
Persistent malware infection


  • This topic is locked
37 replies to this topic

#1 Rethgif

  • Members
  • 24 posts

Posted 20 July 2009 - 12:03 PM

This computer was brought to me with numerous viruses, spyware, malware, etc.

There was no active anti-virus on it at that time and the user was unable to access the User Access icon in the Control Panel.

AVG 8.x was installed and removed all of the viruses that it could find; Spybot S&D found and removed several spy/malware packages as well.

Malwarebytes is finding some further infections; however, the PC is now displaying a BSOD with the notorious IRQ_not_Less_or_equal message. Also on boot, after loading the user preferences, desktop, etc., it displays "Windows has recovered from a serious condition" and wants to send the report to MS.

Any and all help would be greatly appreciated.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jolynn at 9:47:37.40 on Mon 07/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.159 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

{17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jolynn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.myspace.com/
uDefault_Search_URL = hxxp://search.msn.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {141ffbbc-4aea-4ba5-8d26-668b4b33ae52} - No File
BHO: {3251A4BC-14E5-43FA-96DE-DE3749C9E643} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5293ed22-dd3c-4edc-a82f-5d9926ee9c8a} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5FAB2024-3793-4C62-8E4A-BB270F9AD35A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {787e4828-8dbe-45f6-8c87-8dbd7ebb7c4e} - No File
BHO: {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Search Enhancer Toolbar: {bfb5f154-9212-46f3-b547-ac6106030a54} - c:\program files\search enhancer toolbar\enhancer.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48A0-441B-A342-7C2A440A9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [RealPlayer] "c:\program files\real\realplayer\realplay.exe" /RunUPGToolCommandReBoot
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ViewSonic Explorer V5.3] c:\windows\msdtcsw32.exe
uRun: [Legacy VGA Drivers V1.0] c:\windows\certproc32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Canasta - hxxp://download.games.yahoo.com/games/clients/y/yt1_x.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: Yahoo! Dots - hxxp://download.games.yahoo.com/games/clients/y/dtt1_x.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: Yahoo! Towers 2.0 - hxxp://download.games.yahoo.com/games/clients/y/ywt0_x.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128284449625
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BFC2253-B9D9-477E-9488-CA450232620D}
DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B}
DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: axfiye.dll c:\windows\system32\soyabodu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfCrSmM
LSA: Notification Packages = scecli c:\windows\system32\soyabodu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jolynn\applic~1\mozilla\firefox\profiles\tgxeb9gi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-9 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-15 24652]
S2 EFXFVYMI;EFXFVYMI;\??\c:\windows\system32\efxfvymi.gnf --> c:\windows\system32\efxfvymi.gnf [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-19 38160]
S4 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2006-3-16 69120]

============== File Associations ===============

txtfile=%windir%\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-07-19 16:25 <DIR> --d----- c:\docume~1\jolynn\applic~1\Malwarebytes
2009-07-19 16:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 16:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-19 16:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 16:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 10:36 <DIR> --d----- c:\documents and settings\jolynn\.housecall6.6
2009-07-18 15:45 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-15 14:26 <DIR> --dsh--- c:\documents and settings\jolynn\IECompatCache
2009-07-15 09:08 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 14:53 <DIR> --dsh--- c:\documents and settings\jolynn\PrivacIE
2009-07-10 11:04 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-09 12:21 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-07-09 11:53 <DIR> --dsh--- c:\documents and settings\jolynn\IETldCache
2009-07-09 09:07 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-09 09:06 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-09 09:06 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-09 09:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-09 09:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-09 09:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-09 09:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-07-09 09:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-09 09:05 <DIR> --d----- C:\e5501bbc2d597e645df055b958b6
2009-07-09 08:51 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-09 08:51 <DIR> --d----- c:\windows\ie8updates
2009-07-09 08:50 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-09 08:50 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-09 08:50 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-09 08:50 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-09 08:48 <DIR> -cd-h--- c:\windows\ie8
2009-07-09 08:40 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-09 08:27 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-07-09 08:27 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-09 08:27 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-09 08:27 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-09 08:27 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-09 08:27 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-09 08:27 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-07-09 08:26 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-07-09 08:25 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-07-09 08:24 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-09 08:24 1,106,944 a------- c:\windows\system32\SETCF.tmp
2009-07-09 08:24 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-07-09 08:24 337,408 a------- c:\windows\system32\SETCB.tmp
2009-07-09 08:24 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-07-09 08:24 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-07-09 08:23 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-07-09 08:22 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-09 08:22 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-07-09 01:14 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-09 00:52 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-09 00:52 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-09 00:52 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-09 00:52 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-09 00:52 <DIR> --d----- c:\program files\AVG
2009-07-09 00:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-08 23:34 <DIR> --d----- c:\windows\system32\scripting
2009-07-08 23:34 <DIR> --d----- c:\windows\l2schemas
2009-07-08 23:34 <DIR> --d----- c:\windows\system32\en
2009-07-08 23:26 <DIR> --d----- c:\windows\network diagnostic
2009-07-08 22:42 412,160 -------- c:\windows\system32\photometadatahandler.dll
2009-07-08 22:41 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-07-08 22:40 136,192 -------- c:\windows\system32\aaclient.dll
2009-07-08 21:07 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-07-08 20:40 221,184 a------- c:\windows\system32\wmpns.dll
2009-07-08 20:38 <DIR> --d----- c:\windows\peernet
2009-07-08 20:38 <DIR> --d----- c:\windows\provisioning
2009-07-08 20:34 <DIR> --d----- c:\windows\ServicePackFiles
2009-07-08 20:23 <DIR> --d----- c:\windows\EHome
2009-07-08 17:03 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-08 16:52 100,352 a------- c:\windows\system32\SETD8.tmp
2009-07-08 16:52 100,352 -------- c:\windows\system32\SET7C.tmp
2009-07-08 16:52 280,064 -------- c:\windows\system32\SETB6.tmp
2009-07-08 16:52 280,064 -------- c:\windows\system32\SET70.tmp
2009-07-08 16:52 181,248 a------- c:\windows\system32\SETB1.tmp
2009-07-08 16:52 181,248 -------- c:\windows\system32\SET6C.tmp
2009-07-08 16:50 129,024 -------- c:\windows\system32\xmlprov.dll
2009-07-08 16:50 50,176 -------- c:\windows\system32\xmlprovi.dll
2009-07-08 16:50 80,896 a------- c:\windows\system32\wscsvc.dll
2009-07-08 16:50 148,480 -------- c:\windows\system32\wscui.cpl
2009-07-08 16:50 108,032 -------- c:\windows\system32\wshbth.dll
2009-07-08 16:50 13,824 -------- c:\windows\system32\wscntfy.exe
2009-07-08 16:50 1,229 -------- c:\windows\system32\wbem\wscenter.mof
2009-07-08 16:48 452,736 -------- c:\windows\system32\drivers\mtxparhm.sys
2009-07-08 16:47 19,528 a------- c:\windows\002527_.tmp
2009-07-08 16:45 94,720 a------- c:\windows\system32\SET8B.tmp
2009-07-08 16:45 148,480 -------- c:\windows\system32\SET8C.tmp
2009-07-08 16:45 148,480 -------- c:\windows\system32\SET50.tmp
2009-07-08 16:45 94,720 -------- c:\windows\system32\SET4D.tmp
2009-07-08 16:05 280,064 a------- c:\windows\system32\SET66.tmp
2009-07-08 16:05 280,064 -------- c:\windows\system32\SET3B.tmp
2009-07-08 15:35 354,304 a------- c:\windows\system32\winhttp.dll
2009-07-08 15:35 331,776 a------- c:\windows\system32\SET43.tmp
2009-07-08 15:35 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-07-08 15:33 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-07-08 15:20 12,620 a------- c:\windows\system32\wpa.bak
2009-07-08 11:24 155,648 a------- c:\windows\system32\igfxres.dll
2009-07-08 10:22 131,584 ac------ c:\windows\system32\dllcache\pmxviceo.dll
2009-07-08 10:21 471,102 ac------ c:\windows\system32\dllcache\imskdic.dll
2009-07-08 10:20 54,528 ac------ c:\windows\system32\dllcache\cap7146.sys
2009-07-08 10:13 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-08 10:13 <DIR> --d----- c:\program files\Online Services
2009-07-08 10:10 13,608 a----r-- c:\windows\SET77.tmp
2009-07-08 10:10 1,086,182 a----r-- c:\windows\SET62.tmp
2009-06-30 13:46 129,536 a------- c:\windows\system32\ksproxy.ax
2009-06-30 13:46 4,096 a------- c:\windows\system32\ksuser.dll
2009-06-30 12:37 13,608 a----r-- c:\windows\SETA8.tmp
2009-06-30 12:37 1,086,182 a----r-- c:\windows\SET93.tmp

==================== Find3M ====================

2009-07-08 23:39 86,665 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-08 10:17 2,678 a------- c:\windows\java\packages\data\T3DND77V.DAT
2009-07-08 10:17 2,678 a------- c:\windows\java\packages\data\XFVJNXJ9.DAT
2009-07-08 10:17 2,678 a------- c:\windows\java\packages\data\P3JRB5ZX.DAT
2009-07-08 10:17 2,678 a------- c:\windows\java\packages\data\VLZVJ9JX.DAT
2009-07-08 10:17 2,678 a------- c:\windows\java\packages\data\B9BFNFHR.DAT
2009-07-08 10:14 23,348 a------- c:\windows\system32\emptyregdb.dat
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 81,920 -------- c:\windows\system32\ieencode.dll
2008-05-02 09:00 62,910 a------- c:\program files\Uninstall.exe
2008-05-02 09:00 0 a------- c:\program files\uninstall.dat
2008-04-19 03:02 374 a------- c:\docume~1\jolynn\applic~1\internaldb6334.dat
2008-04-19 02:57 18,432 a------- c:\docume~1\jolynn\applic~1\internaldb41.dat
2008-04-19 02:38 555 a------- c:\docume~1\jolynn\applic~1\internaldb8467.dat
2007-01-25 21:32 1,443,213 a------- c:\docume~1\jolynn\applic~1\Install.dat
2005-03-16 23:24 3,895,808 a------- c:\program files\sspsetup1_1788740160.exe
2005-02-01 04:33 10,810,909 a------- c:\program files\avg70free_300a419.exe
2004-04-29 15:01 784 a------- c:\docume~1\jolynn\applic~1\mpauth.dat
2004-01-21 11:07 2,899,708 a--sh--- c:\windows\system32\atadniw.dat

============= FINISH: 9:48:55.32 ===============

Attached Files
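Added example, not part of the thread and not code from DDS (sUBs) or any BleepingComputer tool: a small Python triage script that parses the line formats in the DDS log above and flags the persistence points a responder checks first, namely Run entries launching executables from the Windows root, anything in AppInit_DLLs, extras in the LSA Authentication/Notification Packages and SecurityProviders lists, and services whose binary is not a .sys/.exe. Its sample input is constructed from lines copied out of the log; the "stock XP SP3" baselines for the LSA and SecurityProviders lists are assumptions. A finding means "look at this file", not "this is malware".

```python
"""Triage a DDS 'Pseudo HJT Report' / services section for persistence red flags.

Added example: not code from the forum thread, from DDS or from any
BleepingComputer tool. It parses the line formats DDS prints and applies
a few defender heuristics a responder would otherwise apply by eye:

  * Run entries whose executable sits directly in the Windows root
    (c:\\windows\\foo.exe) rather than under system32 or Program Files.
  * AppInit_DLLs: empty on a stock XP install, so any DLL listed is notable.
  * LSA Authentication/Notification Packages and SecurityProviders: fixed
    Microsoft baselines (assumed here for stock XP SP3); extras are flagged.
  * Services/drivers whose binary has an extension other than .sys/.exe.

SAMPLE_LOG is constructed from lines copied out of the DDS log in the thread.
"""
import re

# Assumed baselines for a stock Windows XP SP3 install (not from the thread).
LSA_AUTH_BASELINE = {"msv1_0"}
LSA_NOTIFY_BASELINE = {"scecli"}
SECURITY_PROVIDERS_BASELINE = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
SERVICE_BINARY_EXTS = {"sys", "exe"}

# Constructed sample: lines copied from the thread's DDS log.
SAMPLE_LOG = r"""
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [ViewSonic Explorer V5.3] c:\windows\msdtcsw32.exe
uRun: [Legacy VGA Drivers V1.0] c:\windows\certproc32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
AppInit_DLLs: axfiye.dll c:\windows\system32\soyabodu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfCrSmM
LSA: Notification Packages = scecli c:\windows\system32\soyabodu.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 335752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-15 24652]
S2 EFXFVYMI;EFXFVYMI;\??\c:\windows\system32\efxfvymi.gnf --> c:\windows\system32\efxfvymi.gnf [?]
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>.*)$")
WINROOT_EXE_RE = re.compile(r"c:\\windows\\[^\\]+\.exe")
# First token ending in ".<ext>" followed by whitespace/end: the service binary.
BINARY_RE = re.compile(r"^(?P<bin>.*?\.(?P<ext>[a-z0-9]+))(\s|$)", re.IGNORECASE)


def _exe_path(cmd):
    """Return the executable part of a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _tokens(value):
    """Split a comma- or space-separated list of DLLs/packages."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def analyze(log_text):
    """Return a list of (kind, where, what) findings for DDS-formatted text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd")).lower()
            if WINROOT_EXE_RE.fullmatch(path):
                findings.append(("run-windows-root", m.group("name"), path))
            continue

        m = SERVICE_RE.match(line)  # must come before the key:value split ("c:" has a colon)
        if m:
            b = BINARY_RE.match(m.group("path"))
            if b and b.group("ext").lower() not in SERVICE_BINARY_EXTS:
                findings.append(("service-odd-binary", m.group("name"), b.group("bin")))
            continue

        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "AppInit_DLLs":
            for dll in _tokens(value):
                findings.append(("appinit-dll", key, dll))
        elif key == "SecurityProviders":
            for dll in _tokens(value):
                if dll.lower() not in SECURITY_PROVIDERS_BASELINE:
                    findings.append(("security-provider-extra", key, dll))
        elif key == "LSA":
            pkg, _, items = value.partition("=")
            pkg = pkg.strip()
            if pkg.startswith("Authentication"):
                baseline = LSA_AUTH_BASELINE
            elif pkg.startswith("Notification"):
                baseline = LSA_NOTIFY_BASELINE
            else:
                continue
            for item in _tokens(items):
                if item.lower() not in baseline:
                    findings.append(("lsa-package-extra", pkg, item))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'appinit-dll': 2, ...}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, where, what in analyze(SAMPLE_LOG):
        print(f"{kind:24} {where:30} {what}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run it as-is to see the findings for the sample, or pass the contents of a real DDS.txt to analyze(). On the sample it reports the two Run entries under c:\windows, both AppInit DLLs, zwebauth.dll, the two extra LSA packages and the .gnf service binary; third-party security products do legitimately register LSA and SecurityProviders entries, so each hit still needs the file on disk examined before anything is removed.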





#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 30 July 2009 - 11:37 PM

Hello Rethgif and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Rethgif

  • Topic Starter
  • Members
  • 24 posts

Posted 31 July 2009 - 12:05 AM

Thank you for the response, Schrauber.

The infected PC has been shut down completely since I posted the original message with the DDS logs already posted.

I anxiously await further instructions.

Regards,
Rethgif

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 July 2009 - 12:56 PM

Hello.

May I see the new set of DDS logs that Schrauber requested?

Thanks.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#5 Rethgif

  • Topic Starter
  • Members
  • 24 posts

Posted 31 July 2009 - 01:25 PM

As the PC has been shut down and disconnected, I didn't run another set.

Am booting up the infected PC now to do so.

Rethgif

#6 Rethgif

  • Topic Starter
  • Members
  • 24 posts

Posted 31 July 2009 - 02:10 PM

DDS.TXT contents below:

Am now receiving "Access Denied" while trying to open either dds.txt or attach.txt.

I'll see if it will allow me to attach them both.

Thank you for your assistance.

Rethgif

Attached Files



#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 July 2009 - 03:41 PM

Hello.

You seem to have a nasty infection on board. Let's see what Combofix has to say.

Instructions on running ComboFix are below.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#8 Rethgif

  • Topic Starter
  • Members
  • 24 posts

Posted 31 July 2009 - 06:09 PM

ComboFix Log below:

ComboFix 09-07-31.02 - Jolynn 07/31/2009 14:42.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.133 [GMT -7:00]
Running from: c:\documents and settings\Jolynn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jolynn\Application Data\Install.dat
c:\documents and settings\Jolynn\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\nexus only\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\nexus only\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\nexus only\Local Settings\Temporary Internet Files\fbk.sts
c:\recycler\S-1-5-21-3600722359-1952902800-2937310470-1003
c:\recycler\S-1-5-21-583907252-2049760794-682003330-1003
c:\recycler\S-1-5-21-606747145-1326574676-725345543-1003
c:\temp\sanR24
c:\temp\sanR24\lDii.log
c:\windows\1001177843.exe
c:\windows\1002406250.exe
c:\windows\985431859.exe
c:\windows\986635578.exe
c:\windows\987838703.exe
c:\windows\989041609.exe
c:\windows\990245453.exe
c:\windows\991448500.exe
c:\windows\992651984.exe
c:\windows\993883187.exe
c:\windows\996314328.exe
c:\windows\997525671.exe
c:\windows\998743140.exe
c:\windows\999966734.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\96c13.msi
c:\windows\patch.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\_000001_.tmp.dll
c:\windows\system32\_000002_.tmp.dll
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000014_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\_000020_.tmp.dll
c:\windows\system32\_000021_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\_003840_.tmp.dll
c:\windows\system32\_004005_.tmp.dll
c:\windows\system32\_004006_.tmp.dll
c:\windows\system32\_004007_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\pal_nmw_a353_r15950.exe
c:\windows\system32\Cache\spywarewall.exe
c:\windows\system32\Cache\sww_searchtool.exe
c:\windows\system32\crosof~1
c:\windows\system32\enegekil.ini
c:\windows\system32\isilivuj.ini
c:\windows\system32\kxvwephk.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Legacy_SCAGENT
-------\Legacy_SVCPROC
-------\Service_Boonty Games


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-19 23:25 . 2009-07-19 23:25 -------- d-----w- c:\documents and settings\Jolynn\Application Data\Malwarebytes
2009-07-19 23:25 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 23:25 . 2009-07-19 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 23:25 . 2009-07-19 23:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 23:25 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 17:36 . 2009-07-19 23:17 -------- d-----w- c:\documents and settings\Jolynn\.housecall6.6
2009-07-19 03:49 . 2009-07-09 07:52 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-19 03:49 . 2009-07-09 07:52 1107224 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssie.dll
2009-07-19 03:49 . 2009-07-09 07:52 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-19 03:49 . 2009-07-09 07:52 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-19 03:49 . 2009-07-09 07:52 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-18 22:45 . 2009-07-18 22:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-15 21:26 . 2009-07-15 21:26 -------- d-sh--w- c:\documents and settings\Jolynn\IECompatCache
2009-07-15 16:08 . 2009-07-15 16:08 -------- d-----w- c:\program files\Trend Micro
2009-07-15 05:47 . 2009-07-15 05:48 -------- d-----w- c:\program files\Apple Software Update
2009-07-15 05:47 . 2009-07-15 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-15 02:43 . 2009-07-15 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-15 02:43 . 2009-07-15 02:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-10 21:53 . 2009-07-10 21:53 -------- d-sh--w- c:\documents and settings\Jolynn\PrivacIE
2009-07-09 18:53 . 2009-07-09 18:53 -------- d-sh--w- c:\documents and settings\Jolynn\IETldCache
2009-07-09 16:07 . 2009-07-09 16:07 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-09 16:07 . 2009-07-09 16:07 -------- d-----w- c:\program files\MSBuild
2009-07-09 16:07 . 2009-07-09 16:07 -------- d-----w- c:\program files\Reference Assemblies
2009-07-09 16:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-09 16:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-09 16:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-09 16:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-09 16:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-09 16:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-09 16:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-09 16:05 . 2009-07-09 16:06 -------- d-----w- C:\e5501bbc2d597e645df055b958b6
2009-07-09 15:51 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-09 15:51 . 2009-07-09 15:51 -------- d-----w- c:\windows\ie8updates
2009-07-09 15:50 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-09 15:50 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-09 15:50 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-09 15:50 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-09 15:48 . 2009-07-09 15:50 -------- dc-h--w- c:\windows\ie8
2009-07-09 15:40 . 2009-07-09 15:40 -------- d-----w- c:\program files\MSXML 4.0
2009-07-09 15:28 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-09 15:28 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-09 15:28 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-09 15:28 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-09 15:28 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-09 15:28 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-09 15:28 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-09 15:28 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-09 15:27 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-09 15:27 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-09 15:27 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-09 15:27 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-09 15:27 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-09 15:27 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-09 15:26 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-09 15:25 . 2008-10-03 10:02 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2009-07-09 15:24 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-09 15:24 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-09 15:24 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-09 15:24 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-09 15:23 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-09 15:22 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-09 15:22 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-09 08:14 . 2009-07-31 18:51 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-09 07:52 . 2009-07-09 07:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-09 07:52 . 2009-07-09 07:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-09 07:52 . 2009-07-09 07:52 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-09 07:52 . 2009-07-31 18:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-09 07:52 . 2009-07-09 07:52 -------- d-----w- c:\program files\AVG
2009-07-09 07:52 . 2009-07-09 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 06:34 . 2009-07-09 06:34 -------- d-----w- c:\windows\system32\scripting
2009-07-09 06:34 . 2009-07-09 06:34 -------- d-----w- c:\windows\l2schemas
2009-07-09 06:34 . 2009-07-09 06:34 -------- d-----w- c:\windows\system32\en
2009-07-09 05:42 . 2008-04-14 00:12 412160 ------w- c:\windows\system32\photometadatahandler.dll
2009-07-09 05:41 . 2008-04-14 00:11 37376 ------w- c:\windows\system32\l2gpstore.dll
2009-07-09 05:40 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll
2009-07-09 04:07 . 2009-07-09 16:09 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-07-09 03:40 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-09 03:38 . 2009-07-09 06:34 -------- d-----w- c:\windows\peernet
2009-07-09 03:38 . 2009-07-09 03:38 -------- d-----w- c:\windows\provisioning
2009-07-09 03:34 . 2009-07-09 03:34 -------- d-----w- c:\windows\ServicePackFiles
2009-07-09 03:23 . 2009-07-09 06:19 -------- d-----w- c:\windows\EHome
2009-07-09 00:03 . 2009-07-09 00:03 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-08 23:50 . 2008-04-14 00:12 50176 ------w- c:\windows\system32\xmlprovi.dll
2009-07-08 23:50 . 2008-04-14 00:12 129024 ------w- c:\windows\system32\xmlprov.dll
2009-07-08 23:50 . 2008-04-14 00:12 13824 ------w- c:\windows\system32\wscntfy.exe
2009-07-08 23:50 . 2008-04-14 00:12 80896 ----a-w- c:\windows\system32\wscsvc.dll
2009-07-08 23:50 . 2008-04-14 00:12 108032 ------w- c:\windows\system32\wshbth.dll
2009-07-08 23:48 . 2008-04-13 18:43 12672 ------w- c:\windows\system32\drivers\mutohpen.sys
2009-07-08 23:47 . 2008-04-14 00:12 23040 ------w- c:\windows\system32\fltmc.exe
2009-07-08 22:35 . 2008-12-16 12:30 354304 ----a-w- c:\windows\system32\winhttp.dll
2009-07-08 22:35 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2009-07-08 18:24 . 2003-04-07 07:05 155648 ----a-w- c:\windows\system32\igfxres.dll
2009-07-08 17:22 . 2002-08-29 12:00 6144 -c--a-w- c:\windows\system32\dllcache\pmxgl.dll
2009-07-08 17:21 . 2008-04-14 00:09 315455 -c--a-w- c:\windows\system32\dllcache\imskf.dll
2009-07-08 17:20 . 2002-08-29 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2009-07-08 17:17 . 2009-07-08 17:17 -------- d-----w- c:\documents and settings\Default User\Application Data\AVG7
2009-07-08 17:15 . 2002-08-29 12:00 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2009-07-08 17:15 . 2002-08-29 12:00 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2009-07-08 17:15 . 2002-08-29 12:00 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2009-07-08 17:15 . 2002-08-29 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-07-08 17:15 . 2008-04-14 00:12 409088 ----a-w- c:\windows\system32\qmgr.dll
2009-07-08 17:15 . 2008-04-14 00:12 239104 ----a-w- c:\windows\system32\srrstr.dll
2009-07-08 17:09 . 2009-07-08 17:09 -------- d-s---w- c:\windows\system32\config\systemprofile\History

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 18:27 . 2004-01-13 23:39 28136 ----a-w- c:\documents and settings\Jolynn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 16:05 . 2005-03-17 07:18 -------- d-----w- c:\program files\Yahoo!
2009-07-16 16:04 . 2008-11-09 06:52 -------- d-----w- c:\program files\Windows Live Toolbar
2009-07-16 15:56 . 2006-06-25 08:10 -------- d-----w- c:\documents and settings\Jolynn\Application Data\Yahoo!
2009-07-16 15:56 . 2006-06-25 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-07-16 15:48 . 2005-11-10 03:53 -------- d-----w- c:\documents and settings\Jolynn\Application Data\Image Zone Express
2009-07-15 17:36 . 2006-11-07 21:41 -------- d--h--w- c:\documents and settings\All Users\Application Data\Move Networks
2009-07-14 08:37 . 2009-06-01 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-10 22:54 . 2005-02-21 02:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-10 22:30 . 2005-02-21 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 18:12 . 2008-02-28 00:36 -------- d-----w- c:\program files\Spyware Doctor
2009-07-10 18:08 . 2008-02-28 00:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 08:39 . 2004-03-01 18:38 -------- d-----w- c:\documents and settings\Guest\Application Data\winpv
2009-07-09 07:52 . 2009-06-01 23:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-09 06:39 . 2009-07-08 17:16 86665 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-07-08 17:17 . 2009-07-08 17:17 2678 ----a-w- c:\windows\java\Packages\Data\T3DND77V.DAT
2009-07-08 17:17 . 2009-07-08 17:17 2678 ----a-w- c:\windows\java\Packages\Data\XFVJNXJ9.DAT
2009-07-08 17:17 . 2009-07-08 17:17 2678 ----a-w- c:\windows\java\Packages\Data\P3JRB5ZX.DAT
2009-07-08 17:17 . 2009-07-08 17:17 2678 ----a-w- c:\windows\java\Packages\Data\VLZVJ9JX.DAT
2009-07-08 17:17 . 2009-07-08 17:17 2678 ----a-w- c:\windows\java\Packages\Data\B9BFNFHR.DAT
2009-07-08 17:14 . 2003-08-26 17:32 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-16 14:36 . 2002-08-29 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2002-08-29 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 05:15 . 2006-06-23 18:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-08-29 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2008-05-02 16:00 . 2008-05-02 06:10 62910 ----a-w- c:\program files\Uninstall.exe
2008-05-02 16:00 . 2008-05-02 06:10 0 ----a-w- c:\program files\uninstall.dat
2005-03-17 06:24 . 2005-03-17 06:24 3895808 ----a-w- c:\program files\sspsetup1_1788740160.exe
2005-02-01 11:33 . 2005-02-01 11:33 10810909 ----a-w- c:\program files\avg70free_300a419.exe
2008-12-20 21:36 . 2007-02-25 23:02 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 21:36 . 2007-02-25 23:02 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 21:36 . 2007-02-25 23:02 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 21:36 . 2007-02-25 23:02 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 21:36 . 2007-02-25 23:02 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2004-01-21 18:07 . 2004-01-03 20:13 2899708 --sha-w- c:\windows\system32\atadniw.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-05-13 21:09 . 2004-05-13 21:09 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2005-05-12 06:12 . 2005-05-12 06:12 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

2006-04-11 00:32 . 2005-04-13 10:48 36975 c:\program files\Java\jre1.5.0_03\bin\bak\jusched.exe

2004-03-09 16:20 . 2004-03-09 16:20 98304 c:\program files\QuickTime\bak\qttask.exe
2007-12-11 17:56 . 2007-12-11 17:56 286720 c:\program files\QuickTime\QTTask.exe

2006-03-20 04:22 . 2006-05-31 15:24 1003520 c:\program files\Real\RealPlayer\bak\realplay.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [N/A]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [N/A]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]
"ViewSonic Explorer V5.3"="c:\windows\msdtcsw32.exe" [N/A]
"Legacy VGA Drivers V1.0"="c:\windows\certproc32.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-09 07:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\df_kmd.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/9/2009 12:52 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/9/2009 12:52 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/9/2009 12:52 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 12:52 AM 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2008 1:30 PM 24652]
S2 EFXFVYMI;EFXFVYMI;\??\c:\windows\System32\efxfvymi.gnf --> c:\windows\System32\efxfvymi.gnf [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/19/2009 4:25 PM 38160]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Legacy VGA Drivers V1.0]
c:\windows\certproc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Explorer V5.3]
c:\windows\msdtcsw32.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{141ffbbc-4aea-4ba5-8d26-668b4b33ae52} - (no file)
BHO-{3251A4BC-14E5-43FA-96DE-DE3749C9E643} - (no file)
BHO-{5293ed22-dd3c-4edc-a82f-5d9926ee9c8a} - (no file)
BHO-{5FAB2024-3793-4C62-8E4A-BB270F9AD35A} - (no file)
BHO-{787e4828-8dbe-45f6-8c87-8dbd7ebb7c4e} - (no file)
ShellIconOverlayIdentifiers-{D82EE906-5D55-4869-CE8C-87DB47137BD7} - (no file)
Notify-iawbgpqf - (no file)
Notify-mljkiij - (no file)
Notify-windata - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uDefault_Search_URL = hxxp://search.msn.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
FF - ProfilePath - c:\documents and settings\Jolynn\Application Data\Mozilla\Firefox\Profiles\tgxeb9gi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 15:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EFXFVYMI]
"ImagePath"="\??\c:\windows\System32\efxfvymi.gnf"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~2\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-07-31 15:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 22:30

Pre-Run: 23,070,896,128 bytes free
Post-Run: 25,359,515,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

348 --- E O F --- 2009-07-15 06:16
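
The ComboFix log above is read by hand in this thread; as an added example that is not part of the thread or of ComboFix, the script below applies the same first-pass checks a responder makes on the "Reg Loading Points" section: Run entries whose target ComboFix could not read ([N/A]) or which sit directly in %windir%, services whose binary has a non-standard extension or could not be read ([?]), and SecurityProviders entries beyond the Windows XP default list (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, a known default rather than something taken from the thread). The sample lines are copied from the log above; the regexes, thresholds and the `triage` function name are my own.

```python
"""First-pass triage of ComboFix 'Reg Loading Points' lines (added example)."""
import re

# Windows XP default value of the SecurityProviders registry value (known default).
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Extensions a registered service/driver binary normally carries.
SERVICE_BINARY_EXTENSIONS = {".exe", ".sys", ".dll"}

# "Name"="path" [date size]   or   "Name"="path" [N/A]
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<info>[^\]]*)\]$')
# R1 Name;Display;path [date size]   or   S2 Name;Display;\??\path --> path [?]
SERVICE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
SECPROV_RE = re.compile(r'^SecurityProviders\s+(?P<list>.+)$')
# An .exe placed directly in c:\windows rather than a program folder.
WINDIR_ROOT_EXE_RE = re.compile(r'^c:\\windows\\[^\\]+\.exe$')


def triage(lines):
    """Return (kind, name, path, reason) tuples for entries that deserve a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_ENTRY_RE.match(line)
        if m:
            path = m.group("path").lower()
            reasons = []
            if m.group("info") == "N/A":
                reasons.append("ComboFix recorded no file metadata ([N/A])")
            if WINDIR_ROOT_EXE_RE.match(path):
                reasons.append("executable sits directly in %windir% rather than a program folder")
            if reasons:
                findings.append(("run", m.group("name"), path, "; ".join(reasons)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name").strip(), m.group("rest")
            # The binary path is everything before ' [' or ' -->'; drop the \??\ NT prefix.
            bin_path = re.split(r"\s+\[|\s+-->", rest)[0].strip().lower().replace("\\??\\", "")
            base = bin_path.rsplit("\\", 1)[-1]
            ext = base[base.rfind("."):] if "." in base else ""
            reasons = []
            if ext not in SERVICE_BINARY_EXTENSIONS:
                reasons.append(f"service binary has unusual extension {ext!r}")
            if rest.rstrip().endswith("[?]"):
                reasons.append("ComboFix could not read the binary ([?])")
            if name == m.group("display").strip() and re.fullmatch(r"[A-Z]{8}", name):
                reasons.append("eight random-looking capitals used as both name and display name")
            if reasons:
                findings.append(("service", name, bin_path, "; ".join(reasons)))
            continue
        m = SECPROV_RE.match(line)
        if m:
            dlls = {d.strip().lower() for d in m.group("list").split(",")}
            for dll in sorted(dlls - DEFAULT_SECURITY_PROVIDERS):
                findings.append(("securityproviders", dll, "",
                                 "not in the default XP SecurityProviders list"))
    return findings


# Lines copied from the ComboFix log in this thread (sample input for the example).
SAMPLE_LOG = [
    r'"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [N/A]',
    r'"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]',
    r'"ViewSonic Explorer V5.3"="c:\windows\msdtcsw32.exe" [N/A]',
    r'"Legacy VGA Drivers V1.0"="c:\windows\certproc32.exe" [N/A]',
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r'SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll',
    r'R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/9/2009 12:52 AM 335752]',
    r'R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2008 1:30 PM 24652]',
    r'S2 EFXFVYMI;EFXFVYMI;\??\c:\windows\System32\efxfvymi.gnf --> c:\windows\System32\efxfvymi.gnf [?]',
    r'S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/19/2009 4:25 PM 38160]',
]


def triage_sample():
    """Run the triage over the sample lines from the thread."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, name, path, reason in triage_sample():
        print(f"[{kind}] {name} {path} :: {reason}")
```

Everything the script reports is a review item, not a verdict: the AVG and Malwarebytes drivers pass cleanly, while the EFXFVYMI service (random name, `.gnf` extension, unreadable binary) is the entry the CFScript in the next reply removes, and the [N/A] Run entries are the kind that a responder checks for a missing or renamed target before deciding anything.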

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:03 PM

Posted 02 August 2009 - 08:51 AM

Hello again.

We are going to run Combofix again with a script.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Folder::
    c:\program files\Java\jre1.5.0_03\bak
    c:\program files\HP\HP Software Update\bak
    c:\program files\Common Files\Real\Update_OB\bak
    c:\program files\Real\RealPlayer\bak
    DDS::
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: windowsupdate.com
    Trusted Zone: windowsupdate.com\download
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EFXFVYMI]
    File::
    c:\windows\System32\efxfvymi.gnf
    Driver::
    EFXFVYMI
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (image omitted: CFScript.txt being dragged onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with both logs in your next reply please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#10 Rethgif

Rethgif
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:03 AM

Posted 02 August 2009 - 10:24 AM

Extremeboy,

After I copied and pasted the text, saved it and dragged the CFScript.txt icon onto the ComboFix.exe icon, it started as expected.

I now have a dialog box that reads as follows:

"There's a newer version of ComboFix available.
Would you like to update ComboFix?"

<Yes> <No>

I want to make sure that the updated version won't throw out the changes that txt file made.

Standing by......

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:03 PM

Posted 02 August 2009 - 10:41 AM

Yes, please press Yes and let Combofix update itself. :thumbup2:

Thanks for letting me know.

~Extremeboy

#12 Rethgif

Rethgif
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:03 AM

Posted 02 August 2009 - 11:00 AM

No problem, Sir.

ComboFix running now and I'll report back w/ requested log files after Malwarebytes runs as well.

Also, do you want a DDS scan as well after Malwarebytes?

Rethgif

Edited by Rethgif, 02 August 2009 - 11:01 AM.


#13 Rethgif

Rethgif
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:03 AM

Posted 02 August 2009 - 11:31 AM

Ok, ComboFix ran, rebooted and generated the log file.

Downloaded and started running Malwarebytes.

While still scanning the Registry, popped a BSOD:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

*** STOP: 0X000000D1 (0X64A552A0, 0X00000002, 0X00000000,0X82A215D8)

Do you want me to attach the MS logs that it will generate after rebooting?

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:03 PM

Posted 02 August 2009 - 11:54 AM

Hello.

Do you want me to attach the MS logs that it will generate after rebooting?

Sure, post the log and I'll see what it says. More info the better.

~Extremeboy

Post the Combofix log file as well. I want to see what happened.

#15 Rethgif

Rethgif
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:03 AM

Posted 02 August 2009 - 11:55 AM

Rebooting now and will post soon.....
