Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with vimax ads redirect rootkit


  • This topic is locked This topic is locked
11 replies to this topic

#1 ercubbies

ercubbies

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 20 August 2009 - 07:26 PM

I got on here wondering if I did have a rootkit and sure enough, I did. Blade Zephon helped me out and with him I had already ran a malwarebytes full scan and I also ran a root repeal scan. topic referenced is here: http://www.bleepingcomputer.com/forums/t/250961/i-think-i-may-have-a-rootkit-vimax-ads-redirecting-really-slow-internet/ ~ OB I then ran a dds scan. Also, for a little more description,, for a little while now I've had very slow internet, and any link I clicked on in google would end up being redirected by mozilla. Also, I've had vimax ads showing up on random websites, and on some where I know they don't belong.

Another DDS log is attached.
Here is the other:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Family at 19:13:31.12 on Thu 08/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.343 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Siber Systems\GoodSync\GoodSync.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [GoodSync] "c:\program files\siber systems\goodsync\GoodSync.exe" /min
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 2007\pccguide.exe"
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220110606171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\t2ils920.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleedcubbieblue.com/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=17650705&tool_id=61057&qkw=
FF - component: c:\documents and settings\family\application data\mozilla\firefox\profiles\t2ils920.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\family\application data\mozilla\firefox\profiles\t2ils920.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-29 480784]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-12-29 943696]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-12-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-8-30 288848]
S2 kvqnv;kvqnv;c:\windows\system32\drivers\yakf.sys --> c:\windows\system32\drivers\yakf.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\gamescampus\mlbdugoutheroes\gameguard\dump_wmimmc.sys --> c:\gamescampus\mlbdugoutheroes\gameguard\dump_wmimmc.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-14 33752]
S3 naecd;naecd;\??\c:\docume~1\family\locals~1\temp\naecd.sys --> c:\docume~1\family\locals~1\temp\naecd.sys [?]

=============== Created Last 30 ================

2009-08-19 18:08 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-19 18:02 --d----- c:\windows\ERUNT
2009-08-19 17:58 --d----- C:\SDFix
2009-08-19 17:19 0 a------- C:\backup.reg
2009-08-19 03:01 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-18 20:55 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-18 20:55 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-18 19:20 --d----- c:\docume~1\family\applic~1\Malwarebytes
2009-08-18 10:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 10:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-18 10:56 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 10:56 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 21:01 --d----- c:\program files\THQ
2009-08-11 19:42 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-08-11 13:21 --d----- c:\windows\pss
2009-08-10 13:15 --d----- c:\program files\Global Star Software
2009-08-10 11:58 --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-08-09 15:11 --d----- c:\docume~1\family\applic~1\BitTorrent
2009-08-08 21:38 --d----- c:\program files\Trymedia
2009-08-06 13:13 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-06 03:10 --d----- c:\windows\system32\XPSViewer
2009-08-06 03:08 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 03:08 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-06 03:08 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 03:08 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 03:08 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-06 03:08 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 03:08 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-06 03:08 --d----- c:\windows\SxsCaPendDel
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 12:21 --d----- c:\program files\Activision
2009-08-01 12:20 306,688 a------- c:\windows\IsUninst.exe
2009-08-01 12:20 911 a------- c:\windows\STA2.ini
2009-07-27 08:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-27 08:15 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 11:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 11:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 06:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 19:13:52.76 ===============









Also, here is my RootRepeal log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 15:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAC6F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B40000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA98D0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\WINDOWS\system32\ESQULnntuikalqpmupxdlechwiwqtoqyxomac.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULtwbcmkagwkkyubgrsnkndovkretuvesm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULzxspectrum
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\ESQULwswtxjiflkharusxwpnbidprqpslhrrv.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULtwbcmkagwkkyubgrsnkndovkretuvesm.dll]
Process: svchost.exe (PID: 1224) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULwswtxjiflkharusxwpnbidprqpslhrrv.sys

==EOF==

Attached Files


Edited by Orange Blossom, 21 August 2009 - 12:26 AM.


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:13 PM

Posted 29 August 2009 - 03:31 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ercubbies

ercubbies
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 29 August 2009 - 03:52 PM

thanks sam! :D about the only thing is i did install combofix but it's still in the command prompt saying its connecting to http://www.microsoft.com and it's been like that for close to five minutes. My computer isn't frozen though. But is this normal?

