Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    North Korea's Elites Are Ditching Facebook for Chinese Social Networks

Featured Deal: Pay What You Want: The 2018 Machine Learning Bundle Deal

Photo

Virtumonde / Trojan infection/s

Started by pandammonia , Jun 30 2009 09:17 AM

  • This topic is locked This topic is locked
4 replies to this topic

#1 pandammonia

pandammonia

  • Members
  • 59 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:57 PM

Posted 30 June 2009 - 09:17 AM

Hi all,
Thanks in advance ;)
I have been having a few issues accessing a couple of websites. Ran spybot and malwarebytes, spybot picked up virtumonde and malwarebytes picked up 2 trojans. both were removed but were back next scan. I also have a few services that i have stopped that were very suspicious; ie Boonty Games, and some random character strings.
Anyways; here are my DDS logs...

DDS (Ver_09-06-26.01) - NTFSx86
Run by Windows User at 13:45:38.74 on Tue 30/06/2009
Internet Explorer: 7.0.6000.16851 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.1023.303 [GMT 10:00]

AV: avast! antivirus 4.7.1098 [VPS 090629-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\vVX3000.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Optus Wireless Broadband\Optus Wireless Broadband.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Windows User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = proxy.netspace.net.au:8080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\users\window~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {85F15C3D-87BC-40F1-B234-E7C8B3F83471} = 210.15.254.240,210.15.254.241
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\window~1\appdata\roaming\mozilla\firefox\profiles\6hojxni3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin2.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin3.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin4.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin5.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin6.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin7.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin8.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-1-10 45648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-6-29 1153368]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30 106496]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-25 42280]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 AYLQNJCSOZXXS;AYLQNJCSOZXXS;c:\users\window~1\appdata\local\temp\aylqnjcsozxxs.exe --> c:\users\window~1\appdata\local\temp\AYLQNJCSOZXXS.exe [?]
S4 Boonty Games;Boonty Games;"c:\program files\common files\boonty shared\service\boonty.exe" --> c:\program files\common files\boonty shared\service\Boonty.exe [?]
S4 WPEPVXS;WPEPVXS;c:\users\window~1\appdata\local\temp\wpepvxs.exe --> c:\users\window~1\appdata\local\temp\WPEPVXS.exe [?]

