Infected with System Security 2009


  • Please log in to reply
9 replies to this topic

#1 jrearle85

jrearle85

  • Members
  • 5 posts

Posted 10 July 2009 - 06:32 PM

This is my first post, so I hope I do this right...

Yesterday, I started getting bombarded by System Security 2009, telling me I had to buy their product to remove the spyware. It doesn't take a genius to know that this is a scam. I tried to search how to remove it, but it took over my browser and wouldn't allow me to search anything on a search engine. I used another computer to get some instructions, but they all involved downloading a program, which I could not do. The virus actually wouldn't allow me to open ANY programs! I tried restarting in safe mode but it wouldn't let me do that either. Finally, I managed to close out the malicious program and run Malwarebytes Anti Malware. It found like 200+ infected items. They were successfully quarantined, but there is still a problem. There are several processes running that I can't find any information on and my computer has been moving VERY slow since I cleaned it. Any help would be GREAT!!! Thanks!!!

Robbie


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 19:11:54.04 on Fri 07/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.79 [GMT -4:00]

AV: 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\MySqi0bx\WinCqUg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;<local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: c:\\windows\\system32\\gsf83iujid.dll - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [YmSchZg] "c:\documents and settings\all users\application data\msservisesdbco\YmSchZg.exe"
mRun: [WinCqUg] "c:\documents and settings\owner\local settings\application data\mysqi0bx\WinCqUg.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\imstart.lnk - c:\program files\intermute\IMStart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\137903\program\BackWeb-137903.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179706909392
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: awtsQhig - awtsQhig.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\docume~1\owner\locals~1\temp\344635937920mmx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\jf0ihp1b.default\
FF - prefs.js: browser.startup.homepage - www.foxnews.com
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npalnn.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPCpnMgr.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPOFF12.DLL
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com');user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-10 130936]
R1 avgascln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2009-7-10 3968]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-4-15 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-4-15 1095560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-8 24652]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2009-1-30 457856]
S1 aswSP;avast! Self Protection; [x]
S1 PDIDRV;PDIDRV; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-07-10 16:10 <DIR> --d----- c:\program files\ESET
2009-07-10 13:04 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-10 13:04 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-10 13:04 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-10 13:04 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-10 13:04 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-10 13:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-10 12:40 3,968 a------- c:\windows\system32\drivers\AvgAsCln.sys
2009-07-10 02:54 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-07-10 02:54 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-10 02:54 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-10 02:54 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-10 02:26 91,852 a------- c:\windows\system32\drivers\c51a6e00.sys
2009-07-10 02:26 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-07-10 02:25 56,320 a------- C:\eughafh.exe
2009-07-10 02:24 26,112 a------- c:\windows\ld12 .exe
2009-07-10 01:29 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-10 01:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 01:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-10 01:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 01:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 18:32 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-07-09 18:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MsServisesDBCO
2009-07-09 18:28 <DIR> --d----- c:\program files\sFX
2009-07-09 18:26 2 a------- C:\1416432991

==================== Find3M ====================

2009-07-10 02:26 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-07-10 01:45 80,376 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-10 01:37 4 ----h--- c:\windows\fonts\mlog
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 15:49 94,360 a------- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 15:47 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 15:41 114,472 a------- c:\windows\system32\drivers\eamon.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-19 01:34 230,432 a------- C:\PA7302.DAT
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 19:13:09.75 ===============



#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts

Posted 19 July 2009 - 07:59 AM

Sorry for the delay, no shortage of posters. Your log is several days old. If you still need help reply to my post.

How Can I Reduce My Risk to Malware?


#3 jrearle85

jrearle85
  • Topic Starter

  • Members
  • 5 posts

Posted 19 July 2009 - 10:07 AM

Well, I'm beginning to think it's more than just this System Security thing. I've run every virus/malware scan I can get a hold of and it's deleted tons of crap from my computer, but there's still a lingering problem. There are still processes running that don't belong, and if I force end them, they pop right back up. They are:

WmaPiayGu.exe
YmSchZg.exe
WinCqUg.exe

Aside from that, iexplore.exe is constantly running, but I don't use internet explorer ever. I use Mozilla or Google Chrome. Also, my PC has been running dreadfully slow, especially when the internet is involved. If I'm watching a video or something in my browser and try to open another app like Microsoft Word, it will tell me there is not enough memory to do this. Any ideas?!

Thanks.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts

Posted 19 July 2009 - 03:08 PM

"more than just this System Security thing"


Could be; some of these "packages" can install different types of malware or go and download/install more malware to your machine.

OK, we will get a download to use. It's called Combofix. There is a guide to read first. Read the guide, download it to your desktop, disable any AV as explained in the guide, double click the icon and follow the prompts. Post the log in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 jrearle85

jrearle85
  • Topic Starter

  • Members
  • 5 posts

Posted 19 July 2009 - 05:38 PM

Ok, so I read and ran the combofix, but these strange processes are still there... Here is the combofix log.

ComboFix 09-07-19.02 - Owner 07/19/2009 17:08.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.300 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\auto.exe
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\All Users\Application Data\96182496.ini
c:\documents and settings\Owner\Application Data\bcrypt.html
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll
c:\program files\My AccessMedia
c:\program files\My AccessMedia\media\active.ico
c:\program files\My AccessMedia\media\am_buttons.bmp
c:\program files\My AccessMedia\media\am_chevron.bmp
c:\program files\My AccessMedia\media\am_icons.bmp
c:\program files\My AccessMedia\media\bg-off.bmp
c:\program files\My AccessMedia\media\bg-over-sub.bmp
c:\program files\My AccessMedia\media\bg-over.bmp
c:\program files\My AccessMedia\media\config.zip
c:\program files\My AccessMedia\media\content.zip
c:\program files\My AccessMedia\media\downloads.zip
c:\program files\My AccessMedia\media\idle.ico
c:\program files\My AccessMedia\media\mainmenu.zip
c:\program files\My AccessMedia\media\Thumbs.db
c:\program files\My AccessMedia\v2\amc.dll
c:\program files\My AccessMedia\v2\ams.exe
c:\program files\sFX
c:\recycler\S-1-5-21-1292428093-507921405-854245398-14400
c:\recycler\S-1-5-21-2108639113-4273975784-1078960694-1003
c:\recycler\S-1-5-21-2516047634-4061956411-076670661-3220
c:\recycler\S-1-5-21-2682806312-2328425337-2319916136-1003
c:\recycler\S-1-5-21-2682806312-2328425337-2319916136-500
c:\recycler\S-1-5-21-3668925909-240102628-902196625-1003
C:\secure.exe
c:\windows\agvptf.tmp2
c:\windows\Fonts\mlog
c:\windows\inf\itnasa.tmp2
c:\windows\inf\tacptf.tmp
c:\windows\inf\tacptf.tmp2
c:\windows\Install.txt
c:\windows\Installer\1023e3e.msp
c:\windows\Installer\1091d22.msp
c:\windows\Installer\11106444.msi
c:\windows\Installer\120ed2.msi
c:\windows\Installer\12abb4.msi
c:\windows\Installer\12d1c5.msi
c:\windows\Installer\1487403d.msi
c:\windows\Installer\14ae2715.msi
c:\windows\Installer\14e4dbe.msi
c:\windows\Installer\14e4dc4.msi
c:\windows\Installer\14e4dca.msi
c:\windows\Installer\14e4dd0.msi
c:\windows\Installer\15348ebd.msi
c:\windows\Installer\156d0a9.msi
c:\windows\Installer\156d151.msi
c:\windows\Installer\156d178.msi
c:\windows\Installer\156d180.msi
c:\windows\Installer\156d188.msi
c:\windows\Installer\156d18f.msi
c:\windows\Installer\156d195.msi
c:\windows\Installer\1633533.msi
c:\windows\Installer\167d2c.msi
c:\windows\Installer\16968.msi
c:\windows\Installer\1795cd5.msp
c:\windows\Installer\17f7eb7.msi
c:\windows\Installer\180fbc3b.msi
c:\windows\Installer\195b1b.msi
c:\windows\Installer\1a7fb762.msi
c:\windows\Installer\1a9492.msp
c:\windows\Installer\1aa0014.msi
c:\windows\Installer\1ba22f7e.msp
c:\windows\Installer\1c2f469d.msi
c:\windows\Installer\1db97765.msi
c:\windows\Installer\2538c95c.msi
c:\windows\Installer\2538c963.msi
c:\windows\Installer\2538c969.msi
c:\windows\Installer\2538c96f.msi
c:\windows\Installer\25d15b.msi
c:\windows\Installer\261f75.msi
c:\windows\Installer\266220a.msi
c:\windows\Installer\26baf5c.msi
c:\windows\Installer\2804a1.msp
c:\windows\Installer\2964db1f.msi
c:\windows\Installer\2da3ed4.msi
c:\windows\Installer\32106b.msi
c:\windows\Installer\398fc6.msi
c:\windows\Installer\3a92c0f.msi
c:\windows\Installer\3f4328.msi
c:\windows\Installer\3f4329.msp
c:\windows\Installer\3f4334.msi
c:\windows\Installer\41e88b4.msi
c:\windows\Installer\4428423.msi
c:\windows\Installer\45da6b53.msi
c:\windows\Installer\45da6b8b.msi
c:\windows\Installer\45da6b92.msi
c:\windows\Installer\45da6b9d.msi
c:\windows\Installer\45da6bcf.msi
c:\windows\Installer\45da6bd5.msi
c:\windows\Installer\45da6bdb.msi
c:\windows\Installer\45da6bf8.msi
c:\windows\Installer\45da6bfe.msi
c:\windows\Installer\45da6c0a.msi
c:\windows\Installer\45da6c2f.msi
c:\windows\Installer\45da6c4d.msi
c:\windows\Installer\45da6c5b.msi
c:\windows\Installer\45da6c87.msi
c:\windows\Installer\45da6cae.msi
c:\windows\Installer\45da6cb4.msi
c:\windows\Installer\45da6ce1.msi
c:\windows\Installer\45da6cee.msi
c:\windows\Installer\45da6cf4.msi
c:\windows\Installer\45da6cfa.msi
c:\windows\Installer\45da6d00.msi
c:\windows\Installer\45da6d1a.msi
c:\windows\Installer\45da6d2e.msi
c:\windows\Installer\45da6d3b.msi
c:\windows\Installer\4a5fe85.msi
c:\windows\Installer\4a5fe91.msi
c:\windows\Installer\4a5fe9f.msi
c:\windows\Installer\4a5fede.msi
c:\windows\Installer\4a5fef0.msi
c:\windows\Installer\4ad4aaa.msi
c:\windows\Installer\4b63039.msi
c:\windows\Installer\4d1a94.msi
c:\windows\Installer\542b6c9.msi
c:\windows\Installer\552de37.msi
c:\windows\Installer\552de3e.msi
c:\windows\Installer\5548765.msp
c:\windows\Installer\55487b3.msp
c:\windows\Installer\562df6.msi
c:\windows\Installer\56704bc.msp
c:\windows\Installer\5687a02.msi
c:\windows\Installer\5687acd.msi
c:\windows\Installer\58c8666.msp
c:\windows\Installer\5985d85.msi
c:\windows\Installer\5ae4458.msi
c:\windows\Installer\5e367.msi
c:\windows\Installer\5e4ef.msp
c:\windows\Installer\5e563.msp
c:\windows\Installer\5e5cb.msp
c:\windows\Installer\5e628.msp
c:\windows\Installer\5e684.msi
c:\windows\Installer\63b2c4.msp
c:\windows\Installer\64e0b8.msi
c:\windows\Installer\64e0bd.msi
c:\windows\Installer\70afaf4.msi
c:\windows\Installer\74d8541.msp
c:\windows\Installer\75cbd.msi
c:\windows\Installer\75cc3.msi
c:\windows\Installer\75cca.msi
c:\windows\Installer\75cd0.msi
c:\windows\Installer\75cd6.msi
c:\windows\Installer\75cdc.msi
c:\windows\Installer\7ab285f.msi
c:\windows\Installer\7bd6e8a.msi
c:\windows\Installer\7bd6e91.msi
c:\windows\Installer\7bd6e97.msi
c:\windows\Installer\7bd6e9d.msi
c:\windows\Installer\7bd6ea9.msi
c:\windows\Installer\7bd6ec3.msi
c:\windows\Installer\7bd6ecf.msi
c:\windows\Installer\7bd6ed6.msi
c:\windows\Installer\7bd6edc.msi
c:\windows\Installer\7bd6ee2.msi
c:\windows\Installer\8158618.msp
c:\windows\Installer\815861e.msp
c:\windows\Installer\8158624.msp
c:\windows\Installer\81692a4.msi
c:\windows\Installer\8358e89.msp
c:\windows\Installer\846c7f.msi
c:\windows\Installer\89509e.msi
c:\windows\Installer\8abe8.msi
c:\windows\Installer\aedec79.msp
c:\windows\Installer\b14563.msi
c:\windows\Installer\b28004f.msi
c:\windows\Installer\b280056.msi
c:\windows\Installer\b363a85.msi
c:\windows\Installer\b55629a.msp
c:\windows\Installer\b86de11.msi
c:\windows\Installer\bd872d2.msi
c:\windows\Installer\bd874f2.msi
c:\windows\Installer\d2b7b.msi
c:\windows\Installer\d2b8d.msi
c:\windows\Installer\dac9379.msi
c:\windows\Installer\db1a6.msi
c:\windows\Installer\db1bf.msi
c:\windows\Installer\db1ca.msi
c:\windows\Installer\f2239.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\repair\tenisii.bak2
c:\windows\smwitna.tmp
c:\windows\smwitna.tmp2
c:\windows\system\oeminfo.ini
c:\windows\system\tacssv.bak2
c:\windows\system\tenbv.tmp
c:\windows\system\tenbv.tmp2
c:\windows\system\yalplmx.bak2
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\drivers\c51a6e00.sys
c:\windows\system32\Install.txt
c:\windows\Web\ofninur.bak1
c:\windows\Web\ofninur.bak2
c:\windows\Web\ofninur.ini


c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_PCMSTUB
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_c51a6e00
-------\Service_sfx


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-14 23:36 . 2009-07-14 23:36 -------- d-----w- c:\program files\MSECache
2009-07-10 20:53 . 2009-07-10 20:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
2009-07-10 20:10 . 2009-07-10 20:10 -------- d-----w- c:\program files\ESET
2009-07-10 20:10 . 2009-07-10 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-10 19:32 . 2009-07-10 19:32 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 17:04 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-10 17:04 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-10 17:04 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-10 17:04 . 2009-07-10 17:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-10 17:04 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-10 17:04 . 2009-07-10 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-10 16:56 . 2009-07-10 16:56 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-10 16:40 . 2006-09-05 16:03 3968 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-10 06:26 . 2009-07-10 06:26 212224 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-07-10 06:25 . 2009-07-10 06:25 56320 ----a-w- C:\eughafh.exe
2009-07-10 06:24 . 2009-07-10 06:24 26112 ----a-w- c:\windows\ld12 .exe
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-10 05:29 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 05:29 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 22:30 . 2009-07-09 22:29 997376 ---h--r- c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe
2009-07-09 22:30 . 2009-07-14 22:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx
2009-07-09 22:30 . 2009-07-09 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\MsServisesDBCO
2009-07-05 23:15 . 2009-07-17 08:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 03:56 . 2009-01-30 05:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-07-19 03:28 . 2008-10-08 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\MiniLyrics
2009-07-19 02:20 . 2009-01-30 05:48 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-07-18 23:23 . 2007-05-25 05:48 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-07-17 18:44 . 2007-08-21 17:19 80376 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-14 23:41 . 2007-07-11 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-14 23:11 . 2005-07-14 17:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 22:57 . 2004-09-13 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-11 08:57 . 2007-04-16 06:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-10 19:35 . 2004-04-01 07:28 -------- d-----w- c:\program files\Java
2009-07-10 19:07 . 2006-03-07 18:44 -------- d-----w- c:\program files\Spyware Doctor
2009-07-10 06:33 . 2007-06-30 18:29 -------- d-----w- c:\program files\Uniblue
2009-07-10 06:26 . 2004-04-01 04:49 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-10 05:48 . 2004-09-01 00:02 -------- d-----w- c:\program files\Google
2009-05-28 04:42 . 2007-05-25 04:51 -------- d-----w- c:\program files\LimeWire
2009-05-21 15:33 . 2009-04-27 07:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 19:49 . 2009-05-14 19:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:32 . 2004-04-29 18:04 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-06-23 15:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2007-05-21 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 07:41 . 2009-04-27 07:41 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-05 22:56 . 2009-03-01 21:48 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2004-07-04 02:09 . 2005-01-17 05:19 140800 -c--a-w- c:\program files\mozilla firefox\plugins\al2np.dll
2005-01-11 20:56 . 2005-01-11 18:13 708406 -csh--w- c:\windows\cmger.tmp
2005-01-12 21:07 . 2005-01-12 18:58 709947 -csh--w- c:\windows\drahsmw.tmp
2005-01-24 06:19 . 2005-01-24 02:34 736575 -csha-w- c:\windows\ipatsii.tmp
2005-02-15 04:13 . 2005-02-15 03:36 712343 -csh--w- c:\windows\Config\pctofni.tmp
2005-01-11 23:32 . 2005-01-11 21:20 708863 -csh--w- c:\windows\Driver Cache\niwcod.tmp
2005-01-19 00:15 . 2005-01-18 21:44 741133 -csh--w- c:\windows\DRIVERS\ipatrc.tmp
2005-01-13 03:47 . 2005-01-13 02:52 712031 -csh--w- c:\windows\Help\mail\cvsmavaj.tmp
2005-01-13 08:41 . 2005-01-13 05:46 710059 -csh--w- c:\windows\Help\mui\0419\cacp.tmp
2005-01-19 07:33 . 2005-01-19 06:48 742511 -csh--w- c:\windows\Help\SBSI\siiger.tmp
2005-01-31 00:02 . 2005-01-31 00:02 708833 -csh--w- c:\windows\java\itnanib.tmp
2005-01-13 01:42 . 2005-01-13 01:34 710391 -csh--w- c:\windows\java\wsar.tmp
2005-02-09 20:08 . 2005-02-09 19:26 705342 -csh--w- c:\windows\Registration\sarsod.tmp
2005-01-12 18:35 . 2005-01-12 16:11 710057 -csh--w- c:\windows\system\codten.tmp
2005-01-23 06:04 . 2005-01-23 05:31 742972 -csh--w- c:\windows\Tasks\nibten.tmp
.

------- Sigcheck -------

[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtUninstallKB893066_0$\tcpip.sys
[-] 2002-08-29 12:00 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\tcpip.sys
[-] 2009-04-13 19:56 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-04-13 19:56 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS

[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ndis.sys
[-] 2009-07-10 06:26 212224 58357C46BEB236D8D1566F3530DDFBF2 c:\windows\system32\dllcache\ndis.sys
[-] 2009-07-10 06:26 212224 58357C46BEB236D8D1566F3530DDFBF2 c:\windows\system32\drivers\ndis.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-06-20 1859864]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-27 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-03 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 151597]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"YmSchZg"="c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe" [2009-07-09 997376]
"WinCqUg"="c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx\WinCqUg.exe" [2009-07-09 997376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-17 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IMStart.lnk - c:\program files\InterMute\IMStart.exe [2004-4-1 57344]

c:\documents and settings\jrearle\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-29 446464]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-5-23 1806336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Avid\\Avid Free DV\\AvidFreeDV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Sharaza
"6346:UDP"= 6346:UDP:Sharaza

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/10/2009 1:04 PM 130936]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/8/2007 2:07 AM 24652]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [1/30/2009 1:56 AM 457856]
S1 aswSP;avast! Self Protection; [x]
S1 PDIDRV;PDIDRV; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 mrtRate;mrtRate; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/15/2008 10:55 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-106077332-195903101-2869447165-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-27 06:51]

2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-106077332-195903101-2869447165-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-27 06:51]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe
Notify-awtsQhig - awtsQhig.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;<local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jf0ihp1b.default\
FF - prefs.js: browser.startup.homepage - www.foxnews.com
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPCpnMgr.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com');user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-106077332-195903101-2869447165-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2544)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\InterMute\IMInstall.exe
c:\docume~1\Owner\LOCALS~1\Temp\WmaPiayGo.exe
.
**************************************************************************
.
Completion time: 2009-07-19 18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 22:12

Pre-Run: 16,373,297,152 bytes free
Post-Run: 17,198,002,176 bytes free

516 --- E O F --- 2009-06-13 06:04

#6 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 19 July 2009 - 06:18 PM

OK. We will use ComboFix:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

File::
C:\eughafh.exe
c:\windows\ld12 .exe
c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe
c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YmSchZg"=-
"WinCqUg"=-

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log. Check MBAM for updates, do a full scan and post that log also.

How Can I Reduce My Risk to Malware?
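The correlation the Malware Response Team reads off the report above by eye (two freshly created, identically sized executables under Application Data registered as HKLM Run entries, one of them hidden) can be scripted as a first-pass triage of a ComboFix log. The following is an added example, not part of this thread or of ComboFix; the excerpt it parses is constructed from a few lines of the report above, and the section headers, attribute flags and `"name"="path" [date size]` line formats it expects are the ones ComboFix prints there.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed excerpt modelled on the ComboFix report posted above: the two
# sections the triage needs, trimmed to a handful of representative lines.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.
2009-07-10 06:25 . 2009-07-10 06:25 56320 ----a-w- C:\eughafh.exe
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 22:30 . 2009-07-09 22:29 997376 ---h--r- c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe
2009-07-09 22:30 . 2009-07-14 22:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"YmSchZg"="c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe" [2009-07-09 997376]
"WinCqUg"="c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx\WinCqUg.exe" [2009-07-09 997376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-17 88363]
"""

# "created . modified size attributes path" lines of the Files Created / Find3M sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dcsharw]{8}) (?P<path>.+)$"
)
# "name"="value" [date size], optionally with the resolved path after " - ".
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))? '
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to \d{4}-\d{2}-\d{2}")
RUN_KEY_RE = re.compile(r"^\[HKEY_[^\]]+\\Run\]$", re.IGNORECASE)

# Folders a legitimate autostart rarely runs from but droppers favour.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list


def parse_log(text):
    """Return (scan window start, {lowercased path: (created, attrs)}, [Run entries])."""
    window_start, files, runs, in_run_key = None, {}, [], False
    for line in text.splitlines():
        line = line.strip()
        m = WINDOW_RE.search(line)
        if m:
            window_start = date.fromisoformat(m.group(1))
            continue
        m = FILE_RE.match(line)
        if m:
            files[m["path"].lower()] = (date.fromisoformat(m["created"]), m["attrs"])
            continue
        if line.startswith("["):
            in_run_key = bool(RUN_KEY_RE.match(line))  # only Run keys hold autostart values
            continue
        m = RUN_RE.match(line) if in_run_key else None
        if m:
            runs.append((m["name"], m["resolved"] or m["value"],
                         date.fromisoformat(m["date"]), int(m["size"])))
    return window_start, files, runs


def triage(text):
    """Flag Run entries that show at least two independent indicators."""
    window_start, files, runs = parse_log(text)
    by_size = {}
    for name, _path, _created, size in runs:
        by_size.setdefault(size, []).append(name)
    findings = []
    for name, path, created, size in runs:
        lower, reasons = path.lower(), []
        if window_start and created >= window_start:
            reasons.append(f"created inside the scan window ({created})")
        if any(d in lower for d in SUSPECT_DIRS):
            reasons.append("runs from a user-writable data or temp folder")
        elif re.match(r"^[a-z]:\\[^\\]+$", lower):
            reasons.append("runs from the drive root")
        entry = files.get(lower)
        if entry and "h" in entry[1]:
            reasons.append("file carries the hidden attribute")
        twins = [n for n in by_size[size] if n != name]
        if twins:
            reasons.append("identical size to Run entry " + ", ".join(twins))
        if len(reasons) >= 2:  # a single indicator alone is too noisy to report
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run against the full report instead of the excerpt, the same two entries are the only HKLM Run values that clear the two-indicator bar.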


#7 jrearle85
  • Topic Starter
  • Members
  • 5 posts

Posted 19 July 2009 - 10:28 PM

Here's the log after I followed the last instruction.

ComboFix 09-07-19.04 - Owner 07/19/2009 21:59.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.201 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll


c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-20 02:23 . 2009-07-20 02:23 -------- d-----w- c:\windows\LastGood
2009-07-14 23:36 . 2009-07-14 23:36 -------- d-----w- c:\program files\MSECache
2009-07-10 20:53 . 2009-07-10 20:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
2009-07-10 20:10 . 2009-07-10 20:10 -------- d-----w- c:\program files\ESET
2009-07-10 20:10 . 2009-07-10 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-10 19:32 . 2009-07-10 19:32 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 17:04 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-10 17:04 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-10 17:04 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-10 17:04 . 2009-07-10 17:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-10 17:04 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-10 17:04 . 2009-07-10 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-10 16:56 . 2009-07-10 16:56 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-10 16:40 . 2006-09-05 16:03 3968 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-10 06:54 . 2009-07-10 06:54 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-10 06:26 . 2009-07-10 06:26 212224 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-07-10 06:25 . 2009-07-10 06:25 56320 ----a-w- C:\eughafh.exe
2009-07-10 06:24 . 2009-07-10 06:24 26112 ----a-w- c:\windows\ld12 .exe
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-10 05:29 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 05:29 . 2009-07-10 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 05:29 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 22:30 . 2009-07-09 22:29 997376 ---h--r- c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe
2009-07-09 22:30 . 2009-07-14 22:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx
2009-07-09 22:30 . 2009-07-09 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\MsServisesDBCO
2009-07-05 23:15 . 2009-07-17 08:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 03:56 . 2009-01-30 05:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-07-19 03:28 . 2008-10-08 19:50 -------- d-----w- c:\documents and settings\Owner\Application Data\MiniLyrics
2009-07-19 02:20 . 2009-01-30 05:48 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-07-18 23:23 . 2007-05-25 05:48 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-07-17 18:44 . 2007-08-21 17:19 80376 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-14 23:41 . 2007-07-11 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-14 23:11 . 2005-07-14 17:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 22:57 . 2004-09-13 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-11 08:57 . 2007-04-16 06:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-10 19:35 . 2004-04-01 07:28 -------- d-----w- c:\program files\Java
2009-07-10 19:07 . 2006-03-07 18:44 -------- d-----w- c:\program files\Spyware Doctor
2009-07-10 06:33 . 2007-06-30 18:29 -------- d-----w- c:\program files\Uniblue
2009-07-10 06:26 . 2004-04-01 04:49 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-10 05:48 . 2004-09-01 00:02 -------- d-----w- c:\program files\Google
2009-05-28 04:42 . 2007-05-25 04:51 -------- d-----w- c:\program files\LimeWire
2009-05-21 15:33 . 2009-04-27 07:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 19:49 . 2009-05-14 19:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:32 . 2004-04-29 18:04 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-06-23 15:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2007-05-21 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 07:41 . 2009-04-27 07:41 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-05 22:56 . 2009-03-01 21:48 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2004-07-04 02:09 . 2005-01-17 05:19 140800 -c--a-w- c:\program files\mozilla firefox\plugins\al2np.dll
2005-01-11 20:56 . 2005-01-11 18:13 708406 -csh--w- c:\windows\cmger.tmp
2005-01-12 21:07 . 2005-01-12 18:58 709947 -csh--w- c:\windows\drahsmw.tmp
2005-01-24 06:19 . 2005-01-24 02:34 736575 -csha-w- c:\windows\ipatsii.tmp
2005-02-15 04:13 . 2005-02-15 03:36 712343 -csh--w- c:\windows\Config\pctofni.tmp
2005-01-11 23:32 . 2005-01-11 21:20 708863 -csh--w- c:\windows\Driver Cache\niwcod.tmp
2005-01-19 00:15 . 2005-01-18 21:44 741133 -csh--w- c:\windows\DRIVERS\ipatrc.tmp
2005-01-13 03:47 . 2005-01-13 02:52 712031 -csh--w- c:\windows\Help\mail\cvsmavaj.tmp
2005-01-13 08:41 . 2005-01-13 05:46 710059 -csh--w- c:\windows\Help\mui\0419\cacp.tmp
2005-01-19 07:33 . 2005-01-19 06:48 742511 -csh--w- c:\windows\Help\SBSI\siiger.tmp
2005-01-31 00:02 . 2005-01-31 00:02 708833 -csh--w- c:\windows\java\itnanib.tmp
2005-01-13 01:42 . 2005-01-13 01:34 710391 -csh--w- c:\windows\java\wsar.tmp
2005-02-09 20:08 . 2005-02-09 19:26 705342 -csh--w- c:\windows\Registration\sarsod.tmp
2005-01-12 18:35 . 2005-01-12 16:11 710057 -csh--w- c:\windows\system\codten.tmp
2005-01-23 06:04 . 2005-01-23 05:31 742972 -csh--w- c:\windows\Tasks\nibten.tmp
.

------- Sigcheck -------

[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtUninstallKB893066_0$\tcpip.sys
[-] 2002-08-29 12:00 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\tcpip.sys
[-] 2009-04-13 19:56 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-04-13 19:56 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS

[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ndis.sys
[-] 2009-07-10 06:26 212224 58357C46BEB236D8D1566F3530DDFBF2 c:\windows\system32\dllcache\ndis.sys
[-] 2009-07-10 06:26 212224 58357C46BEB236D8D1566F3530DDFBF2 c:\windows\system32\drivers\ndis.sys

.
((((((((((((((((((((((((((((( SnapShot@2009-07-19_21.37.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-20 02:18 . 2009-07-20 02:18 16384 c:\windows\Temp\Perflib_Perfdata_a40.dat
+ 2004-04-01 06:01 . 2009-07-20 02:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-04-01 06:01 . 2009-07-19 21:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-19 05:53 . 2009-07-20 02:42 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071920090720\index.dat
+ 2004-04-01 06:01 . 2009-07-20 02:42 8093696 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-04-01 06:01 . 2009-07-20 02:42 1654784 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-06-20 1859864]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-27 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-03 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 151597]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"YmSchZg"="c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe" [2009-07-09 997376]
"WinCqUg"="c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx\WinCqUg.exe" [2009-07-09 997376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-17 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IMStart.lnk - c:\program files\InterMute\IMStart.exe [2004-4-1 57344]

c:\documents and settings\jrearle\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-1-29 446464]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-5-23 1806336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsQhig]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Avid\\Avid Free DV\\AvidFreeDV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Sharaza
"6346:UDP"= 6346:UDP:Sharaza

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/10/2009 1:04 PM 130936]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/8/2007 2:07 AM 24652]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [1/30/2009 1:56 AM 457856]
S1 aswSP;avast! Self Protection; [x]
S1 PDIDRV;PDIDRV; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 mrtRate;mrtRate; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/15/2008 10:55 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-106077332-195903101-2869447165-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-27 06:51]

2009-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-106077332-195903101-2869447165-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-27 06:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;<local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jf0ihp1b.default\
FF - prefs.js: browser.startup.homepage - www.foxnews.com
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPCpnMgr.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com');user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 22:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-106077332-195903101-2869447165-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5212)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\InterMute\IMInstall.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-07-20 23:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 03:11
ComboFix2.txt 2009-07-19 22:12

Pre-Run: 17,190,977,536 bytes free
Post-Run: 17,122,865,152 bytes free

319 --- E O F --- 2009-06-13 06:04
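An added example, not part of this thread or of ComboFix: a small Python triage of the Run-key section of a ComboFix log such as the one above. The embedded excerpt is a constructed abridgement of the posted log, and the two heuristics (an autostart running from a user-writable location, and two autostarts sharing the same date and size stamp) are assumed triage rules, so a legitimate per-user updater like Google Update trips the first one and the output is a list of things to look at, not a verdict.

```python
import re
from collections import defaultdict

# Constructed abridgement of the Run-key section posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-27 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"YmSchZg"="c:\documents and settings\All Users\Application Data\MsServisesDBCO\YmSchZg.exe" [2009-07-09 997376]
"WinCqUg"="c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx\WinCqUg.exe" [2009-07-09 997376]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-01-17 88363]
"""

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# Two shapes appear in the log: "Name"="path" [date size]  and  "Name"="exe" - path [date size]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"'
                      r'(?: - (?P<alt>.+?))? \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

# Locations a limited XP user can write to. Legitimate per-user updaters live
# here too, so this is a triage signal, not a verdict (assumed heuristic).
USER_WRITABLE = ('\\documents and settings\\', '\\docume~1\\', '\\temp\\')


def parse_run_entries(log_text):
    """Return one dict per value found under a registry key ending in \\Run."""
    entries, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        em = ENTRY_RE.match(line)
        if em and key and key.lower().endswith('\\run'):
            entries.append({'key': key, 'name': em.group('name'),
                            'path': (em.group('alt') or em.group('val')).lower(),
                            'date': em.group('date'), 'size': int(em.group('size'))})
    return entries


def triage(entries):
    """Map each entry name to the reasons it deserves a closer look."""
    by_stamp = defaultdict(list)          # (date, size) -> names sharing that stamp
    for e in entries:
        by_stamp[(e['date'], e['size'])].append(e['name'])
    report = {}
    for e in entries:
        reasons = []
        if any(marker in e['path'] for marker in USER_WRITABLE):
            reasons.append('runs from a user-writable location')
        others = [n for n in by_stamp[(e['date'], e['size'])] if n != e['name']]
        if others:   # same build stamp in two places: typical of a cloned dropper
            reasons.append('same date and size as ' + ', '.join(others))
        report[e['name']] = reasons
    return report


if __name__ == '__main__':
    for name, why in triage(parse_run_entries(SAMPLE_LOG)).items():
        print(f"{name:14} {'; '.join(why) or 'no flags'}")
```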

#8 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 20 July 2009 - 06:28 PM

To help show all files you can do this:

For XP: on the desktop double click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Next you can boot your computer into safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option from the list: Safe Mode.
Once at the safe mode desktop you will be looking for files and deleting them. You might want to copy/paste this part into Notepad and save it so you can find it in safe mode.

Once in safe mode, navigate to:
c:\documents and settings\All Users\Application Data
Look for two folders and delete them both:

MsServisesDBCO
MySqi0bx

You can also do this in safe mode:

Using Explorer (right click on Start > Explore), drill down to these and delete what's inside the folder.

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Reboot normally.
Update, run and post the MBAM log please.

How Can I Reduce My Risk to Malware?


#9 jrearle85

  • Topic Starter

  • Members
  • 5 posts

Posted 23 July 2009 - 12:31 AM

I followed these instructions very closely. The only problem I had was that 'MySqi0bx' was nowhere to be found. I deleted 'MsServisesDBCO' like you said, but the other was not in the folder. I even ran a search on it and it didn't show. After I emptied the folders listed and all, I restarted and the machine seems to be running faster, but the internet is still much slower than it should be. I opened the task manager and there are still processes running that don't belong. They are:

YmSchSm.exe
WmaPiayUj.exe (this one does not run constantly but flashes on and off)
WinCqUg.exe

Also, iexplorer.exe is constantly running although I do not use Internet Explorer. I am traditionally with Firefox and recently using Google Chrome.


Here is the log file after running MBAM:


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/23/2009 1:18:16 AM
mbam-log-2009-07-23 (01-18-16).txt

Scan type: Quick Scan
Objects scanned: 135954
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully.
c:\eughafh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

#10 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 24 July 2009 - 04:47 PM

OK, we will use ComboFix again. Before using it, disable your AV and any anti-malware and also Spybot's TeaTimer if running. You would see the icon in the tray if it was. How to disable TeaTimer:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YmSchZg"="-
"WinCqUg"="-

File::
c:\docume~1\Owner\LOCALS~1\Temp\WmaPiayGo.exe
c:\documents and settings\Owner\Local Settings\Application Data\MySqi0bx\WinCqUg.exe
c:\windows\cmger.tmp
c:\windows\drahsmw.tmp
c:\windows\ipatsii.tmp
c:\windows\Config\pctofni.tmp

I am not seeing these two in any of the logs:
YmSchSm.exe
WmaPiayUj.exe

Can you search for them and find them on your machine? Is your AV up to date?

How Can I Reduce My Risk to Malware?