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:13 PM

Posted 29 August 2009 - 03:57 PM

Give it another five minutes or so and if it's still kind of stuck, stop it and then delete combofix.exe
Follow these steps instead.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 ercubbies

ercubbies
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 29 August 2009 - 04:24 PM

alright man here ya go. ComboFix 09-08-29.01 - Family 08/29/2009 16:01.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.617 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ESQULwswtxjiflkharusxwpnbidprqpslhrrv.sys
c:\windows\system32\ESQULnntuikalqpmupxdlechwiwqtoqyxomac.dll
c:\windows\system32\ESQULtwbcmkagwkkyubgrsnkndovkretuvesm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-21 00:44 . 2009-08-21 00:47 -------- d-----w- c:\windows\system32\NtmsData
2009-08-19 23:08 . 2009-08-19 23:08 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-19 23:02 . 2009-08-19 23:02 -------- d-----w- c:\windows\ERUNT
2009-08-19 22:58 . 2009-08-20 03:55 -------- d-----w- C:\SDFix
2009-08-19 22:19 . 2009-08-19 22:19 0 ----a-w- C:\backup.reg
2009-08-19 08:01 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-19 01:55 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-19 00:20 . 2009-08-19 00:20 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2009-08-18 15:56 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 15:56 . 2009-08-18 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 15:56 . 2009-08-18 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-18 15:56 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-15 02:01 . 2009-08-15 02:01 -------- d-----w- c:\program files\THQ
2009-08-12 00:42 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-11 17:25 . 2009-08-11 17:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-10 18:15 . 2009-08-10 18:15 -------- d-----w- c:\program files\Global Star Software
2009-08-10 16:59 . 2009-02-09 12:10 714752 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
2009-08-10 16:59 . 2009-02-09 12:10 617472 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
2009-08-10 16:59 . 2009-08-10 16:59 611 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E2019AD6F9910A343AB6E64F08186A85.dll
2009-08-10 16:59 . 2009-08-10 16:59 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDA39468D428E8B4DB27C8D5DC5CA217.dll
2009-08-10 16:59 . 2009-08-10 16:59 1180 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F65865963B6B0EB4ABB0F894B53E0233.dll
2009-08-10 16:59 . 2009-08-10 16:59 115 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E37341D10797F2F44A76CA4A0FAE123E.dll
2009-08-10 16:59 . 2009-08-10 16:59 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DC3BF90CC0D3D2F398A9A6D1762F70F3.dll
2009-08-10 16:59 . 2009-08-10 16:59 265 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D169751270508A44CB2FE12E4D938EFD.dll
2009-08-10 16:59 . 2009-08-10 16:59 26 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9F2FDFE0D6387BE43AD230B83D1FBFA2.dll
2009-08-10 16:59 . 2009-08-10 16:59 1232 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_BA5544CE551F1CC44A5C883F77F78968.dll
2009-08-09 20:11 . 2009-08-10 05:04 -------- d-----w- c:\documents and settings\Family\Application Data\BitTorrent
2009-08-09 02:38 . 2009-08-09 02:38 -------- d-----w- c:\program files\Trymedia
2009-08-06 08:10 . 2009-08-06 08:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-06 08:10 . 2009-08-06 08:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 08:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 08:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-06 08:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 08:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 08:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-06 08:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 08:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-06 08:08 . 2009-08-06 08:26 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 06:32 . 2009-07-06 21:33 65536 ----a-w- c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
2009-08-01 17:21 . 2009-08-01 17:21 -------- d-----w- c:\program files\Activision
2009-08-01 17:20 . 2001-05-24 20:00 306688 ----a-w- c:\windows\IsUninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 05:00 . 2009-06-22 00:07 -------- d-----w- c:\program files\Greetings Workshop
2009-08-29 03:54 . 2008-11-13 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-19 08:02 . 2008-08-30 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-18 15:40 . 2008-09-27 19:50 81176 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 15:05 . 2008-11-14 21:45 -------- d-----w- c:\program files\FlightGear
2009-08-12 00:43 . 2008-08-30 14:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 00:30 . 2008-12-19 01:13 -------- d-----w- c:\program files\Microsoft Games
2009-08-11 17:25 . 2008-08-30 14:39 -------- d-----w- c:\program files\Common Files\InstallShield1
2009-08-10 16:59 . 2009-08-10 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-10 16:59 . 2009-08-10 16:58 1864 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9DBD3F2B2D9A83844BD59C71AD3BB23C.dll
2009-08-10 16:29 . 2009-04-25 03:32 -------- d-----w- c:\program files\18 WoS Across America
2009-08-09 20:13 . 2008-08-31 12:36 -------- d-----w- c:\documents and settings\Family\Application Data\GoodSync
2009-08-06 08:10 . 2008-08-30 15:29 -------- d-----w- c:\program files\MSBuild
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 05:00 . 2008-08-31 04:26 -------- d-----w- c:\program files\Trillian
2009-07-27 13:27 . 2009-07-27 13:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-27 13:27 . 2009-07-27 13:27 -------- d-----w- c:\program files\Java
2009-07-27 13:24 . 2009-07-27 13:13 152576 ----a-w- c:\documents and settings\Family\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-27 13:11 . 2008-08-31 12:29 -------- d-----w- c:\documents and settings\Family\Application Data\Apple Computer
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 17:21 . 2004-08-04 10:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 00:02 . 2009-05-01 22:06 -------- d-----w- c:\program files\Starcraft
2009-07-05 08:01 . 2009-07-05 08:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 08:01 . 2009-07-05 08:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:50 . 2006-03-04 03:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-08-30 05:08 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 20:08 . 2009-06-05 20:08 0 ----a-w- c:\windows\PowerReg.dat
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"GoodSync"="c:\program files\Siber Systems\GoodSync\GoodSync.exe" [2008-07-11 2145976]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-27 148888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-29 3429904]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-02 1529856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - c:\program files\Greetings Workshop\GWREMIND.EXE [1997-9-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\FlightGear\\bin\\win32\\fgfs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II The Conquerors Expansion Trial\\age2_x1t.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Firaxis Games\\Civilization III Complete\\Conquests\\Civ3Conquests.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Majesty - Gold Edition\\MajX\\MajX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Global Star Software\\Airport Tycoon 3\\at3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/29/2006 1:53 AM 480784]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [12/29/2006 1:53 AM 943696]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2008 9:29 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [12/29/2006 1:53 AM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/30/2008 9:29 AM 288848]
S2 kvqnv;kvqnv;c:\windows\system32\drivers\yakf.sys --> c:\windows\system32\drivers\yakf.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\gamescampus\MLBDugoutHeroes\GameGuard\dump_wmimmc.sys --> c:\gamescampus\MLBDugoutHeroes\GameGuard\dump_wmimmc.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/14/2008 1:39 PM 33752]
S3 naecd;naecd;\??\c:\docume~1\Family\LOCALS~1\Temp\naecd.sys --> c:\docume~1\Family\LOCALS~1\Temp\naecd.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-28 c:\windows\Tasks\Backup Time Baby!!.job
- c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

