Infected w/ Protection System and I can't get rid of it


20 replies to this topic

#1 waxeddental

waxeddental

  • Members
  • 15 posts

Posted 27 August 2009 - 08:38 PM

I have many pop-ups that say "Security Center Alert: Do you want to block suspicious software? Name: Virus.Win32.Hala.a, Net-Worm.Win32.Mytob.t", "Protection System Network Security Alert", "Network attack rejected!", and continuous pop-ups asking me to activate Protection System antivirus software. The pop-ups start whenever I turn my computer on; I do not even open a browser. Here is my DDS.txt log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by abc at 18:04:05.71 on Thu 08/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.225 [GMT -7:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Protection System\psystem.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\abc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Protection System] "c:\program files\protection system\psystem.exe" -noscan
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &aol toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {cafeefac-0016-0000-0015-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-3-26 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2004-3-26 5248]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-17 55656]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [2002-9-10 14336]
S3 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]
S3 bbwlexjz;bbwlexjz;c:\windows\system32\drivers\bbwlexjz.sys --> c:\windows\system32\drivers\bbwlexjz.sys [?]
S3 blcgdvbn;blcgdvbn;c:\windows\system32\drivers\blcgdvbn.sys --> c:\windows\system32\drivers\blcgdvbn.sys [?]
S3 eusnlqko;eusnlqko;c:\windows\system32\drivers\eusnlqko.sys --> c:\windows\system32\drivers\eusnlqko.sys [?]
S3 fqnotkid;fqnotkid;c:\windows\system32\drivers\fqnotkid.sys --> c:\windows\system32\drivers\fqnotkid.sys [?]
S3 grlqcycu;grlqcycu;c:\windows\system32\drivers\grlqcycu.sys --> c:\windows\system32\drivers\grlqcycu.sys [?]
S3 hjiddecu;hjiddecu;c:\windows\system32\drivers\hjiddecu.sys --> c:\windows\system32\drivers\hjiddecu.sys [?]
S3 ieerghnd;ieerghnd;c:\windows\system32\drivers\ieerghnd.sys --> c:\windows\system32\drivers\ieerghnd.sys [?]
S3 iieluola;iieluola;c:\windows\system32\drivers\iieluola.sys --> c:\windows\system32\drivers\iieluola.sys [?]
S3 jyutevoa;jyutevoa;c:\windows\system32\drivers\jyutevoa.sys --> c:\windows\system32\drivers\jyutevoa.sys [?]
S3 kacuhjos;kacuhjos;c:\windows\system32\drivers\kacuhjos.sys --> c:\windows\system32\drivers\kacuhjos.sys [?]
S3 kghxelzl;kghxelzl;c:\windows\system32\drivers\kghxelzl.sys --> c:\windows\system32\drivers\kghxelzl.sys [?]
S3 kunpwdwl;kunpwdwl;c:\windows\system32\drivers\kunpwdwl.sys --> c:\windows\system32\drivers\kunpwdwl.sys [?]
S3 kwapbfwr;kwapbfwr;c:\windows\system32\drivers\kwapbfwr.sys --> c:\windows\system32\drivers\kwapbfwr.sys [?]
S3 mhvmdtna;mhvmdtna;c:\windows\system32\drivers\mhvmdtna.sys --> c:\windows\system32\drivers\mhvmdtna.sys [?]
S3 ndwuwbec;ndwuwbec;c:\windows\system32\drivers\ndwuwbec.sys --> c:\windows\system32\drivers\ndwuwbec.sys [?]
S3 nynqpcse;nynqpcse;c:\windows\system32\drivers\nynqpcse.sys --> c:\windows\system32\drivers\nynqpcse.sys [?]
S3 pflvkpon;pflvkpon;c:\windows\system32\drivers\pflvkpon.sys --> c:\windows\system32\drivers\pflvkpon.sys [?]
S3 rkrgrfid;rkrgrfid;c:\windows\system32\drivers\rkrgrfid.sys --> c:\windows\system32\drivers\rkrgrfid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 suojpnzx;suojpnzx;c:\windows\system32\drivers\suojpnzx.sys --> c:\windows\system32\drivers\suojpnzx.sys [?]
S3 vjloqktt;vjloqktt;c:\windows\system32\drivers\vjloqktt.sys --> c:\windows\system32\drivers\vjloqktt.sys [?]
S3 vszzejmm;vszzejmm;c:\windows\system32\drivers\vszzejmm.sys --> c:\windows\system32\drivers\vszzejmm.sys [?]
S3 xknjzivx;xknjzivx;c:\windows\system32\drivers\xknjzivx.sys --> c:\windows\system32\drivers\xknjzivx.sys [?]
S3 zlbplwky;zlbplwky;c:\windows\system32\drivers\zlbplwky.sys --> c:\windows\system32\drivers\zlbplwky.sys [?]
S3 zmzsijnt;zmzsijnt;c:\windows\system32\drivers\zmzsijnt.sys --> c:\windows\system32\drivers\zmzsijnt.sys [?]

=============== Created Last 30 ================

2009-08-25 17:24 31,232 a------- c:\windows\system32\wingenocx.dll
2009-08-25 17:23 <DIR> --d----- c:\program files\Protection System
2009-08-24 03:58 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-08-24 03:23 120 a------- c:\windows\Wwoqagidim.dat
2009-08-24 02:58 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-23 20:34 723,456 a------- c:\windows\system32\wscsvc32.exe
2009-08-23 20:34 257,536 a------- c:\windows\system32\resdll.dll
2009-08-23 20:24 62,464 a------- c:\windows\system32\OLD13.tmp
2009-08-23 20:23 102,988 a------- c:\windows\system32\drivers\97c9b68f.sys
2009-08-07 08:41 436,224 a------- c:\windows\isvchost.exe

==================== Find3M ====================

2009-08-05 19:11 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-06-26 09:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 09:18 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-08 08:10 155,136 a------- c:\windows\PEV.exe
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2007-05-08 21:00 20,408 a------- c:\docume~1\abc\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 18:05:14.68 ===============

Thank you for your help. Any guidance would be greatly appreciated.

Edited by waxeddental, 27 August 2009 - 08:39 PM.
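The DDS log above shows two patterns a responder looks for when triaging a rogue-AV infection like this one: a run of S3 drivers with random eight-letter names whose files are already gone, and a BHO/STS entry registered with no friendly name, so DDS prints the DLL's own path where a name should be. The Python below is an added triage example, not part of the post or of the DDS tool; the sample lines are copied from the log above, and the regexes and the eight-lowercase-letter rule are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the posted DDS log, plus the benign
# entries around them so the heuristics have something to leave alone.
SAMPLE_DDS = [
    r"BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll",
    r"BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll",
    r"STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll",
    r"R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-3-26 140800]",
    r"R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-17 55656]",
    r"S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]",
    r"S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]",
    r"S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]",
]

# DDS service/driver line: "R0 name;display;path [date size]" when the file
# exists, or "S3 name;display;path --> resolved [?]" when DDS cannot find it.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)
# DDS COM-object line (BHO:, STS:, TB:): "kind: friendly name: {CLSID} - path"
COM_RE = re.compile(
    r"^(?P<kind>BHO|STS|TB): (?P<name>.+?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
# Assumed heuristic: exactly eight lowercase letters, as in the S3 run above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def _basename(win_path):
    """Last component of a Windows path, independent of the host OS."""
    return win_path.rsplit("\\", 1)[-1]


def triage_dds(lines):
    """Return a list of findings, one dict per suspicious DDS line.

    Rule 1: a service/driver whose file is missing ("[?]") AND whose service
            name looks random (eight lowercase letters). A missing file alone
            is not enough: SetupNTGLM7X is a leftover driver, not a rootkit.
    Rule 2: a BHO/STS/TB entry whose "friendly name" is identical to its own
            DLL path, i.e. the COM server was registered with no name at all.
    """
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            missing = m.group("info") == "?"
            if missing and RANDOM_NAME_RE.match(m.group("name")):
                findings.append({
                    "kind": "driver",
                    "name": m.group("name"),
                    "path": m.group("path"),
                    "reason": "random 8-letter service name and file not found",
                })
            continue
        m = COM_RE.match(line)
        if m and m.group("name").lower() == m.group("path").lower():
            findings.append({
                "kind": m.group("kind"),
                "name": _basename(m.group("path")),
                "path": m.group("path"),
                "reason": "COM object registered with no friendly name",
            })
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['kind']}] {f['name']}: {f['reason']}")
```

Run against the full log, the same two rules would flag the whole S3 run from arvroyzi to zmzsijnt and both tajf83ikdmf.dll entries, while leaving xmasbus, avgntflt and SetupNTGLM7X alone.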




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,960 posts
  • Location:Puerto Rico

Posted 27 August 2009 - 10:46 PM

Hi, waxeddental :(

Welcome.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 waxeddental

waxeddental
  • Topic Starter

  • Members
  • 15 posts

Posted 28 August 2009 - 03:54 AM

Hi JSntgRvr and thank you for your help. Here are my Malwarebytes' Anti-Malware report and my Combofix reports:

Malwarebytes' Anti-Malware 1.40
Database version: 2708
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/28/2009 12:49:07 AM
mbam-log-2009-08-28 (00-49-07).txt

Scan type: Quick Scan
Objects scanned: 97483
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACaebwudpbgr.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\97c9b68f (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\97c9b68f (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\97c9b68f (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACaebwudpbgr.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\97c9b68f.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


ComboFix 09-08-27.06 - abc 08/28/2009 1:21.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.304 [GMT -7:00]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\dhcp
c:\windows\Install.txt
c:\windows\Installer\2467efaf.msi
c:\windows\Installer\27f984.msi
c:\windows\run.log
c:\windows\system32\drivers\UACkxvmtbowil.sys
c:\windows\system32\Install.txt
c:\windows\system32\nerocheck .exe
c:\windows\system32\resdll.dll
c:\windows\system32\UACaebwudpbgr.dll
c:\windows\system32\UACalcdsrqrdk.dll
c:\windows\system32\UACfoivxsmtsa.dll
c:\windows\system32\UACftlwhwwkrr.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqsbnrbfhqk.dat
c:\windows\system32\UACvbxhqqentp.dll
c:\windows\system32\wscsvc32.exe
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-28 07:26 . 2009-08-28 07:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareab
2009-08-25 02:55 . 2009-08-25 02:55 152576 ----a-w- c:\documents and settings\abc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-24 11:31 . 2009-08-24 11:31 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-24 10:58 . 2009-08-24 10:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-24 10:23 . 2009-08-24 10:23 120 ----a-w- c:\windows\Wwoqagidim.dat
2009-08-24 09:58 . 2009-08-24 09:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-24 03:36 . 2009-08-24 03:36 -------- d-----w- c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}
2009-08-07 15:41 . 2009-08-07 15:41 436224 ----a-w- c:\windows\isvchost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 08:21 . 2002-08-29 02:09 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-08-28 07:24 . 2009-01-05 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 00:48 . 2004-01-24 18:53 -------- d-----w- c:\program files\nbpro
2009-08-25 02:55 . 2009-01-05 05:45 -------- d-----w- c:\program files\Java
2009-08-25 02:53 . 2005-04-23 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-25 02:52 . 2005-10-03 00:00 -------- d-----w- c:\program files\EPSON
2009-08-25 02:51 . 2005-07-17 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 02:49 . 2007-10-30 00:00 -------- d-----w- c:\program files\Common Files\Apple
2009-08-25 02:48 . 2007-01-26 14:41 -------- d-----w- c:\program files\Apple Software Update
2009-08-25 01:38 . 2005-03-26 21:38 -------- d-----w- c:\program files\iTunes
2009-08-24 11:26 . 2009-01-11 04:21 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-24 09:55 . 2003-10-12 18:08 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 09:55 . 2003-10-12 18:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 02:11 . 2009-06-17 13:52 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 20:36 . 2009-01-05 01:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-01-05 01:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 12:23 . 2009-01-05 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 16:18 . 2004-08-24 03:32 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-02 21:26 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-10 13:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2002-09-10 13:45 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:27 . 2003-12-17 02:58 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-06-15_03.35.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-08-28 08:31 . 2009-08-28 08:31 16384 c:\windows\temp\Perflib_Perfdata_690.dat
+ 2003-09-26 13:19 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2003-09-26 13:19 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
- 2002-08-29 03:41 . 2009-04-29 04:52 39424 c:\windows\system32\pngfilt.dll
+ 2002-08-29 03:41 . 2009-06-26 16:18 39424 c:\windows\system32\pngfilt.dll
+ 2002-08-29 03:40 . 2004-08-04 07:56 55808 c:\windows\system32\logevent.dll
+ 2002-09-10 13:45 . 2009-06-26 16:18 16384 c:\windows\system32\jsproxy.dll
- 2002-09-10 13:45 . 2009-04-29 04:52 16384 c:\windows\system32\jsproxy.dll
- 2004-08-26 17:53 . 2009-04-29 04:52 96256 c:\windows\system32\inseng.dll
+ 2004-08-26 17:53 . 2009-06-26 16:18 96256 c:\windows\system32\inseng.dll
+ 2004-09-02 21:26 . 2009-06-26 16:18 55808 c:\windows\system32\extmgr.dll
- 2004-09-02 21:26 . 2009-04-29 04:52 55808 c:\windows\system32\extmgr.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:23 . 2009-04-29 04:52 39424 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 16384 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 16384 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 96256 c:\windows\system32\dllcache\inseng.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 96256 c:\windows\system32\dllcache\inseng.dll
- 2009-02-20 08:30 . 2009-04-29 04:52 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 08:30 . 2009-06-26 16:18 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2006-05-09 11:00 . 2009-06-22 11:38 18432 c:\windows\system32\dllcache\iedw.exe
- 2006-05-09 11:00 . 2009-04-27 09:17 18432 c:\windows\system32\dllcache\iedw.exe
+ 2002-09-10 13:45 . 2009-06-16 14:55 82432 c:\windows\system32\dllcache\fontsub.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 55808 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2009-05-30 02:39 . 2009-08-07 16:05 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
- 2009-05-30 02:39 . 2009-06-03 14:04 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-08-24 09:44 . 2009-08-24 11:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082420090825\index.dat
+ 2009-08-24 09:43 . 2009-08-24 09:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009081720090824\index.dat
+ 2009-08-24 03:38 . 2009-08-24 03:38 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009080320090810\index.dat
+ 2003-08-23 06:56 . 2009-08-28 07:51 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-10-02 23:05 . 2005-10-02 23:05 20480 c:\windows\Installer\35252e0.msi
+ 2008-11-13 13:06 . 2008-11-13 13:06 20992 c:\windows\Installer\1e9d4967.msi
+ 2008-11-13 13:05 . 2008-11-13 13:05 24576 c:\windows\Installer\1e9d4962.msi
+ 2009-07-27 14:18 . 2005-10-17 21:14 80896 c:\windows\$NtUninstallKB961371$\fontsub.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB973346\update\spcustom.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB973346\spmsg.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB971633\update\spcustom.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB971633\spmsg.dll
+ 2009-07-27 14:18 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB961371\update\spcustom.dll
+ 2009-07-27 14:18 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB961371\spmsg.dll
+ 2009-06-16 14:43 . 2009-06-16 14:43 81920 c:\windows\$hf_mig$\KB961371\SP3QFE\fontsub.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\$hf_mig$\KB961371\SP3GDR\fontsub.dll
+ 2009-06-16 14:45 . 2009-06-16 14:45 81920 c:\windows\$hf_mig$\KB961371\SP2QFE\fontsub.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2005-05-17 00:25 . 2009-06-22 11:26 352768 c:\windows\system32\xpsp3res.dll
+ 2004-09-24 00:08 . 2009-06-26 16:18 616448 c:\windows\system32\urlmon.dll
- 2004-09-24 00:08 . 2009-04-29 04:52 616448 c:\windows\system32\urlmon.dll
+ 2004-08-20 22:01 . 2009-06-26 16:18 474112 c:\windows\system32\shlwapi.dll
- 2004-08-20 22:01 . 2009-04-29 04:52 474112 c:\windows\system32\shlwapi.dll
- 2002-08-29 03:41 . 2009-04-29 04:52 532480 c:\windows\system32\mstime.dll
+ 2002-08-29 03:41 . 2009-06-26 16:18 532480 c:\windows\system32\mstime.dll
- 2002-08-29 03:41 . 2009-04-29 04:52 449024 c:\windows\system32\mshtmled.dll
+ 2002-08-29 03:41 . 2009-06-26 16:18 449024 c:\windows\system32\mshtmled.dll
+ 2009-08-25 02:56 . 2009-07-25 12:23 149280 c:\windows\system32\javaws.exe
+ 2009-08-25 02:56 . 2009-07-25 12:23 145184 c:\windows\system32\javaw.exe
+ 2009-08-25 02:56 . 2009-07-25 12:23 145184 c:\windows\system32\java.exe
+ 2002-08-29 03:40 . 2009-06-26 16:18 251392 c:\windows\system32\iepeers.dll
- 2002-08-29 03:40 . 2009-04-29 04:52 251392 c:\windows\system32\iepeers.dll
+ 2002-08-29 03:40 . 2009-06-26 16:18 205312 c:\windows\system32\dxtrans.dll
- 2002-08-29 03:40 . 2009-04-29 04:52 205312 c:\windows\system32\dxtrans.dll
- 2002-08-29 03:40 . 2009-04-29 04:52 357888 c:\windows\system32\dxtmsft.dll
+ 2002-08-29 03:40 . 2009-06-26 16:18 357888 c:\windows\system32\dxtmsft.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 659456 c:\windows\system32\dllcache\wininet.dll
- 2006-05-10 05:23 . 2009-04-29 04:52 659456 c:\windows\system32\dllcache\wininet.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 616448 c:\windows\system32\dllcache\urlmon.dll
- 2006-05-10 05:23 . 2009-04-29 04:52 616448 c:\windows\system32\dllcache\urlmon.dll
+ 2009-06-16 14:55 . 2009-06-16 14:55 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2006-05-10 05:23 . 2009-04-29 04:52 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-05-30 01:04 . 2009-08-28 08:21 182912 c:\windows\system32\dllcache\ndis.sys
- 2006-05-10 05:23 . 2009-04-29 04:52 532480 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 532480 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 146432 c:\windows\system32\dllcache\msrating.dll
- 2006-05-10 05:23 . 2009-04-29 04:52 146432 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:23 . 2009-06-26 16:18 449024 c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:23 . 2009-04-29 04:52 449024 c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 205312 c:\windows\system32\dllcache\dxtrans.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 205312 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 357888 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 151040 c:\windows\system32\dllcache\cdfview.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 151040 c:\windows\system32\dllcache\cdfview.dll
- 2002-09-10 13:44 . 2009-04-29 04:52 151040 c:\windows\system32\cdfview.dll
+ 2002-09-10 13:44 . 2009-06-26 16:18 151040 c:\windows\system32\cdfview.dll
+ 2003-08-23 06:59 . 2003-08-23 06:59 264704 c:\windows\Installer\1dcc1.msi
+ 2004-03-27 04:45 . 2004-03-27 04:45 954368 c:\windows\Installer\1c01ea9f.msi
+ 2009-06-17 13:42 . 2009-06-17 13:42 228352 c:\windows\Installer\184352.msi
+ 2004-08-25 16:47 . 2004-08-25 16:47 134656 c:\windows\Installer\11081a.msp
+ 2004-03-10 17:01 . 2004-03-10 17:01 812544 c:\windows\Installer\1107b2.msp
+ 2009-07-27 14:21 . 2008-07-08 13:02 382840 c:\windows\$NtUninstallKB973346$\spuninst\updspapi.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB973346$\spuninst\spuninst.exe
+ 2009-07-27 14:21 . 2008-07-09 07:38 382840 c:\windows\$NtUninstallKB971633$\spuninst\updspapi.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB971633$\spuninst\spuninst.exe
+ 2009-07-27 14:18 . 2005-10-17 21:14 118272 c:\windows\$NtUninstallKB961371$\t2embed.dll
+ 2009-07-27 14:18 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB961371$\spuninst\updspapi.dll
+ 2009-07-27 14:18 . 2008-07-08 13:02 231288 c:\windows\$NtUninstallKB961371$\spuninst\spuninst.exe
+ 2009-07-27 14:21 . 2008-07-08 13:02 382840 c:\windows\$hf_mig$\KB973346\update\updspapi.dll
+ 2009-07-27 14:21 . 2008-07-08 13:02 755576 c:\windows\$hf_mig$\KB973346\update\update.exe
+ 2009-07-27 14:21 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB973346\spuninst.exe
+ 2009-07-27 14:21 . 2008-07-09 07:38 382840 c:\windows\$hf_mig$\KB971633\update\updspapi.dll
+ 2009-07-27 14:21 . 2008-07-09 07:38 755576 c:\windows\$hf_mig$\KB971633\update\update.exe
+ 2009-07-27 14:21 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB971633\spuninst.exe
+ 2009-07-27 14:18 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB961371\update\updspapi.dll
+ 2009-07-27 14:18 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB961371\update\update.exe
+ 2009-07-27 14:18 . 2008-07-08 13:02 231288 c:\windows\$hf_mig$\KB961371\spuninst.exe
+ 2009-06-16 14:43 . 2009-06-16 14:43 119808 c:\windows\$hf_mig$\KB961371\SP3QFE\t2embed.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\$hf_mig$\KB961371\SP3GDR\t2embed.dll
+ 2009-06-16 14:45 . 2009-06-16 14:45 119808 c:\windows\$hf_mig$\KB961371\SP2QFE\t2embed.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2002-07-01 21:38 . 2004-07-17 18:35 1326080 c:\windows\system32\webfldrs.msi
+ 2004-08-27 20:58 . 2009-07-18 16:20 1506304 c:\windows\system32\shdocvw.dll
+ 2004-09-29 07:57 . 2009-07-18 16:20 3062272 c:\windows\system32\mshtml.dll
+ 2006-05-29 15:30 . 2009-07-18 16:20 1506304 c:\windows\system32\dllcache\shdocvw.dll
+ 2007-10-29 22:43 . 2009-06-03 19:27 1290752 c:\windows\system32\dllcache\quartz.dll
+ 2006-05-19 15:08 . 2009-07-18 16:20 3062272 c:\windows\system32\dllcache\mshtml.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 1054208 c:\windows\system32\dllcache\danim.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 1054208 c:\windows\system32\dllcache\danim.dll
+ 2006-05-10 05:22 . 2009-06-26 16:18 1023488 c:\windows\system32\dllcache\browseui.dll
- 2006-05-10 05:22 . 2009-04-29 04:52 1023488 c:\windows\system32\dllcache\browseui.dll
- 2002-08-29 03:40 . 2009-04-29 04:52 1054208 c:\windows\system32\danim.dll
+ 2002-08-29 03:40 . 2009-06-26 16:18 1054208 c:\windows\system32\danim.dll
+ 2003-08-23 06:56 . 2009-08-28 07:51 7192576 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-23 02:34 . 2009-06-26 16:18 1023488 c:\windows\system32\browseui.dll
- 2004-08-23 02:34 . 2009-04-29 04:52 1023488 c:\windows\system32\browseui.dll
+ 2004-07-17 18:35 . 2004-07-17 18:35 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2007-05-25 19:08 . 2007-05-25 19:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2005-01-07 07:04 . 2005-01-07 07:04 3485184 c:\windows\Installer\a6018.msi
+ 2009-01-05 01:20 . 2009-01-05 01:20 1805824 c:\windows\Installer\7a4eab.msi
+ 2005-10-02 23:31 . 2005-10-02 23:31 5864960 c:\windows\Installer\5e126.msp
+ 2008-04-15 05:05 . 2008-04-15 05:05 9633792 c:\windows\Installer\4d9cdde1.msp
+ 2008-04-15 05:00 . 2008-04-15 05:00 3856384 c:\windows\Installer\4d9cd7e6.msi
+ 2009-04-12 17:44 . 2009-04-12 17:44 3851776 c:\windows\Installer\4b80bf.msi
+ 2005-10-02 23:12 . 2005-10-02 23:12 3443712 c:\windows\Installer\357af40.msi
+ 2008-11-13 13:04 . 2008-11-13 13:04 1780736 c:\windows\Installer\1e9d495d.msi
+ 2009-05-07 23:18 . 2009-05-07 23:18 3966976 c:\windows\Installer\1b884c81.msi
+ 2009-05-07 22:56 . 2009-05-07 22:56 1659392 c:\windows\Installer\1b884c4f.msi
+ 2009-05-07 22:52 . 2009-05-07 22:53 8992256 c:\windows\Installer\1b884c49.msi
+ 2009-06-17 13:17 . 2009-06-17 13:17 1563648 c:\windows\Installer\148a0.msi
+ 2005-03-26 21:36 . 2005-03-26 21:36 7846912 c:\windows\Installer\12676ff9.msi
+ 2004-09-22 03:46 . 2004-09-22 03:46 3865088 c:\windows\Installer\11082f.msp
+ 2004-09-13 08:35 . 2004-09-13 08:35 1452544 c:\windows\Installer\110805.msp
+ 2004-11-18 00:29 . 2004-11-18 00:29 6017024 c:\windows\Installer\105ab093.msi
+ 2004-11-18 00:29 . 2004-11-18 00:29 5892096 c:\windows\Installer\105ab089.msi
+ 2009-07-27 14:21 . 2008-12-20 22:43 1287680 c:\windows\$NtUninstallKB971633$\quartz.dll
+ 2004-10-29 13:20 . 2002-07-01 21:38 1325568 c:\windows\$NtServicePackUninstall$\webfldrs.msi
+ 2009-06-03 19:12 . 2009-06-03 19:12 1291264 c:\windows\$hf_mig$\KB971633\SP3QFE\quartz.dll
+ 2009-06-03 19:09 . 2009-06-03 19:09 1291264 c:\windows\$hf_mig$\KB971633\SP3GDR\quartz.dll
+ 2009-06-03 19:24 . 2009-06-03 19:24 1291264 c:\windows\$hf_mig$\KB971633\SP2QFE\quartz.dll
+ 2005-05-11 02:38 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
+ 2009-04-12 17:47 . 2009-04-12 17:47 29457920 c:\windows\Installer\4b86e1.msp
+ 2005-10-02 23:17 . 2005-10-02 23:17 19210240 c:\windows\Installer\323de.msp
+ 2007-08-15 23:55 . 2007-08-15 23:55 15256576 c:\windows\Installer\1e0d9e3f.msp
+ 2004-01-30 11:19 . 2004-01-30 11:19 56269996 c:\windows\Installer\11079f.msp
+ 2005-03-26 21:34 . 2005-03-26 21:34 27464704 c:\windows\Downloaded Installations\{F021361C-F1A6-4269-AF68-361A943D7D13}\iPod for Windows 2005-01-11.msi
+ 2004-11-18 00:29 . 2004-11-18 00:29 19069440 c:\windows\Downloaded Installations\{92C299DB-F4E8-46B3-BEC6-27D1117B177C}\iTunes.msi
+ 2004-11-18 00:37 . 2004-11-18 00:37 20807680 c:\windows\Downloaded Installations\{8A232810-B5F1-48DD-A63D-B439D7680D94}\iTunes.msi
+ 2005-03-26 21:37 . 2005-03-26 21:37 20877312 c:\windows\Downloaded Installations\{628E8630-7947-49EA-BE90-7F8BFF77A79C}\iTunes.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-23 156784]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-12 118784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^abc^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=c:\documents and settings\abc\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=c:\windows\pss\BHODemon 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"8449:TCP"= 8449:TCP:BitComet 8449 TCP
"8449:UDP"= 8449:UDP:BitComet 8449 UDP

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [3/26/2004 9:45 PM 5248]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]
S3 bbwlexjz;bbwlexjz;c:\windows\system32\drivers\bbwlexjz.sys --> c:\windows\system32\drivers\bbwlexjz.sys [?]
S3 blcgdvbn;blcgdvbn;c:\windows\system32\drivers\blcgdvbn.sys --> c:\windows\system32\drivers\blcgdvbn.sys [?]
S3 eusnlqko;eusnlqko;c:\windows\system32\drivers\eusnlqko.sys --> c:\windows\system32\drivers\eusnlqko.sys [?]
S3 fqnotkid;fqnotkid;c:\windows\system32\drivers\fqnotkid.sys --> c:\windows\system32\drivers\fqnotkid.sys [?]
S3 grlqcycu;grlqcycu;c:\windows\system32\drivers\grlqcycu.sys --> c:\windows\system32\drivers\grlqcycu.sys [?]
S3 hjiddecu;hjiddecu;c:\windows\system32\drivers\hjiddecu.sys --> c:\windows\system32\drivers\hjiddecu.sys [?]
S3 ieerghnd;ieerghnd;c:\windows\system32\drivers\ieerghnd.sys --> c:\windows\system32\drivers\ieerghnd.sys [?]
S3 iieluola;iieluola;c:\windows\system32\drivers\iieluola.sys --> c:\windows\system32\drivers\iieluola.sys [?]
S3 jyutevoa;jyutevoa;c:\windows\system32\drivers\jyutevoa.sys --> c:\windows\system32\drivers\jyutevoa.sys [?]
S3 kacuhjos;kacuhjos;c:\windows\system32\drivers\kacuhjos.sys --> c:\windows\system32\drivers\kacuhjos.sys [?]
S3 kghxelzl;kghxelzl;c:\windows\system32\drivers\kghxelzl.sys --> c:\windows\system32\drivers\kghxelzl.sys [?]
S3 kunpwdwl;kunpwdwl;c:\windows\system32\drivers\kunpwdwl.sys --> c:\windows\system32\drivers\kunpwdwl.sys [?]
S3 kwapbfwr;kwapbfwr;c:\windows\system32\drivers\kwapbfwr.sys --> c:\windows\system32\drivers\kwapbfwr.sys [?]
S3 mhvmdtna;mhvmdtna;c:\windows\system32\drivers\mhvmdtna.sys --> c:\windows\system32\drivers\mhvmdtna.sys [?]
S3 ndwuwbec;ndwuwbec;c:\windows\system32\drivers\ndwuwbec.sys --> c:\windows\system32\drivers\ndwuwbec.sys [?]
S3 nynqpcse;nynqpcse;c:\windows\system32\drivers\nynqpcse.sys --> c:\windows\system32\drivers\nynqpcse.sys [?]
S3 pflvkpon;pflvkpon;c:\windows\system32\drivers\pflvkpon.sys --> c:\windows\system32\drivers\pflvkpon.sys [?]
S3 rkrgrfid;rkrgrfid;c:\windows\system32\drivers\rkrgrfid.sys --> c:\windows\system32\drivers\rkrgrfid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 suojpnzx;suojpnzx;c:\windows\system32\drivers\suojpnzx.sys --> c:\windows\system32\drivers\suojpnzx.sys [?]
S3 vjloqktt;vjloqktt;c:\windows\system32\drivers\vjloqktt.sys --> c:\windows\system32\drivers\vjloqktt.sys [?]
S3 vszzejmm;vszzejmm;c:\windows\system32\drivers\vszzejmm.sys --> c:\windows\system32\drivers\vszzejmm.sys [?]
S3 xknjzivx;xknjzivx;c:\windows\system32\drivers\xknjzivx.sys --> c:\windows\system32\drivers\xknjzivx.sys [?]
S3 zlbplwky;zlbplwky;c:\windows\system32\drivers\zlbplwky.sys --> c:\windows\system32\drivers\zlbplwky.sys [?]
S3 zmzsijnt;zmzsijnt;c:\windows\system32\drivers\zmzsijnt.sys --> c:\windows\system32\drivers\zmzsijnt.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-28 1:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 08:37
ComboFix2.txt 2009-06-15 04:01
ComboFix3.txt 2009-06-15 03:38
ComboFix4.txt 2009-05-30 15:24
ComboFix5.txt 2009-08-28 07:58

Pre-Run: 3,620,794,368 bytes free
Post-Run: 3,651,952,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

372 --- E O F --- 2009-07-31 07:27

#4 JSntgRvr
Master Surgeon General, Malware Response Team, 11,960 posts, Location: Puerto Rico

Posted 28 August 2009 - 10:13 AM

Hi, waxeddental :(
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
c:\windows\isvchost.exe
c:\windows\system32\drivers\arvroyzi.sys
c:\windows\system32\drivers\batqmrjv.sys
c:\windows\system32\drivers\bbwlexjz.sys
c:\windows\system32\drivers\blcgdvbn.sys
c:\windows\system32\drivers\eusnlqko.sys
c:\windows\system32\drivers\fqnotkid.sys
c:\windows\system32\drivers\grlqcycu.sys
c:\windows\system32\drivers\hjiddecu.sys
c:\windows\system32\drivers\ieerghnd.sys
c:\windows\system32\drivers\iieluola.sys
c:\windows\system32\drivers\jyutevoa.sys
c:\windows\system32\drivers\kacuhjos.sys
c:\windows\system32\drivers\kghxelzl.sys
c:\windows\system32\drivers\kunpwdwl.sys
c:\windows\system32\drivers\kwapbfwr.sys
c:\windows\system32\drivers\mhvmdtna.sys
c:\windows\system32\drivers\ndwuwbec.sys
c:\windows\system32\drivers\nynqpcse.sys
c:\windows\system32\drivers\pflvkpon.sys
c:\windows\system32\drivers\rkrgrfid.sys
d:\ntglm7x.sys
c:\windows\system32\drivers\suojpnzx.sys
c:\windows\system32\drivers\vjloqktt.sys
c:\windows\system32\drivers\vszzejmm.sys
c:\windows\system32\drivers\xknjzivx.sys
c:\windows\system32\drivers\zlbplwky.sys
c:\windows\system32\drivers\zmzsijnt.sys

Driver::
evdoserver
arvroyzi
batqmrjv
bbwlexjz
blcgdvbn
eusnlqko
fqnotkid
grlqcycu
hjiddecu
ieerghnd
iieluola
jyutevoa
kacuhjos
kghxelzl
kunpwdwl
kwapbfwr
mhvmdtna
ndwuwbec
nynqpcse
pflvkpon
rkrgrfid
SetupNTGLM7X
suojpnzx
vjloqktt
vszzejmm
xknjzivx
zlbplwky
zmzsijnt

[Image: CFScript.txt being dragged onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u15-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

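The CFScript above was assembled by hand from the service entries in the ComboFix log: drivers whose binary is already gone ("[?]") and whose names are eight random letters. As an added illustration, not a tool from the thread or from ComboFix, the following Python parses those "Reg Loading Points" service lines, applies that same triage rule, and drafts the File::/Driver:: sections for an analyst to review. The sample lines are copied from the log above; the random-name rule is a heuristic, and the test shows it deliberately does not catch entries such as SetupNTGLM7X or evdoserver, which the helper removed on judgement.

```python
"""Triage ComboFix service entries and draft a CFScript for analyst review (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: six service lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
S2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 kghxelzl;kghxelzl;c:\windows\system32\drivers\kghxelzl.sys --> c:\windows\system32\drivers\kghxelzl.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
"""

# ComboFix prints "<start> <name>;<display name>;<image path> [timestamp size]".
# When the image file is missing it prints "<registry value> --> <resolved path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# Heuristic: eight lowercase letters with no digits or mixed case, as in the log above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Service:
    start: str    # start type column, e.g. "S3" or "R?2"
    name: str     # service/driver key name
    image: str    # image path with the trailing "[...]" annotation stripped
    missing: bool # True when ComboFix flagged the binary as not found ("[?]")


def parse_services(text: str) -> List[Service]:
    """Parse the service lines of a ComboFix 'Reg Loading Points' section."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]")
        # For "-->" lines the right-hand side is the resolved on-disk path.
        image = rest.split("-->", 1)[1] if "-->" in rest else rest
        # Drop the trailing "[timestamp size]" or "[?]" and any surrounding quotes.
        image = re.sub(r"\s*\[[^\]]*\]\s*$", "", image).strip().strip('"')
        services.append(Service(m.group("start"), m.group("name"), image, missing))
    return services


def looks_random(name: str) -> bool:
    """True for machine-generated-looking names such as 'arvroyzi'."""
    return bool(RANDOM_NAME_RE.match(name))


def suspicious(services: List[Service]) -> List[Service]:
    """Entries whose binary is already gone AND whose name looks random.

    Both conditions are required: a missing binary alone also describes
    uninstalled legitimate software (the Avira scheduler line above).
    """
    return [s for s in services if s.missing and looks_random(s.name)]


def build_cfscript(findings: List[Service]) -> str:
    """Draft CFScript text in the File:: / Driver:: layout used in the thread."""
    lines = ["File::"] + [s.image for s in findings]
    lines += ["Driver::"] + [s.name for s in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious(parse_services(SAMPLE_LOG))
    print(build_cfscript(found))
```

The draft is a starting point only; each entry still needs the kind of per-service judgement the helper applied before a script is run.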

#5 waxeddental
Topic Starter, Members, 15 posts

Posted 30 August 2009 - 02:41 PM

Hi JSntgRvr
Sorry it's taken me a while to post these reports. I had a very hard time with the Kaspersky scanner. It kept hanging on me after scanning for over 2 hours. I finally got it to work. Here are the two reports you instructed me to post:

ComboFix 09-08-28.01 - abc 08/28/2009 18:16.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.273 [GMT -7:00]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-28 07:26 . 2009-08-28 07:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareab
2009-08-25 02:55 . 2009-08-25 02:55 152576 ----a-w- c:\documents and settings\abc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-24 11:31 . 2009-08-24 11:31 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-24 10:58 . 2009-08-24 10:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-24 10:23 . 2009-08-24 10:23 120 ----a-w- c:\windows\Wwoqagidim.dat
2009-08-24 09:58 . 2009-08-24 09:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-24 03:36 . 2009-08-24 03:36 -------- d-----w- c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}
2009-08-07 15:41 . 2009-08-07 15:41 436224 ----a-w- c:\windows\isvchost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 08:21 . 2002-08-29 02:09 182912 ------w- c:\windows\system32\drivers\ndis.sys
2009-08-28 07:24 . 2009-01-05 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 00:48 . 2004-01-24 18:53 -------- d-----w- c:\program files\nbpro
2009-08-25 02:55 . 2009-01-05 05:45 -------- d-----w- c:\program files\Java
2009-08-25 02:53 . 2005-04-23 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-25 02:52 . 2005-10-03 00:00 -------- d-----w- c:\program files\EPSON
2009-08-25 02:51 . 2005-07-17 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 02:49 . 2007-10-30 00:00 -------- d-----w- c:\program files\Common Files\Apple
2009-08-25 02:48 . 2007-01-26 14:41 -------- d-----w- c:\program files\Apple Software Update
2009-08-25 01:38 . 2005-03-26 21:38 -------- d-----w- c:\program files\iTunes
2009-08-24 11:26 . 2009-01-11 04:21 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-24 09:55 . 2003-10-12 18:08 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 09:55 . 2003-10-12 18:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 02:11 . 2009-06-17 13:52 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 20:36 . 2009-01-05 01:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-01-05 01:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 12:23 . 2009-01-05 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 16:18 . 2004-08-24 03:32 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-02 21:26 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-10 13:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2002-09-10 13:45 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:27 . 2003-12-17 02:58 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-28_08.31.34 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-23 156784]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-12 118784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^abc^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=c:\documents and settings\abc\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=c:\windows\pss\BHODemon 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"8449:TCP"= 8449:TCP:BitComet 8449 TCP
"8449:UDP"= 8449:UDP:BitComet 8449 UDP

R?2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [3/26/2004 9:45 PM 5248]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]
S3 bbwlexjz;bbwlexjz;c:\windows\system32\drivers\bbwlexjz.sys --> c:\windows\system32\drivers\bbwlexjz.sys [?]
S3 blcgdvbn;blcgdvbn;c:\windows\system32\drivers\blcgdvbn.sys --> c:\windows\system32\drivers\blcgdvbn.sys [?]
S3 eusnlqko;eusnlqko;c:\windows\system32\drivers\eusnlqko.sys --> c:\windows\system32\drivers\eusnlqko.sys [?]
S3 fqnotkid;fqnotkid;c:\windows\system32\drivers\fqnotkid.sys --> c:\windows\system32\drivers\fqnotkid.sys [?]
S3 grlqcycu;grlqcycu;c:\windows\system32\drivers\grlqcycu.sys --> c:\windows\system32\drivers\grlqcycu.sys [?]
S3 hjiddecu;hjiddecu;c:\windows\system32\drivers\hjiddecu.sys --> c:\windows\system32\drivers\hjiddecu.sys [?]
S3 ieerghnd;ieerghnd;c:\windows\system32\drivers\ieerghnd.sys --> c:\windows\system32\drivers\ieerghnd.sys [?]
S3 iieluola;iieluola;c:\windows\system32\drivers\iieluola.sys --> c:\windows\system32\drivers\iieluola.sys [?]
S3 jyutevoa;jyutevoa;c:\windows\system32\drivers\jyutevoa.sys --> c:\windows\system32\drivers\jyutevoa.sys [?]
S3 kacuhjos;kacuhjos;c:\windows\system32\drivers\kacuhjos.sys --> c:\windows\system32\drivers\kacuhjos.sys [?]
S3 kghxelzl;kghxelzl;c:\windows\system32\drivers\kghxelzl.sys --> c:\windows\system32\drivers\kghxelzl.sys [?]
S3 kunpwdwl;kunpwdwl;c:\windows\system32\drivers\kunpwdwl.sys --> c:\windows\system32\drivers\kunpwdwl.sys [?]
S3 kwapbfwr;kwapbfwr;c:\windows\system32\drivers\kwapbfwr.sys --> c:\windows\system32\drivers\kwapbfwr.sys [?]
S3 mhvmdtna;mhvmdtna;c:\windows\system32\drivers\mhvmdtna.sys --> c:\windows\system32\drivers\mhvmdtna.sys [?]
S3 ndwuwbec;ndwuwbec;c:\windows\system32\drivers\ndwuwbec.sys --> c:\windows\system32\drivers\ndwuwbec.sys [?]
S3 nynqpcse;nynqpcse;c:\windows\system32\drivers\nynqpcse.sys --> c:\windows\system32\drivers\nynqpcse.sys [?]
S3 pflvkpon;pflvkpon;c:\windows\system32\drivers\pflvkpon.sys --> c:\windows\system32\drivers\pflvkpon.sys [?]
S3 rkrgrfid;rkrgrfid;c:\windows\system32\drivers\rkrgrfid.sys --> c:\windows\system32\drivers\rkrgrfid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 suojpnzx;suojpnzx;c:\windows\system32\drivers\suojpnzx.sys --> c:\windows\system32\drivers\suojpnzx.sys [?]
S3 vjloqktt;vjloqktt;c:\windows\system32\drivers\vjloqktt.sys --> c:\windows\system32\drivers\vjloqktt.sys [?]
S3 vszzejmm;vszzejmm;c:\windows\system32\drivers\vszzejmm.sys --> c:\windows\system32\drivers\vszzejmm.sys [?]
S3 xknjzivx;xknjzivx;c:\windows\system32\drivers\xknjzivx.sys --> c:\windows\system32\drivers\xknjzivx.sys [?]
S3 zlbplwky;zlbplwky;c:\windows\system32\drivers\zlbplwky.sys --> c:\windows\system32\drivers\zlbplwky.sys [?]
S3 zmzsijnt;zmzsijnt;c:\windows\system32\drivers\zmzsijnt.sys --> c:\windows\system32\drivers\zmzsijnt.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 18:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-29 18:27
ComboFix-quarantined-files.txt 2009-08-29 01:27
ComboFix2.txt 2009-08-28 08:37
ComboFix3.txt 2009-06-15 04:01
ComboFix4.txt 2009-06-15 03:38
ComboFix5.txt 2009-08-29 01:15

Pre-Run: 3,623,960,576 bytes free
Post-Run: 3,573,026,816 bytes free

151 --- E O F --- 2009-07-31 07:27



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 30, 2009 16:51:09
Records in database: 2729445
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 100886
Threats found: 19
Infected objects found: 86
Suspicious objects found: 0
Scan duration: 02:32:59


File name / Threat / Threats count
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.h 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.b 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.a 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan.Win32.Scapur.g 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.Connector 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.vdb 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.a 2
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula.a 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 2
C:\Documents and Settings\Administrator\My Documents\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.SideSearch.l 1
C:\Documents and Settings\Administrator\My Documents\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.IGetNet.a 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.h 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.b 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.a 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan.Win32.Scapur.g 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.Connector 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.vdb 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.a 2
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula.a 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 2
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.SideSearch.l 1
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.IGetNet.a 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.h 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.b 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.a 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan.Win32.Scapur.g 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.Connector 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.vdb 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.a 2
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula.a 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 2
C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.SideSearch.l 1
C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.IGetNet.a 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b 3
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.h 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.b 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Turown.a 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan.Win32.Scapur.g 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.Connector 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: Trojan-Downloader.Win32.Agent.vdb 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.a 2
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe Infected: not-a-virus:AdWare.Win32.EZula.a 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 2
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.SideSearch.l 1
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe Infected: not-a-virus:AdWare.Win32.IGetNet.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir Infected: Virus.Win32.Protector.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACaebwudpbgr.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACalcdsrqrdk.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfoivxsmtsa.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvbxhqqentp.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: not-a-virus:FraudTool.Win32.Agent.vz 1

Selected area has been scanned.


Once again, thank you for all your help.

#6 JSntgRvr

    Master Surgeon General
  • Malware Response Team
  • 11,960 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 August 2009 - 05:24 PM

Hi, waxeddental :(
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
c:\windows\isvchost.exe
c:\windows\system32\drivers\arvroyzi.sys
c:\windows\system32\drivers\batqmrjv.sys
c:\windows\system32\drivers\bbwlexjz.sys
c:\windows\system32\drivers\blcgdvbn.sys
c:\windows\system32\drivers\eusnlqko.sys
c:\windows\system32\drivers\fqnotkid.sys
c:\windows\system32\drivers\grlqcycu.sys
c:\windows\system32\drivers\hjiddecu.sys
c:\windows\system32\drivers\ieerghnd.sys
c:\windows\system32\drivers\iieluola.sys
c:\windows\system32\drivers\jyutevoa.sys
c:\windows\system32\drivers\kacuhjos.sys
c:\windows\system32\drivers\kghxelzl.sys
c:\windows\system32\drivers\kunpwdwl.sys
c:\windows\system32\drivers\kwapbfwr.sys
c:\windows\system32\drivers\mhvmdtna.sys
c:\windows\system32\drivers\ndwuwbec.sys
c:\windows\system32\drivers\nynqpcse.sys
c:\windows\system32\drivers\pflvkpon.sys
c:\windows\system32\drivers\rkrgrfid.sys
d:\ntglm7x.sys
c:\windows\system32\drivers\suojpnzx.sys
c:\windows\system32\drivers\vjloqktt.sys
c:\windows\system32\drivers\vszzejmm.sys
c:\windows\system32\drivers\xknjzivx.sys
c:\windows\system32\drivers\zlbplwky.sys
c:\windows\system32\drivers\zmzsijnt.sys
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe
C:\Documents and Settings\Administrator\My Documents\Data\all_files4b.exe
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4b.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe

Driver::
evdoserver
arvroyzi
batqmrjv
bbwlexjz
blcgdvbn
eusnlqko
fqnotkid
grlqcycu
hjiddecu
ieerghnd
iieluola
jyutevoa
kacuhjos
kghxelzl
kunpwdwl
kwapbfwr
mhvmdtna
ndwuwbec
nynqpcse
pflvkpon
rkrgrfid
SetupNTGLM7X
suojpnzx
vjloqktt
vszzejmm
xknjzivx
zlbplwky
zmzsijnt

Posted Image

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe, and post back the resulting report.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 waxeddental

  • Topic Starter
  • Members
  • 15 posts

Posted 30 August 2009 - 08:35 PM

Hi JSntgRvr,

Here is the latest Combofix log:


ComboFix 09-08-30.01 - abc 08/30/2009 18:12.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.328 [GMT -7:00]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
.
/wow section - STAGE 10
Access is denied.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}
c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}\chrome.manifest
c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}\chrome\content\_cfg.js
c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}\chrome\content\overlay.xul
c:\documents and settings\abc\Local Settings\Application Data\{7832857B-BD46-4296-B7F0-0C8D7A73265D}\install.rdf
c:\windows\grep.exe
c:\windows\NIRCMD.exe
c:\windows\PEV.exe
c:\windows\sed.exe
c:\windows\SWREG.exe
c:\windows\SWSC.exe
c:\windows\SWXCACLS.exe
c:\windows\zip.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-29 01:38 . 2009-08-29 01:38 -------- d-----w- c:\windows\LastGood
2009-08-28 07:26 . 2009-08-28 07:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareab
2009-08-25 02:55 . 2009-08-25 02:55 152576 ----a-w- c:\documents and settings\abc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-24 11:31 . 2009-08-24 11:31 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-24 10:58 . 2009-08-24 10:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-24 10:23 . 2009-08-24 10:23 120 ----a-w- c:\windows\Wwoqagidim.dat
2009-08-24 09:58 . 2009-08-24 09:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-07 15:41 . 2009-08-07 15:41 436224 ----a-w- c:\windows\isvchost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 01:35 . 2009-01-05 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-28 08:21 . 2002-08-29 02:09 182912 ------w- c:\windows\system32\drivers\ndis.sys
2009-08-28 07:24 . 2009-01-05 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 00:48 . 2004-01-24 18:53 -------- d-----w- c:\program files\nbpro
2009-08-25 02:55 . 2009-01-05 05:45 -------- d-----w- c:\program files\Java
2009-08-25 02:53 . 2005-04-23 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-25 02:52 . 2005-10-03 00:00 -------- d-----w- c:\program files\EPSON
2009-08-25 02:51 . 2005-07-17 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 02:49 . 2007-10-30 00:00 -------- d-----w- c:\program files\Common Files\Apple
2009-08-25 02:48 . 2007-01-26 14:41 -------- d-----w- c:\program files\Apple Software Update
2009-08-25 01:38 . 2005-03-26 21:38 -------- d-----w- c:\program files\iTunes
2009-08-24 11:26 . 2009-01-11 04:21 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-24 09:55 . 2003-10-12 18:08 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 09:55 . 2003-10-12 18:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 02:11 . 2009-06-17 13:52 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 20:36 . 2009-01-05 01:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-01-05 01:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 16:18 . 2004-08-24 03:32 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-02 21:26 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-10 13:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2002-09-10 13:45 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:27 . 2003-12-17 02:58 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-28_08.31.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-29 01:35 . 2009-08-29 01:35 149280 c:\windows\system32\javaws.exe
- 2009-08-25 02:56 . 2009-07-25 12:23 149280 c:\windows\system32\javaws.exe
+ 2009-08-29 01:35 . 2009-08-29 01:35 145184 c:\windows\system32\javaw.exe
- 2009-08-25 02:56 . 2009-07-25 12:23 145184 c:\windows\system32\javaw.exe
+ 2009-08-29 01:35 . 2009-08-29 01:35 145184 c:\windows\system32\java.exe
- 2009-08-25 02:56 . 2009-07-25 12:23 145184 c:\windows\system32\java.exe
+ 2009-08-29 01:35 . 2009-08-29 01:35 1757696 c:\windows\Installer\63f395.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-23 156784]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-12 118784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^abc^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=c:\documents and settings\abc\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=c:\windows\pss\BHODemon 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"8449:TCP"= 8449:TCP:BitComet 8449 TCP
"8449:UDP"= 8449:UDP:BitComet 8449 UDP

R?2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [3/26/2004 9:45 PM 5248]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]
S3 bbwlexjz;bbwlexjz;c:\windows\system32\drivers\bbwlexjz.sys --> c:\windows\system32\drivers\bbwlexjz.sys [?]
S3 blcgdvbn;blcgdvbn;c:\windows\system32\drivers\blcgdvbn.sys --> c:\windows\system32\drivers\blcgdvbn.sys [?]
S3 eusnlqko;eusnlqko;c:\windows\system32\drivers\eusnlqko.sys --> c:\windows\system32\drivers\eusnlqko.sys [?]
S3 fqnotkid;fqnotkid;c:\windows\system32\drivers\fqnotkid.sys --> c:\windows\system32\drivers\fqnotkid.sys [?]
S3 grlqcycu;grlqcycu;c:\windows\system32\drivers\grlqcycu.sys --> c:\windows\system32\drivers\grlqcycu.sys [?]
S3 hjiddecu;hjiddecu;c:\windows\system32\drivers\hjiddecu.sys --> c:\windows\system32\drivers\hjiddecu.sys [?]
S3 ieerghnd;ieerghnd;c:\windows\system32\drivers\ieerghnd.sys --> c:\windows\system32\drivers\ieerghnd.sys [?]
S3 iieluola;iieluola;c:\windows\system32\drivers\iieluola.sys --> c:\windows\system32\drivers\iieluola.sys [?]
S3 jyutevoa;jyutevoa;c:\windows\system32\drivers\jyutevoa.sys --> c:\windows\system32\drivers\jyutevoa.sys [?]
S3 kacuhjos;kacuhjos;c:\windows\system32\drivers\kacuhjos.sys --> c:\windows\system32\drivers\kacuhjos.sys [?]
S3 kghxelzl;kghxelzl;c:\windows\system32\drivers\kghxelzl.sys --> c:\windows\system32\drivers\kghxelzl.sys [?]
S3 kunpwdwl;kunpwdwl;c:\windows\system32\drivers\kunpwdwl.sys --> c:\windows\system32\drivers\kunpwdwl.sys [?]
S3 kwapbfwr;kwapbfwr;c:\windows\system32\drivers\kwapbfwr.sys --> c:\windows\system32\drivers\kwapbfwr.sys [?]
S3 mhvmdtna;mhvmdtna;c:\windows\system32\drivers\mhvmdtna.sys --> c:\windows\system32\drivers\mhvmdtna.sys [?]
S3 ndwuwbec;ndwuwbec;c:\windows\system32\drivers\ndwuwbec.sys --> c:\windows\system32\drivers\ndwuwbec.sys [?]
S3 nynqpcse;nynqpcse;c:\windows\system32\drivers\nynqpcse.sys --> c:\windows\system32\drivers\nynqpcse.sys [?]
S3 pflvkpon;pflvkpon;c:\windows\system32\drivers\pflvkpon.sys --> c:\windows\system32\drivers\pflvkpon.sys [?]
S3 rkrgrfid;rkrgrfid;c:\windows\system32\drivers\rkrgrfid.sys --> c:\windows\system32\drivers\rkrgrfid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 suojpnzx;suojpnzx;c:\windows\system32\drivers\suojpnzx.sys --> c:\windows\system32\drivers\suojpnzx.sys [?]
S3 vjloqktt;vjloqktt;c:\windows\system32\drivers\vjloqktt.sys --> c:\windows\system32\drivers\vjloqktt.sys [?]
S3 vszzejmm;vszzejmm;c:\windows\system32\drivers\vszzejmm.sys --> c:\windows\system32\drivers\vszzejmm.sys [?]
S3 xknjzivx;xknjzivx;c:\windows\system32\drivers\xknjzivx.sys --> c:\windows\system32\drivers\xknjzivx.sys [?]
S3 zlbplwky;zlbplwky;c:\windows\system32\drivers\zlbplwky.sys --> c:\windows\system32\drivers\zlbplwky.sys [?]
S3 zmzsijnt;zmzsijnt;c:\windows\system32\drivers\zmzsijnt.sys --> c:\windows\system32\drivers\zmzsijnt.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 18:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-31 18:20
ComboFix-quarantined-files.txt 2009-08-31 01:20
ComboFix2.txt 2009-08-29 01:27
ComboFix3.txt 2009-08-28 08:37
ComboFix4.txt 2009-06-15 04:01
ComboFix5.txt 2009-08-31 00:31

Pre-Run: 3,383,029,760 bytes free
Post-Run: 3,410,010,112 bytes free

178 --- E O F --- 2009-07-31 07:27

#8 JSntgRvr

    Master Surgeon General
  • Malware Response Team
  • 11,960 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 August 2009 - 09:24 PM

Something is not allowing Combofix to remove the files and drivers in the script.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, click on the RunMe.bat and post the resulting report.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens and starts scanning the system. Wait until a log file opens. Copy and paste or attach its content.

Edited by JSntgRvr, 30 August 2009 - 09:27 PM.



#9 waxeddental

  • Topic Starter
  • Members
  • 15 posts

Posted 30 August 2009 - 10:59 PM

Hi JSntgRvr,

I followed your instructions and these are the reports:

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
Folder: C:\Windows

No Permissions set

No Auditing set

Owner: abc (ABC123\abc)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
Folder: C:\Windows\System32

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
ABC123\Users
Allowed Read and Execute This Folder/File Only
ABC123\Users
Allowed Special (Unknown) Subfolders and Files only
ABC123\Power Users
Allowed Modify This Folder/File Only
ABC123\Power Users
Allowed Special (A) Subfolders and Files only
ABC123\Administrators
Allowed Full Control This Folder/File Only
ABC123\Administrators
Allowed Special (Unknown) Subfolders and Files only
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subfolders and Files only
ABC123\Administrators
Allowed Full Control This Folder/File Only
\CREATOR OWNER
Allowed Special (Unknown) Subfolders and Files only

No Auditing set

Owner: Administrators (ABC123\Administrators)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
Folder: C:\Windows\System32\Drivers

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
ABC123\Users
Allowed Read and Execute This Folder/File Only
ABC123\Users
Allowed Special (Unknown) Subfolders and Files only
ABC123\Power Users
Allowed Read and Execute This Folder/File Only
ABC123\Power Users
Allowed Special (Unknown) Subfolders and Files only
ABC123\Administrators
Allowed Full Control This Folder/File Only
ABC123\Administrators
Allowed Special (Unknown) Subfolders and Files only
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subfolders and Files only
ABC123\Administrators
Allowed Full Control This Folder/File Only
\CREATOR OWNER
Allowed Special (Unknown) Subfolders and Files only

No Auditing set

Owner: Administrators (ABC123\Administrators)




Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

No reparse points found.

#10 JSntgRvr

    Master Surgeon General
  • Malware Response Team
  • 11,960 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 August 2009 - 11:51 PM

Permissions in the C:\Windows folder have been affected.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, move the FixPerms.bat file into the CheckPerms folder, where the swxcacls application is stored. Once done, click on FixPerms.bat and post the resulting report.

Please also repeat the instructions on Post #6 and also post the report

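The two diagnoses the helper makes above, orphaned driver services that ComboFix cannot remove (post #6) and a C:\Windows folder whose ACL has been stripped (post #10), can both be read off the logs mechanically. The script below is an added example, not code from the thread, from ComboFix, or from the SteelWerX tools: it parses ComboFix "Reg Loading Points" service lines, picks out driver entries whose .sys file ComboFix could not find (the `[?]` marker), writes the `File::`/`Driver::` CFScript sections for them in the layout used in post #6, and parses an SWXCACLS folder report to flag folders that report no ACEs or an owner other than Administrators/SYSTEM, which is the state the swxcacls output in post #9 shows for C:\Windows. The sample log lines are constructed from the formats visible in this thread; the regular expressions, and the reading of `[?]` as "file not found", are assumptions about those formats rather than documented behaviour.

```python
"""Triage helpers for two log formats in this thread: ComboFix service lines and
SWXCACLS folder ACL reports. Added example, not code from the thread, ComboFix or
the SteelWerX tools; the regexes are assumptions based on the lines shown above."""
import re
from dataclasses import dataclass

# Constructed sample of ComboFix "Reg Loading Points" service lines.
SAMPLE_SERVICES = r"""
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
R?2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
"""
# Constructed SWXCACLS report for two folders, in the layout shown in post #9.
ACL_SAMPLE = r"""SteelWerX Extended Configuration Access Control Lists
Folder: C:\Windows

No Permissions set

Owner: abc (ABC123\abc)
Folder: C:\Windows\System32

Permissions:
ABC123\Administrators
Allowed Full Control This Folder/File Only
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only

Owner: Administrators (ABC123\Administrators)
"""

# state name;display;image [--> resolved] [info]; "[?]" is read as "file not
# found" (an assumption from the thread's log, not ComboFix documentation).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)"
    r"(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]\s*$")
OWNER_RE = re.compile(r"^Owner: .*\((.+?)\)\s*$", re.M)


@dataclass
class Service:
    state: str
    name: str
    image: str
    file_missing: bool


@dataclass
class FolderAcl:
    path: str
    has_aces: bool
    owner: str


def parse_services(text):
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            image = m.group("image").strip('"')
            if image.startswith("\\??\\"):   # NT object-manager prefix, as on SetupNTGLM7X
                image = image[4:]
            out.append(Service(m.group("state"), m.group("name"), image,
                               m.group("info").strip() == "?"))
    return out


def suspicious_drivers(services):
    """Driver entries whose .sys is gone: registry-only leftovers that still need
    a Driver:: line in the CFScript. A service .exe that merely carries a quoted
    path (Avira's sched.exe) is not a driver and is left alone."""
    return [s for s in services if s.file_missing and s.image.lower().endswith(".sys")]


def build_cfscript(services):
    """File::/Driver:: sections in the layout the helper posted in post #6."""
    files = "\n".join(s.image for s in services)
    drivers = "\n".join(s.name for s in services)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


def parse_acl_report(text):
    folders = []
    for chunk in re.split(r"^Folder: ", text, flags=re.M)[1:]:
        path, _, body = chunk.partition("\n")
        owner = OWNER_RE.search(body)
        folders.append(FolderAcl(path.strip(), "No Permissions set" not in body,
                                 owner.group(1) if owner else ""))
    return folders


def acl_findings(folders):
    """Conditions under which a removal tool gets 'Access is denied' in a system folder."""
    findings = []
    for f in folders:
        if not f.has_aces:
            # An empty DACL grants nobody anything; a NULL DACL grants everyone
            # everything. The report does not distinguish them, so flag both.
            findings.append(f"{f.path}: no ACEs reported, DACL must be rebuilt")
        account = f.owner.rsplit("\\", 1)[-1].lower()
        if account not in ("administrators", "system"):
            findings.append(f"{f.path}: owner {f.owner}, expected Administrators or SYSTEM")
    return findings
```

Run on the constructed samples, `suspicious_drivers` keeps only `arvroyzi` and `SetupNTGLM7X` (the two `[?]` entries that point at a .sys), and `acl_findings` reports C:\Windows twice, once for the empty ACE list and once for the non-administrative owner, while C:\Windows\System32 passes. Paste the real ComboFix and swxcacls output in place of the samples to reproduce the helper's reading of this thread's logs.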


#11 waxeddental

  • Topic Starter
  • Members
  • 15 posts

Posted 31 August 2009 - 08:45 AM

Hi JSntgRvr,

Here are the Fixperms log and the new combofix log:

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
*******************************************************************************
Folder: C:\Windows

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
ABC123\Administrators
Allowed Full Control This Folder, Subfolders and Files
ABC123\Users
Allowed Full Control This Folder, Subfolders and Files
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder, Subfolders and Files

No Auditing set

Owner: abc (ABC123\abc)



ComboFix 09-08-30.04 - abc 08/31/2009 6:36.8.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.230 [GMT -7:00]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 03:37 . 2007-07-24 22:58 95616 ----a-w- c:\windows\junction.exe
2009-08-28 07:26 . 2009-08-28 07:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareab
2009-08-25 02:55 . 2009-08-25 02:55 152576 ----a-w- c:\documents and settings\abc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-24 11:31 . 2009-08-24 11:31 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-24 10:58 . 2009-08-24 10:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-24 10:23 . 2009-08-24 10:23 120 ----a-w- c:\windows\Wwoqagidim.dat
2009-08-24 09:58 . 2009-08-24 09:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-07 15:41 . 2009-08-07 15:41 436224 ----a-w- c:\windows\isvchost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 01:35 . 2009-01-05 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-28 08:21 . 2002-08-29 02:09 182912 ------w- c:\windows\system32\drivers\ndis.sys
2009-08-28 07:24 . 2009-01-05 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 00:48 . 2004-01-24 18:53 -------- d-----w- c:\program files\nbpro
2009-08-25 02:55 . 2009-01-05 05:45 -------- d-----w- c:\program files\Java
2009-08-25 02:53 . 2005-04-23 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-25 02:52 . 2005-10-03 00:00 -------- d-----w- c:\program files\EPSON
2009-08-25 02:51 . 2005-07-17 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 02:49 . 2007-10-30 00:00 -------- d-----w- c:\program files\Common Files\Apple
2009-08-25 02:48 . 2007-01-26 14:41 -------- d-----w- c:\program files\Apple Software Update
2009-08-25 01:38 . 2005-03-26 21:38 -------- d-----w- c:\program files\iTunes
2009-08-24 11:26 . 2009-01-11 04:21 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-24 09:55 . 2003-10-12 18:08 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 09:55 . 2003-10-12 18:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 02:11 . 2009-06-17 13:52 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 20:36 . 2009-01-05 01:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-01-05 01:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 16:18 . 2004-08-24 03:32 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-09-02 21:26 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-10 13:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2002-09-10 13:45 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:27 . 2003-12-17 02:58 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-28_08.31.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-29 01:35 . 2009-08-29 01:35 149280 c:\windows\system32\javaws.exe
- 2009-08-25 02:56 . 2009-07-25 12:23 149280 c:\windows\system32\javaws.exe
+ 2009-08-29 01:35 . 2009-08-29 01:35 145184 c:\windows\system32\javaw.exe
- 2009-08-25 02:56 . 2009-07-25 12:23 145184 c:\windows\system32\javaw.exe
+ 2009-08-29 01:35 . 2009-08-29 01:35 145184 c:\windows\system32\java.exe
- 2009-08-25 02:56 . 2009-07-25 12:23 145184 c:\windows\system32\java.exe
+ 2009-08-29 01:35 . 2009-08-29 01:35 1757696 c:\windows\Installer\63f395.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-4-23 156784]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-12 118784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^abc^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=c:\documents and settings\abc\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=c:\windows\pss\BHODemon 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"8449:TCP"= 8449:TCP:BitComet 8449 TCP
"8449:UDP"= 8449:UDP:BitComet 8449 UDP

R?2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [3/26/2004 9:45 PM 5248]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]
S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]
S3 bbwlexjz;bbwlexjz;c:\windows\system32\drivers\bbwlexjz.sys --> c:\windows\system32\drivers\bbwlexjz.sys [?]
S3 blcgdvbn;blcgdvbn;c:\windows\system32\drivers\blcgdvbn.sys --> c:\windows\system32\drivers\blcgdvbn.sys [?]
S3 eusnlqko;eusnlqko;c:\windows\system32\drivers\eusnlqko.sys --> c:\windows\system32\drivers\eusnlqko.sys [?]
S3 fqnotkid;fqnotkid;c:\windows\system32\drivers\fqnotkid.sys --> c:\windows\system32\drivers\fqnotkid.sys [?]
S3 grlqcycu;grlqcycu;c:\windows\system32\drivers\grlqcycu.sys --> c:\windows\system32\drivers\grlqcycu.sys [?]
S3 hjiddecu;hjiddecu;c:\windows\system32\drivers\hjiddecu.sys --> c:\windows\system32\drivers\hjiddecu.sys [?]
S3 ieerghnd;ieerghnd;c:\windows\system32\drivers\ieerghnd.sys --> c:\windows\system32\drivers\ieerghnd.sys [?]
S3 iieluola;iieluola;c:\windows\system32\drivers\iieluola.sys --> c:\windows\system32\drivers\iieluola.sys [?]
S3 jyutevoa;jyutevoa;c:\windows\system32\drivers\jyutevoa.sys --> c:\windows\system32\drivers\jyutevoa.sys [?]
S3 kacuhjos;kacuhjos;c:\windows\system32\drivers\kacuhjos.sys --> c:\windows\system32\drivers\kacuhjos.sys [?]
S3 kghxelzl;kghxelzl;c:\windows\system32\drivers\kghxelzl.sys --> c:\windows\system32\drivers\kghxelzl.sys [?]
S3 kunpwdwl;kunpwdwl;c:\windows\system32\drivers\kunpwdwl.sys --> c:\windows\system32\drivers\kunpwdwl.sys [?]
S3 kwapbfwr;kwapbfwr;c:\windows\system32\drivers\kwapbfwr.sys --> c:\windows\system32\drivers\kwapbfwr.sys [?]
S3 mhvmdtna;mhvmdtna;c:\windows\system32\drivers\mhvmdtna.sys --> c:\windows\system32\drivers\mhvmdtna.sys [?]
S3 ndwuwbec;ndwuwbec;c:\windows\system32\drivers\ndwuwbec.sys --> c:\windows\system32\drivers\ndwuwbec.sys [?]
S3 nynqpcse;nynqpcse;c:\windows\system32\drivers\nynqpcse.sys --> c:\windows\system32\drivers\nynqpcse.sys [?]
S3 pflvkpon;pflvkpon;c:\windows\system32\drivers\pflvkpon.sys --> c:\windows\system32\drivers\pflvkpon.sys [?]
S3 rkrgrfid;rkrgrfid;c:\windows\system32\drivers\rkrgrfid.sys --> c:\windows\system32\drivers\rkrgrfid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 suojpnzx;suojpnzx;c:\windows\system32\drivers\suojpnzx.sys --> c:\windows\system32\drivers\suojpnzx.sys [?]
S3 vjloqktt;vjloqktt;c:\windows\system32\drivers\vjloqktt.sys --> c:\windows\system32\drivers\vjloqktt.sys [?]
S3 vszzejmm;vszzejmm;c:\windows\system32\drivers\vszzejmm.sys --> c:\windows\system32\drivers\vszzejmm.sys [?]
S3 xknjzivx;xknjzivx;c:\windows\system32\drivers\xknjzivx.sys --> c:\windows\system32\drivers\xknjzivx.sys [?]
S3 zlbplwky;zlbplwky;c:\windows\system32\drivers\zlbplwky.sys --> c:\windows\system32\drivers\zlbplwky.sys [?]
S3 zmzsijnt;zmzsijnt;c:\windows\system32\drivers\zmzsijnt.sys --> c:\windows\system32\drivers\zmzsijnt.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 06:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1088)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2009-08-31 6:46
ComboFix-quarantined-files.txt 2009-08-31 13:46
ComboFix2.txt 2009-08-31 01:27
ComboFix3.txt 2009-08-29 01:27
ComboFix4.txt 2009-08-28 08:37
ComboFix5.txt 2009-08-31 13:31

Pre-Run: 3,423,649,792 bytes free
Post-Run: 3,372,994,560 bytes free

160 --- E O F --- 2009-07-31 07:27

#12 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,960 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 31 August 2009 - 09:46 AM

We are still having some problems, as Combofix is not removing the contents of the script. That could be a sign of problems.

Open a Command prompt. (Start->Run-> Type CMD and click OK)

At the prompt type (Copy and Paste) the following and press Enter. Post the resulting report.

Net Start >Log.txt & Notepad Log.txt

Type Exit and press Enter to return to Windows.



#13 waxeddental
  • Topic Starter
  • Members
  • 15 posts

Posted 31 August 2009 - 06:45 PM

Hi JSntgRvr,

Here's the log:

These Windows services are started:

Application Layer Gateway Service
Ati HotKey Poller
Automatic Updates
Bonjour Service
COM+ Event System
Computer Browser
CryptSvc
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
evdoserver
Event Log
Fast User Switching Compatibility
Help and Support
IPSEC Services
Logical Disk Manager
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Registry
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation

The command completed successfully.

#14 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,960 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 31 August 2009 - 09:14 PM

Hi, waxeddental :(

Nothing wrong there. Let's try this:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
c:\windows\isvchost.exe
c:\windows\system32\drivers\arvroyzi.sys
c:\windows\system32\drivers\batqmrjv.sys
c:\windows\system32\drivers\bbwlexjz.sys
c:\windows\system32\drivers\blcgdvbn.sys
c:\windows\system32\drivers\eusnlqko.sys
c:\windows\system32\drivers\fqnotkid.sys
c:\windows\system32\drivers\grlqcycu.sys
c:\windows\system32\drivers\hjiddecu.sys
c:\windows\system32\drivers\ieerghnd.sys
c:\windows\system32\drivers\iieluola.sys
c:\windows\system32\drivers\jyutevoa.sys
c:\windows\system32\drivers\kacuhjos.sys
c:\windows\system32\drivers\kghxelzl.sys
c:\windows\system32\drivers\kunpwdwl.sys
c:\windows\system32\drivers\kwapbfwr.sys
c:\windows\system32\drivers\mhvmdtna.sys
c:\windows\system32\drivers\ndwuwbec.sys
c:\windows\system32\drivers\nynqpcse.sys
c:\windows\system32\drivers\pflvkpon.sys
c:\windows\system32\drivers\rkrgrfid.sys
d:\ntglm7x.sys
c:\windows\system32\drivers\suojpnzx.sys
c:\windows\system32\drivers\vjloqktt.sys
c:\windows\system32\drivers\vszzejmm.sys
c:\windows\system32\drivers\xknjzivx.sys
c:\windows\system32\drivers\zlbplwky.sys
c:\windows\system32\drivers\zmzsijnt.sys
C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe
C:\Documents and Settings\Administrator\My Documents\Data\all_files4b.exe
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4b.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe

Drivers to delete:
evdoserver
arvroyzi
batqmrjv
bbwlexjz
blcgdvbn
eusnlqko
fqnotkid
grlqcycu
hjiddecu
ieerghnd
iieluola
jyutevoa
kacuhjos
kghxelzl
kunpwdwl
kwapbfwr
mhvmdtna
ndwuwbec
nynqpcse
pflvkpon
rkrgrfid
SetupNTGLM7X
suojpnzx
vjloqktt
vszzejmm
xknjzivx
zlbplwky
zmzsijnt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DDS log .

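The Avenger script above was assembled by hand from the ComboFix service listing posted earlier. As an added example that is not part of this thread, nor code from ComboFix or The Avenger, the following Python script parses service lines in that log format and flags the cues the helper relied on: entries ComboFix marks `[?]` (image file not on disk) whose name is eight pseudo-random lowercase letters and whose display name is just the service name. The sample lines are copied from the log in this thread; the severity labels and the heuristics themselves are my own assumptions, not a documented ComboFix feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches one ComboFix service/driver line, e.g.
#   S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\...\arvroyzi.sys [?]
#   R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]
# Fields: state+start type (R0/S3/R?2), short name, display name, image path,
# and a trailing bracket holding either "date size" or "?" (file not resolved).
LINE_RE = re.compile(
    r"^(?P<state>[RS?]+)(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
# Eight lowercase letters and nothing else: the naming pattern of the orphaned
# drivers in the log above (arvroyzi, batqmrjv, ...). Heuristic, assumed here.
RANDOM_NAME_RE = re.compile(r"[a-z]{8}")


@dataclass
class ServiceEntry:
    state: str          # "R" running, "S" stopped, "R?" unknown
    start: int          # start type digit (0 boot, 2 auto, 3 manual)
    name: str
    display: str
    image: str
    file_found: bool
    severity: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse a single ComboFix service line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image").strip()
    # For unresolved entries ComboFix repeats the path after "-->"; keep the first.
    image = image.split(" --> ")[0].strip().strip('"')
    if image.startswith("\\??\\"):        # NT object-manager path prefix
        image = image[4:]
    return ServiceEntry(
        state=m.group("state"),
        start=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        image=image,
        file_found=m.group("info").strip() != "?",
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach a severity and reasons using the cues visible in the thread's log."""
    no_description = entry.name == entry.display
    random_name = RANDOM_NAME_RE.fullmatch(entry.name) is not None
    in_drivers_dir = "\\system32\\drivers\\" in entry.image.lower()

    if not entry.file_found and random_name and no_description:
        entry.severity = "high"
        entry.reasons += ["pseudo-random 8-letter service name",
                          "image file no longer on disk (registry entry orphaned)"]
        if in_drivers_dir:
            entry.reasons.append("registered as a kernel driver in system32\\drivers")
    elif not entry.file_found and no_description:
        # A missing file alone is not enough: the same log shows an Avira entry
        # marked [?] whose descriptive display name identifies a known product.
        entry.severity = "review"
        entry.reasons += ["no descriptive display name", "image file missing"]
    elif entry.file_found and no_description and "svchost.exe" in entry.image.lower():
        # A svchost-hosted service with a bare name and no description
        # (evdoserver in the log) deserves a look even though the host exists.
        entry.severity = "review"
        entry.reasons.append("svchost-hosted service with no descriptive display name")
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Return only the entries that earned a severity, highest first."""
    parsed = [assess(e) for e in map(parse_line, lines) if e is not None]
    flagged = [e for e in parsed if e.severity]
    return sorted(flagged, key=lambda e: (e.severity != "high", e.name))


# Sample input: lines copied from the ComboFix log earlier in this thread.
SAMPLE_LINES = [
    r"R?2 evdoserver;evdoserver;c:\windows\system32\svchost.exe -k netsvcs [9/10/2002 6:46 AM 14336]",
    r"R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [3/26/2004 9:45 PM 140800]",
    r'S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]',
    r"S3 arvroyzi;arvroyzi;c:\windows\system32\drivers\arvroyzi.sys --> c:\windows\system32\drivers\arvroyzi.sys [?]",
    r"S3 batqmrjv;batqmrjv;c:\windows\system32\drivers\batqmrjv.sys --> c:\windows\system32\drivers\batqmrjv.sys [?]",
    r"S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"[{e.severity:6}] {e.name:22} {e.image}")
        for r in e.reasons:
            print(f"         - {r}")
```

Entries rated "high" correspond to the drivers the helper put under "Drivers to delete:"; "review" entries (evdoserver, SetupNTGLM7X) are the ones a human still has to judge from context.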


#15 waxeddental
  • Topic Starter
  • Members
  • 15 posts

Posted 01 September 2009 - 12:53 AM

Hi JSntgRvr,

Here are the Avenger results and the new DDS logs:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\isvchost.exe" deleted successfully.

Error: file "c:\windows\system32\drivers\arvroyzi.sys" not found!
Deletion of file "c:\windows\system32\drivers\arvroyzi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\batqmrjv.sys" not found!
Deletion of file "c:\windows\system32\drivers\batqmrjv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\bbwlexjz.sys" not found!
Deletion of file "c:\windows\system32\drivers\bbwlexjz.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\blcgdvbn.sys" not found!
Deletion of file "c:\windows\system32\drivers\blcgdvbn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\eusnlqko.sys" not found!
Deletion of file "c:\windows\system32\drivers\eusnlqko.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\fqnotkid.sys" not found!
Deletion of file "c:\windows\system32\drivers\fqnotkid.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\grlqcycu.sys" not found!
Deletion of file "c:\windows\system32\drivers\grlqcycu.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\hjiddecu.sys" not found!
Deletion of file "c:\windows\system32\drivers\hjiddecu.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\ieerghnd.sys" not found!
Deletion of file "c:\windows\system32\drivers\ieerghnd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\iieluola.sys" not found!
Deletion of file "c:\windows\system32\drivers\iieluola.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\jyutevoa.sys" not found!
Deletion of file "c:\windows\system32\drivers\jyutevoa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\kacuhjos.sys" not found!
Deletion of file "c:\windows\system32\drivers\kacuhjos.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\kghxelzl.sys" not found!
Deletion of file "c:\windows\system32\drivers\kghxelzl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\kunpwdwl.sys" not found!
Deletion of file "c:\windows\system32\drivers\kunpwdwl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\kwapbfwr.sys" not found!
Deletion of file "c:\windows\system32\drivers\kwapbfwr.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\mhvmdtna.sys" not found!
Deletion of file "c:\windows\system32\drivers\mhvmdtna.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\ndwuwbec.sys" not found!
Deletion of file "c:\windows\system32\drivers\ndwuwbec.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\nynqpcse.sys" not found!
Deletion of file "c:\windows\system32\drivers\nynqpcse.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\pflvkpon.sys" not found!
Deletion of file "c:\windows\system32\drivers\pflvkpon.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\rkrgrfid.sys" not found!
Deletion of file "c:\windows\system32\drivers\rkrgrfid.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "d:\ntglm7x.sys" not found!
Deletion of file "d:\ntglm7x.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\suojpnzx.sys" not found!
Deletion of file "c:\windows\system32\drivers\suojpnzx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\vjloqktt.sys" not found!
Deletion of file "c:\windows\system32\drivers\vjloqktt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\vszzejmm.sys" not found!
Deletion of file "c:\windows\system32\drivers\vszzejmm.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\xknjzivx.sys" not found!
Deletion of file "c:\windows\system32\drivers\xknjzivx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\zlbplwky.sys" not found!
Deletion of file "c:\windows\system32\drivers\zlbplwky.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\zmzsijnt.sys" not found!
Deletion of file "c:\windows\system32\drivers\zmzsijnt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\Administrator\My Documents\Data\all_files4.exe" deleted successfully.
File "C:\Documents and Settings\Administrator\My Documents\Data\all_files4b.exe" deleted successfully.
File "C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files4b.exe" deleted successfully.
File "C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe" deleted successfully.
File "C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe" deleted successfully.
Driver "evdoserver" deleted successfully.
Driver "arvroyzi" deleted successfully.
Driver "batqmrjv" deleted successfully.
Driver "bbwlexjz" deleted successfully.
Driver "blcgdvbn" deleted successfully.
Driver "eusnlqko" deleted successfully.
Driver "fqnotkid" deleted successfully.
Driver "grlqcycu" deleted successfully.
Driver "hjiddecu" deleted successfully.
Driver "ieerghnd" deleted successfully.
Driver "iieluola" deleted successfully.
Driver "jyutevoa" deleted successfully.
Driver "kacuhjos" deleted successfully.
Driver "kghxelzl" deleted successfully.
Driver "kunpwdwl" deleted successfully.
Driver "kwapbfwr" deleted successfully.
Driver "mhvmdtna" deleted successfully.
Driver "ndwuwbec" deleted successfully.
Driver "nynqpcse" deleted successfully.
Driver "pflvkpon" deleted successfully.
Driver "rkrgrfid" deleted successfully.
Driver "SetupNTGLM7X" deleted successfully.
Driver "suojpnzx" deleted successfully.
Driver "vjloqktt" deleted successfully.
Driver "vszzejmm" deleted successfully.
Driver "xknjzivx" deleted successfully.
Driver "zlbplwky" deleted successfully.
Driver "zmzsijnt" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




DDS (Ver_09-07-30.01) - NTFSx86
Run by abc at 22:44:00.03 on Mon 08/31/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.251 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\abc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-3-26 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2004-3-26 5248]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-17 55656]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S3 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]

=============== Created Last 30 ================

2009-08-31 22:37 44,330 a------- C:\backup.reg
2009-08-31 22:37 135,168 a------- C:\zip.exe
2009-08-31 22:37 19,286 a------- C:\cleanup.exe
2009-08-31 22:37 574 a------- C:\cleanup.bat
2009-08-31 06:31 229,376 a------- c:\windows\PEV.exe
2009-08-31 06:31 161,792 a------- c:\windows\SWREG.exe
2009-08-31 06:31 98,816 a------- c:\windows\sed.exe
2009-08-30 20:37 95,616 a------- c:\windows\junction.exe
2009-08-28 18:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-28 01:36 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-28 01:00 <DIR> a-dshr-- C:\cmdcons
2009-08-28 00:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malwareab
2009-08-24 03:58 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-08-24 03:23 120 a------- c:\windows\Wwoqagidim.dat
2009-08-24 02:58 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-23 20:24 62,464 a------- c:\windows\system32\OLD13.tmp

==================== Find3M ====================

2009-08-28 18:35 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 01:21 182,912 -------- c:\windows\system32\drivers\ndis.sys
2009-08-05 19:11 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 09:18 659,456 -------- c:\windows\system32\wininet.dll
2009-06-26 09:18 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2007-05-08 21:00 20,408 a------- c:\docume~1\abc\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 22:44:47.10 ===============



