Infected with AntiVirus Sytem Pro + something else?


  • This topic is locked
15 replies to this topic

#1 Merlin07

Merlin07

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 20 November 2009 - 09:43 PM

Hello,

My computer was infected with AntiVirus System Pro. It would generate many pop-ups about scanning my computer. It would also block any .exe files from running, saying, "The file <file name>.exe is infected. Do you wish to activate your antivirus software now?" I ran MalwareBytes a few times, and most of the symptoms just described went away. However, this is the third time that I have gotten this virus, so I suspect that I have not really gotten rid of it yet.

An additional problem I am having is that I cannot access any websites with Internet Explorer. My Internet connection is working because I can load my e-mail just fine. I am not sure whether this problem is caused by the AntiVirus System Pro virus.

I posted the requested logs below. Thank you very much in advance for your help.

Sincerely,

Merlin07

DDS (Ver_09-10-26.01) - NTFSx86
Run by merlinwl at 20:05:18.93 on 11/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1487 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\merlinwl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {87802ae1-76a2-43f9-9303-7f1733c31f6c} - joduharu.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
uRun: [browseole32] rundll32.exe "c:\documents and settings\merlinwl\local settings\application data\browseole32\browseole32.dll", DllInit
uRun: [UnHackMe Monitor] e:\unhackme\hackmon.exe
uRun: [Power2GoExpress] NA
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SDFix] c:\docume~1\merlinwl\desktop\sdfix\RunThis.bat /second
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "f:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [framework] framework.exe
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
dRun: [TabletWizard] %windir%\help\wizard.hta
dRunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp"
dRunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg
dRunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://quickplace.udayton.edu/qp2.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://web-student-3.udayton.edu/iNotes6W.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac-cas3-red.net.udayton.edu/auth/taweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189110439031
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189110421640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli nelesoye.dll jajulaze.dll
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-11-16 03:52:22 2 --shatr- c:\windows\winstart.bat

============= FINISH: 20:06:47.95 ===============

Attached Files




#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:34 PM

Posted 28 November 2009 - 07:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Merlin07

Merlin07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 28 November 2009 - 10:23 PM

I have posted a new DDS log below. I would like to add to my previous post that I can access the Internet with my computer if I run Firefox off of my external hard drive. Also, when I try to hibernate my computer, it crashes. I can put the computer in "stand by" mode, but it takes a long time (a few minutes, at least) to do so. I originally thought this might be a hardware problem, but after reading other posts on this forum, I realized it might be a virus problem.

Thank you for responding to my post.

DDS (Ver_09-10-26.01) - NTFSx86
Run by merlinwl at 22:14:04.78 on 11/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1212 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\service.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
F:\Mozilla Firefox\firefox.exe
C:\Documents and Settings\merlinwl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {87802ae1-76a2-43f9-9303-7f1733c31f6c} - joduharu.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
uRun: [browseole32] rundll32.exe "c:\documents and settings\merlinwl\local settings\application data\browseole32\browseole32.dll", DllInit
uRun: [UnHackMe Monitor] e:\unhackme\hackmon.exe
uRun: [Power2GoExpress] NA
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SDFix] c:\docume~1\merlinwl\desktop\sdfix\RunThis.bat /second
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "f:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [framework] framework.exe
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Update] service.exe
dRun: [TabletWizard] %windir%\help\wizard.hta
dRunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp"
dRunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg
dRunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://quickplace.udayton.edu/qp2.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://web-student-3.udayton.edu/iNotes6W.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac-cas3-red.net.udayton.edu/auth/taweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189110439031
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189110421640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli nelesoye.dll jajulaze.dll
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-11-16 03:52:22 2 --shatr- c:\windows\winstart.bat

============= FINISH: 22:15:43.79 ===============

Attached Files
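The two DDS reports posted above contain the entries a malware-removal helper reads first: an Internet Explorer proxy pointed at the local machine (`ProxyServer = http=127.0.0.1:5555`, which matches the "IE cannot load any site" symptom), LSA notification packages beyond the Windows default (`nelesoye.dll jajulaze.dll`), and BHO/Run entries whose module is a bare filename rather than a full path (`joduharu.dll`, `service.exe`). The script below is an added example for readers of this thread; it is not DDS code and not something the helpers posted. It parses the "Pseudo HJT Report" format with three conservative heuristics and lists lines that need a human look, without declaring any line malicious. The sample input is a constructed excerpt of the report lines above, and the baseline set of default LSA notification packages (`scecli` on an XP workstation) is an assumption stated in the code.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not DDS code and not from the forum thread. Three heuristics
flag lines that deserve analyst attention; nothing here is a verdict.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines in the DDS format, copied from the report
# in the thread (the real report is far longer).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {87802ae1-76a2-43f9-9303-7f1733c31f6c} - joduharu.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Windows Update] service.exe
uRun: [Power2GoExpress] NA
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli nelesoye.dll jajulaze.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    detail: str  # the value that triggered it
    line: str    # the full report line, for the analyst


# Assumed baseline: on a Windows XP workstation the only default LSA
# notification package is scecli. Extend for servers (rassfm, kdcsvc).
LSA_DEFAULT_NOTIFY = {"scecli"}
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")
RUN_PREFIXES = ("uRun:", "mRun:", "dRun:", "uRunOnce:", "mRunOnce:", "dRunOnce:")
MODULE_PREFIXES = ("BHO:", "TB:")


def _first_token(command: str) -> str:
    """Executable part of a Run command; honours a quoted path with spaces."""
    m = re.match(r'"([^"]*)"|(\S+)', command)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"[umd]Internet Settings,ProxyServer\s*=", line):
            # Rule 1: browser proxy pointing back at the local machine.
            value = line.split("=", 1)[1].strip()
            if any(host in value for host in LOOPBACK_HOSTS):
                findings.append(Finding("loopback-proxy", value, line))
        elif line.startswith("LSA: Notification Packages"):
            # Rule 2: LSA loads these DLLs at boot; anything beyond the
            # baseline needs a path and signature check.
            for pkg in line.split("=", 1)[1].split():
                name = pkg.lower()
                if name.endswith(".dll"):
                    name = name[:-4]
                if name not in LSA_DEFAULT_NOTIFY:
                    findings.append(Finding("nondefault-lsa-notify", pkg, line))
        elif line.startswith(RUN_PREFIXES):
            # Rule 3a: a Run value with no directory is resolved through the
            # search path, so the analyst must locate the file by hand.
            command = line.partition("] ")[2].strip()
            exe = _first_token(command)
            if exe and exe != "NA" and "\\" not in exe:   # DDS prints NA for an empty value
                findings.append(Finding("pathless-load", exe, line))
        elif line.startswith(MODULE_PREFIXES):
            # Rule 3b: same check for BHO / toolbar modules (path after the last " - ").
            module = line.rsplit(" - ", 1)[-1].strip()
            if "\\" not in module:
                findings.append(Finding("pathless-load", module, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'loopback-proxy': 1, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"{f.rule:24} {f.detail:22} <- {f.line}")
    print(summarize(results))
```

On the sample, the script flags the loopback proxy, the two non-default LSA packages, and three path-less loads (the BHO `joduharu.dll`, `stsystra.exe`, `service.exe`). A path-less entry is not a verdict: `stsystra.exe` is a vendor tray applet that lives in the Windows directory, which is exactly why the rule only asks for the file to be located and checked rather than labelling it.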



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:34 AM

Posted 29 November 2009 - 05:56 AM

Hello merlin07,

Welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.



COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 Merlin07

Merlin07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 29 November 2009 - 03:52 PM

My computer is running much better after running ComboFix. Internet Explorer works like normal, and my computer can successfully hibernate. The ComboFix log is pasted below. Thank you for helping me with my virus problems so far.

ComboFix 09-11-29.02 - merlinwl 11/29/2009 15:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1533 [GMT -5:00]
Running from: c:\documents and settings\merlinwl\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\APTRRNTm.dll
c:\windows\system32\APTRRNTl.dll
c:\program files\Replay Music 2\TRUserDLL.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\merlinwl\LOCALS~1\Temp\0.EXE
c:\documents and settings\All Users\Application Data\jujo.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\merlinwl\Application Data\egebofiba.bat
c:\documents and settings\merlinwl\Application Data\myfydys.inf
c:\program files\Common Files\tycesodu.inf
c:\recycler\S-1-5-21-1078081533-113007714-839522115-500
c:\windows\dymi.reg
c:\windows\hujypaqo.reg
c:\windows\jogezuwun.scr
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\3077051.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\bobebeji.dll
c:\windows\system32\clrviddc.dll
c:\windows\system32\flags.ini
c:\windows\system32\gaduvoma.exe
c:\windows\system32\gijeluhe.dll
c:\windows\system32\Install.txt
c:\windows\system32\jamahesa.dll
c:\windows\system32\javohiwo.dll
c:\windows\system32\jobavito.dll
c:\windows\system32\lebesisu.dll
c:\windows\system32\muhoyawa.dll
c:\windows\system32\navavaze.dll
c:\windows\system32\numitopi.dll
c:\windows\system32\raniyiyi.dll
c:\windows\system32\ruyugapi.dll
c:\windows\system32\service.exe
c:\windows\system32\tebujugu.dll
c:\windows\system32\tijebevi.dll
c:\windows\system32\uses32.dat
c:\windows\system32\vejorafa.dll
c:\windows\system32\verazemi.dll
c:\windows\system32\wojifizi.exe
c:\windows\system32\zeladugu.dll
c:\windows\vexuz.vbs
F:\autorun.inf

----- BITS: Possible infected sites -----

hxxp://windowsupdate.udayton.edu
hxxp://82.98.231.102
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - c:\windows\NLDRV\003\iastor.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{51091540-FF52-4BCA-B065-79468D90D7CD}\RP633\A0201410.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-29 20:24 . 2004-08-04 08:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-29 20:24 . 2004-08-04 08:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-24 00:15 . 2009-11-24 00:15 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\Mozilla
2009-11-20 01:46 . 2009-11-20 01:46 -------- d-----w- c:\windows\ZDLT08FNV5FPX7HR
2009-11-20 00:27 . 2009-11-20 18:43 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\uoxkjw
2009-11-12 16:08 . 2009-11-12 16:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-12 16:07 . 2009-11-12 16:07 152576 ----a-w- c:\documents and settings\merlinwl\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 16:07 . 2009-11-12 16:07 79488 ----a-w- c:\documents and settings\merlinwl\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-07 17:25 . 2009-11-07 18:01 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\wkvfdo
2009-11-04 17:39 . 2009-11-04 17:39 487 ----a-w- c:\documents and settings\merlinwl\Local Settings\Application Data\syssvc.exe
2009-11-04 01:04 . 2009-11-11 17:38 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\browseole32
2009-11-04 01:03 . 2009-11-04 20:11 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\ovvpoq
2009-10-31 18:35 . 2009-10-31 18:35 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\O&O

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 20:12 . 2009-03-07 18:58 -------- d-----w- c:\program files\Replay Music 2
2009-11-29 20:05 . 2008-10-24 23:16 -------- d-----w- c:\documents and settings\merlinwl\Application Data\uTorrent
2009-11-29 02:47 . 2009-03-10 22:30 -------- d-----w- c:\documents and settings\merlinwl\Application Data\Free Audio Editor
2009-11-19 00:41 . 2009-10-29 00:55 -------- d-----w- c:\program files\vdmrqt
2009-11-17 18:07 . 2007-06-29 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-12 16:08 . 2007-06-29 12:46 -------- d-----w- c:\program files\Java
2009-11-08 05:38 . 2009-11-08 05:38 5 ----a-w- c:\windows\system32\YoItzVlad.tmp
2009-11-04 01:03 . 2009-09-07 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 19:49 . 2008-02-08 23:40 -------- d-----w- c:\program files\Oddworld Abe's Exoddus
2009-10-31 18:27 . 2008-08-20 01:40 -------- d-----w- c:\program files\O&O Defrag
2009-10-30 20:53 . 2009-10-30 08:53 -------- d-----w- c:\program files\rhdnvj
2009-10-09 21:43 . 2009-10-09 19:52 -------- d-----w- c:\program files\NoteWorthy Composer
2009-10-08 01:07 . 2009-10-08 01:07 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-18 16:49 . 2009-08-04 00:24 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-18 16:49 . 2009-08-04 00:24 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-18 16:44 . 2009-09-18 16:48 71016 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{D689B418-235A-4290-A0A5-A75E490E0351}\Redist\ccSetEvt.dll
2009-09-12 04:33 . 2009-09-12 04:33 199936 ----a-w- c:\windows\system32\oodbs.exe
2009-09-12 04:29 . 2009-09-12 04:29 9984 ----a-w- c:\windows\system32\oodbsrs.dll
2009-09-11 14:03 . 2006-06-19 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-07 19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-07 19:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 18:59 . 2009-09-09 18:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-07 19:13 . 2009-09-07 19:13 14894 ----a-w- c:\documents and settings\All Users\Application Data\tabekamobi.dll
2009-09-07 19:13 . 2009-09-07 19:13 14894 ----a-w- c:\documents and settings\All Users\Application Data\tabekamobi.dll
2009-09-07 19:13 . 2009-09-07 19:13 19683 ----a-w- c:\windows\system32\ihalu.sys
2009-09-07 19:13 . 2009-09-07 19:13 18679 ----a-w- c:\documents and settings\All Users\Application Data\tocosagisi.sys
2009-09-07 19:13 . 2009-09-07 19:13 18679 ----a-w- c:\documents and settings\All Users\Application Data\tocosagisi.sys
2009-09-07 19:13 . 2009-09-07 19:13 14427 ----a-w- c:\windows\uzybagu.bin
2009-09-07 19:13 . 2009-09-07 19:13 11761 ----a-w- c:\windows\bizykadoq.sys
2009-09-07 19:13 . 2009-09-07 19:13 15161 ----a-w- c:\documents and settings\merlinwl\Local Settings\Application Data\qawa.dll
2009-09-04 20:45 . 2006-06-19 16:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 23:43 . 2009-03-10 20:09 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2008-11-16 03:52 . 2008-11-16 03:52 2 --shatr- c:\windows\winstart.bat
.

------- Sigcheck -------

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

[-] 2006-06-14 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" [X]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-06-18 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-18 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-18 115560]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2009-06-22 446088]
"Malwarebytes Anti-Malware (reboot)"="f:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md" [X]
"nlpo_02"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]
"nlpo_03"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 08:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 07:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0OODBS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Half-Life 2\\Half-Life 2\\hl2.exe"=
"c:\\Program Files\\Half-Life\\hlds.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Battlezone II\\bzone.exe"=
"c:\\Program Files\\Battlezone II 1.3 FleshStorm\\bzone.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\tcserver.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"f:\\uTorrent.exe"=
"c:\\Program Files\\Battlezone II 1.3pb3 X-Mod 3.31\\bzone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1761:TCP"= 1761:TCP:ZENworks Remote Management port
"1761:UDP"= 1761:UDP:ZENworks Remote Management port
"2967:TCP"= 2967:TCP:Symantec Antivirus v10 Client
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"37813:TCP"= 37813:TCP:37813
"53:UDP"= 53:UDP:Promo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [05/26/2009 5:07 PM 38144]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [06/22/2009 9:24 AM 715400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/17/2009 7:07 PM 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [06/19/2006 11:46 AM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [06/19/2006 11:46 AM 9600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [03/10/2009 3:09 PM 23888]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/15/2008 10:52 PM 30946]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys --> c:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac-cas3-red.net.udayton.edu/auth/taweb.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{87802ae1-76a2-43f9-9303-7f1733c31f6c} - joduharu.dll
Toolbar-SITEguard - (no file)
HKCU-Run-browseole32 - c:\documents and settings\merlinwl\Local Settings\Application Data\browseole32\browseole32.dll
HKCU-Run-UnHackMe Monitor - e:\unhackme\hackmon.exe
HKLM-Run-SDFix - c:\docume~1\merlinwl\Desktop\SDFix\RunThis.bat
HKLM-Run-ZENRC Tray Icon - c:\windows\system32\zentray.exe
HKLM-Run-OODefragTray - c:\windows\system32\oodtray.exe
HKLM-Run-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
HKLM-Run-framework - framework.exe
HKU-Default-Run-TabletWizard - c:\windows\help\wizard.hta
SafeBoot-Symantec Antvirus
SafeBoot-WebrootSpySweeperService
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CCleaner - e:\tools\CCleaner\uninst.exe
AddRemove-Easy-PhotoPrint - c:\program files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
AddRemove-Mozilla Firefox (2.0.0.13) - e:\other programs\Firefox\App\firefox\uninstall\helper.exe
AddRemove-Mozilla Thunderbird (2.0.0.12) - e:\other programs\Thunderbird\uninstall\helper.exe
AddRemove-RealPlayer Enterprise 6.0 - c:\program files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealOneEnt|6.0
AddRemove-VLC media player - e:\vlc\uninstall.exe
AddRemove-WinAce Archiver - E:\SXUNINST.EXE
AddRemove-WinGimp-2.0_is1 - e:\games\setup\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 15:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3562731411-2676875970-3999816624-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\tabbtnu.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2009-11-29 15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 20:43

Pre-Run: 64,125,878,272 bytes free
Post-Run: 64,719,876,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 76BB6E3F9CDD901726A3775C4AEA66C5

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 29 November 2009 - 04:22 PM

Hello merlin07,

Wow, that was one bunch of nasty infections there! Please consider the following information first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


P2P WARNING
-------------------
Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\ZDLT08FNV5FPX7HR
c:\documents and settings\merlinwl\Local Settings\Application Data\uoxkjw
c:\documents and settings\merlinwl\Local Settings\Application Data\ovvpoq
c:\documents and settings\All Users\Application Data\tabekamobi.dll
c:\windows\system32\ihalu.sys
c:\documents and settings\All Users\Application Data\tocosagisi.sys
c:\windows\uzybagu.bin
c:\windows\bizykadoq.sys
c:\documents and settings\merlinwl\Local Settings\Application Data\qawa.dll

FCopy::
c:\windows\system32\dllcache\eventlog.dll | c:\windows\system32\eventlog.dll

SRPeek::
c:\windows\system32\sfcfiles.dll
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Finally, start Malwarebytes Antimalware, update it first and run a full scan.

In your next reply, please include the following:
  • Combofix.txt
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
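Each action in the CF-script above answers a specific line in the ComboFix log: the FCopy restores the eventlog.dll that Sigcheck reported missing, the SRPeek targets the sfcfiles.dll entry tagged [-], and the File:: block removes the six-letter directories under Local Settings\Application Data along with the dropped driver and DLL files. The log also shows IE's proxy set to 127.0.0.1:5555, which is worth checking whenever IE fails to load pages while other programs still reach the Internet. As an added example (not part of this thread, and not a ComboFix or BleepingComputer tool), here is a small Python triage script that pulls those indicator classes out of a ComboFix-style log. The sample lines are condensed from the log posted above; the regular expressions, the "six lowercase letters" directory heuristic and the loopback-proxy check are my own assumptions about the log format, not anything ComboFix itself documents.

```python
"""Triage helper for ComboFix-style logs (added example; not a ComboFix tool).

Pulls out the indicator classes acted on in this thread: a missing system DLL,
a Sigcheck entry tagged [-], a browser proxy pointed at loopback, six-letter
directory names under Local Settings\\Application Data, an executable dropped
under Application Data, and the globally open firewall ports. The patterns and
thresholds below are assumptions about the log format, not ComboFix's own rules.
"""
import re

# Constructed sample: a few lines condensed from the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\windows\System32\eventlog.dll ... is missing !!
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll
[-] 2006-06-14 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
2009-11-20 00:27 . 2009-11-20 18:43 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\uoxkjw
2009-10-31 18:35 . 2009-10-31 18:35 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\O&O
2009-11-04 17:39 . 2009-11-04 17:39 487 ----a-w- c:\documents and settings\merlinwl\Local Settings\Application Data\syssvc.exe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"53:UDP"= 53:UDP:Promo
""".strip().splitlines()

MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")
SIGCHECK_RE = re.compile(r"^\[(?P<flag>[^\]]*)\] .* \. \. (?P<path>[a-z]:\\.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?:\w+=)?(?P<host>[^:\s]+):(?P<port>\d+)")
LISTING_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"= \d+:(?:TCP|UDP):(?P<name>.*)$')
RANDOM_LEAF_RE = re.compile(r"[a-z]{6}")  # heuristic: six random lowercase letters
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _split(path):
    """Return (parent lower-cased, leaf as written) for a Windows path."""
    parent, _, leaf = path.rpartition("\\")
    return parent.lower(), leaf


def missing_system_files(lines):
    return [m.group("path") for m in map(MISSING_RE.match, lines) if m]


def failed_sigcheck(lines):
    # The thread treats the "[-]" tag as a failed check (sfcfiles.dll gets an SRPeek);
    # other tags such as "[7]" are reported but not flagged here.
    out = []
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if m and m.group("flag") == "-":
            out.append(m.group("path"))
    return out


def loopback_proxy(lines):
    """Return host:port if the user's proxy points at the local machine, else None."""
    for line in lines:
        m = PROXY_RE.search(line)
        if m and m.group("host").lower() in LOOPBACK:
            return f"{m.group('host')}:{m.group('port')}"
    return None


def listing_entries(lines):
    """Yield (size, attrs, path) for ComboFix file/directory listing lines."""
    for line in lines:
        m = LISTING_RE.match(line)
        if m:
            yield m.group("size"), m.group("attrs"), m.group("path")


def random_named_dirs(lines):
    # Directories named with six lowercase letters created directly under
    # Local Settings\Application Data, the naming pattern seen in this log.
    out = []
    for _, attrs, path in listing_entries(lines):
        parent, leaf = _split(path)
        if (attrs.startswith("d") and parent.endswith(r"local settings\application data")
                and RANDOM_LEAF_RE.fullmatch(leaf)):
            out.append(path)
    return out


def executables_in_appdata(lines):
    # Any .exe under an Application Data tree; a human still judges each hit.
    out = []
    for _, attrs, path in listing_entries(lines):
        _, leaf = _split(path)
        if not attrs.startswith("d") and leaf.lower().endswith(".exe") \
                and "\\application data\\" in path.lower():
            out.append(path)
    return out


def open_ports(lines):
    return [(int(m.group("port")), m.group("proto"), m.group("name"))
            for m in map(PORT_RE.match, lines) if m]


def triage(lines):
    return {
        "missing_system_files": missing_system_files(lines),
        "failed_sigcheck": failed_sigcheck(lines),
        "loopback_proxy": loopback_proxy(lines),
        "random_named_dirs": random_named_dirs(lines),
        "executables_in_appdata": executables_in_appdata(lines),
        "open_ports": open_ports(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The output is a worklist, not a verdict: legitimate installers also drop executables under Application Data (the mbam-setup.exe in the log above is one), so each hit still needs the kind of judgement Elise applies when she chooses which paths go into the File:: block. Run it over a real ComboFix.txt by replacing SAMPLE_LOG with the file's lines.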


#7 Merlin07

Merlin07
  • Topic Starter

  • Members
  • 8 posts

Posted 30 November 2009 - 12:00 PM

I successfully ran the CF-Script, and the log of that is posted below. I am having problems doing a full scan with MBAM, though. I tried to do a full scan twice and both times, the MBAM window suddenly closed without warning. The first time this occurred, I observed that the scan had been going for about 3.5 hours. No log was produced for either of the terminated scans. I do not know why this is occurring. Thank you for your continued help.

ComboFix 09-11-29.02 - merlinwl 11/29/2009 17:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1458 [GMT -5:00]
Running from: c:\documents and settings\merlinwl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\merlinwl\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\documents and settings\All Users\Application Data\tabekamobi.dll"
"c:\documents and settings\All Users\Application Data\tocosagisi.sys"
"c:\documents and settings\merlinwl\Local Settings\Application Data\ovvpoq"
"c:\documents and settings\merlinwl\Local Settings\Application Data\qawa.dll"
"c:\documents and settings\merlinwl\Local Settings\Application Data\uoxkjw"
"c:\windows\bizykadoq.sys"
"c:\windows\system32\ihalu.sys"
"c:\windows\uzybagu.bin"
"c:\windows\ZDLT08FNV5FPX7HR"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\tabekamobi.dll
c:\documents and settings\All Users\Application Data\tocosagisi.sys
c:\documents and settings\merlinwl\Local Settings\Application Data\qawa.dll
c:\windows\bizykadoq.sys
c:\windows\system32\ihalu.sys
c:\windows\uzybagu.bin

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-29 22:18 . 2004-08-04 08:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-29 22:18 . 2004-08-04 08:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-11-29 20:24 . 2004-08-04 08:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-29 20:24 . 2004-08-04 08:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-24 00:15 . 2009-11-24 00:15 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\Mozilla
2009-11-20 01:46 . 2009-11-20 01:46 -------- d-----w- c:\windows\ZDLT08FNV5FPX7HR
2009-11-20 00:27 . 2009-11-20 18:43 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\uoxkjw
2009-11-12 16:08 . 2009-11-12 16:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-12 16:07 . 2009-11-12 16:07 152576 ----a-w- c:\documents and settings\merlinwl\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 16:07 . 2009-11-12 16:07 79488 ----a-w- c:\documents and settings\merlinwl\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-07 17:25 . 2009-11-07 18:01 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\wkvfdo
2009-11-04 17:39 . 2009-11-04 17:39 487 ----a-w- c:\documents and settings\merlinwl\Local Settings\Application Data\syssvc.exe
2009-11-04 01:04 . 2009-11-11 17:38 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\browseole32
2009-11-04 01:03 . 2009-11-04 20:11 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\ovvpoq
2009-10-31 18:35 . 2009-10-31 18:35 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\O&O

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 22:07 . 2008-10-24 23:16 -------- d-----w- c:\documents and settings\merlinwl\Application Data\uTorrent
2009-11-29 20:12 . 2009-03-07 18:58 -------- d-----w- c:\program files\Replay Music 2
2009-11-29 02:47 . 2009-03-10 22:30 -------- d-----w- c:\documents and settings\merlinwl\Application Data\Free Audio Editor
2009-11-19 00:41 . 2009-10-29 00:55 -------- d-----w- c:\program files\vdmrqt
2009-11-17 18:07 . 2007-06-29 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-12 16:08 . 2007-06-29 12:46 -------- d-----w- c:\program files\Java
2009-11-08 05:38 . 2009-11-08 05:38 5 ----a-w- c:\windows\system32\YoItzVlad.tmp
2009-11-04 01:03 . 2009-09-07 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 19:49 . 2008-02-08 23:40 -------- d-----w- c:\program files\Oddworld Abe's Exoddus
2009-10-31 18:27 . 2008-08-20 01:40 -------- d-----w- c:\program files\O&O Defrag
2009-10-30 20:53 . 2009-10-30 08:53 -------- d-----w- c:\program files\rhdnvj
2009-10-09 21:43 . 2009-10-09 19:52 -------- d-----w- c:\program files\NoteWorthy Composer
2009-10-08 01:07 . 2009-10-08 01:07 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-18 16:49 . 2009-08-04 00:24 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-18 16:49 . 2009-08-04 00:24 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-18 16:44 . 2009-09-18 16:48 71016 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{D689B418-235A-4290-A0A5-A75E490E0351}\Redist\ccSetEvt.dll
2009-09-12 04:33 . 2009-09-12 04:33 199936 ----a-w- c:\windows\system32\oodbs.exe
2009-09-12 04:29 . 2009-09-12 04:29 9984 ----a-w- c:\windows\system32\oodbsrs.dll
2009-09-11 14:03 . 2006-06-19 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-07 19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-07 19:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 18:59 . 2009-09-09 18:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-04 20:45 . 2006-06-19 16:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 23:43 . 2009-03-10 20:09 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2008-11-16 03:52 . 2008-11-16 03:52 2 --shatr- c:\windows\winstart.bat
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2006-06-14 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" [X]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-06-18 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-18 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-18 115560]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2009-06-22 446088]
"Malwarebytes Anti-Malware (reboot)"="f:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md" [X]
"nlpo_02"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]
"nlpo_03"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 08:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 07:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0OODBS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Half-Life 2\\Half-Life 2\\hl2.exe"=
"c:\\Program Files\\Half-Life\\hlds.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Battlezone II\\bzone.exe"=
"c:\\Program Files\\Battlezone II 1.3 FleshStorm\\bzone.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\tcserver.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"f:\\uTorrent.exe"=
"c:\\Program Files\\Battlezone II 1.3pb3 X-Mod 3.31\\bzone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1761:TCP"= 1761:TCP:ZENworks Remote Management port
"1761:UDP"= 1761:UDP:ZENworks Remote Management port
"2967:TCP"= 2967:TCP:Symantec Antivirus v10 Client
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"37813:TCP"= 37813:TCP:37813
"53:UDP"= 53:UDP:Promo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [05/26/2009 5:07 PM 38144]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [06/22/2009 9:24 AM 715400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/17/2009 7:07 PM 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [06/19/2006 11:46 AM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [06/19/2006 11:46 AM 9600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [03/10/2009 3:09 PM 23888]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/15/2008 10:52 PM 30946]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys --> c:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac-cas3-red.net.udayton.edu/auth/taweb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 17:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3562731411-2676875970-3999816624-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
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
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-29 17:26
ComboFix-quarantined-files.txt 2009-11-29 22:26
ComboFix2.txt 2009-11-29 20:43

Pre-Run: 63,837,925,376 bytes free
Post-Run: 64,163,893,248 bytes free

- - End Of File - - 89EFD585E3659236E08D9D37FA8B35A9

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:34 AM

Posted 30 November 2009 - 12:23 PM

Please try to run an MBAM quick scan, instead of a full scan.

Also, can you please tell me if you have your XP installation CD at hand (or if you can borrow one from a friend/family member). We need to replace a file on your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Merlin07

Merlin07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 30 November 2009 - 02:30 PM

I successfully ran a Quick Scan with MBAM and its log is below. I am fairly sure that my family has an XP Installation CD at home. Unfortunately, I am working tonight and I don't expect to get home until about 11:00 pm. I can try to find the CD then. If you post the instructions for using the CD, then I can follow them when I get home. Thank you for your time and effort.

Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 2

11/30/2009 2:07:49 PM
mbam-log-2009-11-30 (14-07-49).txt

Scan type: Quick Scan
Objects scanned: 116149
Time elapsed: 14 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:34 AM

Posted 30 November 2009 - 03:12 PM

Hello merlin07,

It's very important you do the following steps in the order given!!

Make sure the XP installation disk is in the CD drive (d:\).


Please click start > run, type notepad in the runbox and press enter.
Copy/paste the text in the codebox below into Notepad and save it as copy.bat to your desktop.
@echo off
expand d:\i386\sfcfiles.dl_ c:\sfcfiles.dll 
del %0
Exit Notepad and doubleclick on copy.bat to run it. A file will now be copied from your CD to your harddrive.

Next, we need to replace a bad file with the file we just copied.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
FMove::
c:\sfcfiles.dll | c:\windows\system32\sfcfiles.dll
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • A description of any remaining problem.

regards, Elise



#11 Merlin07

Merlin07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 30 November 2009 - 11:06 PM

I believe that I completed the steps you outlined. When I dragged CFScript.txt over top of ComboFix, it started up, then asked if I wanted to update it. I said "Yes" and it did so. Then it started running, but I noticed that CFScript.txt was still on the desktop, so I exited out of ComboFix and dragged the script over it again. That time the script disappeared from the desktop, so I assume it ran correctly. The log is posted below.

I am not noticing any other problems. The obvious signs of any virus (pop-ups, etc.) have long been gone. Internet Explorer is working normally, and my computer can stand by and hibernate just fine. The computer also starts up faster than it did before. Thanks for all the work you have been doing.

ComboFix 09-11-30.02 - merlinwl 11/30/2009 22:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1418 [GMT -5:00]
Running from: c:\documents and settings\merlinwl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\merlinwl\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FMove ---------------

c:\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-11-29 22:18 . 2004-08-04 08:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-29 22:18 . 2004-08-04 08:00 55808 ------w- c:\windows\system32\eventlog.dll
2009-11-29 20:24 . 2004-08-04 08:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-29 20:24 . 2004-08-04 08:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-24 00:15 . 2009-11-24 00:15 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\Mozilla
2009-11-20 01:46 . 2009-11-20 01:46 -------- d-----w- c:\windows\ZDLT08FNV5FPX7HR
2009-11-20 00:27 . 2009-11-20 18:43 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\uoxkjw
2009-11-12 16:08 . 2009-11-12 16:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-12 16:07 . 2009-11-12 16:07 152576 ----a-w- c:\documents and settings\merlinwl\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 16:07 . 2009-11-12 16:07 79488 ----a-w- c:\documents and settings\merlinwl\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-07 17:25 . 2009-11-07 18:01 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\wkvfdo
2009-11-04 17:39 . 2009-11-04 17:39 487 ----a-w- c:\documents and settings\merlinwl\Local Settings\Application Data\syssvc.exe
2009-11-04 01:04 . 2009-11-11 17:38 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\browseole32
2009-11-04 01:03 . 2009-11-04 20:11 -------- d-----w- c:\documents and settings\merlinwl\Local Settings\Application Data\ovvpoq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 00:56 . 2009-03-10 20:09 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-11-29 22:07 . 2008-10-24 23:16 -------- d-----w- c:\documents and settings\merlinwl\Application Data\uTorrent
2009-11-29 20:12 . 2009-03-07 18:58 -------- d-----w- c:\program files\Replay Music 2
2009-11-29 02:47 . 2009-03-10 22:30 -------- d-----w- c:\documents and settings\merlinwl\Application Data\Free Audio Editor
2009-11-19 00:41 . 2009-10-29 00:55 -------- d-----w- c:\program files\vdmrqt
2009-11-17 18:07 . 2007-06-29 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-12 16:08 . 2007-06-29 12:46 -------- d-----w- c:\program files\Java
2009-11-08 05:38 . 2009-11-08 05:38 5 ----a-w- c:\windows\system32\YoItzVlad.tmp
2009-11-04 01:03 . 2009-09-07 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 19:49 . 2008-02-08 23:40 -------- d-----w- c:\program files\Oddworld Abe's Exoddus
2009-10-31 18:27 . 2008-08-20 01:40 -------- d-----w- c:\program files\O&O Defrag
2009-10-30 20:53 . 2009-10-30 08:53 -------- d-----w- c:\program files\rhdnvj
2009-10-09 21:43 . 2009-10-09 19:52 -------- d-----w- c:\program files\NoteWorthy Composer
2009-10-08 01:07 . 2009-10-08 01:07 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-18 16:49 . 2009-08-04 00:24 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-18 16:49 . 2009-08-04 00:24 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-18 16:44 . 2009-09-18 16:48 71016 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{D689B418-235A-4290-A0A5-A75E490E0351}\Redist\ccSetEvt.dll
2009-09-12 04:33 . 2009-09-12 04:33 199936 ----a-w- c:\windows\system32\oodbs.exe
2009-09-12 04:29 . 2009-09-12 04:29 9984 ----a-w- c:\windows\system32\oodbsrs.dll
2009-09-11 14:03 . 2006-06-19 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-07 19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-07 19:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 18:59 . 2009-09-09 18:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-04 20:45 . 2006-06-19 16:46 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-11-16 03:52 . 2008-11-16 03:52 2 --shatr- c:\windows\winstart.bat
.

------- Sigcheck -------

[-] 2002-08-29 . 2564949DBE5F643F50913BBE45D346E2 . 1157632 . . [5.1.2600.1106] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-29_20.28.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-01 03:38 . 2009-12-01 03:38 16384 c:\windows\Temp\Perflib_Perfdata_f7c.dat
+ 2009-12-01 03:35 . 2009-12-01 03:35 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" [X]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-06-18 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-18 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-18 115560]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2009-06-22 446088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md" [X]
"nlpo_02"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]
"nlpo_03"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 08:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 07:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0OODBS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Half-Life 2\\Half-Life 2\\hl2.exe"=
"c:\\Program Files\\Half-Life\\hlds.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Battlezone II\\bzone.exe"=
"c:\\Program Files\\Battlezone II 1.3 FleshStorm\\bzone.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\tcserver.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Battlezone II 1.3pb3 X-Mod 3.31\\bzone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1761:TCP"= 1761:TCP:ZENworks Remote Management port
"1761:UDP"= 1761:UDP:ZENworks Remote Management port
"2967:TCP"= 2967:TCP:Symantec Antivirus v10 Client
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"37813:TCP"= 37813:TCP:37813
"53:UDP"= 53:UDP:Promo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [05/26/2009 5:07 PM 38144]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [06/22/2009 9:24 AM 715400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/17/2009 7:07 PM 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [06/19/2006 11:46 AM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [06/19/2006 11:46 AM 9600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [03/10/2009 3:09 PM 23888]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/15/2008 10:52 PM 30946]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys --> c:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac-cas3-red.net.udayton.edu/auth/taweb.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - f:\malwarebytes' anti-malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 22:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3562731411-2676875970-3999816624-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
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
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-30 22:56
ComboFix-quarantined-files.txt 2009-12-01 03:56
ComboFix2.txt 2009-11-29 22:26
ComboFix3.txt 2009-11-29 20:43

Pre-Run: 65,653,268,480 bytes free
Post-Run: 66,157,953,024 bytes free

- - End Of File - - CEB840540C9A8559B77FAF4524C06DFD

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:34 AM

Posted 01 December 2009 - 05:46 AM

Hello merlin07,

UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.


After doing this, please post a new DDS log. Please also post attach.txt.

regards, Elise



#13 Merlin07

Merlin07
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 01 December 2009 - 05:53 PM

I'm sorry for the delay; I had many updates to install, and it took a few hours to finish all of them! I believe I did install all the Windows updates. The DDS log is posted below and Attach.txt is attached. Thank you for your time.


DDS (Ver_09-10-26.01) - NTFSx86
Run by merlinwl at 17:47:27.89 on 12/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1338 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\merlinwl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp"
dRunOnce: [nlpo_02] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg
dRunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://quickplace.udayton.edu/qp2.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://web-student-3.udayton.edu/iNotes6W.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac-cas3-red.net.udayton.edu/auth/taweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259694377000
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259694257859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

============= SERVICES / DRIVERS ===============

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-5-26 38144]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2009-6-22 715400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-17 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2006-6-19 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2006-6-19 9600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-3-10 23888]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-11-15 30946]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys --> c:\windows\system32\drivers\RTL8187.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]

=============== Created Last 30 ================

2009-12-01 22:36:42 0 d-----w- c:\windows\system32\winrm
2009-12-01 22:36:42 0 d-----w- c:\windows\system32\GroupPolicy
2009-12-01 22:36:36 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-12-01 22:00:51 0 d-sh--w- c:\documents and settings\merlinwl\PrivacIE
2009-12-01 21:59:12 0 d-sh--w- c:\documents and settings\merlinwl\IETldCache
2009-12-01 21:43:12 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-01 21:42:52 0 d-----w- c:\windows\ie8updates
2009-12-01 21:42:36 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-01 21:42:36 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-01 21:41:45 0 dc-h--w- c:\windows\ie8
2009-12-01 21:26:38 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-12-01 20:17:54 0 d-----w- C:\a30124bd930ca260c007e9e7
2009-12-01 19:47:44 0 d-----w- c:\windows\system32\scripting
2009-12-01 19:47:42 0 d-----w- c:\windows\system32\bits
2009-12-01 19:31:58 61440 ------w- c:\windows\system32\kmsvc.dll
2009-12-01 19:10:07 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-12-01 16:03:07 0 d-----w- c:\program files\inkball
2009-12-01 03:45:08 0 d-----w- C:\ComboFix
2009-11-30 16:39:24 4152 ----a-w- c:\documents and settings\merlinwl\untitled110_MAS.bak
2009-11-29 22:18:02 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-29 20:24:25 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-29 20:08:31 0 d-sha-r- C:\cmdcons
2009-11-29 20:05:24 77312 ----a-w- c:\windows\MBR.exe
2009-11-29 20:05:24 260608 ----a-w- c:\windows\PEV.exe
2009-11-29 20:05:24 161792 ----a-w- c:\windows\SWREG.exe
2009-11-29 20:05:23 98816 ----a-w- c:\windows\sed.exe
2009-11-20 01:46:45 0 d-----w- c:\windows\ZDLT08FNV5FPX7HR
2009-11-12 16:08:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-08 05:38:32 5 ----a-w- c:\windows\system32\YoItzVlad.tmp
2009-11-04 01:03:17 0 --sha-w- C:\1355349583

==================== Find3M ====================

2009-12-01 00:56:54 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-10-09 21:23:10 1107456 ------w- c:\windows\system32\WsmSvc.dll
2009-10-09 21:23:08 178176 ------w- c:\windows\system32\wevtfwd.dll
2009-10-09 21:22:58 368640 ------w- c:\windows\system32\WsmRes.dll
2009-10-09 21:22:56 69632 ------w- c:\windows\system32\winrs.exe
2009-10-09 21:22:52 42496 ------w- c:\windows\system32\pwrshplugin.dll
2009-10-09 19:56:20 209408 ------w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 19:56:18 14848 ------w- c:\windows\system32\wsmprovhost.exe
2009-10-09 19:56:16 22528 ------w- c:\windows\system32\winrshost.exe
2009-10-09 19:56:14 25088 ------w- c:\windows\system32\winrmprov.dll
2009-10-09 19:56:10 12288 ------w- c:\windows\system32\wsmplpxy.dll
2009-10-09 19:56:08 2048 ------w- c:\windows\system32\winrsmgr.dll
2009-10-09 19:56:06 233984 ------w- c:\windows\system32\winrscmd.dll
2009-10-09 19:56:04 225280 ------w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 19:56:04 12288 ------w- c:\windows\system32\winrssrv.dll
2009-10-09 19:56:02 139776 ------w- c:\windows\system32\WsmAuto.dll
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-18 16:49:24 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-18 16:45:04 49480 ----a-w- c:\windows\system32\FwsVpn.dll
2009-09-18 16:45:04 107848 ----a-w- c:\windows\system32\SymVPN.dll
2009-09-12 04:33:44 199936 ----a-w- c:\windows\system32\oodbs.exe
2009-09-12 04:29:18 9984 ----a-w- c:\windows\system32\oodbsrs.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 01:03:46 14384 ----a-w- c:\windows\fonts\nwcv15.ttf
2008-11-16 03:52:22 2 --shatr- c:\windows\winstart.bat

============= FINISH: 17:48:27.23 ===============


#14 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:34 AM

Posted 02 December 2009 - 05:18 AM

Hello merlin07, that looks great!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
  • Delete DDS, GMER (this is a random named file) and RootRepeal.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#15 Merlin07

  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:34 PM

Posted 02 December 2009 - 08:26 PM

I successfully removed all the virus cleaning tools. I appreciate the extra information. I downloaded Spyware Blaster and I'll be sure to check for Windows updates in case my computer doesn't install them again.

Thank you very much for all your help. You were quick to respond to my posts and your directions were thorough yet easy to follow. Getting rid of viruses turned from a frustrating chore into a simple and even (dare I say it) fun experience. Thanks again!

Sincerely,

Merlin07
