UAC Virus / Yahoo Hijack


21 replies to this topic

#1 McClainJa (Members, 30 posts)

Posted 26 June 2009 - 03:26 PM

Hi. I'm running Windows XP SP2. I've been having Yahoo search records hijacked for about a week now, and I just had one of those major fake anti-spyware objects show up. It's gone now but I'm still showing viruses. I have been working with Ad-Aware and Malwarebytes; when I run Ad-Aware I get the same 5-6 files, but they don't exist on my system, and every time I try to quarantine or remove the files Explorer.exe restarts and they just pop back up. The files that Ad-Aware says are Win32 Trojan TDSS all start with UAC, and these are the two processes:

\\?\globalroot\systemroot\system32\uacyviwexvkbphhmrmkn.dll
\\?\globalroot\systemroot\system32\uacrsbrxdulnqvdlyxmd.dll

And here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:41 PM, on 6/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Chronic McBudz\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {D7C81E7F-F39C-D644-C9FC-81FA39DB39E1} - C:\WINDOWS\system32\ubop.dll (file missing)
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video AX Object\smmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163576622312
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O22 - SharedTaskScheduler: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5677 bytes


Thank You Very Much For Your Help

P.S. I use Mozilla Firefox; I have no clue why those Iexplore.exe programs are coming up.
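A triage pass over the HijackThis log above, added here as an example: this is the editor's code, not HijackThis output and not from any poster in the thread. It flags the kinds of entries a helper would read first in this particular log: the BHO and SharedTaskScheduler entries whose files are gone, the AppInit_DLLs value, the Policies\Explorer\Run autostart, and any path spelled through \\?\globalroot like the two Ad-Aware hits. The rules are heuristics, the sample lines are copied from the posted log (a constructed subset, not the whole thing), and LOOPBACK_HOSTS is an assumption about what a clean hosts file contains.

```python
"""Triage a HijackThis log for entries that merit a closer look.

Added example for this thread, not part of HijackThis or of any post above.
The rules are the editor's own heuristics; the sample lines are copied from
the log posted in the first message (a constructed subset, not the full log).
"""
import re

SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll (file missing)
O2 - BHO: (no name) - {D7C81E7F-F39C-D644-C9FC-81FA39DB39E1} - C:\WINDOWS\system32\ubop.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video AX Object\smmain.exe
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O22 - SharedTaskScheduler: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Assumption: a clean hosts file carries only the loopback names.
LOOPBACK_HOSTS = ("127.0.0.1 localhost", "::1 localhost")


def triage(log_text):
    """Return (section, reason, line) for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        reasons = []
        # The registry still points at a file that is gone: leftover of a removal, or hidden.
        if "(file missing)" in low or "(no file)" in low:
            reasons.append("orphaned entry")
        # AppInit_DLLs is loaded into every process that links user32.dll; legitimate use is rare.
        if section == "O20" and low.split("appinit_dlls:", 1)[-1].strip():
            reasons.append("AppInit_DLLs injection")
        # Policies\Explorer\Run is an obscure autostart key that malware likes because few people look there.
        if section == "O4" and "policies\\explorer\\run" in low:
            reasons.append("Policies\\Explorer\\Run autostart")
        # \\?\globalroot\... is the NT object-namespace spelling of a path (see the Ad-Aware hits above).
        if "\\\\?\\globalroot" in low:
            reasons.append("globalroot (NT namespace) path")
        # Any hosts entry beyond the loopback defaults rewrites name resolution for that host.
        if section == "O1" and low.split("hosts:", 1)[-1].strip() not in LOOPBACK_HOSTS:
            reasons.append("hosts redirection")
        # A service with an empty vendor field proves nothing by itself, but it is unusual.
        if section == "O23" and " - - " in body:
            reasons.append("service with no vendor string")
        for reason in reasons:
            findings.append((section, reason, line))
    return findings


def summarize(log_text):
    """Findings per reason, handy for eyeballing a log before reading every line."""
    counts = {}
    for _, reason, _ in triage(log_text):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Run it as a script to print the findings, or call summarize() on a full log. Note what the rules do not catch: the O4 kell entry for liser.exe looks like any other Run value to a pattern-based pass and is only caught here through its AppInit_DLLs sibling; a path allowlist would be needed to flag it on its own. None of this should be "fixed" wholesale from HijackThis on a rootkit-infected machine, as the first post shows: the files simply come back.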


#2 SifuMike (malware expert; Members, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 27 June 2009 - 03:41 PM

Hello McClainJa,


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

***************

Please post the last Malwarebytes log so I can see what it is finding.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire MBAM report (even if it does not find anything) in your next reply.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.

#3 McClainJa (Topic Starter; Members, 30 posts)

Posted 27 June 2009 - 05:57 PM

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment Standard Edition v1.3.1_02
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 10 seconds.
`````````End of Log```````````


And Malwarebytes has quit working for me: it won't open, won't uninstall and won't install a new version. Going to go to Safe Mode and try it there; if I get it to work I'll post it up.

**update** I tried in Safe Mode. I was able to uninstall the old version, but when I try to install the program it opens the process and that's it, it doesn't do anything. Also looked at my other processes, and the Iexplore.exe is pointed to www.aportals.net/pubac/ac.php?aid=158&sid=clean12 and has ctfmon.exe running under it and another Iexplore.exe; no visible windows for either instance of iexplore.exe. And I found out that the liser.exe process is a virus. Starting to think I have 2 or 3 different things going on.

Edited by McClainJa, 27 June 2009 - 06:51 PM.


#4 SifuMike (malware expert; Members, 15,385 posts)

Posted 27 June 2009 - 07:09 PM

Hi McClainJa,

The infection you have prevents malware tools from running, but we can usually make them run.

Malwarebytes is designed to run in Normal Mode, so don't use Safe Mode.

If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool.exe and double-click newtool.exe to proceed in running a Full Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire MBAM report (even if it does not find anything) in your next reply.


*****************


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment Standard Edition v1.3.1
    Java 2 Runtime Environment Standard Edition v1.3.1_02
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
*****************

I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if an antivirus is not present, which should be able to deal with most of it and prevent further reinfection.

#5 McClainJa (Topic Starter; Members, 30 posts)

Posted 27 June 2009 - 11:33 PM

Truthfully, I thought Ad-Aware was anti-virus. But here are the logs.


Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/27/2009 9:55:52 PM
mbam-log-2009-06-27 (21-55-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 226915
Time elapsed: 46 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 117

Memory Processes Infected:
C:\program Files\Manson\liser.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\progra~1\manson\liser.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Manson (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\chronic mcbudz\local settings\Temp\id6rjs4r64j6a7io8jkswhvv44.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\chronic mcbudz\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETfqmehesi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tpsaxyd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETaajgghsqar.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETajmueaeepr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETanpeixrtde.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETbdmexmspft.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETbgcvvjhikt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETbphwlcitni.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETbpxwucviqq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETbqrckowipb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETcdsvqinnvl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETcorcncwxrq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETdgmyktritg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETdmskdjresj.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETdnxuiqynhk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETdpjxwdwcor.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETeiuosfplmu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETeixpdfhwpc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETepvfwoxbtl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETftecbfnnvs.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETftojfwvwyq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETgasvibwrij.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETgebddqopwq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETgiwlyqgajs.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETgmemmiyhyw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNEThnxxnbfptu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNEThqpcbckfts.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETibftpuseex.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETibqensxdwt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETidxwenentx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETimbyapquqd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETimuidbdeob.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETitnevmpebs.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETivrqriryuy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETixvspqqyec.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETiyusipmpuy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETjdbxelyydx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETjuyqrabnmc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETkbqyiedkbw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETkgpmnwylqn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETklpooyntxt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETklxgexqtel.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETlohosamxsn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETlvqhsibcrm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETmdwiowuxty.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETmpdobbdeob.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETmprghuydme.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETmrgraybmrk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETmytmqctixd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETnspwiwtxve.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETntrpphgjki.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETnwhxbdbbqb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETofiucoolwp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNEToqycimqbvp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETowrnstbdwq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETphqyxxorpp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETpitnydjyrx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETpntnlhfbrb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETpqrnmbapoc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETpquqxdsvra.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETpvmwbxmmov.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETqbwwxvcdbx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETqievbcdvsb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETquoshjbwfr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETqxvbvpfdbd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrahyxbvhxt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrdypbakekf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETreobqmhpqu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrmarqqjerh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrnmsltidwo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrpufvrpgpu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrqstvpwtij.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETrwblevnfvg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETsecwkibiqq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETstyibkxoic.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETtabvpesvjq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETterxtapmlk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETtgoudtnayn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETthnjimswvr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETtnhwvxbmyr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETtrqmexneip.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETtspipyrbvx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETttrnopowpm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETucbcqhepxd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETuqylnsmnak.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvbaosongca.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvbbxgntxyl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvbetshcixn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvbyxmbfnqi.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvetusipsew.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvqfofihjwi.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETvyrpicyqjt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETwctysprrcg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETwfhhggewmv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETwijeqrchgj.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETwipfxwquoi.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETwtspnaitet.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxcdxbvfxpv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxdmbprxspu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxeqwbucpeq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxnktijpejr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxnsqoporie.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxnsvsmmxcb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxtfpkyfdcv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxtoipuqfwk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETxxsueeocfg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETyqvgntnbpc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\SKYNETyxfptsauly.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\program files\Manson\liser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Manson\liser.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\SKYNETfxyfwcbv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETxivbqerl.sys (Trojan.Agent) -> Quarantined and deleted successfully.



Avira AntiVir Personal
Report file date: Saturday, June 27, 2009 23:11

Scanning for 1429418 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : JAMES

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 02:30:31
ANTIVIR2.VDF : 7.1.4.133 2048 Bytes 6/24/2009 02:30:32
ANTIVIR3.VDF : 7.1.4.144 82944 Bytes 6/26/2009 02:30:32
Engineversion : 8.2.0.199
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.10 418171 Bytes 6/28/2009 02:30:46
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/28/2009 02:30:44
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 6/28/2009 02:30:43
AEHELP.DLL : 8.1.3.6 205174 Bytes 6/28/2009 02:30:36
AEGEN.DLL : 8.1.1.46 348533 Bytes 6/28/2009 02:30:35
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Saturday, June 27, 2009 23:11

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\group
[INFO] The registry entry is invisible.
'14871' objects were checked, '22' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindService.exe' - '1' Module(s) have been scanned
Scan process 'slserv.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'zHotkey.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
33 processes with 33 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\bundle\Works\REDIST\IE6\TEMPFILE.CAB
[0] Archive type: CAB (Microsoft)
--> msoe.hlp
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\All Users\Application Data\13156564\13156564.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-71c44e5b.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4e1040f8-23514ece.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.2 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7d25d46e.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-33559686.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.1 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2a52b118.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.2 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4f461475.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.40 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-9ec854f-2c12dc4c.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.2 exploit
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-53a7852b.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.B.2 exploit
C:\Documents and Settings\Chronic McBudz\Desktop\Torrents\Alcohol 120% 1.9.5.4327\UniPatch.exe
[DETECTION] Is the TR/Patch.F.28 Trojan
C:\Documents and Settings\Chronic McBudz\Local Settings\Temp\Acr137.tmp
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\Documents and Settings\Chronic McBudz\Local Settings\Temp\ro_1245994964.exe
[DETECTION] Is the TR/Drop.Agent.sja Trojan
C:\Program Files\Alcohol Soft\Alcohol 120\Patch.exe
[DETECTION] Is the TR/Virtl.4623 Trojan
C:\System Volume Information\_restore{BABF27AF-98B1-46AD-8AEE-3507E0DEE2FA}\RP638\A0111186.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{BABF27AF-98B1-46AD-8AEE-3507E0DEE2FA}\RP639\A0112212.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{BABF27AF-98B1-46AD-8AEE-3507E0DEE2FA}\RP665\A0116125.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\11_se.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dldr.Small.ddp.37 Trojan
C:\WINDOWS\id6rjs4r64j6a7io8jkswhvv81.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\WINDOWS\ld11.exe
--> Object
[DETECTION] Contains recognition pattern of the WORM/Koobface.UK worm
C:\WINDOWS\system32\wiawow32.sys
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\vaxscsi.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\13156564\13156564.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a77ef06.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-71c44e5b.zip
[NOTE] The file was moved to '4ab3ef49.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4e1040f8-23514ece.zip
[NOTE] The file was moved to '497f4d82.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-7d25d46e.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '497995a2.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-33559686.zip
[NOTE] The file was moved to '497bbc42.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2a52b118.zip
[NOTE] The file was moved to '48a4751a.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4f461475.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '48a69d3a.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-9ec854f-2c12dc4c.zip
[NOTE] The file was moved to '48a0a5da.qua'!
C:\Documents and Settings\Chronic McBudz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-53a7852b.zip
[NOTE] The file was moved to '48a2cdfa.qua'!
C:\Documents and Settings\Chronic McBudz\Desktop\Torrents\Alcohol 120% 1.9.5.4327\UniPatch.exe
[DETECTION] Is the TR/Patch.F.28 Trojan
[NOTE] The file was moved to '4aafef41.qua'!
C:\Documents and Settings\Chronic McBudz\Local Settings\Temp\Acr137.tmp
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4ab8ef36.qua'!
C:\Documents and Settings\Chronic McBudz\Local Settings\Temp\ro_1245994964.exe
[DETECTION] Is the TR/Drop.Agent.sja Trojan
[NOTE] The file was moved to '4aa5ef42.qua'!
C:\Program Files\Alcohol Soft\Alcohol 120\Patch.exe
[DETECTION] Is the TR/Virtl.4623 Trojan
[NOTE] The file was moved to '4abaef35.qua'!
C:\System Volume Information\_restore{BABF27AF-98B1-46AD-8AEE-3507E0DEE2FA}\RP638\A0111186.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a77ef04.qua'!
C:\System Volume Information\_restore{BABF27AF-98B1-46AD-8AEE-3507E0DEE2FA}\RP639\A0112212.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a77ef05.qua'!
C:\System Volume Information\_restore{BABF27AF-98B1-46AD-8AEE-3507E0DEE2FA}\RP665\A0116125.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a77ef07.qua'!
C:\WINDOWS\11_se.exe
[NOTE] The file was moved to '4aa5ef08.qua'!
C:\WINDOWS\id6rjs4r64j6a7io8jkswhvv81.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a7cef3b.qua'!
C:\WINDOWS\ld11.exe
[NOTE] The file was moved to '4a77ef3b.qua'!
C:\WINDOWS\system32\wiawow32.sys
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4aa7ef40.qua'!


End of the scan: Sunday, June 28, 2009 00:17
Used time: 1:05:53 Hour(s)

The scan has been done completely.

12378 Scanned directories
460011 Files were scanned
21 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
20 Files were moved to quarantine
0 Files were renamed
4 Files cannot be scanned
459985 Files not concerned
7819 Archives were scanned
6 Warnings
22 Notes
14871 Objects were scanned with rootkit scan
22 Hidden objects were found


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:42 AM, on 6/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Chronic McBudz\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll (file missing)
O2 - BHO: (no name) - {D7C81E7F-F39C-D644-C9FC-81FA39DB39E1} - C:\WINDOWS\system32\ubop.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video AX Object\smmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163576622312
O22 - SharedTaskScheduler: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6148 bytes
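The rootkit section of the Avira log and the HijackThis log above carry the indicators an analyst reads off a post like this one: registry values a hidden service owns that the scanner could not see through the live Windows API, file names built from a fixed prefix plus a run of random letters, and load points that still exist in the registry but no longer point at a file. As an added example, not part of this thread or of any of the tools named in it, the Python script below pulls those indicators out of log text. The UAC/SKYNET name heuristic (prefix plus at least eight letters) is inferred from the names that appear in this thread, not from any published description of the malware; the sample log text is constructed from lines in the posts above.

```python
"""Triage helpers for rootkit-scan and HijackThis log text (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a slice of the Avira rootkit-scan output from the post above.
AVIRA_ROOTKIT_LOG = r"""
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SKYNETqrdnqqpc\imagepath
[INFO] The registry entry is invisible.
'14871' objects were checked, '22' hidden objects were found.
"""

SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\]+)\\", re.IGNORECASE)


def hidden_services(log_text):
    """Return the service names whose registry values the scan reported as invisible.

    The scanner prints the key path on one line and its verdict on the next, so
    walk the log in adjacent pairs and keep the service component of the path.
    """
    names = set()
    lines = log_text.strip().splitlines()
    for key_line, verdict in zip(lines, lines[1:]):
        m = SERVICE_KEY_RE.match(key_line.strip())
        if m and "invisible" in verdict:
            names.add(m.group(1))
    return sorted(names)


# Heuristic inferred from the dropped-file names in this thread (an assumption, not
# a specification): a UAC or SKYNET prefix, a long run of letters, a known extension.
TDSS_NAME_RE = re.compile(r"^(uac|skynet)[a-z]{8,}\.(dll|sys|dat|log|db)$", re.IGNORECASE)


def looks_like_tdss_dropped_file(path):
    """True if the file's base name fits the random-name pattern seen in the logs."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return TDSS_NAME_RE.match(name) is not None


# Constructed sample: HijackThis lines from the post above, plus one benign O4 line.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll (file missing)
O2 - BHO: (no name) - {D7C81E7F-F39C-D644-C9FC-81FA39DB39E1} - C:\WINDOWS\system32\ubop.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video AX Object\smmain.exe
O22 - SharedTaskScheduler: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hjt(log_text):
    """Flag HijackThis entries that deserve a manual verdict; return them in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "O2" and body.endswith("(file missing)"):
            reason = "orphaned BHO: CLSID still registered but the DLL is gone"
        elif section == "O4" and "\\Policies\\Explorer\\Run" in body:
            reason = "Policies\\Explorer\\Run autorun: rarely used by legitimate software"
        elif section in ("O22", "O24") and body.endswith("(no file)"):
            reason = "load point with no backing file"
        elif section == "O23" and " - - " in body:
            reason = "service with an empty vendor field: verify by hand"
        if reason:
            findings.append(Finding(section, reason, raw))
    return findings


if __name__ == "__main__":
    print("hidden services:", hidden_services(AVIRA_ROOTKIT_LOG))
    for f in triage_hjt(HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Every hit still needs a human verdict: the O23 rule flags slserv.exe only because its vendor field is empty, and the short names in the later logs (uacinit.dll, uactmp.db) fall below the letter-run threshold, so the invisible-service evidence from the rootkit scan remains the stronger signal.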

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 PM

Posted 27 June 2009 - 11:45 PM

Hi McClainJa,

Database version 2297 is an old database. The latest database is 2341.

Update Malwarebytes, run it again and post the log.




We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, it will prevent it from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 28 June 2009 - 12:16 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 McClainJa

McClainJa
  • Topic Starter

  • Members
  • 30 posts
  • Local time:07:51 PM

Posted 29 June 2009 - 01:01 PM

Well, here's the Malwarebytes log. ComboFix isn't doing anything; the process shows in Process Explorer, but it never starts.

Malwarebytes' Anti-Malware 1.38
Database version: 2350
Windows 5.1.2600 Service Pack 2

6/29/2009 1:23:57 PM
mbam-log-2009-06-29 (13-23-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 236514
Time elapsed: 45 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Chronic McBudz\Local Settings\Temp\db.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 PM

Posted 29 June 2009 - 01:13 PM

Hi McClainJa,


Delete the ComboFix you have on your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

You need to disable your Avira AntiVir Antivirus before running ComboFix, it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.




Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#9 McClainJa

McClainJa
  • Topic Starter

  • Members
  • 30 posts
  • Local time:07:51 PM

Posted 29 June 2009 - 01:57 PM

Thanks, I renamed it and it worked. Also, ComboFix restarted my computer in the middle and Avira Guard reactivated; it said 2 of the things ComboFix was doing were viruses, but I told it to ignore them.

ComboFix 09-06-29.01 - Chronic McBudz 06/29/2009 14:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.170 [GMT -4:00]
Running from: c:\documents and settings\Chronic McBudz\Desktop\Newtool1.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chronic McBudz\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Chronic McBudz\Local Settings\Temporary Internet Files\CPV.stt
c:\progra~1\COMMON~1\{3CF2B~1
c:\progra~1\COMMON~1\{4CF2B~1
c:\progra~1\COMMON~1\{4CF2B~2
c:\progra~1\COMMON~1\{4CF2B~3
c:\program files\crosof~1
c:\windows\system32\drivers\UACmpmqlhtpdubquur.sys
c:\windows\system32\mbols~1
c:\windows\system32\SKYNETdjesdmxf.dat
c:\windows\system32\SKYNETxpuwknev.dat
c:\windows\system32\svchosts.lzma
c:\windows\system32\UACielwegbelfooefbmn.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmjgenkdaspkwbjd.dll
c:\windows\system32\UAComylvlyvtysydjo.db
c:\windows\system32\UACqoqvstillirvitx.dll
c:\windows\system32\UACrsbrxdulnqvdlyxmd.dll
c:\windows\system32\UACsbpafjnpbaxxvyusd.log
c:\windows\system32\uactmp.db
c:\windows\system32\UACuibdtfxtbhlrhfpyw.log
c:\windows\system32\UACwrrbkiompjnqhji.dat
c:\windows\system32\UACwsnkipsrcuohbos.dll
c:\windows\system32\UACxfroyxrrkpaiqqa.dll
c:\windows\system32\UACyviwexvkbphhmrmkn.dll
c:\windows\system32\wnsxs~1
c:\windows\ystem~1

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NPF
-------\Service_SKYNETqrdnqqpc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-28 02:28 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-28 02:28 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-28 02:28 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-28 02:28 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-28 02:27 . 2009-06-28 02:27 -------- d-----w- c:\program files\Avira
2009-06-28 02:27 . 2009-06-28 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-28 02:21 . 2009-06-28 02:21 -------- d-----w- c:\program files\JavaFX
2009-06-28 02:20 . 2009-06-28 02:20 -------- d-----w- c:\program files\Sun
2009-06-28 02:20 . 2009-06-28 02:19 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 00:41 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 00:41 . 2009-06-28 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 00:41 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 07:50 . 2009-06-26 07:50 -------- d-sh--w- c:\documents and settings\Chronic McBudz\PrivacIE
2009-06-26 07:50 . 2009-06-26 07:50 -------- d-sh--w- c:\documents and settings\Chronic McBudz\IECompatCache
2009-06-26 07:45 . 2009-06-26 07:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-sh--w- c:\documents and settings\Chronic McBudz\IETldCache
2009-06-26 07:28 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-26 07:28 . 2009-06-26 07:28 -------- d-----w- c:\windows\ie8updates
2009-06-26 07:27 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-26 07:27 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-26 07:27 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 07:27 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 07:25 . 2009-06-26 07:26 -------- dc-h--w- c:\windows\ie8
2009-06-26 04:14 . 2009-06-28 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\13156564
2009-06-21 07:10 . 2009-06-21 07:10 1594550 ----a-w- c:\windows\WANEUninstaller.exe
2009-06-21 07:05 . 2009-06-21 07:05 -------- d-----w- C:\Games
2009-06-18 19:36 . 2009-06-26 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-06-07 03:36 . 1998-06-17 08:00 18944 ----a-w- c:\windows\system32\BORLNDMM.DLL
2009-06-01 22:26 . 2009-06-01 22:26 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-01 22:26 . 2009-06-01 22:26 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 02:19 . 2006-11-21 12:06 -------- d-----w- c:\program files\Java
2009-06-22 20:50 . 2006-12-10 07:11 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\Azureus
2009-06-22 00:44 . 2007-08-31 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-28 20:31 . 2007-03-28 05:07 -------- d-----w- c:\program files\QuickTime
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\program files\IrfanView
2009-05-13 19:24 . 2006-12-10 08:21 -------- d-----w- c:\program files\DivX
2009-05-13 19:21 . 2009-05-13 19:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-13 18:57 . 2006-12-12 10:59 -------- d-----w- c:\program files\Xvid
2009-05-13 05:15 . 2006-06-23 16:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 16:41 . 2006-11-14 20:54 -------- d-s---w- c:\program files\Xfire
2009-05-11 04:44 . 2006-11-14 20:54 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\Xfire
2009-05-08 15:21 . 2007-05-21 17:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-07 15:44 . 2003-04-23 23:52 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 22:21 . 2009-05-06 22:22 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-06 22:21 . 2009-05-06 22:21 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-06 22:18 . 2009-05-06 22:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-06 22:17 . 2009-05-06 22:17 -------- d-----w- c:\program files\Lavasoft
2009-05-06 22:17 . 2008-04-25 07:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-06 03:50 . 2003-04-24 00:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-06 03:45 . 2009-05-06 03:45 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\InstallShield
2009-05-06 03:26 . 2009-05-06 03:26 -------- d-----w- c:\program files\Firaxis Games
2009-05-05 17:20 . 2007-05-16 06:41 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\uTorrent
2009-05-05 16:09 . 2009-05-05 16:09 -------- d-----w- c:\program files\WildTangent
2009-05-02 01:36 . 2006-11-19 08:57 -------- d-----w- c:\program files\Full Tilt Poker
2009-05-01 01:45 . 2006-12-10 07:11 -------- d-----w- c:\program files\Azureus
2009-05-01 00:13 . 2007-08-23 07:05 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\iWin
2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-04-17 09:58 . 2003-04-23 23:52 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:25 . 2006-12-10 08:22 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2006-11-14 21:21 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:25 . 2006-11-14 21:21 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-07-13 06:06 . 2007-07-13 06:06 5 --sha-w- c:\windows\system32\daebdfed_s.dll
2007-07-13 07:20 . 2007-07-13 07:20 23 --sha-w- c:\windows\system32\dbafadffd4_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle Professional"="c:\program files\RAM Idle LE\RAM_XP.exe" [2006-01-17 135168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-05-01 4640768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-01 518488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2003-06-03 496640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/6/2009 6:22 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2009 10:27 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904]
S4 id6rjs4r64j6a7io8jkswhvv80;id6rjs4r64j6a7io8jkswhvv80;c:\windows\id6rjs4r64j6a7io8jkswhvv81.exe --> c:\windows\id6rjs4r64j6a7io8jkswhvv81.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D7C81E7F-F39C-D644-C9FC-81FA39DB39E1} - c:\windows\system32\ubop.dll
HKLM-Run-showicon2k - c:\program files\\eM\Bay Reader\Shwicon2k.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chronic McBudz\Application Data\Mozilla\Firefox\Profiles\o667p8p6.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 14:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mnmsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-06-29 14:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 18:54

Pre-Run: 98,041,286,656 bytes free
Post-Run: 97,987,215,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

232 --- E O F --- 2009-06-28 00:03

P.S. Everything seems to be fine now, no more Yahoo hijacks, and Ad-Aware's not going crazy saying there's viruses anymore.

Edited by McClainJa, 29 June 2009 - 01:58 PM.


#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 PM

Posted 29 June 2009 - 03:13 PM

Hi McClainJa,

Thanks, renamed it and it worked :
Running from: c:\documents and settings\Chronic McBudz\Desktop\Newtool1.exe



Why did you rename it Newtool1.exe and not Combo-Fix? Was there a problem?

You're just making my job more difficult. :thumbup2: You need to follow the instructions exactly. If there is a problem then notify me.


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\daebdfed_s.dll
    • c:\windows\system32\dbafadffd4_r.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Edited by SifuMike, 29 June 2009 - 03:24 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 McClainJa

McClainJa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:51 PM

Posted 29 June 2009 - 04:32 PM

I apologize, I tried the renaming before I read your reply to rename it... Figured it worked for Malwarebytes so it might work for Combo-Fix. And there is no View Tab in my Folder Options, only a File Types tab.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 PM

Posted 29 June 2009 - 06:56 PM

That's OK, you should be able to find the files anyway. ComboFix set the files so you can see them.
Run the scan and post the results.

#13 McClainJa

McClainJa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:51 PM

Posted 29 June 2009 - 09:48 PM

Copy to clipboard didn't work, dunno if it changes the format at all, but I just copied & pasted.


File Name : daebdfed_s.dll
File Size : 5 byte
File Type : Non-ISO extended-ASCII text, with no line terminators, with
MD5 : 2298b1d2377364ec15695e8db63f9c17
SHA1 : 0c121e4bd3e1ae7d28b10f6a3e3bbf2a083a134c

Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2009/06/29 22:35:41 (EDT)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.1 | 20090628180534 | 2009-06-28 | - | 2.247
AhnLab V3 | 2009.06.30.00 | 2009.06.30 | 2009-06-30 | - | 0.793
AntiVir | 8.2.0.199 | 7.1.4.144 | 2009-06-26 | - | 0.279
Antiy | 2.0.18 | 20090629.2580177 | 2009-06-29 | - | 0.119
Arcavir | 2009 | 200906291512 | 2009-06-29 | - | 0.017
Authentium | 5.1.1 | 200906291520 | 2009-06-29 | - | 1.139
AVAST! | 4.7.4 | 090629-0 | 2009-06-29 | - | 0.002
AVG | 8.5.286 | 270.13.0/2209 | 2009-06-29 | - | 3.330
BitDefender | 7.81008.3770387 | 7.26267 | 2009-06-30 | - | 3.631
CA (VET) | 9.0.0.143 | 31.6.6588 | 2009-06-30 | - | 6.979
ClamAV | 0.95.1 | 9519 | 2009-06-30 | - | 0.003
Comodo | 3.9 | 1496 | 2009-06-30 | - | 0.739
CP Secure | 1.1.0.715 | 2009.06.29 | 2009-06-29 | - | 10.941
Dr.Web | 4.44.0.9170 | 2009.06.29 | 2009-06-29 | - | 5.367
F-Prot | 4.4.4.56 | 20090629 | 2009-06-29 | - | 1.113
F-Secure | 5.51.6100 | 2009.06.30.01 | 2009-06-30 | - | 0.036
Fortinet | 2.81-3.117 | 10.549 | 2009-06-29 | - | 0.159
GData | 19.6166/19.380 | 20090630 | 2009-06-30 | - | 4.496
Ikarus | T3.1.01.64 | 2009.06.30.72947 | 2009-06-30 | - | 3.329
JiangMin | 11.0.800 | 2009.06.29 | 2009-06-29 | - | 3.260
Kaspersky | 5.5.10 | 2009.06.30 | 2009-06-30 | - | 0.023
KingSoft | 2009.2.5.15 | 2009.6.30.7 | 2009-06-30 | - | 0.478
McAfee | 5.3.00 | 5661 | 2009-06-29 | - | 2.997
Microsoft | 1.4803 | 2009.06.29 | 2009-06-29 | - | 4.831
mks_vir | 2.01 | 2009.06.29 | 2009-06-29 | - | 3.132
Norman | 6.01.09 | 6.01.00 | 2009-06-26 | - | 4.009
nProtect | 20090629.01 | 4728070 | 2009-06-29 | - | 6.350
Panda | 9.05.01 | 2009.06.29 | 2009-06-29 | - | 3.027
Quick Heal | 10.00 | 2009.06.29 | 2009-06-29 | - | 0.974
Rising | 20.0 | 21.36.04.00 | 2009-06-29 | - | 0.258
Sophos | 2.88.0 | 4.43 | 2009-06-30 | - | 2.522
Sunbelt | 5218 | 5218 | 2009-06-29 | - | 0.969
Symantec | 1.3.0.24 | 20090629.003 | 2009-06-29 | - | 0.257
The Hacker | 6.3.4.3 | v00356 | 2009-06-26 | - | 0.576
Trend Micro | 8.700-1004 | 6.234.12 | 2009-06-29 | - | 0.020
VBA32 | 3.12.10.7 | 20090629.1523 | 2009-06-29 | - | 1.997
ViRobot | 20090629 | 2009.06.29 | 2009-06-29 | - | 0.412
VirusBuster | 4.5.11.10 | 10.107.30/1709365 | 2009-06-29 | - | 2.045
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

*****************************************

File Name : dbafadffd4_r.dll
File Size : 23 byte
File Type : data
MD5 : bf94d9316341f62bdccf738970965b00
SHA1 : 47683c6385e7cd8f4a0c4a168692d650ce23ba2f

Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2009/06/29 22:41:48 (EDT)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.1 | 20090628180534 | 2009-06-28 | - | 2.820
AhnLab V3 | 2009.06.30.00 | 2009.06.30 | 2009-06-30 | - | 0.792
AntiVir | 8.2.0.199 | 7.1.4.144 | 2009-06-26 | - | 1.077
Antiy | 2.0.18 | 20090629.2580177 | 2009-06-29 | - | 0.118
Arcavir | 2009 | 200906291512 | 2009-06-29 | - | 0.019
Authentium | 5.1.1 | 200906291520 | 2009-06-29 | - | 1.120
AVAST! | 4.7.4 | 090629-0 | 2009-06-29 | - | 0.002
AVG | 8.5.286 | 270.13.0/2209 | 2009-06-29 | - | 3.352
BitDefender | 7.81008.3770387 | 7.26267 | 2009-06-30 | - | 3.582
CA (VET) | 9.0.0.143 | 31.6.6588 | 2009-06-30 | - | 8.815
ClamAV | 0.95.1 | 9519 | 2009-06-30 | - | 0.003
Comodo | 3.9 | 1496 | 2009-06-30 | - | 0.731
CP Secure | 1.1.0.715 | 2009.06.29 | 2009-06-29 | - | 10.753
Dr.Web | 4.44.0.9170 | 2009.06.29 | 2009-06-29 | - | 4.771
F-Prot | 4.4.4.56 | 20090629 | 2009-06-29 | - | 1.124
F-Secure | 5.51.6100 | 2009.06.30.01 | 2009-06-30 | - | 4.340
Fortinet | 2.81-3.117 | 10.549 | 2009-06-29 | - | 0.267
GData | 19.6166/19.380 | 20090630 | 2009-06-30 | - | 4.482
Ikarus | T3.1.01.64 | 2009.06.30.72947 | 2009-06-30 | - | 3.361
JiangMin | 11.0.800 | 2009.06.29 | 2009-06-29 | - | 5.071
Kaspersky | 5.5.10 | 2009.06.30 | 2009-06-30 | - | 0.025
KingSoft | 2009.2.5.15 | 2009.6.30.7 | 2009-06-30 | - | 0.522
McAfee | 5.3.00 | 5661 | 2009-06-29 | - | 3.011
Microsoft | 1.4803 | 2009.06.29 | 2009-06-29 | - | 5.776
mks_vir | 2.01 | 2009.06.29 | 2009-06-29 | - | 3.109
Norman | 6.01.09 | 6.01.00 | 2009-06-26 | - | 2.006
nProtect | 20090629.01 | 4728070 | 2009-06-29 | - | 7.518
Panda | 9.05.01 | 2009.06.29 | 2009-06-29 | - | 1.631
Quick Heal | 10.00 | 2009.06.29 | 2009-06-29 | - | 0.993
Rising | 20.0 | 21.36.04.00 | 2009-06-29 | - | 0.266
Sophos | 2.88.0 | 4.43 | 2009-06-30 | - | 2.542
Sunbelt | 5218 | 5218 | 2009-06-29 | - | 0.848
Symantec | 1.3.0.24 | 20090629.003 | 2009-06-29 | - | 0.293
The Hacker | 6.3.4.3 | v00356 | 2009-06-26 | - | 0.586
Trend Micro | 8.700-1004 | 6.234.12 | 2009-06-29 | - | 0.020
VBA32 | 3.12.10.7 | 20090629.1523 | 2009-06-29 | - | 2.035
ViRobot | 20090629 | 2009.06.29 | 2009-06-29 | - | 0.425
VirusBuster | 4.5.11.10 | 10.107.30/1709365 | 2009-06-29 | - | 2.083
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 PM

Posted 29 June 2009 - 09:57 PM

Hi McClainJa,

Those two files are OK. :thumbup2:


You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\id6rjs4r64j6a7io8jkswhvv81.exe

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
id6rjs4r64j6a7io8jkswhvv80


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into NewTool1.exe as you see in the screenshot below.


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
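
As an added example (it is not part of this thread and not a ComboFix feature), here is a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log and flags the three things SifuMike's CFScript above went after: a service whose image file ComboFix could not find, a service with a random-looking name, and a firewall profile switched off. The sample lines are copied from the log posted earlier in this thread; the function names and the random-name heuristic (length plus letter/digit alternation) are my own assumptions, not anything ComboFix does.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the original thread and not a ComboFix feature.
It flags what the helper's CFScript targeted: a service/driver whose image
file is missing ("[?]"), a service/driver with a random-looking name, and a
Windows Firewall profile that has been switched off ("EnableFirewall"= 0).
"""
import re

# Sample lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/6/2009 6:22 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2009 10:27 PM 108289]
S4 id6rjs4r64j6a7io8jkswhvv80;id6rjs4r64j6a7io8jkswhvv80;c:\windows\id6rjs4r64j6a7io8jkswhvv81.exe --> c:\windows\id6rjs4r64j6a7io8jkswhvv81.exe [?]
"""

# ComboFix service line: <start type> <name>;<display name>;<image path> [<date size> or ?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
SECTION_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)')


def random_looking(name, min_len=12, min_switches=4):
    """Heuristic (my assumption) for machine-generated service names such as
    id6rjs4r64j6a7io8jkswhvv80: long, with letters and digits alternating
    repeatedly. Descriptive names (AntiVirSchedulerService) contain no digits
    and never trip it; short names (Lbd) are skipped by the length check."""
    if len(name) < min_len:
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isdigit() != b.isdigit())
    return switches >= min_switches


def triage(log_text):
    """Return a list of (severity, message) findings for the given log text."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            # Remember which registry key the following values belong to.
            section = sec.group("key").lower()
            continue
        fw = FIREWALL_RE.match(line)
        if fw and "firewallpolicy" in section and fw.group("value") == "0":
            profile = section.rsplit("\\", 1)[-1]
            findings.append(("high", f"Windows Firewall disabled for {profile}"))
            continue
        svc = SERVICE_RE.match(line)
        if not svc:
            continue
        name, image, info = svc.group("name"), svc.group("image"), svc.group("info")
        if info.strip() == "?":
            # ComboFix prints "path --> path [?]" when the image file is gone.
            missing = image.split(" --> ")[-1]
            findings.append(("high", f"service {name}: image file not found ({missing})"))
        if random_looking(name):
            findings.append(("medium", f"service {name}: random-looking name, start type {svc.group('start')}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```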

#15 McClainJa

McClainJa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:51 PM

Posted 29 June 2009 - 10:55 PM

ComboFix 09-06-29.01 - Chronic McBudz 06/29/2009 23:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.257 [GMT -4:00]
Running from: c:\documents and settings\Chronic McBudz\Desktop\Newtool1.exe
Command switches used :: c:\documents and settings\Chronic McBudz\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\id6rjs4r64j6a7io8jkswhvv81.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ID6RJS4R64J6A7IO8JKSWHVV80
-------\Service_id6rjs4r64j6a7io8jkswhvv80


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-29 22:29 . 2009-06-29 22:30 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-29 22:29 . 2009-06-29 22:29 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-29 22:29 . 2009-06-29 22:29 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-29 22:29 . 2009-06-29 22:29 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-29 22:29 . 2009-06-29 22:29 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-29 22:29 . 2009-06-29 22:29 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 22:29 . 2009-06-29 22:29 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-29 22:27 . 2009-06-29 22:27 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 22:27 . 2009-06-29 22:27 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-29 22:27 . 2009-06-29 22:27 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-29 22:27 . 2009-06-29 22:27 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-29 22:27 . 2009-06-29 22:27 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-29 22:27 . 2009-06-29 22:27 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-29 22:26 . 2009-06-29 22:26 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-29 22:26 . 2009-06-29 22:26 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-29 22:26 . 2009-06-29 22:26 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-29 22:25 . 2009-06-29 22:25 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-29 18:35 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-29 18:35 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-28 02:28 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-28 02:28 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-28 02:28 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-28 02:28 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-28 02:27 . 2009-06-28 02:27 -------- d-----w- c:\program files\Avira
2009-06-28 02:27 . 2009-06-28 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-28 02:21 . 2009-06-28 02:21 -------- d-----w- c:\program files\JavaFX
2009-06-28 02:20 . 2009-06-28 02:20 -------- d-----w- c:\program files\Sun
2009-06-28 02:20 . 2009-06-28 02:19 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 00:41 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 00:41 . 2009-06-28 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 00:41 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 07:50 . 2009-06-26 07:50 -------- d-sh--w- c:\documents and settings\Chronic McBudz\PrivacIE
2009-06-26 07:50 . 2009-06-26 07:50 -------- d-sh--w- c:\documents and settings\Chronic McBudz\IECompatCache
2009-06-26 07:45 . 2009-06-26 07:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-sh--w- c:\documents and settings\Chronic McBudz\IETldCache
2009-06-26 07:28 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-26 07:28 . 2009-06-26 07:28 -------- d-----w- c:\windows\ie8updates
2009-06-26 07:27 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-26 07:27 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-26 07:27 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 07:27 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 07:25 . 2009-06-26 07:26 -------- dc-h--w- c:\windows\ie8
2009-06-26 04:14 . 2009-06-28 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\13156564
2009-06-21 07:10 . 2009-06-21 07:10 1594550 ----a-w- c:\windows\WANEUninstaller.exe
2009-06-21 07:05 . 2009-06-21 07:05 -------- d-----w- C:\Games
2009-06-18 19:36 . 2009-06-26 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-06-07 03:36 . 1998-06-17 08:00 18944 ----a-w- c:\windows\system32\BORLNDMM.DLL
2009-06-01 22:27 . 2009-06-01 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 02:30 . 2006-12-10 07:11 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\Azureus
2009-06-28 02:19 . 2006-11-21 12:06 -------- d-----w- c:\program files\Java
2009-06-22 00:44 . 2007-08-31 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-01 22:27 . 2009-05-07 00:04 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-28 20:31 . 2007-03-28 05:07 -------- d-----w- c:\program files\QuickTime
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\program files\IrfanView
2009-05-13 19:24 . 2006-12-10 08:21 -------- d-----w- c:\program files\DivX
2009-05-13 19:21 . 2009-05-13 19:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-13 18:57 . 2006-12-12 10:59 -------- d-----w- c:\program files\Xvid
2009-05-13 05:15 . 2006-06-23 16:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 16:41 . 2006-11-14 20:54 -------- d-s---w- c:\program files\Xfire
2009-05-11 04:44 . 2006-11-14 20:54 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\Xfire
2009-05-08 15:21 . 2007-05-21 17:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-07 15:44 . 2003-04-23 23:52 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 22:21 . 2009-05-06 22:22 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-06 22:21 . 2009-05-06 22:21 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-06 22:18 . 2009-05-06 22:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-06 22:17 . 2009-05-06 22:17 -------- d-----w- c:\program files\Lavasoft
2009-05-06 22:17 . 2008-04-25 07:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-06 03:50 . 2003-04-24 00:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-06 03:45 . 2009-05-06 03:45 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\InstallShield
2009-05-06 03:26 . 2009-05-06 03:26 -------- d-----w- c:\program files\Firaxis Games
2009-05-05 17:20 . 2007-05-16 06:41 -------- d-----w- c:\documents and settings\Chronic McBudz\Application Data\uTorrent
2009-05-05 16:09 . 2009-05-05 16:09 -------- d-----w- c:\program files\WildTangent
2009-05-02 01:36 . 2006-11-19 08:57 -------- d-----w- c:\program files\Full Tilt Poker
2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-04-17 09:58 . 2003-04-23 23:52 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:25 . 2006-12-10 08:22 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2006-11-14 21:21 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:25 . 2006-11-14 21:21 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-15 15:11 . 2004-03-06 02:16 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-07-13 06:06 . 2007-07-13 06:06 5 --sha-w- c:\windows\system32\daebdfed_s.dll
2007-07-13 07:20 . 2007-07-13 07:20 23 --sha-w- c:\windows\system32\dbafadffd4_r.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_18.41.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 03:38 . 2009-06-30 03:38 16384 c:\windows\temp\Perflib_Perfdata_57c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle Professional"="c:\program files\RAM Idle LE\RAM_XP.exe" [2006-01-17 135168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-05-01 4640768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2003-06-03 496640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"!CleanupNetMeetingDispDriver"="msconf.dll" - c:\windows\system32\msconf.dll [2004-08-04 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/6/2009 6:22 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2009 10:27 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D7C81E7F-F39C-D644-C9FC-81FA39DB39E1} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chronic McBudz\Application Data\Mozilla\Firefox\Profiles\o667p8p6.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 23:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mnmsrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-06-30 23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 03:53
ComboFix2.txt 2009-06-29 18:54

Pre-Run: 97,372,303,360 bytes free
Post-Run: 97,356,431,360 bytes free

217 --- E O F --- 2009-06-28 00:03



