Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32/Heur, Adware Toolbar.GP, Trojan Horse, Worm


  • This topic is locked This topic is locked
13 replies to this topic

#1 manang

manang

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 01 October 2009 - 07:18 AM

I don't know how to remove them, our computer automatically shuts down sometimes.

DDS (Ver_09-09-29.01) - NTFSx86
Run by user at 20:03:13.70 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.192 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Application Data\Transcend\JFSW2\JFSW2Launch.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
uRun: [JFSW2Launch] c:\documents and settings\user\application data\transcend\jfsw2\JFSW2Launch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VMSnap3] c:\windows\VMSnap3.EXE
mRun: [Domino] c:\windows\Domino.EXE
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab

============= SERVICES / DRIVERS ===============

R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-10 602392]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2008-12-5 428160]
RUnknown vkquwexg;vkquwexg; [x]
S2 gdhktm;Driver Config;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\locals~1\temp\qtq6.tmp --> c:\docume~1\user\locals~1\temp\QTQ6.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-10-01 18:49 <DIR> a-dshr-- C:\cmdcons
2009-10-01 16:02 229,888 a------- c:\windows\PEV.exe
2009-10-01 16:02 161,792 a------- c:\windows\SWREG.exe
2009-10-01 16:02 98,816 a------- c:\windows\sed.exe
2009-09-23 11:09 <DIR> --d----- c:\docume~1\user\applic~1\kebketnp
2009-09-09 14:40 217 a------- c:\windows\system32\MRT.INI
2009-09-09 08:26 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-06 11:42 23,392 a------- c:\windows\system32\nscompat.tlb
2009-09-06 11:42 16,832 a------- c:\windows\system32\amcompat.tlb
2009-09-06 11:03 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-09-06 10:50 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2009-10-01 18:47 182,656 -------- c:\windows\system32\drivers\ndis.sys
2009-09-30 21:11 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-08-30 18:46 834,594 a------- c:\windows\system32\cftm.exe
2009-08-05 17:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 03:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 4,874,240 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-04 01:09 915,456 -------- c:\windows\system32\wininet.dll

============= FINISH: 20:03:27.17 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 01 October 2009 - 08:18 PM

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 manang

manang
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 02 October 2009 - 05:29 AM

It's ok, I can wait for your reply. Thanks for entertaining my question. Hope that you can help me fix my problem. Thanks.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 02 October 2009 - 04:23 PM

Hello manang,

Sorry for the delay, forum have been really busy.


1. I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


2. You are using advanced registry optimizer. Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

*Registry tools can cause irreparable damage to your Operating System
*Registry tools can, as a result of the above, render your pc to be inoperable.

This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.

Cleaning the registry won't really improve system performance, even though there a lot of orphaned keys.
IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry at you own risk. After all, a corrupted registry is a corrupted Windows.

Registry Cleaners and System Tweaking Tools



3. I strongly suggest that you uninstall Ask Toolbar. Some of the bad practices of this toolbar are:
  • Promoting its toolbars on sites targeted to kids. Details.
  • Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  • Promoting its toolbars through other companies' spyware. Details.
  • Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Plesae read the full details HERE.

If you decided to remove Ask Toolbar. Go to Start > Control Panel > Add Remove programs and remove AskBarDis.

Then go to C: > Program Files and delete AskBarDis folder.



4. Please download Malwarebytes' Anti-Malware from here:

MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



5. Lastly, please create a new DDS log for me and post it when you reply. Thanks.


~Semp :(

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 manang

manang
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 03 October 2009 - 07:48 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2899
Windows 5.1.2600 Service Pack 3

10/3/2009 8:46:51 PM
mbam-log-2009-10-03 (20-46-51).txt

Scan type: Quick Scan
Objects scanned: 93574
Time elapsed: 13 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_09-09-29.01) - NTFSx86
Run by user at 20:38:25.59 on Sat 10/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.146 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Application Data\Transcend\JFSW2\JFSW2Launch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [JFSW2Launch] c:\documents and settings\user\application data\transcend\jfsw2\JFSW2Launch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VMSnap3] c:\windows\VMSnap3.EXE
mRun: [Domino] c:\windows\Domino.EXE
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-1 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-1 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-1 297752]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-10 602392]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-3 38224]
S2 gdhktm;Driver Config;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\locals~1\temp\qtq6.tmp --> c:\docume~1\user\locals~1\temp\QTQ6.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2008-12-5 428160]

=============== Created Last 30 ================


==================== Find3M ====================

2009-10-02 09:49 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-10-01 18:47 182,656 -------- c:\windows\system32\drivers\ndis.sys
2009-08-30 18:46 834,594 a------- c:\windows\system32\cftm.exe
2009-08-05 17:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 03:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 4,874,240 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\dllcache\wmpdxm.dll

============= FINISH: 20:40:24.84 ===============

Attached Files



#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 03 October 2009 - 07:51 PM

Hello manang,

Please delete any copy of Combofix (If you have). Visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.