=============== Created Last 30 ================

2009-06-29 17:10 <DIR> --d----- c:\users\window~1\appdata\roaming\SUPERAntiSpyware.com
2009-06-29 17:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-29 17:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-29 17:06 <DIR> --d----- c:\users\window~1\appdata\roaming\Malwarebytes
2009-06-29 17:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 17:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 17:06 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-29 17:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 17:06 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-29 16:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-29 16:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-14 14:45 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-14 14:45 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 14:45 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-14 14:45 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-14 14:45 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 14:45 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-14 14:45 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-06-14 14:45 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-06-14 14:43 2,028,032 a------- c:\windows\system32\win32k.sys
2009-06-14 14:41 696,832 a------- c:\windows\system32\localspl.dll
2009-06-14 14:37 788,992 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-29 18:25 2,484 a------- c:\windows\bthservsdp.dat
2009-06-14 14:34 72,704 a------- c:\windows\system32\admparse.dll
2009-06-14 14:34 827,392 a------- c:\windows\system32\wininet.dll
2009-06-14 14:34 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-06-14 14:34 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-14 14:34 48,128 a------- c:\windows\system32\mshtmler.dll
2009-06-14 14:34 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-14 14:34 56,320 a------- c:\windows\system32\iesetup.dll
2009-05-12 04:15 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-12 04:15 51,200 a------- c:\windows\inf\infpub.dat
2009-05-12 04:15 86,016 a------- c:\windows\inf\infstor.dat
2009-05-07 22:11 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-05-07 22:11 14,848 a------- c:\windows\system32\wshrm.dll
2009-05-07 13:47 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-07 13:44 174 a--sh--- c:\program files\desktop.ini
2009-05-07 13:30 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-05-07 13:30 61,440 a------- c:\windows\system32\winipsec.dll
2009-05-07 13:30 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-05-07 13:30 272,896 a------- c:\windows\system32\polstore.dll
2009-05-07 13:28 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-05-07 13:28 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-05-07 13:28 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-05-07 13:25 376,832 a------- c:\windows\system32\winhttp.dll
2009-05-07 13:23 297,472 a------- c:\windows\system32\gdi32.dll
2009-05-07 13:22 1,060,920 a------- c:\windows\system32\drivers\ntfs.sys
2009-05-07 13:22 41,984 a------- c:\windows\system32\drivers\monitor.sys
2009-05-07 13:21 211,456 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-05-07 13:19 500,736 a------- c:\windows\system32\msdtcprx.dll
2009-05-07 13:19 30,208 a------- c:\windows\system32\xolehlp.dll
2009-05-07 13:18 268,800 a------- c:\windows\system32\es.dll
2009-05-07 13:15 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-05-07 13:15 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-05-07 13:15 2,144,256 a------- c:\windows\apppatch\AcGenral.dll
2009-05-07 13:15 449,536 a------- c:\windows\apppatch\AcSpecfc.dll
2009-05-07 13:15 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-05-07 13:15 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-05-07 13:15 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-05-07 13:15 1,687,040 a------- c:\windows\system32\gameux.dll
2009-05-07 13:13 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-05-07 13:12 1,194,496 a------- c:\windows\system32\msxml3.dll
2009-05-07 13:12 2,048 a------- c:\windows\system32\msxml3r.dll
2009-05-07 13:09 2,048 a------- c:\windows\system32\tzres.dll
2009-05-07 13:05 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-05-07 13:05 7,680 a------- c:\windows\system32\spwmp.dll
2009-05-07 13:05 4,096 a------- c:\windows\system32\dxmasf.dll
2009-05-07 12:58 2,923,520 a------- c:\windows\explorer.exe
2009-05-07 12:56 1,793,536 a------- c:\windows\system32\NlsLexicons0045.dll
2009-05-07 12:56 1,808,896 a------- c:\windows\system32\NlsLexicons0046.dll
2009-05-07 12:56 1,558,016 a------- c:\windows\system32\NlsLexicons0049.dll
2009-05-07 12:56 1,411,072 a------- c:\windows\system32\NlsLexicons0047.dll
2009-05-07 12:56 1,236,992 a------- c:\windows\system32\NlsLexicons0020.dll
2009-05-07 12:52 220,160 a------- c:\windows\system32\drivers\bthport.sys
2009-05-07 12:52 181,760 a------- c:\windows\system32\fsquirt.exe
2009-05-07 12:52 29,184 a------- c:\windows\system32\drivers\BTHUSB.SYS
2009-05-07 12:52 19,456 a------- c:\windows\system32\drivers\bthenum.sys
2009-05-07 12:49 371,712 a------- c:\windows\system32\srcore.dll
2009-05-07 12:49 313,856 a------- c:\windows\system32\rstrui.exe
2009-05-07 12:49 40,960 a------- c:\windows\system32\srclient.dll
2009-05-07 12:49 19,000 a------- c:\windows\system32\kd1394.dll
2009-05-07 12:49 16,384 a------- c:\windows\system32\srdelayed.exe
2009-05-07 12:49 944,184 a------- c:\windows\system32\winload.exe
2009-05-07 12:49 620,088 a------- c:\windows\system32\ci.dll
2009-05-07 12:49 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-05-07 12:49 6,656 a------- c:\windows\system32\kbd106n.dll
2009-05-07 12:43 1,233,408 a------- c:\windows\system32\lsasrv.dll
2009-05-07 12:43 72,704 a------- c:\windows\system32\secur32.dll
2009-05-07 12:43 7,680 a------- c:\windows\system32\lsass.exe
2009-05-07 12:43 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-05-07 12:43 25,600 a------- c:\windows\system32\amxread.dll
2009-05-07 12:43 14,848 a------- c:\windows\system32\apilogen.dll
2009-05-07 12:42 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-05-07 12:42 712,192 a------- c:\windows\system32\WindowsCodecs.dll
2009-05-07 12:42 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-05-07 12:24 441,856 a------- c:\windows\system32\win32spl.dll
2009-05-07 12:24 37,376 a------- c:\windows\system32\printcom.dll
2009-05-07 05:09 290,304 a------- c:\windows\system32\drivers\srv.sys
2009-05-07 05:08 83,968 a------- c:\windows\system32\dnsrslvr.dll
2009-05-07 05:08 24,576 a------- c:\windows\system32\dnscacheugc.exe
2009-05-07 05:07 269,824 a------- c:\windows\system32\schannel.dll
2009-05-07 05:01 622,080 a------- c:\windows\system32\icardagt.exe
2009-05-07 05:01 97,800 a------- c:\windows\system32\infocardapi.dll
2009-05-07 05:01 11,264 a------- c:\windows\system32\icardres.dll
2009-05-07 05:01 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-07 05:00 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-05-07 05:00 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-05-07 05:00 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-05-07 04:41 96,760 a------- c:\windows\system32\dfshim.dll
2009-05-07 04:41 41,984 a------- c:\windows\system32\netfxperf.dll
2009-05-07 04:41 282,112 a------- c:\windows\system32\mscoree.dll
2009-05-07 04:41 158,720 a------- c:\windows\system32\mscorier.dll
2009-05-07 04:41 83,968 a------- c:\windows\system32\mscories.dll
2009-05-07 04:24 2,855,424 a------- c:\windows\system32\mf.dll
2009-05-07 04:24 98,816 a------- c:\windows\system32\mfps.dll
2009-05-07 04:24 52,736 a------- c:\windows\system32\rrinstaller.exe
2009-05-07 04:24 24,576 a------- c:\windows\system32\mfpmp.exe
2009-05-07 04:24 2,048 a------- c:\windows\system32\mferror.dll
2009-05-07 04:24 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-05-07 04:24 94,720 a------- c:\windows\system32\logagent.exe
2009-05-07 04:23 737,792 a------- c:\windows\system32\inetcomm.dll
2009-05-07 04:23:22 A------- 84,480 c:\windows\system32\INETRES.dll
2007-12-12 21:00 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-12-12 21:00 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-12-12 21:00 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 13:46:31.70 ===============