2009-08-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-13 21:47]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleedcubbieblue.com/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=17650705&tool_id=61057&qkw=
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 16:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-29 16:39
ComboFix-quarantined-files.txt 2009-08-29 21:39

Pre-Run: 28,907,704,320 bytes free
Post-Run: 29,252,038,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

224 --- E O F --- 2009-08-27 08:00

Edited by ercubbies, 29 August 2009 - 04:43 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:13 PM

Posted 29 August 2009 - 05:39 PM

Looking good! :thumbup2:

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Driver::
naecd
kvqnv
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



======================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Let me know how your computer is behaving now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 ercubbies

ercubbies
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 30 August 2009 - 08:02 PM

MBAM log

Malwarebytes' Anti-Malware 1.40
Database version: 2666
Windows 5.1.2600 Service Pack 3

8/30/2009 8:01:36 PM
mbam-log-2009-08-30 (20-01-36).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 434838
Time elapsed: 1 hour(s), 11 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULnntuikalqpmupxdlechwiwqtoqyxomac.dll.vir (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULtwbcmkagwkkyubgrsnkndovkretuvesm.dll.vir (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULwswtxjiflkharusxwpnbidprqpslhrrv.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{776EEFEE-E554-4625-9708-625E1ECBBFA1}\RP6\A0000001.dll (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{776EEFEE-E554-4625-9708-625E1ECBBFA1}\RP6\A0000002.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{776EEFEE-E554-4625-9708-625E1ECBBFA1}\RP6\A0000003.dll (Trojan.Alureon) -> Quarantined and deleted successfully.