~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 manang

manang
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 04 October 2009 - 05:17 AM

ComboFix 09-10-01.05 - user 10/04/2009 17:59.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.341 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-03 12:28 . 2009-10-03 12:28 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-03 12:27 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 12:27 . 2009-10-03 12:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:27 . 2009-10-03 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 12:27 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 14:25 . 2009-10-01 14:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 14:25 . 2009-10-01 14:25 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-01 14:25 . 2009-10-01 14:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-01 14:25 . 2009-10-01 14:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-01 14:24 . 2009-10-04 00:53 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-01 14:24 . 2009-10-01 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-23 03:09 . 2009-09-23 03:09 -------- d-----w- c:\documents and settings\user\Application Data\kebketnp
2009-09-23 03:09 . 2009-09-23 03:09 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\kebketnp
2009-09-20 16:33 . 2009-09-20 16:33 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\kebketnp
2009-09-19 13:48 . 2009-09-19 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\kebketnp
2009-09-19 13:48 . 2009-09-19 13:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\kebketnp
2009-09-09 00:26 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 03:03 . 2009-09-06 03:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-06 02:50 . 2009-09-06 03:49 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-09-06 02:50 . 2009-09-06 02:50 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 01:49 . 2009-08-02 02:48 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-01 14:25 . 2008-12-09 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 10:47 . 2004-08-03 20:14 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-30 06:13 . 2008-12-06 11:51 -------- d-----w- c:\program files\Garena
2009-09-19 00:30 . 2009-02-28 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-30 10:46 . 2009-08-30 10:45 834594 ----a-w- c:\windows\system32\cftm.exe
2009-08-29 14:15 . 2008-12-14 05:47 10 ----a-w- c:\windows\popcinfo.dat
2009-08-29 01:02 . 2009-08-29 01:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-08-05 09:01 . 2004-08-03 21:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 21:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 04:21 . 2004-08-03 21:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 03:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-17 68856]
"JFSW2Launch"="c:\documents and settings\user\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2009-06-05 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-05-02 4640768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-01 2023704]
"BigDog303"="c:\windows\VM303_STI.EXE" [BU]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-07-12 1581056]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-05-02 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-01 14:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/1/2009 10:25 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/1/2009 10:25 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/1/2009 10:24 PM 297752]
S2 gdhktm;Driver Config;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:56 AM 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\LOCALS~1\Temp\QTQ6.tmp --> c:\docume~1\user\LOCALS~1\Temp\QTQ6.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [12/5/2008 5:13 PM 428160]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gdhktm

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 18:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\user\LOCALS~1\Temp\QTQ6.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gdhktm]
"ServiceDll"="c:\windows\system32\ecmqm.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,27,30,19,71,82,ea,46,b9,8a,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,27,30,19,71,82,ea,46,b9,8a,3b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2056)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-04 18:11
ComboFix-quarantined-files.txt 2009-10-04 10:10
ComboFix2.txt 2009-10-02 09:36
ComboFix3.txt 2009-10-01 11:14

Pre-Run: 10,354,851,840 bytes free
Post-Run: 10,663,100,416 bytes free

166 --- E O F --- 2009-09-17 08:22

Attached Files



#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 05 October 2009 - 06:41 AM

Hello manang,

1. We need to execute a combofix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
mURLSearchHooks: H - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

DirLook::
c:\documents and settings\user\Application Data\kebketnp
c:\documents and settings\NetworkService\Local Settings\Application Data\kebketnp

File::
c:\windows\system32\cftm.exe
c:\windows\popcinfo.dat
c:\windows\system32\ecmqm.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gdhktm]

Driver::
gdhktm

NetSvc::
gdhktm

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2. Please create another Rootrepeal log and post it when you reply.


How's your computer now?


~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 manang

manang
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 06 October 2009 - 07:44 PM

ComboFix 09-10-06.03 - user 10/07/2009 8:16.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.220 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\windows\popcinfo.dat"
"c:\windows\system32\cftm.exe"
"c:\windows\system32\ecmqm.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfo.dat
c:\windows\system32\cftm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GDHKTM
-------\Service_gdhktm