Attached Files


BC AdBot (Login to Remove)

 

#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 04 July 2009 - 01:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 pandammonia

pandammonia
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
    •  
  • Gender:Male
  • Local time:02:57 PM

Posted 06 July 2009 - 11:05 AM

Hi again,
Thanks for the reply. As stated my problem remains the same, yet am having more issues with firefox, eg- random warnings and errors about parsing values and other stuff, buttons disappear like back, home, etc. Have tried disabling all addons but it still happens randomly.
Anyway, here's more dds logs...

DDS (Ver_09-06-26.01) - NTFSx86
Run by Windows User at 1:59:56.06 on Tue 07/07/2009
Internet Explorer: 7.0.6000.16851 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.1023.174 [GMT 10:00]

AV: avast! antivirus 4.7.1098 [VPS 090705-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\vVX3000.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Optus Wireless Broadband\Optus Wireless Broadband.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Windows User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12

\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft

shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\users\window~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program

files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program

files\logitech\setpoint\SetPoint.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12

\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12

\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {2462039F-A3DA-4366-9096-AA313EA93BF4} = 61.88.88.88 61.88.88.88
TCP: {85F15C3D-87BC-40F1-B234-E7C8B3F83471} = 210.15.254.240,210.15.254.241
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12

\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12

\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\window~1\appdata\roaming\mozilla\firefox\profiles\6hojxni3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-

GB:official
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin2.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin3.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin4.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin5.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin6.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin7.dll
FF - plugin: c:\program files\vistacodecpack\qt\plugins\npqtplugin8.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-1-10 45648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-6-29 1153368]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30

106496]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-25 42280]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 AYLQNJCSOZXXS;AYLQNJCSOZXXS;c:\users\window~1\appdata\local\temp\aylqnjcsozxxs.exe --> c:\users\window~1

\appdata\local\temp\AYLQNJCSOZXXS.exe [?]
S4 Boonty Games;Boonty Games;"c:\program files\common files\boonty shared\service\boonty.exe" --> c:\program files\common

files\boonty shared\service\Boonty.exe [?]
S4 WPEPVXS;WPEPVXS;c:\users\window~1\appdata\local\temp\wpepvxs.exe --> c:\users\window~1\appdata\local\temp\WPEPVXS.exe [?]

