
Infected with rootkit, more?


  • This topic is locked
13 replies to this topic

#1 camax

  • Members
  • 7 posts

Posted 09 September 2009 - 01:29 PM

Hello BleepingComputer,

I have been reading the forum for a few days now, preparing to get help from you guys. I am so impressed with how you are able to help others!

About a month ago I was hit with one of those faux anti-virus programs that attempt to get you to download stuff and take over your computer. I was wise enough not to let it download anything, but obviously there was some infection anyway. I thought I was able to root it out for the most part, since I no longer had ill search engine redirects or the fake anti-virus alerts on the desktop. However, I did continue to have my computer reboot itself when I would be away from it. About a week ago, I woke up to one of those reboots looking like it had reinfected the system again, or even more. I battled it again with my limited knowledge and with the help of some tips I found on this site. I was able to get back control of my task manager, regedit, most programs that wouldn't open, and such, so that was somewhat of a relief. I know from scans that there is still some deep-down infection, and it seems like a rootkit.

I've followed the excellent prep guide on the forums, and will now post the DDS and RootRepeal results as requested. Thank you so much for being available to help!

~Camax




DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 10:42:08.98 on Wed 09/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.353 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191199285484
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxps://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4pp6khz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\4pp6khz2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - forums.vgames.com mail.google.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-10 11608]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-9-29 120320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-3-28 372824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-10 108289]
R2 Av360cn;Av360cn;c:\windows\system32\drivers\av360cn.sys [2004-11-3 60448]
R2 Av363cn;Av363cn;c:\windows\system32\drivers\av363cn.sys [2004-11-3 74944]
R2 Av363cnb;Av363cnb;c:\windows\system32\drivers\av363cnb.sys [2004-11-3 74912]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-10 55656]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-10 185089]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\ad-aware\aawservice.exe" --> c:\program files\ad-aware\AAWService.exe [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service" --> c:\program files\stopzilla!\szntsvc.exe [?]

=============== Created Last 30 ================

2009-09-09 10:04 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-09-06 03:34 <DIR> --d----- c:\program files\trend micro
2009-09-06 02:33 230,912 a------- c:\windows\PEV.exe
2009-09-06 02:33 161,792 a------- c:\windows\SWREG.exe
2009-09-06 02:33 98,816 a------- c:\windows\sed.exe
2009-09-06 02:32 <DIR> --d----- C:\kommboofeex
2009-09-06 02:11 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-06 02:07 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 02:07 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-06 02:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 02:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-06 01:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-21 09:11 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-21 03:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-21 03:05 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 03:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-21 03:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 03:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 03:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 03:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-21 03:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-21 03:05 <DIR> --d----- C:\44f8412d5ab77577e2dcc9eea3
2009-08-19 22:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-08-16 01:29 2,986,040 a------- c:\windows\GIJoe.bmp
2009-08-12 03:05 2,066,432 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-11 12:43 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 12:43 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-09-09 08:53 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-07 19:47 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 14:09 95,512 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 14:30 81,408 a------- c:\windows\system32\libspeex.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2007-06-12 09:04 476,752 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-01-29 23:59 6,482,944 a------- c:\documents and settings\owner\ffmpeg.exe
2007-06-12 09:06 88 ---shr-- c:\windows\system32\DAAAC7A595.sys
2007-06-12 09:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:44:17.73 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 10:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0C45000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF798D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PAGEDFRG.SYS
Image Path: C:\WINDOWS\system32\Drivers\PAGEDFRG.SYS
Address: 0xF7A92000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP6376
Image Path: \Driver\PCI_PNP6376
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFEC1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETgnmxrhba.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETgnmxrhba.sys
Address: 0xF133B000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: sppu.sys
Image Path: sppu.sys
Address: 0xF7366000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETacbgiauk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETiusjmujm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETpdoyefrq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETwfiubqqt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxlhqwwmt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcayfcuvynr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcjggoakeyk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdqgnbxqpto.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETdrnswmbiwa.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETevxviqrjib.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfgnmpqxkga.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETgqdrictqev.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETjvjtglvpmm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkbmqsuceps.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkybpufgntv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETlefoesiuam.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToddoieqbvl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETooakcspfns.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvxviyqxoro.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxclkgpagfw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxykpmyoshx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETacwrxxbvoy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETarqsstuleq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETauonkvidjk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETaurgwbvrrp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETawpqtqbshs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbccpfvnlbd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbpsdeyfhei.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETgnmxrhba.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\local settings\application data\gdipfontcachev1.dat
Status: Allocation size mismatch (API: 36864, Raw: 45056)

Path: C:\Documents and Settings\Owner\Local Settings\Temp\skynet000
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETwfiubqqt.dll]
Process: svchost.exe (PID: 992) Address: 0x10000000 Size: 53248

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x836e01f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x833b11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x834fa500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x835271f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x83514500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x836751f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x830c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x830c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x830c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x830c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x830c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x830c31f8 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_CREATE]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_CLOSE]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_POWER]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓Ёం䵃䥖诱Ђఇ浍浓, IRP_MJ_PNP]
Process: System Address: 0x8347a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82f651f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_CREATE]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_CLOSE]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_READ]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_CLEANUP]
Process: System Address: 0x834531f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ఍敋ꁹ, IRP_MJ_PNP]
Process: System Address: 0x834531f8 Size: 121

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf122f270

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf122f310

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf122f4c0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf122c100

==EOF==

Attached Files
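The RootRepeal section of the post above lists, for each of Ftdisk, NetBT, MRxSmb, Cdfs and the randomly named a8k2hvh6 driver, every hooked IRP_MJ_* entry resolving to a single address with a single size, plus a Shadow SSDT hooked by vsdatant.sys. What a responder wants from such a report is a grouping by driver with the reasons to look closer attached. The script below is an added example, not part of the thread and not RootRepeal's own code: it parses the two record shapes in the log, flags drivers whose hooked dispatch entries all point at one routine (that check says the hooks share one mechanism, not which driver installed them; in this log it fires for every listed driver), scores random-looking driver names with a deliberately weak heuristic, and checks SSDT hooking modules against an analyst-maintained allowlist. Treating the non-ASCII junk after some driver names as an over-read, the name heuristic, the allowlist and the made-up ExampleDrv records in the sample are this example's own assumptions.

```python
"""Triage helper for a RootRepeal "Hidden Code" / Shadow SSDT report.

Added example for this thread; not part of RootRepeal or of the original
post. Parses the two record shapes seen in the log and attaches, per
driver, the reasons an analyst would look closer.
"""
import re
from collections import defaultdict

# One "Hidden Code" record: the Object line followed by its Process line.
HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]\s*"
    r"Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)
# One Shadow SSDT record.
SSDT_RE = re.compile(
    r"#: (?P<idx>\d+) Function Name: (?P<func>\w+)\s*"
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)
# Assumed allowlist, maintained by hand: hooking modules already tied to
# installed software. vsdatant.sys is ZoneAlarm's driver; the DDS log later
# in this thread lists it as "R1 vsdatant".
EXPECTED_HOOKERS = {"vsdatant.sys": "ZoneAlarm TrueVector driver"}


def clean_name(raw):
    """Leading run of printable ASCII. The non-ASCII tail after some driver
    names is assumed to be an over-read by the reporting tool (the log
    itself does not say)."""
    m = re.match(r"[\x21-\x7e]+", raw)
    return m.group(0) if m else raw


def digit_letter_runs(name):
    """Alternations between letter and digit runs: a8k2hvh6 -> 5, Av360cn
    -> 2, SSHDRV65 -> 1, NetBT -> 0. A weak heuristic for generated names."""
    return max(len(re.findall(r"[A-Za-z]+|[0-9]+", name)) - 1, 0)


def parse_hooks(text):
    return [{"driver": clean_name(m["driver"]), "irp": m["irp"],
             "addr": int(m["addr"], 16), "size": int(m["size"])}
            for m in HOOK_RE.finditer(text)]


def parse_ssdt(text):
    return [{"index": int(m["idx"]), "function": m["func"],
             "module": m["module"].rsplit("\\", 1)[-1].lower(),
             "addr": int(m["addr"], 16)}
            for m in SSDT_RE.finditer(text)]


def triage(text):
    """Group IRP hooks per driver and flag tables patched to one routine."""
    by_driver = defaultdict(list)
    for h in parse_hooks(text):
        by_driver[h["driver"]].append(h)

    drivers = {}
    for name, entries in by_driver.items():
        addrs = {h["addr"] for h in entries}
        sizes = {h["size"] for h in entries}
        reasons = []
        # Every hooked dispatch entry resolving to the same code and size is
        # what a wholesale rewrite of a driver object's MajorFunction table
        # looks like; hooks that go to distinct routines do not trip this.
        if len(entries) > 1 and len(addrs) == 1 and len(sizes) == 1:
            reasons.append("%d IRP_MJ_* entries all point at 0x%08x (size %d)"
                           % (len(entries), addrs.pop(), sizes.pop()))
        if digit_letter_runs(name) >= 3:
            reasons.append("random-looking driver name")
        drivers[name] = {"hooks": len(entries), "reasons": reasons}

    ssdt = [{**h, "expected": h["module"] in EXPECTED_HOOKERS}
            for h in parse_ssdt(text)]
    return {"drivers": drivers, "ssdt": ssdt}


# Constructed sample: excerpts of the log above plus one made-up driver
# ("ExampleDrv") whose two hooks go to different addresses.
SAMPLE = r"""
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x830c31f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x830c31f8 Size: 121
Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓, IRP_MJ_CREATE]
Process: System Address: 0x8347a500 Size: 121
Object: Hidden Code [Driver: a8k2hvh6Ѕ浍瑓, IRP_MJ_PNP]
Process: System Address: 0x8347a500 Size: 121
Object: Hidden Code [Driver: ExampleDrv, IRP_MJ_READ]
Process: System Address: 0x80001000 Size: 7
Object: Hidden Code [Driver: ExampleDrv, IRP_MJ_WRITE]
Process: System Address: 0x80002000 Size: 7
Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf122f270
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, info in report["drivers"].items():
        print(name, info["hooks"], "; ".join(info["reasons"]) or "-")
    for h in report["ssdt"]:
        print(h["function"], h["module"], "expected" if h["expected"] else "CHECK")
```

Run against the full RootRepeal text, the driver table is the part worth reading: the only entry that combines the single-address pattern with a random-looking name is a8k2hvh6, while the SSDT hooks all resolve to a module the DDS log accounts for.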




#2 thcbytes
  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 23 September 2009 - 09:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 camax
  • Topic Starter
  • Members
  • 7 posts

Posted 24 September 2009 - 12:36 AM

Thank you for the response thcbytes,

My original post on 9/9 contains the problems I have been having, and it is about the same still today. I haven't been using this computer as much in hopes to not make it worse, but it still does okay. I run some programs to try to keep it clean, but most detect some deep down errors that persist. Luckily I still have control of the computer as far as I know, unlike the two times where that was almost taken away from me.

I have followed the instructions about the DDS.scr and have pasted or attached the results. Thank you very much for your time, and for the next person that will help me!

~camax


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 22:23:37.51 on Wed 09/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.307 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\lxcjcoms.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191199285484
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxps://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4pp6khz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\4pp6khz2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - forums.vgames.com mail.google.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-10 11608]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-9-29 120320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-3-28 372824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-10 108289]
R2 Av360cn;Av360cn;c:\windows\system32\drivers\av360cn.sys [2004-11-3 60448]
R2 Av363cn;Av363cn;c:\windows\system32\drivers\av363cn.sys [2004-11-3 74944]
R2 Av363cnb;Av363cnb;c:\windows\system32\drivers\av363cnb.sys [2004-11-3 74912]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-10 55656]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-10 185089]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\ad-aware\aawservice.exe" --> c:\program files\ad-aware\AAWService.exe [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service" --> c:\program files\stopzilla!\szntsvc.exe [?]

=============== Created Last 30 ================

2009-09-11 08:56 118 a------- c:\windows\system32\MRT.INI
2009-09-09 21:38 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-09 10:04 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-09-06 03:34 <DIR> --d----- c:\program files\trend micro
2009-09-06 02:33 230,912 a------- c:\windows\PEV.exe
2009-09-06 02:33 161,792 a------- c:\windows\SWREG.exe
2009-09-06 02:33 98,816 a------- c:\windows\sed.exe
2009-09-06 02:32 <DIR> --d----- C:\kommboofeex
2009-09-06 02:11 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-06 02:07 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 02:07 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-06 02:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 02:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-06 01:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

==================== Find3M ====================

2009-09-09 08:53 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-07 19:47 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 14:09 95,512 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 14:30 81,408 a------- c:\windows\system32\libspeex.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2007-06-12 09:04 476,752 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-01-29 23:59 6,482,944 a------- c:\documents and settings\owner\ffmpeg.exe
2007-06-12 09:06 88 ---shr-- c:\windows\system32\DAAAC7A595.sys
2007-06-12 09:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:24:31.62 ===============

Attached Files
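The DDS log above packs the things a responder reads first into fixed-width lines: the SERVICES / DRIVERS block (a state letter, a start-type digit, then name;display;image followed by either a [date size] stamp or a "--> resolved path [?]" marker when DDS could not size the image) and the Created Last 30 / Find3M file lists with an attribute column. The script below is an added example, not part of the thread and not DDS's own code. It parses those lines and applies two checks: entries whose image could not be sized (in this log each of them has a quoted path or command-line arguments, so they are items to resolve by hand rather than findings) and non-directory files carrying both the system and hidden attributes under system32. The column meanings are read off the log and are this example's assumptions, as is the choice of roots; the sample input is copied from the log lines above.

```python
"""Triage helper for the DDS "SERVICES / DRIVERS" and file-listing sections.

Added example for this thread; not part of DDS or of the original post.
Field layout is read off the log: R/S for a running/stopped service, the
digit for its start type, then name;display;image [date size], or
"as configured --> as resolved [?]" when DDS could not size the image.
"""
import re

# Standard Windows service start values (assumed mapping for the digit).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: \[(?P<date>[\d-]+) (?P<size>\d+)\]| \[\?\])$"
)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


def parse_services(lines):
    """Service/driver records; 'verified' is False for the [?] entries."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m["image"]
        if "-->" in image:  # DDS prints "as configured --> as resolved"
            image = image.split("-->", 1)[1].strip()
        out.append({
            "running": m["state"] == "R",
            "start": int(m["start"]),
            "start_type": START_TYPES.get(int(m["start"]), "?"),
            "name": m["name"],
            "display": m["display"],
            "image": image,
            "size": int(m["size"]) if m["size"] else None,
            "verified": m["size"] is not None,
        })
    return out


def parse_files(lines):
    """File records from 'Created Last 30' / 'Find3M'. Attribute letters are
    tested by presence: s = system, h = hidden; <DIR> marks a directory."""
    out = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        out.append({
            "date": m["date"],
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "is_dir": is_dir,
            "system": "s" in m["attrs"],
            "hidden": "h" in m["attrs"],
            "path": m["path"],
        })
    return out


def flag_services(services):
    """Names of entries whose image DDS could not size. In the log above each
    one has a quoted path or arguments: resolve by hand, not evidence."""
    return [s["name"] for s in services if not s["verified"]]


def flag_files(files, roots=("c:\\windows\\system32",)):
    """Non-directory entries with both system and hidden set under roots."""
    return [
        f["path"] for f in files
        if not f["is_dir"] and f["system"] and f["hidden"]
        and any(f["path"].lower().startswith(r) for r in roots)
    ]


# Constructed sample: lines copied from the DDS log above.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-10 11608]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-9-29 120320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-3-28 372824]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\ad-aware\aawservice.exe" --> c:\program files\ad-aware\AAWService.exe [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service" --> c:\program files\stopzilla!\szntsvc.exe [?]
=============== Created Last 30 ================
2009-09-09 10:04 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-09-06 03:34 <DIR> --d----- c:\program files\trend micro
2009-09-06 01:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
==================== Find3M ====================
2009-09-09 08:53 4,212 ----h--- c:\windows\system32\zllictbl.dat
2007-06-12 09:06 88 ---shr-- c:\windows\system32\DAAAC7A595.sys
2007-06-12 09:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("unsized images:", flag_services(parse_services(lines)))
    print("system+hidden files:", flag_files(parse_files(lines)))
```

Both flagged files in this log carry 2007 timestamps, well before the infection the poster describes, so the attribute check only says where to look, not what was found.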



#4 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 September 2009 - 11:58 AM

Hello,

My name is Syler and I will be helping you to solve your Malware issues.

I see that you have recently been running combofix.

ComboFix should not be run unless requested by an HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post back here with the following logs:
  • Combofix.txt
  • MBAM log
Thanks



#5 camax
  • Topic Starter
  • Members
  • 7 posts

Posted 28 September 2009 - 02:51 PM

Thank you for offering your generous help, Syler!

Thank you for the warning about ComboFix. I had tried to follow another thread that seemed to have a similar infection, and I guess I am lucky enough that it seemed to help my computer rather than destroy it. Still, I won't run it again unless under direction. I think you are asking me to post the C:\ComboFix.txt from previously using it, so that is what I am doing, not running it a new time.

I updated and ran Malwarebytes' Anti-Malware. It actually didn't find any infections, though the log is still pasted below. My first time running Anti-Malware on 9/6 I had 8 infections. After the restart, the second run just had 1 infection. Three days later, a scan showed the same infection persisting. [It was C:\WINDOWS\system32\uacinit.dll (Trojan.Agent)]. Apparently that infection is gone now, but I thought I'd mention it in case it was helpful at all.

~Camax





ComboFix 09-09-12.01 - Owner 09/12/2009 14:42.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.528 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETgnmxrhba.sys
c:\windows\system32\SKYNETacbgiauk.dat
c:\windows\system32\SKYNETiusjmujm.dll
c:\windows\system32\SKYNETpdoyefrq.dll
c:\windows\system32\SKYNETwfiubqqt.dll
c:\windows\system32\SKYNETxlhqwwmt.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETfcaaroof
-------\Legacy_SKYNETfcaaroof


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-10 04:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 17:04 . 2009-09-09 17:04 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-09-06 10:34 . 2009-09-06 10:34 -------- d-----w- C:\rsit
2009-09-06 10:34 . 2009-09-06 10:34 -------- d-----w- c:\program files\trend micro
2009-09-06 09:32 . 2009-09-06 09:39 -------- d-----w- C:\kommboofeex
2009-09-06 09:11 . 2009-09-06 09:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-06 09:07 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 09:07 . 2009-09-06 09:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 09:07 . 2009-09-06 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 09:07 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 08:42 . 2009-09-06 08:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-04 11:11 . 2009-09-04 11:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-04 10:42 . 2009-09-04 10:42 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Logitech
2009-08-21 10:07 . 2009-08-21 10:07 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-21 10:06 . 2009-08-21 10:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 10:06 . 2009-08-21 10:06 -------- d-----w- c:\program files\MSBuild
2009-08-21 10:06 . 2009-08-21 10:06 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 10:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 10:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 10:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 10:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 10:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 10:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-21 10:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 10:05 . 2009-08-21 10:06 -------- d-----w- C:\44f8412d5ab77577e2dcc9eea3
2009-08-20 05:57 . 2009-08-20 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 09:25 . 2007-06-12 22:23 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-09 19:13 . 2004-05-20 22:49 -------- d-----w- c:\program files\WorkingTimeTracker
2009-09-09 17:20 . 2004-04-02 03:00 95512 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 16:33 . 2007-03-30 07:30 -------- d--h--w- c:\documents and settings\Owner\Application Data\Move Networks
2009-09-09 15:53 . 2004-04-06 19:23 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-09-06 10:42 . 2007-06-18 15:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-06 10:41 . 2003-10-11 12:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-06 10:39 . 2007-06-05 15:09 -------- d-----w- c:\program files\CCleaner
2009-08-10 05:14 . 2009-08-10 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2009-08-10 05:12 . 2009-06-02 08:53 -------- d-----w- c:\program files\Ad-Aware
2009-08-10 04:57 . 2009-06-03 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-10 04:57 . 2009-06-03 00:18 -------- d-----w- c:\program files\NOS
2009-08-10 04:21 . 2006-08-18 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-08 02:47 . 2009-05-11 04:51 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 02:20 . 2009-08-02 02:20 -------- d-----w- c:\documents and settings\Owner\Application Data\teamspeak2
2009-08-02 02:20 . 2009-08-02 02:20 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-07-17 19:01 . 2003-11-17 11:45 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-11 08:45 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 21:30 . 2009-07-04 21:30 81408 ----a-w- c:\windows\system32\libspeex.dll
2009-07-03 17:09 . 2006-06-23 18:33 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-11-17 11:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-11-17 11:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-11-17 11:23 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-11-17 11:21 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-11-17 11:21 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-24 11:18 . 2003-10-11 10:06 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-11-17 11:45 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-11-17 11:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-06-12 16:06 . 2007-06-12 16:03 88 --sh--r- c:\windows\system32\DAAAC7A595.sys
2007-06-12 16:18 . 2007-06-12 16:03 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_16.00.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 21:37 . 2009-09-12 21:37 16384 c:\windows\Temp\Perflib_Perfdata_7e4.dat
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
- 2003-10-11 10:17 . 2009-09-09 15:50 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-10-11 10:17 . 2009-09-12 07:10 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-09 09:10 . 2009-09-09 15:50 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-08-09 09:10 . 2009-09-12 07:10 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2003-10-11 10:17 . 2009-09-12 07:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-10-11 10:17 . 2009-09-09 15:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-01-13 22:57 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2003-01-13 22:57 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-14 18:35 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll
- 2003-10-11 10:17 . 2009-09-09 15:50 131072 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-10-11 10:17 . 2009-09-12 07:10 131072 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-11 15:53 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-11 15:53 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-11 15:53 . 2009-03-08 11:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2004-08-11 08:45 . 2009-05-20 19:44 2355200 c:\windows\system32\WMVCore.dll
+ 2003-10-11 10:50 . 2009-05-20 19:44 2355200 c:\windows\system32\dllcache\WMVCore.dll
+ 2005-05-16 14:58 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-31 805392]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe"
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe"
"eFax 4.2"="c:\program files\eFax Messenger 4.2\J2GDllCmd.exe" /R
"SsAAD.exe"=c:\progra~1\Sony\SONICS~1\SsAAD.exe
"PS2"=c:\windows\system32\ps2.exe
"LTMSG"=LTMSG.exe 7
"VTTimer"=VTTimer.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe"
"nwiz"=nwiz.exe /install
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"LXCJCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:@xpsp2res.dll,-22010
"3540:UDP"= 3540:UDP:@xpsp2res.dll,-22011
"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [9/29/2004 4:11 PM 120320]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/10/2009 9:51 PM 108289]
R2 Av360cn;Av360cn;c:\windows\system32\drivers\av360cn.sys [11/3/2004 3:14 PM 60448]
R2 Av363cn;Av363cn;c:\windows\system32\drivers\av363cn.sys [11/3/2004 3:14 PM 74944]
R2 Av363cnb;Av363cnb;c:\windows\system32\drivers\av363cnb.sys [11/3/2004 3:14 PM 74912]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Ad-Aware\AAWService.exe" --> c:\program files\Ad-Aware\AAWService.exe [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\STOPzilla!\szntsvc.exe /service "STOPzilla Local Service" --> c:\program files\STOPzilla!\szntsvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxps://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4pp6khz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4pp6khz2.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - forums.vgames.com mail.google.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 15:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-09-12 15:31
ComboFix-quarantined-files.txt 2009-09-12 22:31
ComboFix2.txt 2009-09-09 16:07

Pre-Run: 8,674,779,136 bytes free
Post-Run: 8,640,438,272 bytes free

229 --- E O F --- 2009-09-11 15:57




Malwarebytes' Anti-Malware 1.41
Database version: 2868
Windows 5.1.2600 Service Pack 3

9/28/2009 12:40:16 PM
mbam-log-2009-09-28 (12-40-16).txt

Scan type: Quick Scan
Objects scanned: 98416
Time elapsed: 7 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 September 2009 - 07:22 PM

Hi Camax,

I had tried to follow another thread that seemed to have a similar infection,


Doing that is a bad idea; no thread is the same, there are lots of variables in the situation, and what works for one person may crash someone else's machine.

I think you are asking me to post the C:\ComboFix.txt from previously using it, so that is what I am doing, not running it a new time.


That's right :(


Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyOverride"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000000
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back here with the following logs:
  • OTM results
  • Kaspersky results
  • New DDS log
Thanks



#7 camax

camax
  • Topic Starter

  • Members
  • 7 posts

Posted 28 September 2009 - 10:37 PM

Syler,

Some good news and bad news this time out.

ERUNT installed fine. The computer start up is noticeably slower now, so I hope that is ERUNT doing its job.

OTM does not seem to be functioning correctly on my system. After pasting the instructions and clicking the MoveIt! button, it seems to "hang". I'm not sure if it is working or it is stuck. In the right panel it mentions that it is killing all processes (and everything but OTM goes down), and there is some text about the HKEYs under that, but then it seems to hang there. I left it like that for over twenty minutes the first time just in case that was normal behavior, then I restarted the machine myself. I tried it two other times, but same thing. I checked to see if there were any log files in the C:\_OTM\MovedFiles area, but there were only (3) folders with no files inside.

I removed all the old Java Runtime Environment programs. After rebooting, I installed the "jre-6u16-windows-i586-p.exe". Now I can see the various icon/images you've added to your posts! Since the OTM did not work, I was going to stop there, but I figured the JRE updating was a safe issue to go ahead with.

I haven't done the Kaspersky or DDS steps, but will on your say so.

~Camax

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 September 2009 - 10:45 PM

Sorry, I made a slight error in the script. Please run this script, then go on with the other instructions.

Thanks

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyOverride"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000000
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


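The OTM `:Reg` script above (post #6's version, where two key headers lack their opening `[`, and post #8's corrected one) and the ComboFix "Reg Loading Points" dump earlier in the thread both use the REGEDIT4 layout of a `[HIVE\path]` header followed by `"name"=value` lines. The following Python is an added example, not OTM's or ComboFix's own code: it parses that layout, refuses to attach values to a key whose header is malformed (so it catches the post #6 error before anything runs), and applies a few posture heuristics, assumed for this example, to the firewall settings ComboFix reported; the sample text is copied from this thread.

```python
"""Lint a REGEDIT4-style registry script and audit a ComboFix 'Reg Loading Points' dump.

OTM's ':Reg' section and ComboFix's dump share the layout '[HIVE\path]' then '"name"=value',
with '=-' meaning 'delete this value'. Added example, not OTM's or ComboFix's own code; the
sample text is copied from this thread, and the posture rules are this example's heuristics.
"""
import re

HIVE = r'(?:HKEY_[A-Z_]+|HKLM|HKCU|HKU|HKCR)'
KEY_RE = re.compile(r'^\[(' + HIVE + r'\\[^\]]*)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
HIVE_RE = re.compile(HIVE + r'\\')


def parse_reg(text):
    """Return (entries, errors): entries are (key, name, raw_value) tuples with
    raw_value '-' meaning deletion; errors are (line_no, message) tuples."""
    entries, errors, current = [], [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(':'):          # blank, ':Reg', ':Commands'
            continue
        if (m := KEY_RE.match(line)):
            current = m.group(1)
        elif (m := VALUE_RE.match(line)):
            if current is None:                       # no trustworthy target key
                errors.append((line_no, 'value with no valid key header: ' + line))
            else:
                entries.append((current, m.group(1), m.group(2).strip()))
        elif HIVE_RE.search(line):                    # header-like, but not '[...]'
            errors.append((line_no, 'malformed key header: ' + line))
            current = None                            # never attach values to the wrong key
        elif not (line.startswith('[') and line.endswith(']')):   # '[EmptyTemp]' etc. are fine
            errors.append((line_no, 'unrecognised line: ' + line))
    return entries, errors


def describe(entries):
    """Plain-English plan of what a script's entries would do."""
    return [f'delete value {name} under {key}' if raw == '-' else f'set {name}={raw} under {key}'
            for key, name, raw in entries]


def to_int(raw):
    """Interpret 'dword:00000001' or '1 (0x1)' style values; None if not numeric."""
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def audit_firewall_posture(entries):
    """Flag host-firewall settings a triage reviewer would want to look at (heuristics)."""
    findings = []
    for key, name, raw in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(r'firewallpolicy\standardprofile') and name == 'EnableFirewall' and to_int(raw) == 0:
            findings.append('Windows Firewall is disabled for the standard profile')
        elif k.endswith(r'monitoring\zonelabsfirewall') and name == 'DisableMonitoring' and to_int(raw) == 1:
            findings.append('Security Center monitoring of ZoneLabsFirewall is disabled')
        elif k.endswith(r'globallyopenports\list'):
            findings.append('globally open port: ' + name)
        elif k.endswith(r'authorizedapplications\list') and not (n.startswith('%windir%') or 'program files' in n):
            findings.append('firewall exception outside Windows/Program Files: ' + name.replace('\\\\', '\\'))
    return findings


# Excerpt of the post #6 script (the one OTM hung on); post #8 restores the missing '['.
OTM_SCRIPT_BAD = r"""
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
"{32683183-48a0-441b-a342-7c2a440a9478}"=-
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
"{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
:Commands
[EmptyTemp]
[Reboot]
"""
OTM_SCRIPT_FIXED = OTM_SCRIPT_BAD.replace('\nHKEY_LOCAL_MACHINE', '\n[HKEY_LOCAL_MACHINE')

# Excerpt of the ComboFix 'Reg Loading Points' section posted earlier in the thread.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\utorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:@xpsp2res.dll,-22010
"""

if __name__ == '__main__':
    for label, script in (('post #6', OTM_SCRIPT_BAD), ('post #8', OTM_SCRIPT_FIXED)):
        entries, errors = parse_reg(script)
        print(label, 'errors:', errors, 'plan:', describe(entries))
    print('ComboFix findings:', audit_firewall_posture(parse_reg(COMBOFIX_EXCERPT)[0]))
```

Run against the post #6 text it reports the two malformed headers plus the two values that follow them as unplaceable, which is exactly the kind of check worth doing before pasting a fix script into a tool that runs as SYSTEM.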

#9 camax

camax
  • Topic Starter

  • Members
  • 7 posts

Posted 29 September 2009 - 02:13 AM

Syler,

OTM ran great this time. I see a lot of not found/failed notes, so perhaps that first OTM execution took them out, just didn't get to the log?

Kaspersky downloaded and scanned fine. You were right about it taking quite a while.

Three logs below:



All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\\{32683183-48a0-441b-a342-7c2a440a9478} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\\{4528BBE0-4E08-11D5-AD55-00010333D0AD} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ not found.
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFDE60.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 2016834 bytes
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 9516885 bytes
->Java cache emptied: 25493442 bytes
->FireFox cache emptied: 59584415 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 156696 bytes
%systemroot%\System32 .tmp files removed: 5552657 bytes
File delete failed. C:\WINDOWS\temp\ZLT060a2.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied: 1024 bytes
RecycleBin emptied: 1172159123 bytes

Total Files Cleaned = 1215.58 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09282009_205423

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\~DFDE60.tmp moved successfully.
File C:\WINDOWS\temp\ZLT060a2.TMP not found!

Registry entries deleted on Reboot...





DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 0:08:05.90 on Tue 09/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.386 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191199285484
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxps://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4pp6khz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\4pp6khz2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - forums.vgames.com mail.google.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-10 11608]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-9-29 120320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-3-28 372824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-10 108289]
R2 Av360cn;Av360cn;c:\windows\system32\drivers\av360cn.sys [2004-11-3 60448]
R2 Av363cn;Av363cn;c:\windows\system32\drivers\av363cn.sys [2004-11-3 74944]
R2 Av363cnb;Av363cnb;c:\windows\system32\drivers\av363cnb.sys [2004-11-3 74912]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-10 55656]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-10 185089]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\ad-aware\aawservice.exe" --> c:\program files\ad-aware\AAWService.exe [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service" --> c:\program files\stopzilla!\szntsvc.exe [?]

=============== Created Last 30 ================

2009-09-28 19:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-28 19:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-28 18:46 <DIR> --d----- C:\_OTM
2009-09-11 08:56 118 a------- c:\windows\system32\MRT.INI
2009-09-09 21:38 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-09 10:04 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-09-06 03:34 <DIR> --d----- c:\program files\trend micro
2009-09-06 02:33 230,912 a------- c:\windows\PEV.exe
2009-09-06 02:33 161,792 a------- c:\windows\SWREG.exe
2009-09-06 02:33 98,816 a------- c:\windows\sed.exe
2009-09-06 02:32 <DIR> --d----- C:\kommboofeex
2009-09-06 02:11 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-06 02:07 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 02:07 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-06 02:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 02:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-06 01:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

==================== Find3M ====================

2009-09-09 08:53 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-07 19:47 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 14:09 95,512 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 14:30 81,408 a------- c:\windows\system32\libspeex.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2007-06-12 09:04 476,752 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-01-29 23:59 6,482,944 a------- c:\documents and settings\owner\ffmpeg.exe
2007-06-12 09:06 88 ---shr-- c:\windows\system32\DAAAC7A595.sys
2007-06-12 09:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 0:09:12.18 ===============

Attached Files



#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:44 PM

Posted 29 September 2009 - 08:33 AM

camax,

Your logs look fine to me now, please uninstall combofix then post back with a new DDS log, and let me know if you are having any more problems.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


#11 camax

camax
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 29 September 2009 - 12:42 PM

Hi sylar,

Thanks for all the help on this cleanup. Earlier in the month I had a lot of files that had to do with "SKYNET" verbiage left on my system, but it looks like all the various programs have gotten rid of the maliciousness. Combofix is uninstalled.

Do you know what C:\Program Files\Bonjour\mDNSResponder.exe is, and if I need that to be running?

~Camax



DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 10:35:01.04 on Tue 09/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.326 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\PROGRA~1\MI1933~1\Office10\OUTLOOK.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191199285484
DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - hxxp://www.bitdefender.com/scan/Msie/bitdefender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxps://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\4pp6khz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\4pp6khz2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - forums.vgames.com mail.google.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-10 11608]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-9-29 120320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-3-28 372824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-10 108289]
R2 Av360cn;Av360cn;c:\windows\system32\drivers\av360cn.sys [2004-11-3 60448]
R2 Av363cn;Av363cn;c:\windows\system32\drivers\av363cn.sys [2004-11-3 74944]
R2 Av363cnb;Av363cnb;c:\windows\system32\drivers\av363cnb.sys [2004-11-3 74912]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-10 55656]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-10 185089]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\ad-aware\aawservice.exe" --> c:\program files\ad-aware\AAWService.exe [?]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service" --> c:\program files\stopzilla!\szntsvc.exe [?]

=============== Created Last 30 ================

2009-09-28 19:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-28 19:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-28 18:46 <DIR> --d----- C:\_OTM
2009-09-11 08:56 118 a------- c:\windows\system32\MRT.INI
2009-09-09 21:38 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-09 10:04 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-09-06 02:11 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-06 02:07 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 02:07 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-06 02:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 02:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-06 01:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

==================== Find3M ====================

2009-09-09 08:53 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-07 19:47 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 14:09 95,512 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 14:30 81,408 a------- c:\windows\system32\libspeex.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2007-06-12 09:04 476,752 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-01-29 23:59 6,482,944 a------- c:\documents and settings\owner\ffmpeg.exe
2007-06-12 09:06 88 ---shr-- c:\windows\system32\DAAAC7A595.sys
2007-06-12 09:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:35:48.96 ===============

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:44 PM

Posted 29 September 2009 - 03:55 PM

Do you know what C:\Program Files\Bonjour\mDNSResponder.exe is, and if I need that to be running?


This is from the Bonjour Service, related to iTunes. It is not needed to run on startup, so you can disable it if you want. See here.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click it and choose Run as administrator.
  • Then click the big cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean! :(

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates, click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :(
Syler



#13 camax

camax
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:44 AM

Posted 29 September 2009 - 05:17 PM

Thanks for all the help cleaning my computer sylar!

After the reboot which was part of the clean up of OTC, I got a half dozen errors from ERUNT. Should I uninstall that one now?

I'm reading about all the other applications you mentioned now :(

~Camax

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:44 PM

Posted 29 September 2009 - 05:24 PM

You're welcome Camax :(

You can uninstall erunt if you wish.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
