
Kungs Hijack - Roottoolkit removal success?


  • This topic is locked
21 replies to this topic

#1 publicsectorslave

Posted 01 July 2009 - 08:21 PM

Wondering if someone could look at my DDS logs and let me know if everything looks hunky-dory.

I had a hijack attempt on Monday morning and believe that with the help of my brother we removed it with UnHackMe. I remember that all the files that were quarantined started with "kungs". I'd feel a lot better knowing that if I do online banking my information isn't compromised.

Thanks in advance for the great forum you have here.

thks
joe

PS: OB - I was a bit premature in asking for my original enquiry to be deleted.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Joe Videki at 20:58:31.50 on 01/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2265 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\jrun\bin\jrun.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Joe Videki\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.geocities.com/jvideki
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hueytray.lnk - c:\program files\pantone\huey\hueyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\suitca~1.lnk - c:\windows\installer\{7451c9b5-3e10-4e59-ad37-ab7438d84288}\_01D57C9244869186542E24.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_13.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244253751593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SENSLogon2 - {a59313b3-a9d1-401b-9c6f-d54dadda32be} - c:\program files\common files\sens\SENSLogon2.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joevid~1\applic~1\mozilla\firefox\profiles\lkobswik.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/jvideki/TMWOJV-Index.html
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-11-9 57344]
R2 Cold Fusion Application Server;Cold Fusion Application Server;c:\cfusion\bin\cfserver.exe [2008-9-23 3485696]
R2 Cold Fusion Executive;ColdFusion Executive;c:\cfusion\bin\cfexec.exe [2008-9-23 430080]
R2 Cold Fusion RDS;ColdFusion RDS;c:\cfusion\bin\cfrdsservice.exe [2008-9-23 917504]
R2 ColdFusion Management Repository;ColdFusion Management Repository Server;c:\cfusion\jrun\bin\jrun.exe [2008-9-23 53248]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [2009-4-7 12416]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-9-24 1373480]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-11-8 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-11-8 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-8 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-11-8 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-6-29 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-6-29 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-6-29 280392]
S2 gupdate1c9b6febd7505e2;Google Update Service (gupdate1c9b6febd7505e2);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 CPSHV;CPSHV;c:\docume~1\joevid~1\locals~1\temp\cpshv.exe --> c:\docume~1\joevid~1\locals~1\temp\CPSHV.exe [?]
S3 RTCore32;RTCore32;c:\documents and settings\joe videki\my documents\rmclock_230_bin_upd1\RTCore32.sys [2008-9-18 4608]
S4 BOCore;BOCore;c:\program files\comodo\cboclean\bocore.exe --> c:\program files\comodo\cboclean\BOCORE.exe [?]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-06-30 16:41 0 a------- c:\windows\system32\GKO
2009-06-30 14:04 <DIR> --d----- C:\RootkitNO
2009-06-30 12:37 2 a--shrot c:\windows\winstart.bat
2009-06-30 12:37 <DIR> --d----- c:\program files\UnHackMe
2009-06-30 11:30 389,120 a------- c:\windows\system32\CF25724.exe
2009-06-30 11:30 <DIR> --ds---- C:\ComboFix
2009-06-29 12:31 <DIR> --d----- c:\program files\VS Revo Group
2009-06-29 12:24 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-29 11:56 <DIR> --d----- C:\cmdcons
2009-06-29 11:54 161,792 a------- c:\windows\SWREG.exe
2009-06-29 11:54 155,136 a------- c:\windows\PEV.exe
2009-06-29 11:54 98,816 a------- c:\windows\sed.exe
2009-06-29 08:50 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-06-28 20:27 <DIR> --d----- c:\program files\Masc software
2009-06-28 20:26 <DIR> --d----- c:\program files\MASC Software BV
2009-06-25 06:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-23 17:00 <DIR> --d----- c:\windows\system32\AGEIA
2009-06-23 16:59 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-06-22 12:19 <DIR> --d----- c:\documents and settings\joe videki\Ekahau Site Survey
2009-06-22 12:19 <DIR> --d----- c:\program files\Ekahau
2009-06-21 21:48 <DIR> --dsh--- c:\documents and settings\joe videki\IECompatCache
2009-06-18 17:20 <DIR> --d----- c:\program files\common files\SENS
2009-06-13 21:38 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-06-10 02:12 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 02:12 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-08 12:52 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-08 12:52 159,232 a------- c:\windows\system32\ptpusd.dll
2009-06-08 10:27 <DIR> --dsh--- c:\documents and settings\joe videki\PrivacIE
2009-06-06 07:08 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-06 07:08 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-06 01:38 <DIR> --dsh--- c:\documents and settings\joe videki\IETldCache
2009-06-05 23:25 <DIR> --d----- c:\windows\ie8updates
2009-06-05 23:24 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-05 23:22 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-07-01 19:38 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-01 19:37 202,448 a------- c:\windows\system32\PnkBstrB.exe
2009-07-01 13:07 73,040 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-29 12:13 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-29 12:13 182,656 a------- c:\windows\system32\dllcache\cache\ndis.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 08:17 3,616 a------- c:\docume~1\joevid~1\applic~1\wklnhst.dat
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-12 20:33 110,114 a------- c:\windows\system32\nvModes.dat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 00:30 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\dllcache\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-20 11:21 356 a------- C:\drmHeader.bin
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-26 14:09 60,744 a------- c:\documents and settings\joe videki\g2mdlhlpx.exe
2008-11-03 18:17 243,204 a------- c:\program files\unlocker1.8.7.exe
2008-11-02 13:18 50,688 a------- c:\program files\ATF-Cleaner.exe
2008-09-19 17:57 65,536 a---h--- c:\docume~1\joevid~1\applic~1\noBevelButton.DLL
2008-09-19 17:57 33,792 a---h--- c:\docume~1\joevid~1\applic~1\PLUtil.DLL
2008-09-19 17:57 7,320,576 a---h--- c:\docume~1\joevid~1\applic~1\Mkz1REALA.dll
2008-09-19 17:57 88,576 a---h--- c:\docume~1\joevid~1\applic~1\rbap550.dll
2008-09-19 17:57 57,344 a---h--- c:\docume~1\joevid~1\applic~1\groundControl.DLL
2008-09-19 17:57 28,160 a---h--- c:\docume~1\joevid~1\applic~1\fcPlacard.DLL
2007-12-28 02:21 401,720 a------- c:\program files\HiJackThis.exe
2007-11-24 13:46 76 ---shr-- c:\windows\CT4CET.bin
2008-10-08 13:39 8 ---shr-- c:\windows\system32\2A0DBD0899.sys
2008-10-08 13:39 1,056 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:58:37.82 ===============
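The post above asks a reviewer to eyeball a DDS log for anything suspicious. What an experienced responder does on that first pass is mechanical enough to write down, so here it is as an added example script. It is not from the thread, from BleepingComputer or from the DDS tool; the section names it keys on are the banners visible in the log above, the rules (a service binary under a temp or user-profile directory, a service line where DDS printed `[?]` instead of a date and size, an orphaned shell hook marked `No File`, an autostart entry launched by bare file name, hidden+system or zero-byte files in the Windows directories) are my own heuristics chosen for illustration, and the sample input is a constructed excerpt of lines from the posted log. A flagged line means "establish what this file is", not "this is malware": several of the lines it flags here are ordinary licensing or hardware-tool files.

```python
"""Heuristic first pass over a DDS log (the format posted in this thread). Added example, not from
the thread, the DDS tool or BleepingComputer; every rule is an assumption chosen for illustration."""
import re
from typing import Dict, Iterator, List, Tuple

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                                    # "==== Find3M ===="
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[([^\]]*)\]$")        # name, path, [date size]
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")  # size, attrs, path
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\]\s+(.+)$")                           # u = user hive, m = machine
TEMP_HINTS = ("\\temp\\", "\\locals~1\\temp")
PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\", "\\my documents\\")


def parse_sections(text: str) -> Dict[str, List[str]]:
    sections, current = {}, "HEADER"
    for line in filter(None, map(str.strip, text.splitlines())):
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)           # text between the '=' runs is the section title
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def check_hjt(lines: List[str]) -> Iterator[Tuple[str, str, str]]:
    """Autostart entries: orphaned hooks, and programs launched by bare file name."""
    for line in lines:
        if line.endswith("- No File"):
            yield ("Pseudo HJT Report", line, "hook registered but its DLL is missing; identify the CLSID before deciding")
        m = RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m.groups()
        first, _, rest = cmd.partition(" ")
        if first.lower() in ("rundll32.exe", "rundll32") and rest:
            target = rest.split(",")[0].strip('"')  # rundll32 is only a host; the DLL is what runs
        elif cmd.startswith('"'):
            target = cmd[1:].split('"')[0]          # quoted full path
        else:
            target = first
        if "\\" not in target:
            yield ("Pseudo HJT Report", line, f"{name}: '{target}' has no path, so it is found via the search path")


def check_services(lines: List[str]) -> Iterator[Tuple[str, str, str]]:
    """Services/drivers: unreadable files, temp-directory binaries, user-profile paths."""
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, path, stamp = m.groups()
        low, reasons = path.lower(), []
        if stamp.strip() == "?":
            reasons.append("'[?]' instead of date/size: DDS could not read the file")
        if any(h in low for h in TEMP_HINTS):
            reasons.append("binary lives in a temp directory")
        elif any(h in low for h in PROFILE_HINTS):
            reasons.append("binary lives under a user profile, not Program Files/system32")
        if reasons:
            yield ("SERVICES / DRIVERS", line, f"{name}: " + "; ".join(reasons))


def check_files(section: str, lines: List[str]) -> Iterator[Tuple[str, str, str]]:
    """File listings: hidden+system cloaking and empty files in system32."""
    for line in lines:
        m = FILE_RE.match(line)
        if not m or m.group(1) == "<DIR>":
            continue
        size, attrs, path = m.groups()
        reasons = []
        if "s" in attrs and "h" in attrs:
            reasons.append("hidden+system attributes (licensing files and rootkits both use them: establish the owner)")
        if size == "0" and "\\system32\\" in path.lower():
            reasons.append("zero-byte file in system32")
        if reasons:
            yield (section, line, "; ".join(reasons))


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Run every check over its own section; returns (section, log line, reason) tuples."""
    sections = parse_sections(text)
    findings = list(check_hjt(sections.get("Pseudo HJT Report", [])))
    findings += check_services(sections.get("SERVICES / DRIVERS", []))
    for name in ("Created Last 30", "Find3M"):
        findings += check_files(name, sections.get(name, []))
    return findings


# Constructed sample input: lines excerpted from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
============= SERVICES / DRIVERS ===============
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-11-9 57344]
S3 CPSHV;CPSHV;c:\docume~1\joevid~1\locals~1\temp\cpshv.exe --> c:\docume~1\joevid~1\locals~1\temp\CPSHV.exe [?]
S3 RTCore32;RTCore32;c:\documents and settings\joe videki\my documents\rmclock_230_bin_upd1\RTCore32.sys [2008-9-18 4608]
=============== Created Last 30 ================
2009-06-30 16:41 0 a------- c:\windows\system32\GKO
2009-06-30 14:04 <DIR> --d----- C:\RootkitNO
2009-06-30 12:37 2 a--shrot c:\windows\winstart.bat
==================== Find3M ====================
2008-10-08 13:39 1,056 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
"""
```

Running `triage(SAMPLE_LOG)` flags seven of the fourteen sample lines and leaves the fully-pathed Trend Micro entry, the rundll32 call that names its DLL by full path, the licensing service in system32, the directory entry and win32k.sys alone. The parse is deliberately loose (lazy match on the path, then the bracketed stamp) because the `-->` form DDS uses when a file cannot be found would otherwise break a stricter pattern.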


#2 etavares

  • Malware Response Team

Posted 06 July 2009 - 09:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 publicsectorslave

  • Topic Starter

Posted 06 July 2009 - 10:50 PM

Used UnHackMe, Malwarebytes' Anti-Malware, ComboFix, Spybot, CleanUp, CCleaner, ATF Cleaner to rid myself of a hijack attempt....
after trying to load a portable version of Word.

Not sure what some of the entries are like "sndlogon2", does my java look clean?
Can I remove "Microsoft's Input Message Editor software and related entries"? As I use thunderbird and Firefox rather than IE and Outlook.

I have an old HijackThis log from Nov 2008 and there appear to be a few entries that I'm not all that familiar with, especially the multiple instances of svchost not having any directory info.

My computer seems to be running OK, I would just like an "expert" to see if any entries look suspicious and need further removal.
Concerned that my keystrokes may be being tracked... or so the screen said.


thks
joe



DDS (Ver_09-06-26.01) - NTFSx86
Run by Joe at 23:37:49.70 on 06/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2076 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\WINDOWS\Explorer.EXE
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Joe Videki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.geocities.com/jvideki
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hueytray.lnk - c:\program files\pantone\huey\hueyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\suitca~1.lnk - c:\windows\installer\{7451c9b5-3e10-4e59-ad37-ab7438d84288}\_01D57C9244869186542E24.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_13.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244253751593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SENSLogon2 - {a59313b3-a9d1-401b-9c6f-d54dadda32be} - c:\program files\common files\sens\SENSLogon2.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joevid~1\applic~1\mozilla\firefox\profiles\lkobswik.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/jvideki/TMWOJV-Index.html
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-11-9 57344]
R2 Cold Fusion Application Server;Cold Fusion Application Server;c:\cfusion\bin\cfserver.exe [2008-9-23 3485696]
R2 Cold Fusion Executive;ColdFusion Executive;c:\cfusion\bin\cfexec.exe [2008-9-23 430080]
R2 Cold Fusion RDS;ColdFusion RDS;c:\cfusion\bin\cfrdsservice.exe [2008-9-23 917504]
R2 ColdFusion Management Repository;ColdFusion Management Repository Server;c:\cfusion\jrun\bin\jrun.exe [2008-9-23 53248]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [2009-4-7 12416]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-9-24 1373480]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-11-8 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-11-8 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-8 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-11-8 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-6-29 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-6-29 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-6-29 280392]
S2 gupdate1c9b6febd7505e2;Google Update Service (gupdate1c9b6febd7505e2);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 CPSHV;CPSHV;c:\docume~1\joevid~1\locals~1\temp\cpshv.exe --> c:\docume~1\joevid~1\locals~1\temp\CPSHV.exe [?]
S3 RTCore32;RTCore32;c:\documents and settings\joe videki\my documents\rmclock_230_bin_upd1\RTCore32.sys [2008-9-18 4608]
S4 BOCore;BOCore;c:\program files\comodo\cboclean\bocore.exe --> c:\program files\comodo\cboclean\BOCORE.exe [?]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-07-05 11:50 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-05 09:48 <DIR> --d----- c:\program files\Seagate
2009-07-03 07:18 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-02 12:23 <DIR> --d----- c:\program files\iPod
2009-07-02 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 16:41 0 a------- c:\windows\system32\GKO
2009-06-30 14:04 <DIR> --d----- C:\RootkitNO
2009-06-30 12:37 2 a--shrot c:\windows\winstart.bat
2009-06-30 12:37 <DIR> --d----- c:\program files\UnHackMe
2009-06-30 11:30 389,120 a------- c:\windows\system32\CF25724.exe
2009-06-30 11:30 <DIR> --ds---- C:\ComboFix
2009-06-29 12:31 <DIR> --d----- c:\program files\VS Revo Group
2009-06-29 12:24 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-29 11:56 <DIR> --d----- C:\cmdcons
2009-06-29 11:54 161,792 a------- c:\windows\SWREG.exe
2009-06-29 11:54 155,136 a------- c:\windows\PEV.exe
2009-06-29 11:54 98,816 a------- c:\windows\sed.exe
2009-06-29 08:50 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-06-28 20:27 <DIR> --d----- c:\program files\Masc software
2009-06-28 20:26 <DIR> --d----- c:\program files\MASC Software BV
2009-06-25 06:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-23 17:00 <DIR> --d----- c:\windows\system32\AGEIA
2009-06-23 16:59 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-06-22 12:19 <DIR> --d----- c:\documents and settings\joe videki\Ekahau Site Survey
2009-06-22 12:19 <DIR> --d----- c:\program files\Ekahau
2009-06-21 21:48 <DIR> --dsh--- c:\documents and settings\joe videki\IECompatCache
2009-06-18 17:20 <DIR> --d----- c:\program files\common files\SENS
2009-06-13 21:38 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-06-10 02:12 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 02:12 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-08 12:52 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-08 12:52 159,232 a------- c:\windows\system32\ptpusd.dll
2009-06-08 10:27 <DIR> --dsh--- c:\documents and settings\joe videki\PrivacIE

==================== Find3M ====================

2009-07-06 21:22 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-06 21:22 202,448 a------- c:\windows\system32\PnkBstrB.exe
2009-07-06 09:18 73,040 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-02 12:13 3,944 a------- c:\docume~1\joevid~1\applic~1\wklnhst.dat
2009-06-29 12:13 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-29 12:13 182,656 a------- c:\windows\system32\dllcache\cache\ndis.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-12 20:33 110,114 a------- c:\windows\system32\nvModes.dat
2009-05-12 01:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 00:30 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\dllcache\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-20 11:21 356 a------- C:\drmHeader.bin
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-26 14:09 60,744 a------- c:\documents and settings\joe videki\g2mdlhlpx.exe
2008-11-03 18:17 243,204 a------- c:\program files\unlocker1.8.7.exe
2008-11-02 13:18 50,688 a------- c:\program files\ATF-Cleaner.exe
2008-09-19 17:57 65,536 a---h--- c:\docume~1\joevid~1\applic~1\noBevelButton.DLL
2008-09-19 17:57 33,792 a---h--- c:\docume~1\joevid~1\applic~1\PLUtil.DLL
2008-09-19 17:57 7,320,576 a---h--- c:\docume~1\joevid~1\applic~1\Mkz1REALA.dll
2008-09-19 17:57 88,576 a---h--- c:\docume~1\joevid~1\applic~1\rbap550.dll
2008-09-19 17:57 57,344 a---h--- c:\docume~1\joevid~1\applic~1\groundControl.DLL
2008-09-19 17:57 28,160 a---h--- c:\docume~1\joevid~1\applic~1\fcPlacard.DLL
2007-12-28 02:21 401,720 a------- c:\program files\HiJackThis.exe
2007-11-24 13:46 76 ---shr-- c:\windows\CT4CET.bin
2008-10-08 13:39 8 ---shr-- c:\windows\system32\2A0DBD0899.sys
2008-10-08 13:39 1,056 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:37:58.37 ===============

Edited by publicsectorslave, 06 July 2009 - 11:04 PM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:49 AM

Posted 08 July 2009 - 12:42 PM

Hello.

May I see the Combofix report?

It should be located in your system drive (usually C:\) and named Combofix.txt.

That "kungxxxx" is a rootkit backdoor infection. I will describe that in more detail in my next post once I see the Combofix report.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 publicsectorslave

publicsectorslave
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 08 July 2009 - 01:42 PM

As requested Extremeboy....
Appreciate any assistance you can offer.

It appears that I have 3 combofix.txt files (Combofix2.txt, combofix3.txt) and a combofix-quarantined-files.txt

This is the most recent one, from June 30th, the day after the hijack attempt occurred.

ComboFix 09-06-29.04 - Joe 30/06/2009 11:31:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2218 [GMT -4:00]
Running from: C:\Documents and Settings\Joe Videki\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-29 16:31:29 . 2009-06-29 16:31:29 0 d-----w- C:\Program Files\VS Revo Group
2009-06-29 15:17:09 . 2009-06-29 15:23:52 117760 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-29 13:46:46 . 2009-06-29 13:46:46 0 d-sh--w- C:\WINDOWS\system32\config\systemprofile\IETldCache
2009-06-29 13:37:56 . 2009-06-29 13:37:56 0 d-sh--w- C:\WINDOWS\system32\config\systemprofile\PrivacIE
2009-06-29 13:35:59 . 2009-06-29 13:35:59 0 d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2009-06-29 12:50:06 . 2009-06-29 16:05:08 182656 ----a-w- C:\WINDOWS\system32\dllcache\ndis.sys
2009-06-29 00:27:44 . 2009-06-29 00:27:44 7406 ----a-r- C:\Documents and Settings\Joe Videki\Application Data\Microsoft\Installer\{FF0F8E63-36EC-4180-8DF2-0F3CE3D91966}\sudokupuzzel.exe
2009-06-29 00:27:44 . 2009-06-29 00:27:44 45056 ----a-r- C:\Documents and Settings\Joe Videki\Application Data\Microsoft\Installer\{FF0F8E63-36EC-4180-8DF2-0F3CE3D91966}\_A5C5CF1EA2FB_4796_84A7_A253DE2030D5.exe
2009-06-29 00:27:37 . 2009-06-29 00:27:37 0 d-----w- C:\Program Files\Masc software
2009-06-29 00:26:54 . 2009-06-29 00:26:54 0 d-----w- C:\Program Files\MASC Software BV
2009-06-25 10:38:33 . 2009-06-25 10:38:10 410984 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-06-25 10:37:10 . 2009-06-25 10:37:10 152576 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-23 21:00:17 . 2009-06-23 21:00:17 0 d-----w- C:\WINDOWS\system32\AGEIA
2009-06-23 21:00:17 . 2009-06-23 21:00:17 0 d-----w- C:\Program Files\AGEIA Technologies
2009-06-23 20:59:13 . 2009-04-26 13:32:26 457248 ----a-w- C:\WINDOWS\system32\NVUNINST.EXE
2009-06-23 20:37:11 . 2009-06-23 20:37:11 290816 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-23 20:37:11 . 2009-06-23 20:37:11 290816 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-23 20:37:11 . 2009-06-23 20:37:11 290816 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-23 20:37:11 . 2009-06-23 20:37:11 290816 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-22 16:19:47 . 2009-06-22 16:21:26 0 d-----w- C:\Documents and Settings\Joe Videki\Ekahau Site Survey
2009-06-22 16:19:03 . 2009-06-22 16:19:03 0 d-----w- C:\Program Files\Ekahau
2009-06-22 01:48:13 . 2009-06-22 01:48:13 0 d-sh--w- C:\Documents and Settings\Joe Videki\IECompatCache
2009-06-21 01:34:39 . 2008-04-14 00:12:07 26624 ----a-w- C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-18 21:20:03 . 2009-06-18 21:20:03 0 d-----w- C:\Program Files\Common Files\SENS
2009-06-15 13:22:00 . 2009-06-15 13:22:00 0 d-sh--w- C:\Documents and Settings\NetworkService\IETldCache
2009-06-14 01:38:47 . 2009-06-14 01:38:48 0 d-----w- C:\Program Files\Windows Media Connect 2
2009-06-14 01:37:05 . 2009-06-14 01:37:54 0 d-----w- C:\WINDOWS\system32\drivers\UMDF
2009-06-14 01:32:48 . 2009-06-14 01:36:09 0 d-----w- C:\Documents and Settings\Joe Videki\Application Data\dvdcss
2009-06-10 07:02:48 . 2009-06-10 07:02:48 0 d-sh--w- C:\Documents and Settings\Default User\IETldCache
2009-06-10 06:12:53 . 2009-04-30 21:22:34 12800 ------w- C:\WINDOWS\system32\dllcache\xpshims.dll
2009-06-10 06:12:53 . 2009-04-30 21:22:31 246272 ------w- C:\WINDOWS\system32\dllcache\ieproxy.dll
2009-06-08 16:52:30 . 2001-08-18 02:36:30 5632 ----a-w- C:\WINDOWS\system32\ptpusb.dll
2009-06-08 16:52:29 . 2008-04-14 00:12:04 159232 ----a-w- C:\WINDOWS\system32\ptpusd.dll
2009-06-08 14:27:36 . 2009-06-08 14:27:36 0 d-sh--w- C:\Documents and Settings\Joe Videki\PrivacIE
2009-06-06 11:08:51 . 2008-10-16 18:06:48 268648 ----a-w- C:\WINDOWS\system32\mucltui.dll
2009-06-06 05:38:49 . 2009-06-06 05:38:49 0 d-sh--w- C:\Documents and Settings\Joe Videki\IETldCache
2009-06-06 03:25:14 . 2009-06-06 03:25:14 0 d-----w- C:\WINDOWS\ie8updates
2009-06-06 03:24:37 . 2009-05-12 05:11:53 102912 ------w- C:\WINDOWS\system32\dllcache\iecompat.dll
2009-06-06 03:22:41 . 2009-06-06 03:23:50 0 dc-h--w- C:\WINDOWS\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 15:43:03 . 2008-09-24 12:14:42 0 d-----w- C:\Documents and Settings\Joe Videki\Application Data\WTablet
2009-06-30 15:42:59 . 2008-09-27 05:16:12 0 d-----w- C:\Documents and Settings\LocalService\Application Data\WTablet
2009-06-30 15:23:24 . 2008-09-19 17:20:44 0 d-----w- C:\Program Files\Call of Duty
2009-06-30 15:13:31 . 2008-09-19 18:04:25 138376 ----a-w- C:\WINDOWS\system32\drivers\PnkBstrK.sys
2009-06-30 15:13:22 . 2008-09-19 18:04:18 202448 ----a-w- C:\WINDOWS\system32\PnkBstrB.exe
2009-06-29 22:23:13 . 2008-09-18 22:15:59 0 d-----w- C:\Program Files\Mozilla Thunderbird
2009-06-29 17:32:56 . 2008-11-02 11:31:05 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 16:35:29 . 2007-11-24 17:42:49 0 d-----w- C:\Program Files\Java
2009-06-29 16:13:51 . 2004-08-10 18:51:15 182656 ----a-w- C:\WINDOWS\system32\drivers\ndis.sys
2009-06-29 15:52:52 . 2009-03-14 15:20:47 1324 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2009-06-29 13:28:34 . 2008-11-02 05:48:01 73040 ----a-w- C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2009-06-29 04:41:04 . 2008-09-19 00:21:24 0 d-----w- C:\Program Files\QuickTime
2009-06-29 04:38:32 . 2008-09-19 00:19:49 0 d-----w- C:\Program Files\Common Files\Apple
2009-06-26 08:21:18 . 2007-11-24 17:59:39 0 d-----w- C:\Program Files\Google
2009-06-23 21:00:05 . 2008-11-03 02:24:23 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-23 20:37:12 . 2009-03-14 22:28:48 0 d-----w- C:\Program Files\SystemRequirementsLab
2009-06-23 20:37:11 . 2009-03-14 22:28:46 0 d-----w- C:\Documents and Settings\Joe Videki\Application Data\SystemRequirementsLab
2009-06-22 01:51:20 . 2008-09-20 16:12:22 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-22 01:51:12 . 2008-11-02 10:53:08 3561743 ----a-w- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-20 18:04:57 . 2008-09-20 14:41:54 0 d-----w- C:\Documents and Settings\Joe Videki\Application Data\uTorrent
2009-06-18 12:40:13 . 2008-09-22 12:51:15 0 d-----w- C:\Documents and Settings\Joe Videki\Application Data\U3
2009-06-17 15:27:56 . 2008-09-20 16:12:25 38160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27:44 . 2008-09-20 16:12:27 19096 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-06-14 12:17:35 . 2008-09-21 22:10:37 3616 ----a-w- C:\Documents and Settings\Joe Videki\Application Data\wklnhst.dat
2009-06-10 07:03:54 . 2009-05-30 10:06:41 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-06-10 07:03:34 . 2007-11-24 18:01:16 0 d-----w- C:\Program Files\Microsoft Works
2009-06-08 10:00:18 . 2008-09-28 13:58:07 0 d-----w- C:\Program Files\MSECACHE
2009-05-30 10:08:18 . 2009-05-30 10:08:18 0 d-----w- C:\Program Files\Microsoft.NET
2009-05-13 05:15:55 . 2004-08-10 18:51:29 915456 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-05-13 00:33:22 . 2007-11-24 17:27:47 110114 ----a-w- C:\WINDOWS\system32\nvModes.dat
2009-05-07 15:32:35 . 2004-08-10 18:51:11 345600 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-05-01 04:30:58 . 2009-05-01 04:30:58 1194528 ----a-w- C:\WINDOWS\system32\nvcplui.exe
2009-05-01 02:02:00 . 2009-06-29 12:48:59 8055584 ----a-w- C:\WINDOWS\system32\drivers\nv4_mini.sys
2009-05-01 02:02:00 . 2009-05-01 02:02:00 663552 ----a-w- C:\WINDOWS\system32\nvcuvid.dll
2009-05-01 02:02:00 . 2009-05-01 02:02:00 1720320 ----a-w- C:\WINDOWS\system32\nvcuda.dll
2009-05-01 02:02:00 . 2009-05-01 02:02:00 1579630 ----a-w- C:\WINDOWS\system32\nvdata.bin
2009-05-01 02:02:00 . 2009-05-01 02:02:00 1314816 ----a-w- C:\WINDOWS\system32\nvcuvenc.dll
2009-05-01 02:02:00 . 2007-11-24 17:27:32 457248 ----a-w- C:\WINDOWS\system32\nvudisp.exe
2009-05-01 02:02:00 . 2007-11-24 17:18:18 9994240 ----a-w- C:\WINDOWS\system32\nvoglnt.dll
2009-05-01 02:02:00 . 2007-11-24 17:18:14 806912 ----a-w- C:\WINDOWS\system32\nvapi.dll
2009-05-01 02:02:00 . 2007-11-24 17:18:14 143360 ----a-w- C:\WINDOWS\system32\nvcodins.dll
2009-05-01 02:02:00 . 2007-11-24 17:18:14 143360 ----a-w- C:\WINDOWS\system32\nvcod.dll
2009-05-01 02:02:00 . 2004-08-10 18:59:09 5896320 ----a-w- C:\WINDOWS\system32\nv4_disp.dll
2009-04-20 15:21:05 . 2008-10-12 04:54:12 356 ----a-w- C:\drmHeader.bin
2009-04-17 12:26:40 . 2004-08-10 18:51:28 1847168 ----a-w- C:\WINDOWS\system32\win32k.sys
2009-04-15 14:51:25 . 2004-08-10 18:51:21 585216 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
2009-04-07 12:45:24 . 2009-04-07 12:45:24 12416 ----a-w- C:\WINDOWS\system32\drivers\ekauio.sys
2008-11-03 22:17:14 . 2008-11-03 22:23:51 243204 ----a-w- C:\Program Files\unlocker1.8.7.exe
2008-11-02 17:18:59 . 2008-11-03 22:24:22 50688 ----a-w- C:\Program Files\ATF-Cleaner.exe
2007-12-28 06:21:46 . 2008-11-03 22:23:51 401720 ----a-w- C:\Program Files\HiJackThis.exe
2009-02-08 12:03:04 . 2009-02-08 12:03:04 27976 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2009-02-08 12:03:04 . 2009-02-08 12:03:04 126360 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
2009-02-08 12:33:09 . 2009-02-08 12:33:12 98712 ----a-w- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
2007-11-24 17:46:04 . 2007-11-24 17:46:04 76 --sh--r- C:\WINDOWS\CT4CET.bin
2008-10-08 17:39:12 . 2008-10-08 17:39:12 8 --sh--r- C:\WINDOWS\system32\2A0DBD0899.sys
2008-10-08 17:39:36 . 2008-10-08 17:39:12 1056 --sha-w- C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_16.18.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 15:42:44 . 2009-06-30 15:42:44 16384 C:\WINDOWS\Temp\Perflib_Perfdata_c88.dat
+ 2009-06-30 15:43:21 . 2009-06-30 15:43:21 16384 C:\WINDOWS\Temp\Perflib_Perfdata_a28.dat
+ 2009-06-30 15:42:35 . 2009-06-30 15:42:35 16384 C:\WINDOWS\Temp\Perflib_Perfdata_4e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 22:15:28 321040]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 18:09:36 460784]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-30 22:31:28 4608]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 00:25:38 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 04:21:56 851968]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-07-03 19:57:38 1228800]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 22:43:34 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-05-16 00:28:40 1392640]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 20:05:50 282624]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 18:02:24 1807960]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 22:10:26 184320]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 21:40:06 289576]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 22:58:30 856064]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 06:08:13 483328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 06:38:00 34672]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 11:58:34 611712]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 16:22:16 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-06-25 10:38:12 148888]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 02:32:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 11:00:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 02:31:50 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 02:32:16 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 02:32:16 455168]
"BellCanada_McciTrayApp"="C:\Program Files\BellCanada\McciTrayApp.exe" [2008-05-28 20:19:45 1468928]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-05-01 04:30:16 13750272]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-05-01 04:30:16 86016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-05-26 21:18:30 413696]
"SigmatelSysTrayApp"="stsystra.exe" - C:\WINDOWS\stsystra.exe [2007-07-10 04:03:06 405504]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2009-05-01 04:31:10 1657376]
"NVHotkey"="nvHotkey.dll" - C:\WINDOWS\system32\nvhotkey.dll [2009-05-01 04:30:48 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-24 50688]
hueyTray.lnk - C:\Program Files\Pantone\huey\hueyTray.exe [2008-10-6 901120]
Suitcase 11.0.lnk - C:\WINDOWS\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe [2008-9-18 9062]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 15:13:36 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SENSLogon2"= {a59313b3-a9d1-401b-9c6f-d54dadda32be} - C:\Program Files\Common Files\SENS\SENSLogon2.dll [2009-06-18 21:20:03 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-27 12:34:08 352256 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Extensis\\Extensis Suitcase 11\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Call of Duty\\CoDUOMP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24654:UDP"= 24654:UDP:Enfocus Port
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [03/09/2008 3:07:14 PM 8944]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [03/09/2008 3:07:12 PM 55024]
R2 ASTSRV;Nalpeiron Licensing Service;C:\WINDOWS\system32\ASTSRV.EXE [09/11/2008 9:08:38 AM 57344]
R2 Cold Fusion Application Server;Cold Fusion Application Server;C:\CFusion\BIN\cfserver.exe [23/09/2008 9:55:15 AM 3485696]
R2 Cold Fusion Executive;ColdFusion Executive;C:\CFusion\BIN\cfexec.exe [23/09/2008 9:55:15 AM 430080]
R2 Cold Fusion RDS;ColdFusion RDS;C:\CFusion\BIN\cfrdsservice.exe [23/09/2008 9:55:15 AM 917504]
R2 ColdFusion Management Repository;ColdFusion Management Repository Server;C:\CFusion\jrun\bin\jrun.exe [23/09/2008 9:55:23 AM 53248]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;C:\WINDOWS\system32\drivers\ekauio.sys [07/04/2009 8:45:24 AM 12416]
R2 TabletServicePen;TabletServicePen;C:\WINDOWS\system32\Pen_Tablet.exe [24/09/2008 8:13:33 AM 1373480]
R2 Tmntsrv;Trend Micro Real-time Service;C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [08/11/2007 9:19:18 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [08/11/2007 9:19:22 PM 923216]
R2 tmpreflt;tmpreflt;C:\WINDOWS\system32\drivers\tmpreflt.sys [08/11/2007 9:20:22 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [08/11/2007 9:19:28 PM 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\drivers\OEM02Dev.sys [29/06/2009 8:48:59 AM 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\drivers\OEM02Vfx.sys [29/06/2009 8:48:59 AM 7424]
R3 tmcfw;Trend Micro Common Firewall Service;C:\WINDOWS\system32\drivers\TM_CFW.sys [29/06/2009 8:48:59 AM 280392]
S2 gupdate1c9b6febd7505e2;Google Update Service (gupdate1c9b6febd7505e2);C:\Program Files\Google\Update\GoogleUpdate.exe [06/04/2009 5:29:14 PM 133104]
S3 RTCore32;RTCore32;C:\Documents and Settings\Joe Videki\My Documents\rmclock_230_bin_upd1\RTCore32.sys [18/09/2008 9:02:07 PM 4608]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [03/09/2008 3:07:16 PM 7408]
S4 BOCore;BOCore;C:\Program Files\Comodo\CBOClean\BOCORE.exe --> C:\Program Files\Comodo\CBOClean\BOCORE.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12]

2009-06-30 C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-04-06 21:29:14 . 2009-04-06 21:29:03]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.geocities.com/jvideki
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - C:\Documents and Settings\Joe Videki\Application Data\Mozilla\Firefox\Profiles\lkobswik.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/jvideki/TMWOJV-Index.html
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: C:\Program Files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files\Photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.
.
------- File Associations -------
.
txtfile=C:\WINDOWS\NOTEPAD.EXE %1
.

Edited by publicsectorslave, 08 July 2009 - 01:52 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:49 AM

Posted 08 July 2009 - 03:18 PM

Hello.

It appears Combofix was run more than once.

I would like you to attach the combofix3.txt log for me, since it's the first one.

Then regarding that infection, please take a read below and let me know what you decide to do.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
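The Rootkit Threat note above says that a rootkit patches enumeration APIs so that its files and keys stay out of ordinary directory listings; the "scanning hidden files" pass in the catchme section of a ComboFix log is a cross-view check for exactly that gap. The script below is an added example, not code from this thread, from ComboFix, catchme or any other tool named here. It parses file-listing lines in the ComboFix format seen in this thread (date . date size attrs path), reports paths that a low-level enumeration saw but the normal API view did not, and separately flags non-directory entries carrying both the system and hidden attribute flags under system32. The sample listings are constructed, and the attribute column layout (column 3 = system, column 4 = hidden) is read off the attribute strings in the log and is an assumption.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# One ComboFix-style file line (format as it appears in the logs in this thread), e.g.
# "2009-06-29 12:49 . 2009-06-29 16:18 88320 ----a-w- c:\windows\system32\drivers\x.sys"
_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "          # size in bytes, or eight dashes for a directory
    r"(?P<attrs>[a-z-]{8}) "        # 8-character attribute field, e.g. "--sh--r-"
    r"(?P<path>\S.*)$"
)


class Entry(NamedTuple):
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str             # lower-cased full path


def parse_listing(text: str) -> Dict[str, Entry]:
    """Parse listing lines into a dict keyed by lower-cased path.
    Lines that do not match the format (headers, dots, blanks) are skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        path = m["path"].lower()
        entries[path] = Entry(m["created"], m["modified"], size, m["attrs"], path)
    return entries


def cross_view_diff(api_view: Dict[str, Entry], raw_view: Dict[str, Entry]) -> List[str]:
    """Paths present in the raw (low-level) view but absent from the API view.
    A hooked directory-enumeration API is one explanation for such a gap, so
    every hit deserves a manual look (it may also just be a timing difference)."""
    return sorted(p for p in raw_view if p not in api_view)


def flag_system_hidden(view: Dict[str, Entry]) -> List[str]:
    """Non-directory entries under system32 whose attribute field carries both
    the system flag (column 3, 's') and the hidden flag (column 4, 'h').
    Column positions are an assumption taken from strings such as
    "--sh--r-" and "d-sh--w-" in the log; legitimate files (licensing
    stubs, IE caches) use them too, so this is a triage list, not a verdict."""
    hits = []
    for e in view.values():
        is_dir = e.attrs[0] == "d"
        sys_hidden = e.attrs[2] == "s" and e.attrs[3] == "h"
        in_sysdir = e.path.startswith(r"c:\windows\system32")
        if not is_dir and sys_hidden and in_sysdir:
            hits.append(e.path)
    return sorted(hits)


# Constructed sample listings (not taken from the thread's logs). API_VIEW is what a
# normal directory walk reported; RAW_VIEW is what a lower-level enumeration of the
# same directories reported. The file names are placeholders.
API_VIEW = r"""
2009-06-29 12:49 . 2009-06-29 16:18 88320 ----a-w- c:\windows\system32\drivers\sample_driver.sys
2009-06-29 13:46 . 2009-06-29 13:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\ietldcache
2008-10-08 17:39 . 2008-10-08 17:39 8 --sh--r- c:\windows\system32\sample_licensing.sys
"""

RAW_VIEW = API_VIEW + r"""
2009-06-29 12:50 . 2009-06-29 12:50 43008 ----a-w- c:\windows\system32\drivers\example_hidden.sys
"""


def run_demo() -> Dict[str, List[str]]:
    """Run both checks over the constructed views and return the findings."""
    api = parse_listing(API_VIEW)
    raw = parse_listing(RAW_VIEW)
    return {
        "hidden_from_api": cross_view_diff(api, raw),
        "system_hidden": flag_system_hidden(raw),
    }


if __name__ == "__main__":
    for check, paths in run_demo().items():
        print(check, paths)
```

On a real machine the two views would come from two independent enumeration paths (for instance a user-mode directory walk and a raw volume or backup-API walk); here they are supplied as text so the comparison logic can be run offline against log excerpts.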

#7 publicsectorslave

publicsectorslave
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 08 July 2009 - 03:25 PM

Can we try to clean rather than a reformat....

Here is combofix3

ComboFix 09-06-28.06 - Joe Videki 29/06/2009 12:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2429 [GMT -4:00]
Running from: c:\documents and settings\Joe Videki\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\kungsfxdujnalr.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\kungsfavadccxj.dat
c:\windows\system32\kungsflkayxdxt.dll
c:\windows\system32\kungsfnyityevb.dll
c:\windows\system32\kungsfuoenbowm.dat
c:\windows\system32\mlfcache.dat
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsfldlxmpfn
-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_BNDMSS
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-29 15:17 . 2009-06-29 15:23 117760 ----a-w- c:\documents and settings\Joe Videki\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-29 13:46 . 2009-06-29 13:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-29 13:37 . 2009-06-29 13:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-29 13:35 . 2009-06-29 13:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-29 12:50 . 2009-06-29 16:05 182656 ----a-w- c:\windows\system32\dllcache\ndis.sys
2009-06-29 12:49 . 2009-06-29 16:18 88320 ----a-w- c:\windows\system32\drivers\e21b93de.sys
2009-06-29 00:27 . 2009-06-29 00:27 7406 ----a-r- c:\documents and settings\Joe Videki\Application Data\Microsoft\Installer\{FF0F8E63-36EC-4180-8DF2-0F3CE3D91966}\sudokupuzzel.exe
2009-06-29 00:27 . 2009-06-29 00:27 45056 ----a-r- c:\documents and settings\Joe Videki\Application Data\Microsoft\Installer\{FF0F8E63-36EC-4180-8DF2-0F3CE3D91966}\_A5C5CF1EA2FB_4796_84A7_A253DE2030D5.exe
2009-06-29 00:27 . 2009-06-29 00:27 -------- d-----w- c:\program files\Masc software
2009-06-29 00:26 . 2009-06-29 00:26 -------- d-----w- c:\program files\MASC Software BV
2009-06-25 10:38 . 2009-06-25 10:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-25 10:37 . 2009-06-25 10:37 152576 ----a-w- c:\documents and settings\Joe Videki\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-23 21:00 . 2009-06-23 21:00 -------- d-----w- c:\windows\system32\AGEIA
2009-06-23 21:00 . 2009-06-23 21:00 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-23 20:59 . 2009-04-26 13:32 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-23 20:37 . 2009-06-23 20:37 290816 ----a-w- c:\documents and settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-23 20:37 . 2009-06-23 20:37 290816 ----a-w- c:\documents and settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-23 20:37 . 2009-06-23 20:37 290816 ----a-w- c:\documents and settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-23 20:37 . 2009-06-23 20:37 290816 ----a-w- c:\documents and settings\Joe Videki\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-22 16:19 . 2009-06-22 16:21 -------- d-----w- c:\documents and settings\Joe Videki\Ekahau Site Survey
2009-06-22 16:19 . 2009-06-22 16:19 -------- d-----w- c:\program files\Ekahau
2009-06-22 01:48 . 2009-06-22 01:48 -------- d-sh--w- c:\documents and settings\Joe Videki\IECompatCache
2009-06-21 01:34 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-18 21:20 . 2009-06-18 21:20 -------- d-----w- c:\program files\Common Files\SENS
2009-06-15 13:22 . 2009-06-15 13:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-14 01:38 . 2009-06-14 01:38 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-14 01:37 . 2009-06-14 01:37 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-14 01:32 . 2009-06-14 01:36 -------- d-----w- c:\documents and settings\Joe Videki\Application Data\dvdcss
2009-06-10 07:02 . 2009-06-10 07:02 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-10 06:12 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:12 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 16:52 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-06-08 16:52 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-06-08 14:27 . 2009-06-08 14:27 -------- d-sh--w- c:\documents and settings\Joe Videki\PrivacIE
2009-06-06 11:08 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-06 05:38 . 2009-06-06 05:38 -------- d-sh--w- c:\documents and settings\Joe Videki\IETldCache
2009-06-06 03:25 . 2009-06-06 03:25 -------- d-----w- c:\windows\ie8updates
2009-06-06 03:24 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-06 03:22 . 2009-06-06 03:23 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 16:16 . 2008-09-24 12:14 -------- d-----w- c:\documents and settings\Joe Videki\Application Data\WTablet
2009-06-29 16:13 . 2004-08-10 18:51 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-29 15:52 . 2009-03-14 15:20 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-29 13:28 . 2008-11-02 05:48 73040 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-29 10:57 . 2008-09-18 22:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-29 04:41 . 2008-09-19 00:21 -------- d-----w- c:\program files\QuickTime
2009-06-29 04:38 . 2008-09-19 00:19 -------- d-----w- c:\program files\Common Files\Apple
2009-06-29 03:41 . 2008-09-19 17:20 -------- d-----w- c:\program files\Call of Duty
2009-06-29 01:15 . 2008-09-19 18:04 138376 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-29 01:14 . 2008-09-19 18:04 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-26 08:21 . 2007-11-24 17:59 -------- d-----w- c:\program files\Google
2009-06-25 10:50 . 2008-09-27 05:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-06-25 10:38 . 2007-11-24 17:42 -------- d-----w- c:\program files\Java
2009-06-23 21:00 . 2008-11-03 02:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 20:37 . 2009-03-14 22:28 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-23 20:37 . 2009-03-14 22:28 -------- d-----w- c:\documents and settings\Joe Videki\Application Data\SystemRequirementsLab
2009-06-22 01:51 . 2008-09-20 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 01:51 . 2008-11-02 10:53 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-22 01:48 . 2008-11-02 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-20 18:04 . 2008-09-20 14:41 -------- d-----w- c:\documents and settings\Joe Videki\Application Data\uTorrent
2009-06-18 12:40 . 2008-09-22 12:51 -------- d-----w- c:\documents and settings\Joe Videki\Application Data\U3
2009-06-17 15:27 . 2008-09-20 16:12 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-09-20 16:12 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 12:17 . 2008-09-21 22:10 3616 ----a-w- c:\documents and settings\Joe Videki\Application Data\wklnhst.dat
2009-06-10 07:03 . 2009-05-30 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-10 07:03 . 2007-11-24 18:01 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 10:00 . 2008-09-28 13:58 -------- d-----w- c:\program files\MSECACHE
2009-05-30 10:08 . 2009-05-30 10:08 -------- d-----w- c:\program files\Microsoft.NET
2009-05-13 05:15 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-13 00:33 . 2007-11-24 17:27 110114 ----a-w- c:\windows\system32\nvModes.dat
2009-05-07 15:32 . 2004-08-10 18:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 04:30 . 2009-05-01 04:30 1194528 ----a-w- c:\windows\system32\nvcplui.exe
2009-05-01 02:02 . 2009-06-29 12:48 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 02:02 . 2009-05-01 02:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 02:02 . 2009-05-01 02:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 02:02 . 2009-05-01 02:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 02:02 . 2009-05-01 02:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 02:02 . 2007-11-24 17:27 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-05-01 02:02 . 2007-11-24 17:18 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 02:02 . 2007-11-24 17:18 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 02:02 . 2007-11-24 17:18 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 02:02 . 2007-11-24 17:18 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 02:02 . 2004-08-10 18:59 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-20 15:21 . 2008-10-12 04:54 356 ----a-w- C:\drmHeader.bin
2009-04-17 12:26 . 2004-08-10 18:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 18:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 12:45 . 2009-04-07 12:45 12416 ----a-w- c:\windows\system32\drivers\ekauio.sys
2008-11-03 22:17 . 2008-11-03 22:23 243204 ----a-w- c:\program files\unlocker1.8.7.exe
2008-11-02 17:18 . 2008-11-03 22:24 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2007-12-28 06:21 . 2008-11-03 22:23 401720 ----a-w- c:\program files\HiJackThis.exe
2009-02-08 12:03 . 2009-02-08 12:03 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-02-08 12:03 . 2009-02-08 12:03 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-02-08 12:33 . 2009-02-08 12:33 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-11-24 17:46 . 2007-11-24 17:46 76 --sh--r- c:\windows\CT4CET.bin
2008-10-08 17:39 . 2008-10-08 17:39 8 --sh--r- c:\windows\system32\2A0DBD0899.sys
2008-10-08 17:39 . 2008-10-08 17:39 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-30 4608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-16 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-25 148888]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-05-28 1468928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-07-10 405504]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2009-05-01 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-24 50688]
hueyTray.lnk - c:\program files\Pantone\huey\hueyTray.exe [2008-10-6 901120]
Suitcase 11.0.lnk - c:\windows\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe [2008-9-18 9062]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SENSLogon2"= {a59313b3-a9d1-401b-9c6f-d54dadda32be} - c:\program files\Common Files\SENS\SENSLogon2.dll [2009-06-18 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-27 12:34 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Extensis\\Extensis Suitcase 11\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24654:UDP"= 24654:UDP:Enfocus Port
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [03/09/2008 3:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [03/09/2008 3:07 PM 55024]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [09/11/2008 9:08 AM 57344]
R2 Cold Fusion Application Server;Cold Fusion Application Server;c:\cfusion\BIN\cfserver.exe [23/09/2008 9:55 AM 3485696]
R2 Cold Fusion Executive;ColdFusion Executive;c:\cfusion\BIN\cfexec.exe [23/09/2008 9:55 AM 430080]
R2 Cold Fusion RDS;ColdFusion RDS;c:\cfusion\BIN\cfrdsservice.exe [23/09/2008 9:55 AM 917504]
R2 ColdFusion Management Repository;ColdFusion Management Repository Server;c:\cfusion\jrun\bin\jrun.exe [23/09/2008 9:55 AM 53248]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [07/04/2009 8:45 AM 12416]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [24/09/2008 8:13 AM 1373480]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [08/11/2007 9:19 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [08/11/2007 9:19 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [08/11/2007 9:20 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [08/11/2007 9:19 PM 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [29/06/2009 8:48 AM 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [29/06/2009 8:48 AM 7424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [29/06/2009 8:48 AM 280392]
S2 gupdate1c9b6febd7505e2;Google Update Service (gupdate1c9b6febd7505e2);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 5:29 PM 133104]
S3 RTCore32;RTCore32;c:\documents and settings\Joe Videki\My Documents\rmclock_230_bin_upd1\RTCore32.sys [18/09/2008 9:02 PM 4608]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [03/09/2008 3:07 PM 7408]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 lich;lich;"c:\windows\system32\lich.exe" --> c:\windows\system32\lich.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 21:29]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.geocities.com/jvideki
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Joe Videki\Application Data\Mozilla\Firefox\Profiles\lkobswik.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/jvideki/TMWOJV-Index.html
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 12:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\e21b93de]
"ImagePath"="\SystemRoot\System32\drivers\e21b93de.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-3502109869-846365106-1334001928-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_AVAST!ANTIVIRUS\0000]
@DACL=(02 0000)
"Service"="avast!Antivirus"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="avast!Antivirus"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_NDISPROT\0000]
@DACL=(02 0000)
"Service"="Ndisprot"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="ArcNet NDIS Protocol Driver"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0021"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\WINSPOOL.DRV
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\SENS\SENSLogon2.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
c:\cfusion\cfam\program\ccmgr.exe
c:\cfusion\cfam\program\dfp.exe
c:\cfusion\cfam\program\WSM.exe
c:\cfusion\cfam\program\wsprobe.exe
c:\cfusion\jre\bin\ntConsoleJava.exe
c:\cfusion\jre\bin\ntConsoleJava.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\msiexec.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\PSIService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\cfusion\cfam\bin\CANamingAdapter.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Extensis\Extensis Suitcase 11\Suitcase.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2009-06-29 12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 16:25

Pre-Run: 17,942,577,152 bytes free
Post-Run: 17,803,128,832 bytes free

357 --- E O F --- 2009-06-14 11:05

and here is the text from the combofix quarantined files....
2009-06-29 16:24:39 . 2009-06-30 11:40:05 161 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034}.reg.dat
2009-06-29 16:24:33 . 2009-06-29 16:24:33 98 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-AdobeBridge.reg.dat
2009-06-29 16:13:49 . 2009-06-29 16:13:49 212,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir
2009-06-29 16:13:41 . 2009-06-29 16:13:41 2,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2009-06-29 16:13:41 . 2009-06-29 16:13:41 870 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_BNDMSS.reg.dat
2009-06-29 16:13:41 . 2009-06-30 11:22:12 300 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_AVAST!ANTIVIRUS.reg.dat
2009-06-29 16:10:05 . 2009-06-30 11:18:07 9,470 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-06-29 16:01:11 . 2009-06-29 16:01:11 63,772 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_kungsfxdujnalr_.sys.zip
2009-06-29 16:01:10 . 2009-06-29 16:01:23 1,305 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_kungsfldlxmpfn.reg.dat
2009-06-29 15:53:48 . 2009-06-30 11:13:16 794 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-06-29 12:50:06 . 2009-06-29 15:49:44 93 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfuoenbowm.dat.vir
2009-06-29 12:48:59 . 2008-10-11 14:49:37 42,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2009-06-29 12:48:56 . 2009-06-29 15:49:41 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsflkayxdxt.dll.vir
2009-06-29 12:48:20 . 2009-06-29 15:49:44 16,948 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfavadccxj.dat.vir
2009-06-29 12:48:20 . 2009-06-29 12:48:20 43,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfnyityevb.dll.vir
2009-04-28 02:12:52 . 2009-06-02 21:07:51 60,412 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mlfcache.dat.vir
2008-11-11 14:04:21 . 2008-11-11 14:04:22 1,082 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2008-10-11 14:49:37 . 2008-10-11 14:49:37 88,704 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2008-10-11 14:49:37 . 2008-10-11 14:49:37 240,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir


I believe my brother was able to remove these or so he told me....

Is there anything I can run that will tell you what's going on today?
If the infection is on my laptop through a wireless network will I have to reformat my desktop as well?

Edited by publicsectorslave, 08 July 2009 - 03:50 PM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 AM

Posted 08 July 2009 - 03:53 PM

Hello.

Can we try to clean rather than a reformat....

That's what I wanted to know.

Okay, please post fresh, brand new DDS logs for me by running DDS again so I can see the current condition of your machine.

Also, what problems/symptoms have you been experiencing lately after Combofix?

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 publicsectorslave

publicsectorslave
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 08 July 2009 - 04:35 PM

Here it is....
See anything that looks suspicious...



DDS (Ver_09-06-26.01) - NTFSx86
Run by Joe Videki at 17:31:18.07 on 08/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2142 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Joe Videki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.geocities.com/jvideki
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hueytray.lnk - c:\program files\pantone\huey\hueyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\suitca~1.lnk - c:\windows\installer\{7451c9b5-3e10-4e59-ad37-ab7438d84288}\_01D57C9244869186542E24.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_13.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244253751593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SENSLogon2 - {a59313b3-a9d1-401b-9c6f-d54dadda32be} - c:\program files\common files\sens\SENSLogon2.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joevid~1\applic~1\mozilla\firefox\profiles\lkobswik.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geocities.com/jvideki/TMWOJV-Index.html
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-11-9 57344]
R2 Cold Fusion Application Server;Cold Fusion Application Server;c:\cfusion\bin\cfserver.exe [2008-9-23 3485696]
R2 Cold Fusion Executive;ColdFusion Executive;c:\cfusion\bin\cfexec.exe [2008-9-23 430080]
R2 Cold Fusion RDS;ColdFusion RDS;c:\cfusion\bin\cfrdsservice.exe [2008-9-23 917504]
R2 ColdFusion Management Repository;ColdFusion Management Repository Server;c:\cfusion\jrun\bin\jrun.exe [2008-9-23 53248]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [2009-4-7 12416]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-9-24 1373480]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-11-8 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-11-8 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-8 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-11-8 566872]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-6-29 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-6-29 7424]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-6-29 280392]
S2 gupdate1c9b6febd7505e2;Google Update Service (gupdate1c9b6febd7505e2);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 CPSHV;CPSHV;c:\docume~1\joevid~1\locals~1\temp\cpshv.exe --> c:\docume~1\joevid~1\locals~1\temp\CPSHV.exe [?]
S3 RTCore32;RTCore32;c:\documents and settings\joe videki\my documents\rmclock_230_bin_upd1\RTCore32.sys [2008-9-18 4608]
S4 BOCore;BOCore;c:\program files\comodo\cboclean\bocore.exe --> c:\program files\comodo\cboclean\BOCORE.exe [?]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-07-08 10:07 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-07-07 19:43 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-07 19:43 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-07 19:43 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-07 19:43 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-07 19:43 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-07 19:43 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-07 19:43 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-07 19:43 <DIR> --d----- C:\8207a4fe6f5851b7ff10d0
2009-07-07 19:38 <DIR> --d----- C:\bb97c293485d839108dd4f83
2009-07-07 19:38 <DIR> --d----- C:\d10fdc812bf6ae0b1e88
2009-07-05 11:50 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-05 09:48 <DIR> --d----- c:\program files\Seagate
2009-07-03 07:18 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-02 12:23 <DIR> --d----- c:\program files\iPod
2009-07-02 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 16:41 0 a------- c:\windows\system32\GKO
2009-06-30 14:04 <DIR> --d----- C:\RootkitNO
2009-06-30 12:37 2 a--shrot c:\windows\winstart.bat
2009-06-30 12:37 <DIR> --d----- c:\program files\UnHackMe
2009-06-30 11:30 389,120 a------- c:\windows\system32\CF25724.exe
2009-06-30 11:30 <DIR> --ds---- C:\ComboFix
2009-06-29 12:31 <DIR> --d----- c:\program files\VS Revo Group
2009-06-29 12:24 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-29 11:56 <DIR> --d----- C:\cmdcons
2009-06-29 11:54 161,792 a------- c:\windows\SWREG.exe
2009-06-29 11:54 155,136 a------- c:\windows\PEV.exe
2009-06-29 11:54 98,816 a------- c:\windows\sed.exe
2009-06-29 08:50 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-06-28 20:27 <DIR> --d----- c:\program files\Masc software
2009-06-28 20:26 <DIR> --d----- c:\program files\MASC Software BV
2009-06-25 06:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-23 17:00 <DIR> --d----- c:\windows\system32\AGEIA
2009-06-23 16:59 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-06-22 12:19 <DIR> --d----- c:\documents and settings\joe videki\Ekahau Site Survey
2009-06-22 12:19 <DIR> --d----- c:\program files\Ekahau
2009-06-21 21:48 <DIR> --dsh--- c:\documents and settings\joe videki\IECompatCache
2009-06-18 17:20 <DIR> --d----- c:\program files\common files\SENS
2009-06-13 21:38 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-06-10 02:12 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 02:12 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2009-07-08 07:11 73,040 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-07 22:41 138,376 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-07 22:41 202,448 a------- c:\windows\system32\PnkBstrB.exe
2009-07-02 12:13 3,944 a------- c:\docume~1\joevid~1\applic~1\wklnhst.dat
2009-06-29 12:13 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-29 12:13 182,656 a------- c:\windows\system32\dllcache\cache\ndis.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-12 20:33 110,114 a------- c:\windows\system32\nvModes.dat
2009-05-12 01:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 00:30 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\dllcache\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-20 11:21 356 a------- C:\drmHeader.bin
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-26 14:09 60,744 a------- c:\documents and settings\joe videki\g2mdlhlpx.exe
2008-11-03 18:17 243,204 a------- c:\program files\unlocker1.8.7.exe
2008-11-02 13:18 50,688 a------- c:\program files\ATF-Cleaner.exe
2008-09-19 17:57 65,536 a---h--- c:\docume~1\joevid~1\applic~1\noBevelButton.DLL
2008-09-19 17:57 33,792 a---h--- c:\docume~1\joevid~1\applic~1\PLUtil.DLL
2008-09-19 17:57 7,320,576 a---h--- c:\docume~1\joevid~1\applic~1\Mkz1REALA.dll
2008-09-19 17:57 88,576 a---h--- c:\docume~1\joevid~1\applic~1\rbap550.dll
2008-09-19 17:57 57,344 a---h--- c:\docume~1\joevid~1\applic~1\groundControl.DLL
2008-09-19 17:57 28,160 a---h--- c:\docume~1\joevid~1\applic~1\fcPlacard.DLL
2007-12-28 02:21 401,720 a------- c:\program files\HiJackThis.exe
2007-11-24 13:46 76 ---shr-- c:\windows\CT4CET.bin
2008-10-08 13:39 8 ---shr-- c:\windows\system32\2A0DBD0899.sys
2008-10-08 13:39 1,056 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:31:26.92 ===============


good luck...
One of the things I've noticed is that when I try to use IE8, a Windows Installer window pops up every time.

Edited by publicsectorslave, 08 July 2009 - 04:38 PM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 AM

Posted 08 July 2009 - 04:39 PM

Hello.

A few "dead" things we can remove.

Please post the attach.txt log as well in your next reply with a new DDS.txt log as well.

Run malwarebytes.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
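The "dead" entries extremeboy refers to are the DDS lines where a registration still exists but the file it points at does not: the `-->` and `[?]` markers on the CPSHV and BOCore services and the `No File` SEH entry in the log posted above. As an added example (not code from this thread, and not part of the DDS tool), here is a small Python triage script that pulls such entries out of a DDS log. The sample lines are copied from the DDS log in post #9; my reading of `-->`/`[?]` as "binary could not be found on disk" is an assumption about the DDS output format.

```python
import re

# Sample DDS "SERVICES / DRIVERS" and "Pseudo HJT Report" lines, copied from
# the DDS log posted earlier in this thread (post #9).
SAMPLE_LINES = [
    r"R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-11-8 345696]",
    r"S3 CPSHV;CPSHV;c:\docume~1\joevid~1\locals~1\temp\cpshv.exe --> c:\docume~1\joevid~1\locals~1\temp\CPSHV.exe [?]",
    r"S4 BOCore;BOCore;c:\program files\comodo\cboclean\bocore.exe --> c:\program files\comodo\cboclean\BOCORE.exe [?]",
    r"SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File",
    r"SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL",
]

# DDS service/driver line: "<state> <name>;<display name>;<path> [<date> <size>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Shell/browser hook lines from the "Pseudo HJT Report" section.
HOOK_RE = re.compile(r"^(?P<kind>SEH|BHO|TB|EB|SSODL|Notify):\s*(?P<rest>.*)$")


def classify(line):
    """Return the list of reasons a single DDS line looks dead or dangling.

    Assumption about the DDS format: when the registered binary cannot be
    found, DDS prints "<registered path> --> <resolved path> [?]" instead of
    the usual "[<date> <size>]" suffix, and hook entries read "... - No File".
    """
    reasons = []
    low = line.lower()
    svc = SERVICE_RE.match(line)
    if svc:
        rest = svc.group("rest").strip()
        if rest.endswith("[?]"):
            reasons.append("binary not found on disk ([?])")
        if "-->" in rest:
            reasons.append("registered path could not be resolved as written (-->)")
        # A service whose binary sits in a temp directory is worth a second look
        # even when the file is present: legitimate services rarely live there.
        if "\\temp\\" in low:
            reasons.append("binary lives in a temporary directory")
        return reasons
    hook = HOOK_RE.match(line)
    if hook and hook.group("rest").strip().lower().endswith("no file"):
        reasons.append(f"{hook.group('kind')} entry points at a missing file")
    return reasons


def triage(lines):
    """Map each flagged DDS line to its list of reasons, preserving log order."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LINES).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

Running it against the sample prints the two orphaned services and the orphaned SEH entry and stays silent on the Trend Micro service and the SUPERAntiSpyware hook, which is the same split extremeboy made by eye. Entries in the S3/S4 (stopped) states whose binary is gone are leftovers of an uninstall or a cleanup rather than something running now; clearing the registration is housekeeping, and the point of listing them is to make sure nothing that is still running hides among them.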

#11 publicsectorslave

publicsectorslave
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 08 July 2009 - 04:46 PM

Here it is.....

Malwarebytes' Anti-Malware 1.38
Database version: 2396
Windows 5.1.2600 Service Pack 3

08/07/2009 5:45:58 PM
mbam-log-2009-07-08 (17-45-58).txt

Scan type: Quick Scan
Objects scanned: 98519
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ps dds attachment this time.

THANK YOU VERY MUCH FOR THE QUICK REPLIES!!!!

Edited by publicsectorslave, 08 July 2009 - 04:48 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 AM

Posted 08 July 2009 - 04:53 PM

Hello.

Please don't edit your posts, just reply it here because I miss it sometimes.

One of the things I've noticed is that when I try to use IE8, a Windows Installer window pops up every time.

Can you provide a screenshot when this happens.

Let's update Java and run an online scan, and once I see the reports, we will remove the leftovers.

One program to warn you about. This is related to P2P.

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case LimeWire 4.16.7). These programs allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.


Update Java to Version 6 Update 14

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for Java Runtime Environment (JRE) JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterwards and post back with both logs in your next reply in addition to the above.

Thanks.

With Regards,
Extremeboy

#13 publicsectorslave

publicsectorslave
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 08 July 2009 - 05:36 PM

Limewire removed
haven't used since Sept 08
see limewire-crop.png

Java updated 6-14

Just waiting for Kaspersky to update the database

Here's a screen grab of the windows installer opening when IE8 starts....
it normally goes away when it loads my homepage
Does this every time I open IE8, but I'm strictly a FF kinda guy (with No-scripts add-on running) save for when I need to do Microsoft updates
windowsinstaller.png

It's been a while since I've used Cold Fusion 5 - the Macromedia version rather than the newer Adobe version....
could that have been infected.... should that be deleted? I believe it's Java related.

thanks again,

Edited by publicsectorslave, 08 July 2009 - 05:38 PM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:49 AM

Posted 08 July 2009 - 08:44 PM

Hello.

Yes, you can remove it.

I'll review the logs once it comes in. The kaspersky may take a while.

~Extremeboy

#15 publicsectorslave

publicsectorslave
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 09 July 2009 - 09:37 AM

Kaspersky took a while, but came back clean....

KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 09, 2009 11:47:31
Records in database: 2448549
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 289198
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 03:40:37

No malware has been detected. The scan area is clean.
The selected area was scanned.

I've also attached both the dds logs....