=============== Created Last 30 ================

2009-07-01 02:39 <DIR> --d----- C:\etax2009
2009-06-29 17:10 <DIR> --d----- c:\users\window~1\appdata\roaming\SUPERAntiSpyware.com
2009-06-29 17:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-29 17:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-29 17:06 <DIR> --d----- c:\users\window~1\appdata\roaming\Malwarebytes
2009-06-29 17:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 17:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 17:06 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-29 17:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 17:06 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-29 16:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-29 16:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-14 14:45 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-14 14:45 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 14:45 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-14 14:45 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-14 14:45 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 14:45 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-14 14:45 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-06-14 14:45 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-06-14 14:43 2,028,032 a------- c:\windows\system32\win32k.sys
2009-06-14 14:41 696,832 a------- c:\windows\system32\localspl.dll
2009-06-14 14:37 788,992 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-29 18:25 2,484 a------- c:\windows\bthservsdp.dat
2009-06-14 14:34 72,704 a------- c:\windows\system32\admparse.dll
2009-06-14 14:34 827,392 a------- c:\windows\system32\wininet.dll
2009-06-14 14:34 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-06-14 14:34 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-14 14:34 48,128 a------- c:\windows\system32\mshtmler.dll
2009-06-14 14:34 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-14 14:34 56,320 a------- c:\windows\system32\iesetup.dll
2009-05-12 04:15 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-12 04:15 51,200 a------- c:\windows\inf\infpub.dat
2009-05-12 04:15 86,016 a------- c:\windows\inf\infstor.dat
2009-05-07 22:11 14,848 a------- c:\windows\system32\wshrm.dll
2009-05-07 13:47 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-07 13:44 174 a--sh--- c:\program files\desktop.ini
2009-05-07 13:30 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-05-07 13:30 61,440 a------- c:\windows\system32\winipsec.dll
2009-05-07 13:30 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-05-07 13:30 272,896 a------- c:\windows\system32\polstore.dll
2009-05-07 13:28 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-05-07 13:28 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-05-07 13:28 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-05-07 13:25 376,832 a------- c:\windows\system32\winhttp.dll
2009-05-07 13:23 297,472 a------- c:\windows\system32\gdi32.dll
2009-05-07 13:19 500,736 a------- c:\windows\system32\msdtcprx.dll
2009-05-07 13:19 30,208 a------- c:\windows\system32\xolehlp.dll
2009-05-07 13:18 268,800 a------- c:\windows\system32\es.dll
2009-05-07 13:15 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-05-07 13:15 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-05-07 13:15 2,144,256 a------- c:\windows\apppatch\AcGenral.dll
2009-05-07 13:15 449,536 a------- c:\windows\apppatch\AcSpecfc.dll
2009-05-07 13:15 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-05-07 13:15 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-05-07 13:15 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-05-07 13:15 1,687,040 a------- c:\windows\system32\gameux.dll
2009-05-07 13:13 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-05-07 13:12 1,194,496 a------- c:\windows\system32\msxml3.dll
2009-05-07 13:12 2,048 a------- c:\windows\system32\msxml3r.dll
2009-05-07 13:09 2,048 a------- c:\windows\system32\tzres.dll
2009-05-07 13:05 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-05-07 13:05 7,680 a------- c:\windows\system32\spwmp.dll
2009-05-07 13:05 4,096 a------- c:\windows\system32\dxmasf.dll
2009-05-07 12:58 2,923,520 a------- c:\windows\explorer.exe
2009-05-07 12:56 1,793,536 a------- c:\windows\system32\NlsLexicons0045.dll
2009-05-07 12:56 1,808,896 a------- c:\windows\system32\NlsLexicons0046.dll
2009-05-07 12:56 1,558,016 a------- c:\windows\system32\NlsLexicons0049.dll
2009-05-07 12:56 1,411,072 a------- c:\windows\system32\NlsLexicons0047.dll
2009-05-07 12:56 1,236,992 a------- c:\windows\system32\NlsLexicons0020.dll