ComboFix Log
ComboFix 09-08-30.01 - Family 08/30/2009 15:41.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.410 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFscript.txt
AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KVQNV
-------\Legacy_NAECD
-------\Service_kvqnv
-------\Service_naecd


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-29 22:06 . 2009-08-29 22:06 -------- d-----w- c:\program files\EA Games
2009-08-21 00:44 . 2009-08-21 00:47 -------- d-----w- c:\windows\system32\NtmsData
2009-08-19 23:08 . 2009-08-19 23:08 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-19 23:02 . 2009-08-19 23:02 -------- d-----w- c:\windows\ERUNT
2009-08-19 22:58 . 2009-08-20 03:55 -------- d-----w- C:\SDFix
2009-08-19 22:19 . 2009-08-19 22:19 0 ----a-w- C:\backup.reg
2009-08-19 08:01 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-19 01:55 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-19 00:20 . 2009-08-19 00:20 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2009-08-18 15:56 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 15:56 . 2009-08-18 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 15:56 . 2009-08-18 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-18 15:56 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-15 02:01 . 2009-08-15 02:01 -------- d-----w- c:\program files\THQ
2009-08-12 00:42 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-11 17:25 . 2009-08-11 17:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-10 18:15 . 2009-08-10 18:15 -------- d-----w- c:\program files\Global Star Software
2009-08-10 16:59 . 2009-02-09 12:10 714752 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
2009-08-10 16:59 . 2009-02-09 12:10 617472 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
2009-08-10 16:59 . 2009-08-10 16:59 611 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E2019AD6F9910A343AB6E64F08186A85.dll
2009-08-10 16:59 . 2009-08-10 16:59 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDA39468D428E8B4DB27C8D5DC5CA217.dll
2009-08-10 16:59 . 2009-08-10 16:59 1180 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F65865963B6B0EB4ABB0F894B53E0233.dll
2009-08-10 16:59 . 2009-08-10 16:59 115 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E37341D10797F2F44A76CA4A0FAE123E.dll
2009-08-10 16:59 . 2009-08-10 16:59 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DC3BF90CC0D3D2F398A9A6D1762F70F3.dll
2009-08-10 16:59 . 2009-08-10 16:59 265 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D169751270508A44CB2FE12E4D938EFD.dll
2009-08-10 16:59 . 2009-08-10 16:59 26 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9F2FDFE0D6387BE43AD230B83D1FBFA2.dll
2009-08-10 16:59 . 2009-08-10 16:59 1232 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_BA5544CE551F1CC44A5C883F77F78968.dll
2009-08-09 20:11 . 2009-08-10 05:04 -------- d-----w- c:\documents and settings\Family\Application Data\BitTorrent
2009-08-09 02:38 . 2009-08-09 02:38 -------- d-----w- c:\program files\Trymedia
2009-08-06 08:10 . 2009-08-06 08:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-06 08:10 . 2009-08-06 08:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 08:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 08:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-06 08:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 08:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 08:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-06 08:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 08:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-06 08:08 . 2009-08-06 08:26 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 06:32 . 2009-07-06 21:33 65536 ----a-w- c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
2009-08-01 17:21 . 2009-08-01 17:21 -------- d-----w- c:\program files\Activision
2009-08-01 17:20 . 2001-05-24 20:00 306688 ----a-w- c:\windows\IsUninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 21:00 . 2009-06-22 00:07 -------- d-----w- c:\program files\Greetings Workshop
2009-08-30 04:55 . 2008-11-13 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-29 22:06 . 2008-11-02 19:17 827 ----a-w- c:\windows\eReg.dat
2009-08-19 08:02 . 2008-08-30 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-18 15:40 . 2008-09-27 19:50 81176 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 15:05 . 2008-11-14 21:45 -------- d-----w- c:\program files\FlightGear
2009-08-12 00:43 . 2008-08-30 14:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 00:30 . 2008-12-19 01:13 -------- d-----w- c:\program files\Microsoft Games
2009-08-11 17:25 . 2008-08-30 14:39 -------- d-----w- c:\program files\Common Files\InstallShield1
2009-08-10 16:59 . 2009-08-10 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-10 16:59 . 2009-08-10 16:58 1864 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9DBD3F2B2D9A83844BD59C71AD3BB23C.dll
2009-08-10 16:29 . 2009-04-25 03:32 -------- d-----w- c:\program files\18 WoS Across America