((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-03 12:28 . 2009-10-03 12:28 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-03 12:27 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 12:27 . 2009-10-03 12:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:27 . 2009-10-03 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 12:27 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 14:25 . 2009-10-01 14:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 14:25 . 2009-10-01 14:25 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-01 14:25 . 2009-10-01 14:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-01 14:25 . 2009-10-01 14:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-01 14:24 . 2009-10-06 00:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-01 14:24 . 2009-10-05 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-23 03:09 . 2009-09-23 03:09 -------- d-----w- c:\documents and settings\user\Application Data\kebketnp
2009-09-23 03:09 . 2009-09-23 03:09 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\kebketnp
2009-09-20 16:33 . 2009-09-20 16:33 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\kebketnp
2009-09-19 13:48 . 2009-09-19 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\kebketnp
2009-09-19 13:48 . 2009-09-19 13:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\kebketnp
2009-09-09 00:26 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 01:49 . 2009-08-02 02:48 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-01 14:25 . 2008-12-09 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 10:47 . 2004-08-03 20:14 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-30 06:13 . 2008-12-06 11:51 -------- d-----w- c:\program files\Garena
2009-09-19 00:30 . 2009-02-28 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-06 03:03 . 2009-09-06 03:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-29 01:02 . 2009-08-29 01:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-08-05 09:01 . 2004-08-03 21:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 21:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 04:21 . 2004-08-03 21:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\NetworkService\Local Settings\Application Data\kebketnp ----

2009-09-19 13:49 . 2009-09-19 13:55 32768 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\kebketnp\Profiles\y0k3rbs6.default\urlclassifier3.sqlite
2009-09-19 13:49 . 2009-09-19 13:49 438116 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\kebketnp\Profiles\y0k3rbs6.default\XPC.mfl

---- Directory of c:\documents and settings\user\Application Data\kebketnp ----

2009-09-23 03:11 . 2009-09-23 03:11 2280 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\pluginreg.dat
2009-09-23 03:10 . 2009-09-23 03:10 2048 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\webappsstore.sqlite
2009-09-23 03:10 . 2009-09-23 03:10 510 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\localstore.rdf
2009-09-23 03:10 . 2009-09-23 03:10 4096 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\formhistory.sqlite
2009-09-23 03:10 . 2009-09-23 03:10 0 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\places.sqlite-journal
2009-09-23 03:10 . 2009-09-23 03:10 131072 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\places.sqlite
2009-09-23 03:10 . 2009-09-23 03:10 16384 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\key3.db
2009-09-23 03:10 . 2009-09-23 03:14 65536 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\cert8.db
2009-09-23 03:09 . 2009-09-23 03:09 16384 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\secmod.db
2009-09-23 03:09 . 2009-09-23 03:14 2048 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\cookies.sqlite
2009-09-23 03:09 . 2009-09-23 03:09 2048 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\permissions.sqlite
2009-09-23 03:09 . 2009-09-23 03:09 367 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\prefs.js
2009-09-23 03:09 . 2009-09-23 03:09 127820 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\compreg.dat
2009-09-23 03:09 . 2009-09-23 03:09 96173 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\xpti.dat
2009-09-23 03:09 . 2009-09-23 03:09 207 ----a-w- c:\documents and settings\user\Application Data\kebketnp\Profiles\i36i8pmx.default\compatibility.ini
2009-09-23 03:09 . 2009-09-23 03:09 111 ----a-w- c:\documents and settings\user\Application Data\kebketnp\profiles.ini


((((((((((((((((((((((((((((( SnapShot@2009-10-01_11.08.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-07 00:28 . 2009-10-07 00:28 16384 c:\windows\temp\Perflib_Perfdata_170.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 03:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-17 68856]
"JFSW2Launch"="c:\documents and settings\user\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2009-06-05 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-05-02 4640768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-01 2023704]
"BigDog303"="c:\windows\VM303_STI.EXE" [BU]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-07-12 1581056]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-05-02 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-01 14:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/1/2009 10:25 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/1/2009 10:25 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/1/2009 10:24 PM 297752]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [12/5/2008 5:13 PM 428160]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\LOCALS~1\Temp\QTQ6.tmp --> c:\docume~1\user\LOCALS~1\Temp\QTQ6.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 08:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\user\LOCALS~1\Temp\QTQ6.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,27,30,19,71,82,ea,46,b9,8a,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,27,30,19,71,82,ea,46,b9,8a,3b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-10-07 8:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 00:32
ComboFix2.txt 2009-10-04 10:11
ComboFix3.txt 2009-10-02 09:36
ComboFix4.txt 2009-10-01 11:14

Pre-Run: 10,510,106,624 bytes free
Post-Run: 10,567,376,896 bytes free

212 --- E O F --- 2009-09-17 08:22

Attached Files



#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 07 October 2009 - 06:36 AM

Hello manang,


Looks like a clean log but let's make sure. How's your computer running now?


1. Download and install the latest version of java.
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

2. Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply .

~Semp :(

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 09 October 2009 - 01:05 PM

Hi,

Are you still with us?

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 manang

manang
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 10 October 2009 - 07:26 AM

Yes, sorry.. got busy at school.. :(

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:55 PM

Posted 10 October 2009 - 07:47 AM

No problema :(

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:55 AM

Posted 15 October 2009 - 07:38 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users