
WIN32/BHO.NPE trojan


This topic is locked. 53 replies to this topic.

#1 dona1
  • Members
  • 30 posts

Posted 21 June 2009 - 08:43 AM

Hi guys, recently I got infected with a virus, which my anti-virus informs me is a variant of the "WIN32/BHO.NPE" trojan. I am being bombarded with attacks from <hxxp://aforirish.com/index.php> which are being quarantined by my antivirus. I am usually pretty good at solving these infections but this has got me stumped. Ran Malwarebytes but no joy with that. It is only interfering with Windows: if I try to use Internet Explorer or run a search for malicious files it keeps stalling and crashing. Firefox works perfectly. I think it may have exploited outdated Java software I had, but I have since updated. I am grateful for any assistance you guys may provide.

DDS (Ver_09-05-14.01) - NTFSx86
Run by max at 14:25:11.56 on 21/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.415 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\intel\intel application accelerator\iaanotif.exe
c:\program files\creative\sbaudigy2zs\surround mixer\ctsysvol.exe
c:\program files\creative\sbaudigy2zs\dvdaudio\ctdvddet.exe
c:\windows\system32\cthelper.exe
c:\program files\cyberlink\powerdvd\dvdlauncher.exe
c:\windows\system32\dla\tfswctrl.exe
c:\program files\dell\media experience\dmxlauncher.exe
c:\progra~1\maxtor\onetouch\utils\onetouch.exe
c:\windows\mxoaldr.exe
c:\program files\microsoft office\office12\groovemonitor.exe
c:\progra~1\retros~1\retros~1.1\retroexpress.exe
c:\program files\itunes\ituneshelper.exe
c:\program files\common files\real\update_ob\realsched.exe
c:\program files\eset\eset smart security\egui.exe
c:\program files\java\jre6\bin\jusched.exe
c:\program files\msn messenger\msnmsgr.exe
c:\program files\free internet window washer\clearpch.exe
c:\program files\privacy mantra 1.33\privacymantra.exe
c:\windows\system32\ctfmon.exe
c:\progra~1\retros~1\retros~1.1\retrospect.exe
c:\program files\windows media player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
c:\program files\mozilla firefox\firefox.exe
C:\WINDOWS\explorer.exe
c:\documents and settings\max\desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [Free Internet Window Washer] c:\program files\free internet window washer\Clearpch.exe -Start
uRun: [com.codeode.privacymantra] "c:\program files\privacy mantra 1.33\privacymantra.exe" -minimized
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [Retrospect_Setup] c:\windows\system32\setup.exe 2K -dr
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134572180906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\max\applic~1\mozilla\firefox\profiles\t07i4qt7.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 BVQJPYYA;BVQJPYYA;\??\c:\windows\system32\bvqjpyya.qih --> c:\windows\system32\bvqjpyya.qih [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-06-20 21:41 <DIR> --d----- C:\VundoFix Backups
2009-06-19 13:34 10 a------- c:\windows\system32\urhtps.dat
2009-06-19 13:30 112 a------- c:\windows\system32\srvblck2.tmp
2009-06-19 13:30 <DIR> --d----- c:\windows\system32\xmldm
2009-06-19 13:30 <DIR> --d----- c:\windows\system32\cock
2009-06-19 13:27 <DIR> --d----- c:\windows\system32\UAs
2009-06-11 15:57 19,197,323 a------- C:\video_join.wmv
2009-06-10 07:36 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 07:36 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-07 14:05 <DIR> --d----- c:\docume~1\max\applic~1\ESET
2009-06-07 14:04 <DIR> --d----- c:\program files\ESET
2009-06-01 15:43 <DIR> --dsh--- c:\documents and settings\max\IECompatCache
2009-05-29 16:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-29 16:42 <DIR> --dsh--- c:\documents and settings\max\PrivacIE
2009-05-28 11:22 29,384 a------- c:\windows\system32\shifld2.old
2009-05-25 18:58 <DIR> --dsh--- c:\documents and settings\max\IETldCache
2009-05-25 15:41 <DIR> --d----- c:\windows\ie8updates
2009-05-25 15:41 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-25 15:39 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-19 12:25 993,792 a------- c:\windows\system32\dllcache\kernel32.dll
2009-06-19 12:25 21,504 a------- c:\windows\system32\powrprof.dll
2009-06-19 12:25 21,504 a------- c:\windows\system32\dllcache\powrprof.dll
2009-06-19 12:25 20,247 a------- c:\windows\system32\wincode.dat
2009-06-19 12:25 6,394 a------- c:\windows\system32\krncode.dat
2009-06-19 12:25 1,575 a------- c:\windows\system32\pwrcode.dat
2009-06-19 12:25 919,552 a------- c:\windows\system32\wininet.dll
2009-06-19 12:25 919,552 a------- c:\windows\system32\dllcache\wininet.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 15:49 55,768 a------- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 15:49 33,096 a------- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 15:49 133,000 a------- c:\windows\system32\drivers\epfw.sys
2009-05-14 15:47 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 15:41 114,472 a------- c:\windows\system32\drivers\eamon.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\sysw.tmp
2009-05-13 06:15 915,456 a------- c:\windows\system32\osysw.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-12-29 04:09 3,072 a------- c:\program files\Microsofts.exe
2008-03-15 13:14 87,608 a------- c:\docume~1\max\applic~1\inst.exe
2008-03-15 13:14 47,360 a------- c:\docume~1\max\applic~1\pcouffin.sys
2007-10-04 13:25 2,293,712 a------- c:\program files\FLV PlayerFCSetup.exe
2008-05-16 15:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 14:25:51.50 ===============
Attached File: Attach1.txt (11.54KB)

Edited by Orange Blossom, 11 February 2013 - 05:12 AM.
Deactivate link. ~ OB
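As an added triage aid (not part of the original thread, and not code from DDS, ESET or BleepingComputer), the Python script below scans lines in the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of the DDS log above for the three things a helper would look at first in this log: a proxy server written into Internet Explorer's settings (Firefox keeps its own proxy settings, which fits IE failing while Firefox works), BHO/toolbar registrations that point at no file, and a service whose image is not a normal driver or executable. The sample lines are copied from the log in this post; the severity labels are the example's own choice.

```python
"""Triage checks over the DDS log format posted in this thread.

Added example; it is not DDS or BleepingComputer tooling. Each check is a
simple heuristic over one line of the log, so it can be run against any
pasted DDS text to pull out the lines worth reading first.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log in post #1.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S2 BVQJPYYA;BVQJPYYA;\??\c:\windows\system32\bvqjpyya.qih --> c:\windows\system32\bvqjpyya.qih [?]
"""


@dataclass
class Finding:
    severity: str   # "high" or "low"
    line: str
    reason: str


# Hive prefix (u = current user, m = machine) followed by the Internet Settings key.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S+)", re.I)
# BHO or toolbar registration whose target DDS reports as "No File".
NOFILE_RE = re.compile(r"^(BHO|TB):.*-\s*No File\s*$", re.I)
# Service/driver line: state letter (R/S), start-type digit, then name;display;image.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
NORMAL_IMAGE_EXT = {"sys", "exe", "dll"}


def service_image_path(rest: str) -> str:
    """Return the on-disk image path from the tail of a service line.

    DDS writes 'registered path --> resolved path [date size]'; when the
    arrow is present the resolved path is the one that exists on disk.
    """
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]
    return rest.split("[", 1)[0].strip()


def triage(text: str) -> list[Finding]:
    """Run the three line-level checks over a block of DDS log text."""
    findings: list[Finding] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            findings.append(Finding("high", line,
                f"IE proxy set to {m.group(1)}; IE traffic is routed through it"))
            continue
        if NOFILE_RE.match(line):
            findings.append(Finding("low", line,
                "BHO/toolbar CLSID registered but its file is gone (leftover to clean)"))
            continue
        if m := SERVICE_RE.match(line):
            name, _display, rest = m.groups()
            path = service_image_path(rest)
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if ext not in NORMAL_IMAGE_EXT:
                note = "; DDS shows [?] so it could not read date/size" if rest.rstrip().endswith("[?]") else ""
                findings.append(Finding("high", line,
                    f"service {name} loads {path!r} (.{ext} is not a normal driver/exe image){note}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a long log can be skimmed at a glance."""
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
    print(summarize(triage(SAMPLE_DDS)))
```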



#2 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,202 posts
  • Gender:Female
  • Location:Romania

Posted 26 June 2009 - 06:34 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#3 dona1
  • Topic Starter
  • Members
  • 30 posts

Posted 28 June 2009 - 08:09 AM

Updated as per instructions.. cheers..

Attached File: DDS.txt (13.05KB)


#4 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,202 posts
  • Gender:Female
  • Location:Romania

Posted 28 June 2009 - 08:19 AM

Hello, and :thumbup2: to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your Malware issues; this may or may not solve other issues you may have with your machine.

Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime Please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please reply to this post so I know you are still there.

regards, Elise




#5 dona1
  • Topic Starter
  • Members
  • 30 posts

Posted 28 June 2009 - 08:27 AM

Hello Elise, thanks in advance for any help you can offer!!! No need to apologise for the delay!!! :thumbup2:

#6 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,202 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2009 - 06:02 AM

Hello dona1,

Sorry for the delay, we all have been quite busy. Please follow the steps below. If you have any problems or questions, please let me know.

WARNING
-------------
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


P2P WARNING
-------------------
Going over your logs I noticed that you have Vuze installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall Vuze, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. This will be saved as C:\ComboFix.txt.

In your next reply, please include the following:
  • Combofix.txt
  • New DDS log

regards, Elise




#7 dona1
  • Topic Starter
  • Members
  • 30 posts

Posted 03 July 2009 - 09:53 PM

Hello again!!! The following are the respective logs you requested..


ComboFix 09-07-03.03 - max 04/07/2009 3:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.570 [GMT 1:00]
Running from: c:\documents and settings\max\desktop\combofix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\max\Application Data\inst.exe
C:\sdfdgddd.exe
c:\windows\Installer\1cac0bc.msp
c:\windows\Installer\2fe30c.msp
c:\windows\Installer\2fe322.msp
c:\windows\Installer\2fe338.msp
c:\windows\Installer\3039afb.msp
c:\windows\Installer\3039afc.msp
c:\windows\Installer\3039afd.msp
c:\windows\Installer\3039afe.msp
c:\windows\Installer\3039aff.msp
c:\windows\Installer\3039b00.msp
c:\windows\Installer\3039b01.msp
c:\windows\Installer\3039b02.msp
c:\windows\Installer\3039b03.msp
c:\windows\Installer\31157.msp
c:\windows\Installer\31158.msp
c:\windows\Installer\31159.msp
c:\windows\Installer\3115a.msp
c:\windows\Installer\3115b.msp
c:\windows\Installer\3115c.msp
c:\windows\Installer\3115d.msp
c:\windows\Installer\3115e.msp
c:\windows\Installer\3115f.msp
c:\windows\Installer\37726.msp
c:\windows\Installer\37727.msp
c:\windows\Installer\37728.msp
c:\windows\Installer\37729.msp
c:\windows\Installer\3772a.msp
c:\windows\Installer\3772b.msp
c:\windows\Installer\3772c.msp
c:\windows\Installer\3772d.msp
c:\windows\Installer\3772e.msp
c:\windows\Installer\428a9e4.msi
c:\windows\Installer\5f486af.msp
c:\windows\Installer\617298.msi
c:\windows\Installer\631ea3.msp
c:\windows\Installer\631ea4.msp
c:\windows\Installer\631ea5.msp
c:\windows\Installer\631ea6.msp
c:\windows\Installer\631ea7.msp
c:\windows\Installer\631ea8.msp
c:\windows\Installer\631ea9.msp
c:\windows\Installer\631eaa.msp
c:\windows\Installer\631eab.msp
c:\windows\Installer\669fda.msp
c:\windows\Installer\669fdb.msp
c:\windows\Installer\669fdc.msp
c:\windows\Installer\669fdd.msp
c:\windows\Installer\669fde.msp
c:\windows\Installer\669fdf.msp
c:\windows\Installer\669fe0.msp
c:\windows\Installer\669fe1.msp
c:\windows\Installer\669fe2.msp
c:\windows\Installer\ec9f80.msp
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\AcroIEHelpe.dll
c:\windows\system32\AcroIEHelpe004.dll
c:\windows\system32\UAs
c:\windows\system32\UAs\AcroRd32_UAs001.dat
c:\windows\system32\UAs\explorer_UAs001.dat
c:\windows\system32\UAs\explorer_UAs002.dat
c:\windows\system32\UAs\explorer_UAs003.dat
c:\windows\system32\UAs\Explorer_UAs004.dat
c:\windows\system32\UAs\explorer_UAs005.dat
c:\windows\system32\UAs\firefox_UAs001.dat
c:\windows\system32\UAs\firefox_UAs002.dat
c:\windows\system32\UAs\firefox_UAs003.dat
c:\windows\system32\UAs\helpctr_UAs001.dat
c:\windows\system32\UAs\helpctr_UAs002.dat
c:\windows\system32\UAs\helpctr_UAs003.dat
c:\windows\system32\UAs\HelpHost_UAs001.dat
c:\windows\system32\UAs\HelpHost_UAs002.dat
c:\windows\system32\UAs\iexplore_UAs001.dat
c:\windows\system32\UAs\jre-6u14-windows-i586-iftw-rv_UAs001.dat
c:\windows\system32\UAs\jre-6u14-windows-i586-iftw-rv_UAs002.dat
c:\windows\system32\UAs\jucheck_UAs001.dat
c:\windows\system32\UAs\mbam_UAs001.dat
c:\windows\system32\UAs\mbam_UAs002.dat
c:\windows\system32\UAs\mbam_UAs003.dat
c:\windows\system32\UAs\msiexec_UAs001.dat
c:\windows\system32\UAs\RealPlay_UAs001.dat
c:\windows\system32\UAs\softwareupdate_UAs001.dat
c:\windows\system32\UAs\svchost_UAs001.dat
c:\windows\system32\UAs\wgatray_UAs001.dat
c:\windows\system32\UAs\wmplayer_UAs001.dat
c:\windows\system32\UAs\wmplayer_UAs002.dat
c:\windows\TEMP\shifld2.old

Infected copy of c:\windows\system32\powrprof.dll was found and disinfected
Restored copy from - c:\i386\POWRPROF.DLL

c:\windows\system32\wininet.dll . . . is infected!!

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 02:21 . 2009-07-04 02:21 -------- d-----w- c:\windows\system32\UAs
2009-07-04 02:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-04 02:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 02:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-04 02:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-20 20:41 . 2009-06-20 20:41 -------- d-----w- C:\VundoFix Backups
2009-06-19 15:51 . 2009-06-19 15:51 152576 ----a-w- c:\documents and settings\max\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-19 12:34 . 2009-06-19 12:34 10 ----a-w- c:\windows\system32\urhtps.dat
2009-06-19 12:30 . 2009-07-04 02:21 -------- d-----w- c:\windows\system32\xmldm
2009-06-19 12:30 . 2009-06-21 12:19 -------- d-----w- c:\windows\system32\cock
2009-06-10 14:00 . 2009-06-10 14:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-10 06:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-07 13:05 . 2009-06-07 13:05 -------- d-----w- c:\documents and settings\max\Application Data\ESET
2009-06-07 13:04 . 2009-06-07 13:04 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 02:21 . 2005-08-10 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2009-07-04 02:20 . 2005-02-16 09:33 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000004-20061102}.dat
2009-07-04 02:20 . 2005-02-16 09:33 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000004-20061102}.dat
2009-07-04 02:18 . 2009-04-29 11:11 6394 ----a-w- c:\windows\system32\krncode.dat
2009-07-04 02:18 . 2009-04-29 11:11 20247 ----a-w- c:\windows\system32\wincode.dat
2009-07-04 02:18 . 2009-04-29 11:11 1575 ----a-w- c:\windows\system32\pwrcode.dat
2009-06-25 13:17 . 2006-07-25 09:59 -------- d-----w- c:\documents and settings\max\Application Data\Vso
2009-06-19 15:52 . 2008-08-09 15:31 -------- d-----w- c:\program files\Java
2009-06-19 14:28 . 2009-02-14 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 14:27 . 2009-04-29 13:16 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-19 12:30 . 2009-06-19 12:30 112 ----a-w- c:\windows\system32\srvblck2.tmp
2009-06-19 11:25 . 2004-08-04 05:00 993792 ----a-w- c:\windows\system32\sysk.tmp
2009-06-19 11:25 . 2004-08-04 05:00 21504 ----a-w- c:\windows\system32\sysp.tmp
2009-06-19 11:25 . 2004-08-04 05:00 919552 ----a-w- c:\windows\system32\wininet.dll
2009-06-19 11:25 . 2004-08-04 05:00 919552 ----a-w- c:\windows\system32\sysw.tmp
2009-06-17 10:27 . 2009-02-14 20:44 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-02-14 20:44 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 11:36 . 2007-02-16 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-07 13:04 . 2009-03-09 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-01 09:42 . 2009-06-01 09:42 390664 ----a-w- c:\documents and settings\max\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-29 15:46 . 2009-03-28 17:07 152576 ----a-w- c:\documents and settings\max\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-25 17:58 . 2005-04-13 18:51 83808 ----a-w- c:\documents and settings\max\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:06 . 2005-02-16 09:35 -------- d-----w- c:\program files\Microsoft Works
2009-05-21 10:33 . 2008-08-09 15:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 14:49 . 2009-05-14 14:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 14:49 . 2009-05-14 14:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 14:49 . 2009-05-14 14:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 14:47 . 2009-05-14 14:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 14:41 . 2009-05-14 14:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2009-04-29 11:11 915456 ----a-w- c:\windows\system32\osysw.dat
2009-05-12 19:48 . 2009-05-12 19:48 1915520 ----a-w- c:\documents and settings\max\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 05:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-12-29 03:09 . 2009-02-12 15:09 3072 ----a-w- c:\program files\Microsofts.exe
2007-10-04 12:25 . 2007-10-04 12:25 2293712 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"NBJ"="c:\program files\ahead\nero backitup\nbj.exe" [2006-09-15 2048000]
"Free Internet Window Washer"="c:\program files\Free Internet Window Washer\Clearpch.exe" [2006-06-28 1467392]
"com.codeode.privacymantra"="c:\program files\privacy mantra 1.33\privacymantra.exe" [2006-06-06 741376]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 18583552]
"Retrospect_Setup"="c:\windows\system32\setup.exe" [2008-04-14 23040]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [14/05/2009 15:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 BVQJPYYA;BVQJPYYA;\??\c:\windows\system32\bvqjpyya.qih --> c:\windows\system32\bvqjpyya.qih [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\max\Application Data\Mozilla\Firefox\Profiles\t07i4qt7.default\
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 03:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BVQJPYYA]
"ImagePath"="\??\c:\windows\system32\bvqjpyya.qih"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2813933073-1730568982-1241464942-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell]
@="open"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\open]
@="&Open"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="c:\\Program Files\\Windows Media Player\\wmplayer.exe /Open \"%L\""

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\play]
@="&Play"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\play\command]
@="c:\\Program Files\\Windows Media Player\\wmplayer.exe /Play \"%L\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\RETROS~1\RETROS~1.1\Retrospect.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\RETROS~1\RETROS~1.1\retrorun.exe
.
**************************************************************************
.
Completion time: 2009-07-04 3:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 02:24

Pre-Run: 82,735,886,336 bytes free
Post-Run: 82,681,028,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

319 --- E O F --- 2009-07-01 07:21




DDS (Ver_09-05-14.01) - NTFSx86
Run by max at 3:27:35.57 on 04/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.534 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\intel\intel application accelerator\iaanotif.exe
c:\program files\creative\sbaudigy2zs\surround mixer\ctsysvol.exe
c:\program files\cyberlink\powerdvd\dvdlauncher.exe
c:\windows\system32\dla\tfswctrl.exe
c:\program files\dell\media experience\dmxlauncher.exe
c:\windows\mxoaldr.exe
c:\program files\microsoft office\office12\groovemonitor.exe
c:\progra~1\retros~1\retros~1.1\retroexpress.exe
c:\program files\itunes\ituneshelper.exe
c:\program files\common files\real\update_ob\realsched.exe
c:\program files\eset\eset smart security\egui.exe
c:\program files\java\jre6\bin\jusched.exe
c:\program files\msn messenger\msnmsgr.exe
c:\program files\free internet window washer\clearpch.exe
c:\program files\privacy mantra 1.33\privacymantra.exe
c:\windows\system32\ctfmon.exe
c:\program files\windows media player\wmpnscfg.exe
c:\progra~1\retros~1\retros~1.1\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\documents and settings\max\desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [Free Internet Window Washer] c:\program files\free internet window washer\Clearpch.exe -Start
uRun: [com.codeode.privacymantra] "c:\program files\privacy mantra 1.33\privacymantra.exe" -minimized
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [Retrospect_Setup] c:\windows\system32\setup.exe 2K -dr
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134572180906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\max\applic~1\mozilla\firefox\profiles\t07i4qt7.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 BVQJPYYA;BVQJPYYA;\??\c:\windows\system32\bvqjpyya.qih --> c:\windows\system32\bvqjpyya.qih [?]

=============== Created Last 30 ================

2009-07-04 03:23 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-04 03:21 <DIR> --d----- c:\windows\system32\UAs
2009-07-04 03:19 50,176 a------- c:\windows\system32\proquota.exe
2009-07-04 03:19 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-07-04 03:19 39,424 a------- c:\windows\system32\grpconv.exe
2009-07-04 03:19 39,424 a------- c:\windows\system32\dllcache\grpconv.exe
2009-07-04 03:14 <DIR> a-dshr-- C:\cmdcons
2009-07-04 03:02 161,792 a------- c:\windows\SWREG.exe
2009-07-04 03:02 155,136 a------- c:\windows\PEV.exe
2009-07-04 03:02 98,816 a------- c:\windows\sed.exe
2009-06-20 21:41 <DIR> --d----- C:\VundoFix Backups
2009-06-19 13:34 10 a------- c:\windows\system32\urhtps.dat
2009-06-19 13:30 112 a------- c:\windows\system32\srvblck2.tmp
2009-06-19 13:30 <DIR> --d----- c:\windows\system32\xmldm
2009-06-19 13:30 <DIR> --d----- c:\windows\system32\cock
2009-06-11 15:57 19,197,323 a------- C:\video_join.wmv
2009-06-10 07:36 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 07:36 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-07 14:05 <DIR> --d----- c:\docume~1\max\applic~1\ESET
2009-06-07 14:04 <DIR> --d----- c:\program files\ESET

==================== Find3M ====================

2009-07-04 03:18 20,247 a------- c:\windows\system32\wincode.dat
2009-07-04 03:18 6,394 a------- c:\windows\system32\krncode.dat
2009-07-04 03:18 1,575 a------- c:\windows\system32\pwrcode.dat
2009-06-23 16:02 993,792 a------- c:\windows\system32\dllcache\kernel32.dll
2009-06-23 16:02 919,552 a------- c:\windows\system32\dllcache\wininet.dll
2009-06-19 12:25 993,792 a------- c:\windows\system32\sysk.tmp
2009-06-19 12:25 21,504 a------- c:\windows\system32\sysp.tmp
2009-06-19 12:25 919,552 a------- c:\windows\system32\wininet.dll
2009-06-19 12:25 919,552 a------- c:\windows\system32\sysw.tmp
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 15:49 55,768 a------- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 15:49 33,096 a------- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 15:49 133,000 a------- c:\windows\system32\drivers\epfw.sys
2009-05-14 15:47 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 15:41 114,472 a------- c:\windows\system32\drivers\eamon.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\osysw.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 06:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-12-29 04:09 3,072 a------- c:\program files\Microsofts.exe
2008-03-15 13:14 47,360 a------- c:\docume~1\max\applic~1\pcouffin.sys
2007-10-04 13:25 2,293,712 a------- c:\program files\FLV PlayerFCSetup.exe
2008-05-16 15:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 3:27:46.50 ===============

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,202 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:44 AM

Posted 06 July 2009 - 04:19 AM

Hello dona1,

First of all, can you please tell me if you have a Windows XP CD at your disposal?

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box
    :filefind
    wininet.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply
CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
DDS::
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File

Driver::
BVQJPYYA

Folder::
c:\windows\system32\xmldm
c:\windows\system32\cock
c:\windows\system32\UAs 

File::
c:\windows\system32\urhtps.dat
c:\windows\system32\srvblck2.tmp
c:\windows\system32\krncode.dat
c:\windows\system32\pwrcode.dat
c:\windows\system32\wincode.dat
c:\windows\system32\sysk.tmp
c:\windows\system32\sysp.tmp
c:\windows\system32\sysw.tmp0,0
c:\windows\system32\osysw.dat
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • SystemLook log
  • Combofix.txt
  • New DDS log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
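As an added example (not part of this thread, and not code from DDS, ComboFix or SystemLook), the script below does the triage step Elise performed by eye on the DDS log: it picks out the two kinds of entry her CFScript targets, BHO:/TB: registrations whose CLSID no longer points at a file ("- No File") and services whose image DDS could not stat (the trailing "[?]"), and drafts the DDS:: and Driver:: sections of a CFScript from them. The sample lines are copied from the DDS log posted above; the function names and regexes are my own. The Folder:: and File:: sections are deliberately not generated, because which .dat/.tmp files in system32 are malicious cannot be read off the log format alone and still needs an analyst's judgement.

```python
"""Triage helper for DDS 'Pseudo HJT Report' output (added example, not part of the thread).

Flags the two entry classes the helper's CFScript acts on:
  * BHO:/TB: lines whose CLSID has no backing file ("- No File"), and
  * service/driver lines DDS could not stat, marked with a trailing "[?]".
It then drafts the DDS:: and Driver:: sections of a CFScript from them.
"""
import re

# Constructed sample: lines in the exact format DDS prints, copied from the log above.
SAMPLE_DDS = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S2 BVQJPYYA;BVQJPYYA;\??\c:\windows\system32\bvqjpyya.qih --> c:\windows\system32\bvqjpyya.qih [?]
""".strip()

# A BHO/toolbar registration whose CLSID resolves to nothing on disk.
ORPHAN_RE = re.compile(r"^(BHO|TB):.*- No File$")
# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]" or "[?]".
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


def find_orphaned_bho_tb(lines):
    """Return BHO:/TB: lines whose CLSID has no backing file (left-over registrations)."""
    return [line.strip() for line in lines if ORPHAN_RE.match(line.strip())]


def find_unresolved_services(lines):
    """Return (service_name, image_path) for services whose image DDS could not stat.

    DDS prints "[?]" instead of the date/size when the image file is missing or hidden;
    a loaded driver (S1/S2/R*) with an unverifiable image is worth a close look.
    """
    found = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        if not rest.endswith("[?]"):
            continue
        path = rest[: -len("[?]")].strip()
        # DDS shows "\??\<path> --> <path>" for NT-style image paths; keep the resolved one.
        if " --> " in path:
            path = path.split(" --> ", 1)[1].strip()
        found.append((m.group("name").strip(), path))
    return found


def draft_cfscript(dds_text):
    """Draft the DDS:: and Driver:: sections of a CFScript (the directives used in the post above)."""
    lines = dds_text.splitlines()
    orphans = find_orphaned_bho_tb(lines)
    drivers = [name for name, _ in find_unresolved_services(lines)]
    sections = []
    if orphans:
        sections.append("DDS::\n" + "\n".join(orphans))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return ("\n\n".join(sections) + "\n") if sections else ""


if __name__ == "__main__":
    print(draft_cfscript(SAMPLE_DDS))
```

Run against the sample it prints a DDS:: block with the three orphaned CLSIDs and a Driver:: block naming BVQJPYYA, which is exactly what the script in the post above contains for those two sections; the remaining Folder::/File:: entries came from Elise reading the "Created Last 30" and Find3M listings by hand.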


#9 dona1

dona1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 06 July 2009 - 10:37 AM

Hello, I am having difficulty with SystemLook; it keeps crashing mid-scan with the error message that it has encountered a problem and needs to close. I have tried several times but to no avail. I have my XP CD.

#10 dona1

dona1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 06 July 2009 - 11:37 AM

I think this search problem is linked to the malware; if I try to use the Windows search function it also crashes. I will post the other two logs shortly. Cheers.

#11 dona1

dona1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 06 July 2009 - 11:56 AM

The following are the two logs I have been able to create.


ComboFix 09-07-03.03 - max 06/07/2009 17:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.554 [GMT 1:00]
Running from: c:\documents and settings\max\desktop\combofix.exe
Command switches used :: c:\documents and settings\max\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point

FILE ::
"c:\windows\system32\krncode.dat"
"c:\windows\system32\osysw.dat"
"c:\windows\system32\pwrcode.dat"
"c:\windows\system32\srvblck2.tmp"
"c:\windows\system32\sysk.tmp"
"c:\windows\system32\sysp.tmp"
"c:\windows\system32\sysw.tmp0,0"
"c:\windows\system32\urhtps.dat"
"c:\windows\system32\wincode.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AcroIEHelpe004.dll
c:\windows\system32\cock
c:\windows\system32\cock\max@aerlingus.122.2o7[1].txt
c:\windows\system32\cock\max@atdmt[1].txt
c:\windows\system32\cock\max@doubleclick[1].txt
c:\windows\system32\cock\max@doubleclick[2].txt
c:\windows\system32\krncode.dat
c:\windows\system32\osysw.dat
c:\windows\system32\pwrcode.dat
c:\windows\system32\srvblck2.tmp
c:\windows\system32\sysk.tmp
c:\windows\system32\sysp.tmp
c:\windows\system32\UAs
c:\windows\system32\UAs\explorer_UAs001.dat
c:\windows\system32\UAs\Explorer_UAs002.dat
c:\windows\system32\UAs\Explorer_UAs003.dat
c:\windows\system32\UAs\Explorer_UAs004.dat
c:\windows\system32\UAs\helpctr_UAs001.dat
c:\windows\system32\UAs\helpctr_UAs002.dat
c:\windows\system32\UAs\helpctr_UAs003.dat
c:\windows\system32\UAs\HelpHost_UAs001.dat
c:\windows\system32\UAs\HelpHost_UAs002.dat
c:\windows\system32\UAs\iexplore_UAs001.dat
c:\windows\system32\UAs\RealPlay_UAs001.dat
c:\windows\system32\UAs\softwareupdate_UAs001.dat
c:\windows\system32\UAs\svchost_UAs001.dat
c:\windows\system32\UAs\wgatray_UAs001.dat
c:\windows\system32\UAs\wmplayer_UAs001.dat
c:\windows\system32\urhtps.dat
c:\windows\system32\wincode.dat
c:\windows\system32\xmldm
c:\windows\system32\xmldm\explorer_UAs005.dat
c:\windows\TEMP\shifld2.old

Infected copy of c:\windows\system32\powrprof.dll was found and disinfected
Restored copy from - c:\i386\POWRPROF.DLL

c:\windows\system32\wininet.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BVQJPYYA
-------\Service_BVQJPYYA


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 16:20 . 2009-07-06 16:20 -------- d-----w- c:\program files\ESET
2009-07-04 02:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-04 02:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 02:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-04 02:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-20 20:41 . 2009-06-20 20:41 -------- d-----w- C:\VundoFix Backups
2009-06-19 15:51 . 2009-06-19 15:51 152576 ----a-w- c:\documents and settings\max\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 14:00 . 2009-06-10 14:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-10 06:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-07 13:05 . 2009-06-07 13:05 -------- d-----w- c:\documents and settings\max\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 16:46 . 2005-08-10 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2009-07-06 16:45 . 2005-02-16 09:33 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000004-20061102}.dat
2009-07-06 16:45 . 2005-02-16 09:33 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000004-20061102}.dat
2009-07-05 17:43 . 2006-07-25 09:59 -------- d-----w- c:\documents and settings\max\Application Data\Vso
2009-06-23 15:02 . 2004-08-04 05:00 919552 ----a-w- c:\windows\system32\wininet.dll
2009-06-19 15:52 . 2008-08-09 15:31 -------- d-----w- c:\program files\Java
2009-06-19 14:28 . 2009-02-14 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 14:27 . 2009-04-29 13:16 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-19 11:25 . 2004-08-04 05:00 919552 ----a-w- c:\windows\system32\sysw.tmp
2009-06-17 10:27 . 2009-02-14 20:44 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-02-14 20:44 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 11:36 . 2007-02-16 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-07 13:04 . 2009-03-09 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-01 09:42 . 2009-06-01 09:42 390664 ----a-w- c:\documents and settings\max\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-29 15:46 . 2009-03-28 17:07 152576 ----a-w- c:\documents and settings\max\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-25 17:58 . 2005-04-13 18:51 83808 ----a-w- c:\documents and settings\max\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:06 . 2005-02-16 09:35 -------- d-----w- c:\program files\Microsoft Works
2009-05-21 10:33 . 2008-08-09 15:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 14:49 . 2009-05-14 14:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 14:49 . 2009-05-14 14:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 14:49 . 2009-05-14 14:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 14:47 . 2009-05-14 14:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 14:41 . 2009-05-14 14:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-12 19:48 . 2009-05-12 19:48 1915520 ----a-w- c:\documents and settings\max\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 05:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-12-29 03:09 . 2009-02-12 15:09 3072 ----a-w- c:\program files\Microsofts.exe
2007-10-04 12:25 . 2007-10-04 12:25 2293712 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-04_02.21.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 16:46 . 2009-07-06 16:46 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
- 2008-05-16 14:31 . 2009-06-23 15:02 21504 c:\windows\ServicePackFiles\i386\powrprof.dll
+ 2008-05-16 14:31 . 2009-07-06 14:42 21504 c:\windows\ServicePackFiles\i386\powrprof.dll
+ 2009-07-06 16:20 . 2009-07-06 16:20 97360 c:\windows\Installer\{71CBF9BB-7E07-4A9D-BF30-84C11810B242}\egui.exe
- 2009-06-07 13:05 . 2009-06-07 13:05 97360 c:\windows\Installer\{71CBF9BB-7E07-4A9D-BF30-84C11810B242}\egui.exe
+ 2009-07-06 16:20 . 2009-07-06 16:20 10134 c:\windows\Installer\{71CBF9BB-7E07-4A9D-BF30-84C11810B242}\callmsi.exe
- 2009-06-07 13:05 . 2009-06-07 13:05 10134 c:\windows\Installer\{71CBF9BB-7E07-4A9D-BF30-84C11810B242}\callmsi.exe
+ 2008-05-16 14:36 . 2009-07-06 14:42 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
- 2008-05-16 14:36 . 2009-06-23 15:02 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
+ 2005-02-16 09:23 . 2009-07-04 02:25 513556 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-02-16 09:23 . 2009-04-17 15:17 513556 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-02-16 09:23 . 2009-04-17 15:17 100040 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-02-16 09:23 . 2009-07-04 02:25 100040 c:\windows\SYSTEM32\PERFC009.DAT
- 2004-08-04 05:00 . 2009-06-23 15:02 993792 c:\windows\SYSTEM32\kernel32.dll
+ 2004-08-04 05:00 . 2009-07-06 14:42 993792 c:\windows\SYSTEM32\kernel32.dll
+ 2004-08-04 05:00 . 2009-07-06 14:42 919552 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2004-08-04 05:00 . 2009-06-23 15:02 919552 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2004-08-04 05:00 . 2009-06-23 15:02 993792 c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
+ 2004-08-04 05:00 . 2009-07-06 14:42 993792 c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
+ 2008-05-16 14:31 . 2009-07-06 14:42 919552 c:\windows\ServicePackFiles\i386\wininet.dll
- 2008-05-16 14:31 . 2009-06-23 15:02 919552 c:\windows\ServicePackFiles\i386\wininet.dll
+ 2008-05-16 14:30 . 2009-07-06 14:42 993792 c:\windows\ServicePackFiles\i386\kernel32.dll
- 2008-05-16 14:30 . 2009-06-23 15:02 993792 c:\windows\ServicePackFiles\i386\kernel32.dll
+ 2009-06-10 14:04 . 2009-07-06 14:42 919552 c:\windows\ie8updates\KB969897-IE8\wininet.dll
- 2009-06-10 14:04 . 2009-06-23 15:02 919552 c:\windows\ie8updates\KB969897-IE8\wininet.dll
- 2009-05-25 14:39 . 2009-06-23 15:02 919552 c:\windows\ie8\wininet.dll
+ 2009-05-25 14:39 . 2009-07-06 14:42 919552 c:\windows\ie8\wininet.dll
- 2009-04-17 14:06 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-17 14:06 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB963027-IE7\wininet.dll
- 2009-02-12 10:13 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2009-02-12 10:13 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2008-12-10 06:45 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-12-10 06:45 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-10-17 20:08 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-10-17 20:08 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-08-22 18:24 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB953838-IE7\wininet.dll
- 2008-08-22 18:24 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB953838-IE7\wininet.dll
+ 2008-06-11 14:02 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB950759-IE7\wininet.dll
- 2008-06-11 14:02 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB950759-IE7\wininet.dll
- 2008-02-13 15:01 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB944533-IE7\wininet.dll
+ 2008-02-13 15:01 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB944533-IE7\wininet.dll
- 2007-06-13 07:42 . 2009-06-23 15:02 919552 c:\windows\ie7updates\KB933566-IE7\wininet.dll
+ 2007-06-13 07:42 . 2009-07-06 14:42 919552 c:\windows\ie7updates\KB933566-IE7\wininet.dll
+ 2008-08-22 18:11 . 2009-07-06 14:42 919552 c:\windows\ie7\wininet.dll
- 2008-08-22 18:11 . 2009-06-23 15:02 919552 c:\windows\ie7\wininet.dll
+ 2009-04-17 14:06 . 2009-07-06 14:42 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
- 2009-04-17 14:06 . 2009-06-23 15:02 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
- 2007-06-13 07:45 . 2009-06-23 15:02 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
+ 2007-06-13 07:45 . 2009-07-06 14:42 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
- 2006-08-11 09:49 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB918899$\wininet.dll
+ 2006-08-11 09:49 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB918899$\wininet.dll
+ 2006-08-11 09:49 . 2009-07-06 14:42 993792 c:\windows\$NtUninstallKB917422$\kernel32.dll
- 2006-08-11 09:49 . 2009-06-23 15:02 993792 c:\windows\$NtUninstallKB917422$\kernel32.dll
- 2006-06-18 23:18 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB916281$\wininet.dll
+ 2006-06-18 23:18 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB916281$\wininet.dll
- 2006-04-12 09:25 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB912812$\wininet.dll
+ 2006-04-12 09:25 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB912812$\wininet.dll
- 2005-12-14 14:57 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB905915$\wininet.dll
+ 2005-12-14 14:57 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB905915$\wininet.dll
+ 2005-08-10 20:34 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB896727$\wininet.dll
- 2005-08-10 20:34 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB896727$\wininet.dll
+ 2005-10-18 14:55 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB896688$\wininet.dll
- 2005-10-18 14:55 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB896688$\wininet.dll
+ 2005-04-14 21:05 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB890923$\wininet.dll
- 2005-04-14 21:05 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB890923$\wininet.dll
+ 2005-06-18 09:23 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB883939$\wininet.dll
- 2005-06-18 09:23 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB883939$\wininet.dll
- 2005-04-07 23:41 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB867282$\wininet.dll
+ 2005-04-07 23:41 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB867282$\wininet.dll
- 2005-02-16 09:38 . 2009-06-23 15:02 919552 c:\windows\$NtUninstallKB834707$\wininet.dll
+ 2005-02-16 09:38 . 2009-07-06 14:42 919552 c:\windows\$NtUninstallKB834707$\wininet.dll
+ 2008-05-16 14:36 . 2009-07-06 14:42 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
- 2008-05-16 14:36 . 2009-06-23 15:02 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
- 2009-06-10 06:36 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB969897-IE8\SP3QFE\wininet.dll
- 2009-03-03 00:17 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
+ 2009-03-03 00:17 . 2009-07-06 14:42 919552 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
- 2009-02-12 10:10 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
+ 2009-02-12 10:10 . 2009-07-06 14:42 919552 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
- 2009-03-21 13:59 . 2009-06-23 15:02 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
+ 2009-03-21 13:59 . 2009-07-06 14:42 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
+ 2008-12-09 20:30 . 2009-07-06 14:42 919552 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
- 2008-12-09 20:30 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
+ 2008-08-26 09:08 . 2009-07-06 14:42 919552 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
- 2008-08-26 09:08 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2008-08-15 18:04 . 2009-07-06 14:42 919552 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
- 2008-08-15 18:04 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
- 2008-06-11 08:57 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
+ 2008-06-11 08:57 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
+ 2008-04-09 18:07 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
- 2008-04-09 18:07 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
- 2007-12-07 02:01 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
+ 2007-12-07 02:01 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
+ 2007-10-10 23:47 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
- 2007-10-10 23:47 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
- 2007-08-20 10:02 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
+ 2007-08-20 10:02 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
- 2007-06-27 14:40 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
+ 2007-06-27 14:40 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
+ 2007-04-16 16:07 . 2009-07-06 16:44 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
- 2007-04-16 16:07 . 2009-06-23 15:02 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
- 2007-04-25 09:08 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
+ 2007-04-25 09:08 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
- 2007-05-09 02:56 . 2009-06-23 15:02 919552 c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
+ 2007-05-09 02:56 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
- 2006-07-05 10:57 . 2009-07-04 02:18 993792 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
+ 2006-07-05 10:57 . 2009-07-06 16:44 993792 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
- 2005-10-21 03:38 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
+ 2005-10-21 03:38 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
- 2005-07-03 02:09 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
+ 2005-07-03 02:09 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
- 2005-10-18 11:37 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
+ 2005-10-18 11:37 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
- 2005-03-10 07:43 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
+ 2005-03-10 07:43 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
- 2005-05-02 20:57 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
+ 2005-05-02 20:57 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
+ 2005-04-07 21:38 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
- 2005-04-07 21:38 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
+ 2005-02-16 09:38 . 2009-07-06 16:44 919552 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
- 2005-02-16 09:38 . 2009-07-04 02:18 919552 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
+ 2009-07-06 16:20 . 2009-07-06 16:20 1131008 c:\windows\Installer\458dd.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"NBJ"="c:\program files\ahead\nero backitup\nbj.exe" [2006-09-15 2048000]
"Free Internet Window Washer"="c:\program files\Free Internet Window Washer\Clearpch.exe" [2006-06-28 1467392]
"com.codeode.privacymantra"="c:\program files\privacy mantra 1.33\privacymantra.exe" [2006-06-06 741376]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 18583552]
"Retrospect_Setup"="c:\windows\system32\setup.exe" [2008-04-14 23040]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [14/05/2009 15:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\max\Application Data\Mozilla\Firefox\Profiles\t07i4qt7.default\
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 17:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2813933073-1730568982-1241464942-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell]
@="open"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\open]
@="&Open"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="c:\\Program Files\\Windows Media Player\\wmplayer.exe /Open \"%L\""

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\play]
@="&Play"

[HKEY_LOCAL_MACHINE\software\Classes\*t*i*nJ*_*a*u*t*o*_*f*i*l*e*\shell\play\command]
@="c:\\Program Files\\Windows Media Player\\wmplayer.exe /Play \"%L\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\RETROS~1\RETROS~1.1\Retrospect.exe
c:\progra~1\RETROS~1\RETROS~1.1\retrorun.exe
.
**************************************************************************
.
Completion time: 2009-07-06 17:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 16:50
ComboFix2.txt 2009-07-04 02:24

Pre-Run: 80,960,122,880 bytes free
Post-Run: 80,908,156,928 bytes free

379 --- E O F --- 2009-07-01 07:21




DDS (Ver_09-05-14.01) - NTFSx86
Run by max at 17:51:34.71 on 06/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.535 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Internet Window Washer\Clearpch.exe
C:\program files\privacy mantra 1.33\privacymantra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\max\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [Free Internet Window Washer] c:\program files\free internet window washer\Clearpch.exe -Start
uRun: [com.codeode.privacymantra] "c:\program files\privacy mantra 1.33\privacymantra.exe" -minimized
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [Retrospect_Setup] c:\windows\system32\setup.exe 2K -dr
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134572180906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\max\applic~1\mozilla\firefox\profiles\t07i4qt7.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

=============== Created Last 30 ================

2009-07-06 17:20 <DIR> --d----- c:\program files\ESET
2009-07-04 03:23 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-04 03:19 50,176 a------- c:\windows\system32\proquota.exe
2009-07-04 03:19 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-07-04 03:19 39,424 a------- c:\windows\system32\grpconv.exe
2009-07-04 03:19 39,424 a------- c:\windows\system32\dllcache\grpconv.exe
2009-07-04 03:14 <DIR> a-dshr-- C:\cmdcons
2009-07-04 03:02 161,792 a------- c:\windows\SWREG.exe
2009-07-04 03:02 155,136 a------- c:\windows\PEV.exe
2009-07-04 03:02 98,816 a------- c:\windows\sed.exe
2009-06-20 21:41 <DIR> --d----- C:\VundoFix Backups
2009-06-11 15:57 19,197,323 a------- C:\video_join.wmv
2009-06-10 07:36 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 07:36 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-07 14:05 <DIR> --d----- c:\docume~1\max\applic~1\ESET

==================== Find3M ====================

2009-07-06 15:42 21,504 a------- c:\windows\system32\dllcache\cache\powrprof.dll
2009-07-06 15:42 993,792 a------- c:\windows\system32\dllcache\kernel32.dll
2009-07-06 15:42 919,552 a------- c:\windows\system32\dllcache\wininet.dll
2009-06-23 16:02 919,552 a------- c:\windows\system32\wininet.dll
2009-06-19 12:25 919,552 a------- c:\windows\system32\sysw.tmp
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 15:49 55,768 a------- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 15:49 33,096 a------- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 15:49 133,000 a------- c:\windows\system32\drivers\epfw.sys
2009-05-14 15:47 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 15:41 114,472 a------- c:\windows\system32\drivers\eamon.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 06:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-12-29 04:09 3,072 a------- c:\program files\Microsofts.exe
2008-03-15 13:14 47,360 a------- c:\docume~1\max\applic~1\pcouffin.sys
2007-10-04 13:25 2,293,712 a------- c:\program files\FLV PlayerFCSetup.exe
2008-05-16 15:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 17:51:45.92 ===============

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,202 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:44 AM

Posted 08 July 2009 - 01:07 AM

Hello dona1,

First of all, I would advise you to disconnect your computer from the internet, unless you are instructed to download or update tools or programs. The reason for this is to prevent re-infection or spreading of the infection on your system.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

We have to delete all your previous restore points. Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point will help prevent this and enable your computer to "roll-back" to a working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
ATF-CLEANER
------------------
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Dr.Web.csv report
  • Kaspersky scan results
  • New DDS log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#13 dona1

dona1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 08 July 2009 - 06:21 AM

Hello Elise, the DR. WEB CUREIT scan persists in causing a crash and blue screen on my system?? Is this a symptom of something you are familiar with?? Or is there any other scan I can use to replace it??

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,202 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:44 AM

Posted 09 July 2009 - 06:29 AM

Hello dona1,

It's not normal that Dr.Web crashes, but some malware can cause this. Therefore leave Dr.Web for now and proceed with the Kaspersky online scanner. I also want us to run a scan with GMER.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please include the following:
  • Kaspersky online scan results
  • GMER log
  • New DDS log

regards, Elise


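Reading the GMER log once it comes back is the part these instructions leave to the helper. As an added example (not part of Elise's post and not GMER's own code), the Python script below groups a GMER report by its section headers and ranks the findings a malware helper reads first: SSDT hooks, inline code hooks in user processes, and MBR/disk-sector findings. The sample log embedded in it is constructed to mirror GMER's report format; the Explorer.EXE hook line in it is illustrative and does not come from this thread.

```python
"""Triage helper for GMER rootkit-scan reports (added example, not GMER code).

GMER emits plain text with '---- <Section> - GMER <version> ----' headers.
This groups the lines by section and ranks what a helper reads first.
SAMPLE_LOG is constructed to mirror that format; the Explorer.EXE hook is illustrative.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net

---- System - GMER 1.0.15 ----

SSDT 868C5A60 ZwOpenProcess
SSDT 868C5C90 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[296] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2784] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C80A3F
.reloc C:\WINDOWS\system32\svchost.exe[228] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a050fc size 0x1a9
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)$")
INLINE_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)\s+([0-9A-Fa-f]{8})\s+(\d+) Bytes\s+(.*)$")
# "JMP <addr> [<module path> [(description)]]"; no module when the target is not file-backed
JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]{8})(?:\s+(.+?))?(?:\s+\([^()]*\))?$")
SECTOR_RE = re.compile(r"^Disk\s+(\S+)\s+sector\s+(\d+):\s+(.*)$")


def classify(line):
    """Turn one report line into a finding dict; unrecognised lines become 'other'."""
    m = SSDT_RE.match(line)
    if m:
        return {"kind": "ssdt_hook", "address": m.group(1), "function": m.group(2)}
    m = INLINE_RE.match(line)
    if m:
        process, pid, target, detail = m.group(1), int(m.group(2)), m.group(3), m.group(6)
        jm = JMP_RE.match(detail)
        module = jm.group(2) if jm else None
        return {"kind": "inline_hook", "process": process, "pid": pid, "target": target,
                "detail": detail, "is_jmp": jm is not None, "jmp_module": module,
                # a JMP back into the hooked process's own image is self-hooking
                "self_hook": module is not None and module.lower() == process.lower()}
    m = SECTOR_RE.match(line)
    if m:
        desc = m.group(3)
        return {"kind": "disk_sector", "device": m.group(1), "sector": int(m.group(2)),
                "malicious": "malicious code" in desc.lower(), "detail": desc}
    if line.startswith(".reloc") and "section is executable" in line:
        return {"kind": "exec_reloc", "raw": line}
    return {"kind": "other", "raw": line}


def parse_gmer(text):
    """Group findings by the '---- Section ----' header they appear under."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current not in (None, "EOF"):
            sections[current].append(classify(line))
    return dict(sections)


SEVERITY = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def triage(findings):
    """Return [(severity, message)], highest first; .reloc and 'copy of MBR' lines are noise."""
    alerts = []
    for items in findings.values():
        for f in items:
            if f["kind"] == "disk_sector" and f["malicious"]:
                alerts.append(("HIGH", f"{f['device']} sector {f['sector']}: {f['detail']} (bootkit suspect)"))
            elif f["kind"] == "ssdt_hook":
                alerts.append(("INFO", f"SSDT hook on {f['function']} @ {f['address']}: identify owning driver"))
            elif f["kind"] == "inline_hook":
                who = f"{f['process']}[{f['pid']}] {f['target']}"
                if not f["is_jmp"]:
                    alerts.append(("INFO", f"{who} patched in place ({f['detail']})"))
                elif f["self_hook"]:
                    alerts.append(("INFO", f"{who} redirected into the process's own image"))
                else:
                    where = f["jmp_module"] or "memory with no backing module"
                    alerts.append(("MEDIUM", f"{who} redirected to {where}"))
    alerts.sort(key=lambda a: SEVERITY[a[0]])
    return alerts


if __name__ == "__main__":
    for sev, msg in triage(parse_gmer(SAMPLE_LOG)):
        print(f"[{sev}] {msg}")
```

SSDT hooks and in-place patches are reported as INFO because security suites such as the ESET product in this thread install them too; the script only raises the priority where code runs from the MBR area or a JMP leaves the process's own image.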


#15 dona1

dona1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 10 July 2009 - 04:29 AM

Here are the requested log files....


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 07:11:35
Records in database: 2454193
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 77992
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:20:09


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\Temp\shifld2.old.vir Infected: Trojan-Banker.Win32.MultiBanker.fg 1

The selected area was scanned.




GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 19:27:42
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 868C6630 ZwAssignProcessToJobObject
SSDT 868C5A60 ZwOpenProcess
SSDT 868C5E80 ZwOpenThread
SSDT 868C6460 ZwSuspendProcess
SSDT 868C6280 ZwSuspendThread
SSDT 868C5C90 ZwTerminateProcess
SSDT 868C60B0 ZwTerminateThread

---- User code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\svchost.exe[228] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[228] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[260] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\CTsvcCDA.EXE[272] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[296] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.reloc C:\Program Files\ESET\ESET Smart Security\ekrn.exe[296] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\ESET\ESET Smart Security\ekrn.exe[296] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\WINDOWS\System32\svchost.exe[372] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe[384] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Java\jre6\bin\jqs.exe[404] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\System32\alg.exe[788] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\csrss.exe[1076] C:\WINDOWS\system32\KERNEL32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Windows Media Player\WMPNetwk.exe[1080] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\winlogon.exe[1100] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\services.exe[1144] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\lsass.exe[1156] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\Ati2evxx.exe[1340] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1356] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1460] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\System32\svchost.exe[1584] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\System32\svchost.exe[1584] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1692] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\Explorer.EXE[1728] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\Explorer.EXE[1728] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1832] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\spoolsv.exe[2012] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe[2228] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[2304] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[2340] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\CTHELPER.EXE[2368] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2408] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\dla\tfswctrl.exe[2416] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2432] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe[2464] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\MXOALDR.EXE[2472] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2480] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2480] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\Program Files\iTunes\iTunesHelper.exe[2580] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\iTunes\iTunesHelper.exe[2580] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2600] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Java\jre6\bin\jusched.exe[2624] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Java\jre6\bin\jusched.exe[2624] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\Program Files\ESET\ESET Smart Security\egui.exe[2656] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2784] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)
.reloc C:\Program Files\MSN Messenger\MsnMsgr.Exe[2784] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\MSN Messenger\MsnMsgr.Exe[2784] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\Program Files\Free Internet Window Washer\Clearpch.exe[2812] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Free Internet Window Washer\Clearpch.exe[2812] C:\WINDOWS\system32\wininet.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\program files\privacy mantra 1.33\privacymantra.exe[2820] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\program files\privacy mantra 1.33\privacymantra.exe[2820] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\WINDOWS\system32\ctfmon.exe[2876] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Windows Media Player\WMPNSCFG.exe[2912] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe[3000] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe[3000] C:\WINDOWS\system32\wininet.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]
.reloc C:\Program Files\iPod\bin\iPodService.exe[3296] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\wscntfy.exe[3320] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Documents and Settings\max\Desktop\kzpfeoy5.exe[3572] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe[3964] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe[3964] C:\WINDOWS\system32\wininet.dll section is executable [0x3DA0F000, 0x7794, 0xE2000040]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:640] 868C4790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.application\bootstrap@ bootstrap.application.1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion@\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34\34 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a050fc size 0x1a9
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----






DDS (Ver_09-05-14.01) - NTFSx86
Run by max at 10:25:12.81 on 10/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.673 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Internet Window Washer\Clearpch.exe
C:\program files\privacy mantra 1.33\privacymantra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\max\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 213.105.224.17:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-C6F3-F06FA69CBF7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [Free Internet Window Washer] c:\program files\free internet window washer\Clearpch.exe -Start
uRun: [com.codeode.privacymantra] "c:\program files\privacy mantra 1.33\privacymantra.exe" -minimized
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [Retrospect_Setup] c:\windows\system32\setup.exe 2K -dr
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134572180906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\max\applic~1\mozilla\firefox\profiles\t07i4qt7.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

=============== Created Last 30 ================

2009-07-06 17:20 <DIR> --d----- c:\program files\ESET
2009-07-04 03:23 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-04 03:19 50,176 a------- c:\windows\system32\proquota.exe
2009-07-04 03:19 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-07-04 03:19 39,424 a------- c:\windows\system32\grpconv.exe
2009-07-04 03:19 39,424 a------- c:\windows\system32\dllcache\grpconv.exe
2009-07-04 03:14 <DIR> a-dshr-- C:\cmdcons
2009-07-04 03:02 161,792 a------- c:\windows\SWREG.exe
2009-07-04 03:02 155,136 a------- c:\windows\PEV.exe
2009-07-04 03:02 98,816 a------- c:\windows\sed.exe
2009-06-20 21:41 <DIR> --d----- C:\VundoFix Backups
2009-06-11 15:57 19,197,323 a------- C:\video_join.wmv

==================== Find3M ====================

2009-07-08 10:27 90,112 a------- c:\windows\DUMP2124.tmp
2009-07-06 15:42 21,504 a------- c:\windows\system32\dllcache\cache\powrprof.dll
2009-07-06 15:42 993,792 a------- c:\windows\system32\dllcache\kernel32.dll
2009-07-06 15:42 919,552 a------- c:\windows\system32\dllcache\wininet.dll
2009-06-23 16:02 919,552 a------- c:\windows\system32\wininet.dll
2009-06-19 12:25 919,552 a------- c:\windows\system32\sysw.tmp
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 15:49 55,768 a------- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 15:49 33,096 a------- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 15:49 133,000 a------- c:\windows\system32\drivers\epfw.sys
2009-05-14 15:47 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 15:41 114,472 a------- c:\windows\system32\drivers\eamon.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 22:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 06:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-12-29 04:09 3,072 a------- c:\program files\Microsofts.exe
2008-03-15 13:14 47,360 a------- c:\docume~1\max\applic~1\pcouffin.sys
2007-10-04 13:25 2,293,712 a------- c:\program files\FLV PlayerFCSetup.exe
2009-04-10 07:12 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-16 15:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 10:25:23.51 ===============