2009-08-09 20:13 . 2008-08-31 12:36 -------- d-----w- c:\documents and settings\Family\Application Data\GoodSync
2009-08-06 08:10 . 2008-08-30 15:29 -------- d-----w- c:\program files\MSBuild
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 05:00 . 2008-08-31 04:26 -------- d-----w- c:\program files\Trillian
2009-07-27 13:27 . 2009-07-27 13:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-27 13:27 . 2009-07-27 13:27 -------- d-----w- c:\program files\Java
2009-07-27 13:24 . 2009-07-27 13:13 152576 ----a-w- c:\documents and settings\Family\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-27 13:11 . 2008-08-31 12:29 -------- d-----w- c:\documents and settings\Family\Application Data\Apple Computer
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 17:21 . 2004-08-04 10:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 00:02 . 2009-05-01 22:06 -------- d-----w- c:\program files\Starcraft
2009-07-05 08:01 . 2009-07-05 08:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 08:01 . 2009-07-05 08:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-26 16:50 . 2006-03-04 03:33 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-08-30 05:08 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 20:08 . 2009-06-05 20:08 0 ----a-w- c:\windows\PowerReg.dat
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-29_21.34.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-30 20:59 . 2009-08-30 20:59 16384 c:\windows\temp\Perflib_Perfdata_88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"GoodSync"="c:\program files\Siber Systems\GoodSync\GoodSync.exe" [2008-07-11 2145976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-27 148888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-29 3429904]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-02 1529856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - c:\program files\Greetings Workshop\GWREMIND.EXE [1997-9-4 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\FlightGear\\bin\\win32\\fgfs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II The Conquerors Expansion Trial\\age2_x1t.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Firaxis Games\\Civilization III Complete\\Conquests\\Civ3Conquests.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Majesty - Gold Edition\\MajX\\MajX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Global Star Software\\Airport Tycoon 3\\at3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/29/2006 1:53 AM 480784]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [12/29/2006 1:53 AM 943696]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2008 9:29 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [12/29/2006 1:53 AM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/30/2008 9:29 AM 288848]
S3 dump_wmimmc;dump_wmimmc;\??\c:\gamescampus\MLBDugoutHeroes\GameGuard\dump_wmimmc.sys --> c:\gamescampus\MLBDugoutHeroes\GameGuard\dump_wmimmc.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/14/2008 1:39 PM 33752]
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-29 c:\windows\Tasks\Backup Time Baby!!.job
- c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

2009-08-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-13 21:47]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleedcubbieblue.com/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=17650705&tool_id=61057&qkw=
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\t2ils920.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 16:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3448)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Microsoft ActiveSync\rapimgr.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\program files\Trend Micro\Internet Security 2007\PcScnSrv.exe
.
**************************************************************************
.
Completion time: 2009-08-30 16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 21:10
ComboFix2.txt 2009-08-29 21:39

Pre-Run: 28,655,419,392 bytes free
Post-Run: 28,594,290,688 bytes free

235 --- E O F --- 2009-08-27 08:00

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:13 PM

Posted 31 August 2009 - 11:30 AM

Everything looks pretty good to me. How are things on your end?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 ercubbies

ercubbies
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 31 August 2009 - 04:33 PM

a lot better. My internet speed has picked backup, I'm not being redirected and the vimax ads are gone too

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:13 PM

Posted 01 September 2009 - 12:00 PM

Great to hear! :thumbup2:


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:) :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 ercubbies

ercubbies
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 02 September 2009 - 10:35 PM

I did all that! Thanks a lot Sam!

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:13 PM

Posted 03 September 2009 - 11:24 AM

I'm glad I could help you out! :thumbup2:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users