 (0x3)
"helpsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 12:05 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 12:05 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 2:17 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 2:17 PM 298776]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [1/26/2008 5:55 PM 13532]
.
.
------- Supplementary Scan -------
.
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-688789844-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:02,8d,c7,b0,47,83,a3,58,0f,cb,e4,a3,54,3f,60,c6,17,fd,29,f2,11,
1e,05,c0,c9,d5,a0,67,6c,90,4b,48,11,e8,7e,20,75,c2,6a,ef,8d,41,4a,be,94,f9,\
"rkeysecu"=hex:f3,b2,ae,c0,66,12,a9,c5,bd,22,79,8d,f7,f4,bf,ca
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 15:48
ComboFix-quarantined-files.txt 2009-06-13 19:47
ComboFix2.txt 2009-06-13 17:47

Pre-Run: 53,962,444,800 bytes free
Post-Run: 53,959,032,832 bytes free


#12 SifuMike (malware expert)

Posted 13 June 2009 - 03:08 PM

Hi kandax,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
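
The two CFScript blocks in posts #10 and #12 each hand ComboFix a Registry:: section that sets Security Center and Windows Firewall values back to their defaults: first AntiVirusDisableNotify, UpdatesDisableNotify and EnableFirewall, then FirewallOverride, which only showed up in the second log. As an added example for this thread (not ComboFix's own code and not anything the helper posted), the Python script below parses the "Reg Loading Points" section of a ComboFix log, flags those values when they differ from a healthy XP SP3 baseline, and renders the corrective Registry:: block. The EXPECTED table of baseline values and the two embedded log excerpts (copied from the logs above) are the example's own assumptions.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for Security
Center and Windows Firewall values that malware commonly flips, and emit
the CFScript 'Registry::' block that sets them back.

Added example for this thread: not ComboFix's code. EXPECTED and the two
log excerpts below are the example's own assumptions (excerpts copied
from the logs posted in the thread)."""
import re
from collections import OrderedDict

# Healthy XP SP3 values (assumed baseline). ComboFix prints HKLM either as
# HKEY_LOCAL_MACHINE or as the abbreviation "HKLM\~" (HKLM\SYSTEM\
# CurrentControlSet), so keys are compared after stripping the hive prefix
# and lowercasing.
EXPECTED = {
    ("software\\microsoft\\security center", "antivirusdisablenotify"): 0,
    ("software\\microsoft\\security center", "firewalldisablenotify"): 0,
    ("software\\microsoft\\security center", "updatesdisablenotify"): 0,
    ("software\\microsoft\\security center", "antivirusoverride"): 0,
    ("software\\microsoft\\security center", "firewalloverride"): 0,
    ("~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile",
     "enablefirewall"): 1,
}

# Constructed excerpt of the first ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed excerpt of the log posted after the first CFScript run.
SAMPLE_LOG_AFTER = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# Two value syntaxes appear in these logs: REGEDIT4 "dword:XXXXXXXX" and
# ComboFix's own "N (0xN)" rendering.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r'(?:dword:(?P<hexval>[0-9a-fA-F]{8})|(?P<decval>\d+)\s*\(0x[0-9a-fA-F]+\))'
)


def _norm_key(key):
    k = key.lower()
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if k.startswith(prefix):
            return k[len(prefix):]
    return k


def audit(log_text):
    """Return (key, value name, actual, expected) for every watched value
    whose logged data differs from EXPECTED, in log order."""
    findings = []
    current_key = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        if m.group("hexval") is not None:
            actual = int(m.group("hexval"), 16)
        else:
            actual = int(m.group("decval"))
        expected = EXPECTED.get((_norm_key(current_key), m.group("name").lower()))
        if expected is not None and actual != expected:
            findings.append((current_key, m.group("name"), actual, expected))
    return findings


def cfscript(findings):
    """Render findings as a CFScript Registry:: block (REGEDIT4 dword syntax),
    keeping each key header exactly as ComboFix printed it."""
    by_key = OrderedDict()
    for key, name, _actual, expected in findings:
        by_key.setdefault(key, []).append((name, expected))
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append("[%s]" % key)
        for name, expected in values:
            lines.append('"%s"=dword:%08x' % (name, expected))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_AFTER):
        for key, name, actual, expected in audit(sample):
            print("%s\\%s = %d (expected %d)" % (key, name, actual, expected))
        print(cfscript(audit(sample)))
```

Run against the first excerpt, cfscript() reproduces the Registry:: block from post #10 line for line; run against the second, it produces the one-line FirewallOverride fix from post #12. The audit is deliberately limited to the Security Center and standardprofile firewall keys, because those are the values a worm flips to keep the XP balloon warnings quiet; other Reg Loading Points lines (Run entries, Winlogon notify DLLs) are left for a human to read.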

#13 kandax (Topic Starter)

Posted 13 June 2009 - 03:18 PM

ComboFix 09-06-13.02 - Default 06/13/2009 16:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2493 [GMT -4:00]
Running from: c:\documents and settings\Default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Default\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 16:30 . 2009-06-13 16:30 -------- d-----w- c:\program files\Trend Micro
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\documents and settings\Default\Application Data\Malwarebytes
2009-06-13 03:11 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 03:11 . 2009-06-13 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 03:11 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 03:35 . 2009-02-09 12:10 617472 ----a-w- c:\windows\system32\_entreelist.dll
2009-06-11 03:35 . 2009-02-09 12:10 714752 ----a-w- c:\windows\system32\_enviewlist.dll
2009-06-11 03:20 . 2009-06-11 03:20 -------- d-----w- C:\ProgramData
2009-06-10 16:40 . 2009-06-10 16:40 -------- d-----w- C:\CrashReport
2009-06-07 01:39 . 2004-02-25 22:10 90112 ----a-r- c:\windows\system32\SCCD3X02.DLL
2009-06-07 01:39 . 2004-02-25 22:10 131072 ----a-r- c:\windows\system32\SCCD3X01.DLL
2009-06-05 16:54 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-05 16:53 . 2008-06-12 03:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-06-05 16:53 . 2008-04-23 18:02 157152 ----a-w- c:\windows\system32\PubPlugin.dll
2009-06-05 16:53 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-06-05 16:53 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-06-04 03:40 . 2009-03-09 15:34 971776 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-03 15:29 . 2009-06-03 15:29 -------- d-----w- c:\windows\Sun
2009-06-03 15:26 . 2009-06-03 15:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 15:04 . 2009-06-02 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-02 14:53 . 2009-06-02 14:53 10134 ----a-r- c:\documents and settings\Default\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-02 14:53 . 2009-06-02 14:53 -------- d-----w- c:\program files\Microsoft WSE
2009-06-01 17:26 . 2009-06-13 16:09 -------- d-----w- c:\program files\Lavasoft
2009-05-26 21:34 . 2009-05-26 21:34 -------- d-----w- c:\documents and settings\Default\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 03:58 . 2008-01-30 06:55 -------- d-----w- c:\documents and settings\Default\Application Data\uTorrent
2009-06-12 03:11 . 2008-01-30 19:52 -------- d-----w- c:\documents and settings\Default\Application Data\Move Networks
2009-06-11 06:22 . 2008-06-10 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-10 17:16 . 2009-02-02 22:38 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 16:48 . 2008-12-16 03:42 -------- d-----w- c:\program files\Runes of Magic
2009-06-09 14:09 . 2008-01-28 03:25 -------- d-----w- c:\program files\Steam
2009-06-05 17:19 . 2008-02-07 01:27 -------- d--h--w- c:\documents and settings\Default\Application Data\ijjigame
2009-06-05 16:58 . 2008-11-21 21:29 1123994715 ----a-w- c:\documents and settings\Default\Application Data\ijjigame\U_LUNIA_setup.exe
2009-06-05 16:54 . 2008-10-13 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-05 16:53 . 2008-01-27 06:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-02 17:44 . 2008-09-04 16:01 -------- d-----w- c:\program files\Electronic Arts
2009-06-01 17:30 . 2008-03-28 23:23 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-01 17:26 . 2008-01-28 02:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-25 04:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 07:02 . 2008-01-28 02:02 -------- d-----w- c:\program files\VentSrv
2009-05-18 15:44 . 2008-09-05 01:32 594664 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PLauncher.exe
2009-05-12 19:12 . 2008-01-26 22:19 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-10 13:26 . 2008-06-11 04:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-10 13:26 . 2008-06-11 04:05 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 13:26 . 2008-06-11 04:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-10 13:26 . 2008-06-11 04:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 19:31 . 2009-05-04 19:48 1099128 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 19:31 . 2009-05-04 19:48 729088 ----a-w- c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\7n67xuxn.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 04:27 . 2009-03-30 04:26 965344 ----a-w- c:\documents and settings\Default\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000006.exe
2009-03-26 16:48 . 2009-03-26 16:48 34062 ----a-w- c:\documents and settings\Default\Application Data\Move Networks\ie_bin\Uninst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-10 1947928]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 13:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Default^Start Menu^Programs^Startup^TitanTV Remote Scheduler.lnk]
path=c:\documents and settings\Default\Start Menu\Programs\Startup\TitanTV Remote Scheduler.lnk
backup=c:\windows\pss\TitanTV Remote Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"CiSvc"=3 (0x3)
"helpsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 12:05 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 12:05 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 2:17 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 2:17 PM 298776]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [1/26/2008 5:55 PM 13532]
.
.
------- Supplementary Scan -------
.
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://cnn-5.vo.llnwd.net/c1/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 16:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-688789844-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:02,8d,c7,b0,47,83,a3,58,0f,cb,e4,a3,54,3f,60,c6,17,fd,29,f2,11,
1e,05,c0,c9,d5,a0,67,6c,90,4b,48,11,e8,7e,20,75,c2,6a,ef,8d,41,4a,be,94,f9,\
"rkeysecu"=hex:f3,b2,ae,c0,66,12,a9,c5,bd,22,79,8d,f7,f4,bf,ca
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 16:17
ComboFix-quarantined-files.txt 2009-06-13 20:17
ComboFix2.txt 2009-06-13 19:48
ComboFix3.txt 2009-06-13 17:47

Pre-Run: 53,967,695,872 bytes free
Post-Run: 53,954,277,376 bytes free


#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:30 PM

Posted 13 June 2009 - 05:20 PM

Hi kandax,

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers.

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 kandax

kandax
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:30 PM

Posted 14 June 2009 - 08:07 AM

It turned up absolutely nothing in its scan. What should my next course of action be?