2009-05-07 12:52 181,760 a------- c:\windows\system32\fsquirt.exe
2009-05-07 12:49 371,712 a------- c:\windows\system32\srcore.dll
2009-05-07 12:49 313,856 a------- c:\windows\system32\rstrui.exe
2009-05-07 12:49 40,960 a------- c:\windows\system32\srclient.dll
2009-05-07 12:49 19,000 a------- c:\windows\system32\kd1394.dll
2009-05-07 12:49 16,384 a------- c:\windows\system32\srdelayed.exe
2009-05-07 12:49 944,184 a------- c:\windows\system32\winload.exe
2009-05-07 12:49 620,088 a------- c:\windows\system32\ci.dll
2009-05-07 12:49 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-05-07 12:49 6,656 a------- c:\windows\system32\kbd106n.dll
2009-05-07 12:43 1,233,408 a------- c:\windows\system32\lsasrv.dll
2009-05-07 12:43 72,704 a------- c:\windows\system32\secur32.dll
2009-05-07 12:43 7,680 a------- c:\windows\system32\lsass.exe
2009-05-07 12:43 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-05-07 12:43 25,600 a------- c:\windows\system32\amxread.dll
2009-05-07 12:43 14,848 a------- c:\windows\system32\apilogen.dll
2009-05-07 12:42 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-05-07 12:42 712,192 a------- c:\windows\system32\WindowsCodecs.dll
2009-05-07 12:42 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-05-07 12:24 441,856 a------- c:\windows\system32\win32spl.dll
2009-05-07 12:24 37,376 a------- c:\windows\system32\printcom.dll
2009-05-07 05:08 83,968 a------- c:\windows\system32\dnsrslvr.dll
2009-05-07 05:08 24,576 a------- c:\windows\system32\dnscacheugc.exe
2009-05-07 05:07 269,824 a------- c:\windows\system32\schannel.dll
2009-05-07 05:01 622,080 a------- c:\windows\system32\icardagt.exe
2009-05-07 05:01 97,800 a------- c:\windows\system32\infocardapi.dll
2009-05-07 05:01 11,264 a------- c:\windows\system32\icardres.dll
2009-05-07 05:01 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-07 05:00 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-05-07 05:00 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-05-07 05:00 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-05-07 04:41 96,760 a------- c:\windows\system32\dfshim.dll
2009-05-07 04:41 41,984 a------- c:\windows\system32\netfxperf.dll
2009-05-07 04:41 282,112 a------- c:\windows\system32\mscoree.dll
2009-05-07 04:41 158,720 a------- c:\windows\system32\mscorier.dll
2009-05-07 04:41 83,968 a------- c:\windows\system32\mscories.dll
2009-05-07 04:24 2,855,424 a------- c:\windows\system32\mf.dll
2009-05-07 04:24 98,816 a------- c:\windows\system32\mfps.dll
2009-05-07 04:24 52,736 a------- c:\windows\system32\rrinstaller.exe
2009-05-07 04:24 24,576 a------- c:\windows\system32\mfpmp.exe
2009-05-07 04:24 2,048 a------- c:\windows\system32\mferror.dll
2009-05-07 04:24 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-05-07 04:24 94,720 a------- c:\windows\system32\logagent.exe
2009-05-07 04:23 737,792 a------- c:\windows\system32\inetcomm.dll
2009-05-07 04:23 84,480 a------- c:\windows\system32\INETRES.dll
2009-05-07 04:22 1,645,568 a------- c:\windows\system32\connect.dll
2009-05-07 04:22 1,327,104 a------- c:\windows\system32\quartz.dll
2009-05-07 04:20 99,840 a------- c:\windows\system32\poqexec.exe
2009-05-07 04:19 1,341,440 a------- c:\windows\system32\msxml6.dll
2009-05-07 04:19 2,048 a------- c:\windows\system32\msxml6r.dll
2009-04-11 00:40 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-04-11 00:40 83,456 a------- c:\windows\system32\wudriver.dll
2009-04-11 00:39:44 A------- 162,064 c:\windows\system32\wuwebv.dll
2007-12-12 21:00 16,384 a--sh---

c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-12-12 21:00 32,768 a--sh---

c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-12-12 21:00 16,384 a--sh---

c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 2:00:53.97 ===============

Attached Files


#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
    •  
  • Location:Mikado Michigan
  • Local time:11:57 PM

Posted 08 July 2009 - 06:36 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.


Can you update Malwarebytes' Anti-Malware and run a new scan, but make it a full scan instead of a quick scan. Also updater Superantispyware and run a full scan with it as well. Post both logs when they are done.


* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
    •  
  • Location:Mikado Michigan
  • Local time:11:57 PM

Posted 24 July 2009 - 10:55 AM

This thread is closed due to inactivity.
If you need this topic reopened, please send me a PM. This applies to the thread originator only, all others start a new thread.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image
Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·