Twex.exe/Vundo HJT/MBAM logs for evaluation


This topic is locked. 9 replies to this topic.

#1 kkernagh (Members, 4 posts)

Posted 24 June 2009 - 09:57 AM

BleepingComputer,

This is my first post, however I have read the results on this site for many years and received a lot of great advice that way. My computer at the office has had a repeating infection of twex.exe, winlognn.exe, etc. for the last two months. I typically clear it out for two or three days at a time using HijackThis and Malwarebytes' Anti-Malware, but it always comes back. Finally today I get some free time to find a real solution, since I'm sure I'm not really ever fixing anything and it would be prudent to get anything that logs keystrokes or steals other information off of this PC.

Here's the HJT log upon startup with the problems:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:16 AM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Sepialine\Argos Print Monitor\SepialineDesktopClient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\mksno4kgfd4d.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [j6uh1ykiydc7supm7xbocxpci3ezsx] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\h02vddvfko.exe
O4 - HKCU\..\Run: [zcofald670wrw7zz3xl] C:\WINDOWS\TEMP\at2lhcj86.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [ymw1ukugladk6a9edg0hn5mabk1dg74f6q6gsvldu] C:\WINDOWS\TEMP\mprjqnds.exe
O4 - HKCU\..\Run: [lgepycum0bevr3695vzzn68g599tx5pj8s7qiuwku] C:\WINDOWS\TEMP\bamy74.exe
O4 - HKCU\..\Run: [qul128owywpmats8l4pxjbk7dhbiau3ihukybeimogq00pyic] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kbw8x7yxahx6.exe
O4 - HKCU\..\Run: [lvj1x2hi03] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\ur8bs3bc.exe
O4 - HKCU\..\Run: [kl2kdb7vkf5jzqdg7] C:\WINDOWS\TEMP\baqfw3.exe
O4 - HKCU\..\Run: [ghlqb8nawxj4v1q4xrl] C:\WINDOWS\TEMP\ldqtuo3.exe
O4 - HKCU\..\Run: [s8d06mj5nfv] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\fivj76gxhn.exe
O4 - HKCU\..\Run: [jcykhssi6wjq3pqj64y5d3zqzv48qp3knm] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\sqpy5aq4yys.exe
O4 - HKCU\..\Run: [rusv837kd1qcmtk7nacrtvvf8bt87twld2njnnz1ss5] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\u50asmlz9tk.exe
O4 - HKCU\..\Run: [tyc6ve87l8q2vrhqv3wxxva0961rpaoz6u03nq53c1b] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dm17kbl2nb.exe
O4 - HKCU\..\Run: [hgohunn2s073ulxvwe0g1s] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zf7gsn5ygq4.exe
O4 - HKCU\..\Run: [prriooj31] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kudnsr1.exe
O4 - HKCU\..\Run: [hg8qt5dun3qvdn0wczjo1cdg6kakbnlw4h5y0m2by5mhll] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\k238nik540.exe
O4 - HKCU\..\Run: [tkvmd3efbc5v8] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zeez6nikkte3d.exe
O4 - HKCU\..\Run: [tjkiaqo7kf2mrt6c61rssdesrz] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dhp74t9zu5443.exe
O4 - HKCU\..\Run: [oilhzbd3hpbm64bti0gzp5p3090aj0g1f14ti3n9jpz1r943] C:\WINDOWS\TEMP\yrh01q7y5ppb.exe
O4 - HKCU\..\Run: [h3drp3uos1zj0aso] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\mvj1015vx.exe
O4 - HKCU\..\Run: [qwcm6rb6n2o74y2ay8x566i3smqowzxb] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\c9iq3hw7l.exe
O4 - HKCU\..\Run: [gx51rf8ihvi06zkeb1u0zj9ljl7vy] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\i2iyqp.exe
O4 - HKCU\..\Run: [jbvyztgkfisccezt70kunk9] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\btjiur32.exe
O4 - HKCU\..\Run: [vot9t81hkd281tvlk] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\odqnwj882odr.exe
O4 - HKCU\..\Run: [jjc4im6mn88in] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\rokqq2nvqtq.exe
O4 - HKCU\..\Run: [mxvikaat3l03hbcjhsp] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\lqd64nbb4h.exe
O4 - HKUS\S-1-5-21-2036011836-3765780210-2116737582-1003\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User '?')
O4 - HKUS\S-1-5-21-2036011836-3765780210-2116737582-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = archdem.local
O17 - HKLM\Software\..\Telephony: DomainName = archdem.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = archdem.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = archdem.local
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Argos Billing Dialog - Sepialine, Inc. - C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9861b45c685b2) (gupdate1c9861b45c685b2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9609 bytes

And here is an MBAM log of what occurs when I typically run a fully-updated Quick Scan after using HJT to remove the gibberish temp-folder entries above:

Malwarebytes' Anti-Malware 1.36
Database version: 2032
Windows 5.1.2600 Service Pack 3

4/27/2009 9:05:26 AM
mbam-log-2009-04-27 (09-05-22).txt

Scan type: Quick Scan
Objects scanned: 104188
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Let me know if you have any answers or directions to existing topics that do! I really appreciate your help.

- Kevin
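Added example, not code from this thread or from HijackThis or Malwarebytes: a small Python triage script that reads HijackThis lines like the ones above and flags the three persistence mechanisms visible in this log, namely the Winlogon Userinit value extended with twex.exe (the reason the infection returns after Run keys and Temp files are cleaned), Run entries with random value names launching from Temp directories, and a BHO/SharedTaskScheduler CLSID whose DLL is missing. The sample lines are copied from the log above; the line patterns and the two heuristics are this example's own assumptions, not HijackThis logic.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample for the triage below: lines copied from the HijackThis
# log in this thread, plus benign Run/BHO entries from the same log so the
# heuristics have something to leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\mksno4kgfd4d.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [j6uh1ykiydc7supm7xbocxpci3ezsx] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\h02vddvfko.exe
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
"""

# Line shapes this example understands; inferred from the log layout above,
# not taken from HijackThis itself.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.IGNORECASE)
O4_RUN = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CLSID_ENTRY = re.compile(
    r"^(?P<type>O2|O22) - .*?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Heuristics (this example's own assumptions; tune for your environment): an
# autorun living under a Temp directory, and a Run value name that is a long
# lowercase letter/digit soup containing at least one digit.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{9,}$")


@dataclass
class Finding:
    line_type: str  # F2, O2, O4 or O22
    reason: str
    detail: str
    clsid: str = ""


def userinit_extras(value: str) -> list:
    """Return every program in a Userinit value other than userinit.exe.

    A clean value is 'userinit.exe,' (or its full path). Anything chained after
    the comma runs at every interactive logon, so it survives a cleanup that
    only deletes Run keys and Temp files.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def triage(log_text: str) -> list:
    """Flag persistence entries in HijackThis output, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_USERINIT.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(Finding("F2", "extra program chained to Winlogon Userinit", extra))
            continue
        m = O4_RUN.match(line)
        if m:
            reasons = []
            if TEMP_DIR.search(m.group("cmd")):
                reasons.append("autorun launched from a Temp directory")
            if RANDOM_NAME.match(m.group("name")):
                reasons.append("random-looking Run value name")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons),
                                        f"[{m.group('name')}] {m.group('cmd')}"))
            continue
        m = CLSID_ENTRY.match(line)
        if m and m.group("missing"):
            findings.append(Finding(m.group("type"), "COM object registered but its DLL is missing",
                                    m.group("path"), clsid=m.group("clsid")))
    return findings


def shared_clsids(findings: list) -> set:
    """CLSIDs flagged under more than one load point (here the same missing DLL
    is both a BHO and a SharedTaskScheduler entry); both registrations point at
    one component, so a cleanup has to remove them together."""
    counts = Counter(f.clsid for f in findings if f.clsid)
    return {clsid for clsid, n in counts.items() if n > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.line_type:4} {f.reason}: {f.detail}")
    print("CLSIDs with multiple load points:", shared_clsids(results))
```

Run against the full log in this thread, the same heuristics flag every one of the random-name Temp autoruns listed under O4 above; the name pattern is deliberately loose, so review anything it flags rather than deleting on sight.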



#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 24 June 2009 - 12:18 PM

Hi,

First of all, please update MalwareBytes, because the database version and program version are outdated.
  • Start MalwareBytes and click the Update tab. There click "Check for updates".
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by miekiemoes, 24 June 2009 - 12:18 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kkernagh, Topic Starter (Members, 4 posts)

Posted 25 June 2009 - 09:16 AM

The HijackThis log and fully updated Malwarebytes' Anti-Malware log are pasted below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:02 AM, on 6/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sepialine\Argos Print Monitor\SepialineDesktopClient.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\mksno4kgfd4d.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [j6uh1ykiydc7supm7xbocxpci3ezsx] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\h02vddvfko.exe
O4 - HKCU\..\Run: [zcofald670wrw7zz3xl] C:\WINDOWS\TEMP\at2lhcj86.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [ymw1ukugladk6a9edg0hn5mabk1dg74f6q6gsvldu] C:\WINDOWS\TEMP\mprjqnds.exe
O4 - HKCU\..\Run: [lgepycum0bevr3695vzzn68g599tx5pj8s7qiuwku] C:\WINDOWS\TEMP\bamy74.exe
O4 - HKCU\..\Run: [qul128owywpmats8l4pxjbk7dhbiau3ihukybeimogq00pyic] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kbw8x7yxahx6.exe
O4 - HKCU\..\Run: [lvj1x2hi03] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\ur8bs3bc.exe
O4 - HKCU\..\Run: [kl2kdb7vkf5jzqdg7] C:\WINDOWS\TEMP\baqfw3.exe
O4 - HKCU\..\Run: [ghlqb8nawxj4v1q4xrl] C:\WINDOWS\TEMP\ldqtuo3.exe
O4 - HKCU\..\Run: [s8d06mj5nfv] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\fivj76gxhn.exe
O4 - HKCU\..\Run: [jcykhssi6wjq3pqj64y5d3zqzv48qp3knm] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\sqpy5aq4yys.exe
O4 - HKCU\..\Run: [rusv837kd1qcmtk7nacrtvvf8bt87twld2njnnz1ss5] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\u50asmlz9tk.exe
O4 - HKCU\..\Run: [tyc6ve87l8q2vrhqv3wxxva0961rpaoz6u03nq53c1b] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dm17kbl2nb.exe
O4 - HKCU\..\Run: [hgohunn2s073ulxvwe0g1s] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zf7gsn5ygq4.exe
O4 - HKCU\..\Run: [prriooj31] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\kudnsr1.exe
O4 - HKCU\..\Run: [hg8qt5dun3qvdn0wczjo1cdg6kakbnlw4h5y0m2by5mhll] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\k238nik540.exe
O4 - HKCU\..\Run: [tkvmd3efbc5v8] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\zeez6nikkte3d.exe
O4 - HKCU\..\Run: [tjkiaqo7kf2mrt6c61rssdesrz] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\dhp74t9zu5443.exe
O4 - HKCU\..\Run: [oilhzbd3hpbm64bti0gzp5p3090aj0g1f14ti3n9jpz1r943] C:\WINDOWS\TEMP\yrh01q7y5ppb.exe
O4 - HKCU\..\Run: [h3drp3uos1zj0aso] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\mvj1015vx.exe
O4 - HKCU\..\Run: [qwcm6rb6n2o74y2ay8x566i3smqowzxb] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\c9iq3hw7l.exe
O4 - HKCU\..\Run: [gx51rf8ihvi06zkeb1u0zj9ljl7vy] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\i2iyqp.exe
O4 - HKCU\..\Run: [jbvyztgkfisccezt70kunk9] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\btjiur32.exe
O4 - HKCU\..\Run: [vot9t81hkd281tvlk] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\odqnwj882odr.exe
O4 - HKCU\..\Run: [jjc4im6mn88in] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\rokqq2nvqtq.exe
O4 - HKCU\..\Run: [mxvikaat3l03hbcjhsp] C:\DOCUME~1\KEVIN~2.ARC\LOCALS~1\Temp\lqd64nbb4h.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = archdem.local
O17 - HKLM\Software\..\Telephony: DomainName = archdem.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = archdem.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = archdem.local
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\mksno4kgfd4d.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Argos Billing Dialog - Sepialine, Inc. - C:\Program Files\Sepialine\Argos Print Monitor\SepialineBDMonitor.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9861b45c685b2) (gupdate1c9861b45c685b2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9154 bytes

MBAM:

Malwarebytes' Anti-Malware 1.38
Database version: 2333
Windows 5.1.2600 Service Pack 3

6/25/2009 9:10:38 AM
mbam-log-2009-06-25 (09-10-22).txt

Scan type: Quick Scan
Objects scanned: 124945
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks guys!

#4 Orange Blossom, OBleepin Investigator (Moderator, 36,702 posts, Bloomington, IN)

Posted 25 June 2009 - 10:02 PM

Hello kkernagh,

I have merged your latest topic with your previously existing topic. Please keep all posts to this topic by using the Add Reply button at the bottom of the topic. Starting new topics delays the assistance you receive and confuses things for everyone.

"Updated post - yesterdays was deleted"

From the title of your merged topic: I don't know what you mean by that, as no posts of yours have been deleted.

Back to you, miekiemoes.

Orange Blossom ~ forum moderator
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 26 June 2009 - 02:32 AM

Hi,

It appears that you didn't tell Malwarebytes to remove the files, because your log shows that no action was taken.
So please let MBAM remove the files and then reboot.

After the reboot, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#6 kkernagh, Topic Starter (Members, 4 posts)

Posted 29 June 2009 - 09:40 AM

Pardon my delay (and my attempt to create a new topic); here is the ComboFix log I received about 10 minutes ago:

ComboFix 09-06-28.04 - Kevin 06/29/2009 9:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2823 [GMT -5:00]
Running from: c:\documents and settings\Kevin.ARCHDEM\My Documents\installer files\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-11 14:14 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 14:14 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 16:23 . 2009-06-09 16:23 -------- d-----w- c:\documents and settings\KEVIN~2~ARC\LOCALS~1
2009-06-09 16:23 . 2009-06-09 16:23 -------- d-----w- c:\documents and settings\KEVIN~2~ARC
2009-06-03 15:18 . 2009-06-03 15:18 -------- d-sh--w- c:\documents and settings\Kevin.ARCHDEM\PrivacIE
2009-06-02 13:53 . 2009-06-18 14:09 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 14:08 . 2009-02-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-26 23:02 . 2009-05-20 16:45 487440 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-19 18:05 . 2009-05-04 14:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-18 14:09 . 2009-04-23 18:26 -------- d-----w- c:\program files\MAM
2009-06-17 16:27 . 2009-04-23 18:26 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-04-23 18:26 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-01 22:47 . 2008-05-19 16:22 -------- d-----w- c:\documents and settings\Kevin.ARCHDEM\Application Data\AdobeUM
2009-05-29 15:28 . 2009-05-22 15:25 -------- d-----w- c:\program files\Ppt-2-Ppt
2009-05-27 14:09 . 2009-01-13 15:24 -------- d-----w- c:\program files\Google
2009-05-26 14:33 . 2009-04-16 14:36 -------- d-----w- c:\program files\Lavasoft
2009-05-26 14:26 . 2008-05-19 14:38 54384 ----a-w- c:\documents and settings\Kevin.ARCHDEM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 15:44 . 2009-05-22 15:44 -------- d-----w- c:\program files\MSECache
2009-05-20 15:52 . 2009-05-20 15:52 -------- d-----w- c:\program files\Trend Micro
2009-05-20 14:23 . 2009-05-20 14:23 -------- d-----w- c:\documents and settings\Administrator.USER-D75B93B10D\Application Data\Malwarebytes
2009-05-13 14:24 . 2008-05-20 19:10 -------- d-----w- c:\program files\Sepialine
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 15:22 . 2009-04-30 15:22 220256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\MEP2010\9.0\1033\ResourceCache.dll
2009-04-30 15:20 . 2009-04-30 15:20 -------- d-----w- c:\program files\Autodesk Revit MEP 2010
2009-04-30 15:20 . 2008-05-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-04-21 14:06 . 2009-04-21 14:06 220256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\Architecture2010\9.0\1033\ResourceCache.dll
2009-04-21 14:03 . 2009-04-21 14:03 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-04-21 03:12 . 2007-06-19 23:08 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-13 14:04 . 2009-04-13 14:04 152576 ----a-w- c:\documents and settings\Kevin.ARCHDEM\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-01-16 20:05 . 2009-01-16 20:03 9636896 -c--a-w- c:\program files\LS_Update_1.17.90.1_.exe
2009-01-16 19:59 . 2009-01-16 19:58 9954992 -c--a-w- c:\program files\LightScribeTemplateLabeler_1.17.90.1.exe
2009-01-16 19:55 . 2009-01-16 19:52 17701816 ----a-w- c:\program files\LightScribeSimpleLabeler_1.17.90.1.exe
2009-01-13 23:28 . 2009-01-13 23:03 164412304 ----a-w- c:\program files\Autodesk_NavisWorks_Freedom_2009.1_English_Win_32bit.exe
2009-01-13 15:37 . 2009-01-13 15:37 1248953 ----a-w- c:\program files\EarthConnectorRevit.exe
2009-01-13 15:23 . 2009-01-13 15:23 1035408 ----a-w- c:\program files\Google Updater.exe
2008-05-19 13:46 . 2008-05-19 13:45 2400784 -c--a-w- c:\program files\WLinstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-07-04 148776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Rpcdf2gsphuu"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/17/2009 7:52 AM 101936]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9861b45c685b2;Google Update Service (gupdate1c9861b45c685b2);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 11:20 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 2:55 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:04]

2009-06-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 16:19]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Kevin.ARCHDEM\Application Data\Mozilla\Firefox\Profiles\r9zhpyyi.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-511591595-1187453103-3816814527-1147\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3124)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-29 9:34
ComboFix-quarantined-files.txt 2009-06-29 14:34

Pre-Run: 421,178,945,536 bytes free
Post-Run: 421,806,190,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional 3GB" /3GB /noexecute=optin /fastdetect

166 --- E O F --- 2009-06-11 22:54

#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:00 AM

Posted 29 June 2009 - 09:46 AM

Hi,

Open Notepad and copy and paste the text present in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Rpcdf2gsphuu"=-

Save this as fix.reg. Choose to save as *All Files* and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
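As an added example (not the helper's or ComboFix's own code), the small Python triage script below parses the REGEDIT4-style "Reg Loading Points" block that ComboFix prints, lists what msconfig has recorded under its services key (the key the fix above edits), and builds the same kind of deletion .reg file, where `"name"=-` removes just that value. The sample log text is constructed from this thread's entries.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log: parse the
REGEDIT4-style block, list the services msconfig has recorded, and emit a fix."""
import re

# Constructed sample: a cut-down copy of the block shown in this thread's log.
SAMPLE_LOG = """REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Rpcdf2gsphuu"=3 (0x3)
"""
MSCONFIG_SERVICES = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')  # "name"=value or @=value

def parse_reg_points(text):
    """Return {key: {value_name: raw_value}}; '@' is a key's default value."""
    entries, key = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line.strip())
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            entries[key][name] = m.group(3).strip()
    return entries

def msconfig_disabled_services(entries):
    """Names under msconfig's 'services' key, i.e. services it has disabled."""
    for key, values in entries.items():
        if key.lower() == MSCONFIG_SERVICES.lower():
            return sorted(n for n in values if n != "@")
    return []

def reg_delete_values(key, names):
    """REGEDIT4 text that deletes the named values from key when merged ('"name"=-')."""
    lines = ["REGEDIT4", "", "[%s]" % key] + ['"%s"=-' % n for n in names]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("msconfig-recorded services:", msconfig_disabled_services(parse_reg_points(SAMPLE_LOG)))
    print(reg_delete_values(MSCONFIG_SERVICES, ["Rpcdf2gsphuu"]), end="")
```

Write the generated text out with Windows line endings before merging it; the `=-` line removes only the listed value and leaves the key itself in place.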

#8 kkernagh

  • Topic Starter
  • Members
  • 4 posts
  • Local time:03:00 AM

Posted 29 June 2009 - 10:17 AM

As far as I can tell, everything is fine. I appreciate your assistance and will be happy to use bleepingcomputer for any future problems, but hopefully using MBAM regularly will clear up many problems.

Let me know if there is anything else to do,

Thanks,

Kevin

#9 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:00 AM

Posted 29 June 2009 - 10:20 AM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:00 AM

Posted 07 July 2009 - 07:27 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.