
Vundo / Virtumonde (and possibly Windows Enterprise Suite and others) Infection


This topic is locked
25 replies to this topic

#1 mbressman

mbressman

  • Members
  • 20 posts

Posted 30 November 2009 - 03:23 AM

My friend infected his computer (running Windows XP Professional) with some nasty infection - at first it appeared as if it was the Windows Enterprise Suite virus, but now it also looks to be the Vundo / Virtumonde trojan as well, and possibly more.

I've been working on this for him on and off for the past few weeks, and every time I think I've fixed the problem, it comes back.

The first step I took was to have him use Norton Ghost and boot from the CD to run an anti-virus scan (using the latest anti-virus definitions off of a USB flash drive). It only picked up one or two infections and supposedly cleaned them out. My next step was to try and get into Safe Mode to run some more scans (Norton, Spybot, HijackThis, etc.) but I could not boot his machine into safe mode. It would just reboot as it tried to load up Safe Mode. I couldn't tell if this was an issue relating to the infections on his computer, or some long-standing issue with hardware or something else that he had just never realized because he never tried to get into Safe Mode before. I thought I'd try replacing the registry with an older copy from System Restore, so I did that using the command prompt and file explorer windows that you can access when booting off of Norton Ghost. This still didn't let me get into Safe Mode, but now when booting up into regular Windows at least the infections weren't that prevalent (whereas before they hit you as soon as you loaded the OS). I took this to be a good sign and started trying to clean his computer.

I think I ran a bunch of cleaning utilities, including Spybot with the latest updates, Avira AntiVir (which I loaded onto his machine to be his new anti-virus protection), and HijackThis (when I ran it a few weeks ago, there didn't seem to be anything out of the ordinary that I recognized). I also checked his Task Manager when this was all done and there didn't seem to be any suspicious processes running there either. One thing that I did notice was that he had a bad hosts file and backup hosts file that I couldn't delete (they were hidden system files, and even when I unhid them I still couldn't get rid of them). I simply changed their names and created a new hosts file and checked to make sure that the new hosts file was the one that was working on his system. Eventually I was able to use CACLS to take back control of these two files and delete them.

In the interim, he's reported additional problems (although I can't tell if these have occurred since he was first infected and I first cleaned it out, or they are a result of the initial infection, or something else). I think I've narrowed down the issue to now be the Vundo / Virtumonde trojan and possibly other infections.

I logged in remotely via LogMeIn and followed the instructions in this tutorial (http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde) to the letter, but I seem to be having some issues. First, I attempted removal with Malwarebytes' Anti-Malware (after first running rkill.com - I did this 3 times and each time it seems to have restarted the Explorer shell after it finished). The first time it rebooted, it gave some errors about DLL files (which I presume were infected) not being valid Windows images. After clicking OK to this, Windows booted up, and I re-ran Malwarebytes' Anti-Malware (after once again running rkill.com). It found more infections, and I rebooted again. Then I attempted to run Vundo Fix. It found nothing.

I thought I was done at this point, but my friend was still reporting issues. I logged back in remotely and re-ran Malwarebytes' Anti-Malware, and again it found infections. I let it delete/quarantine them, let it reboot my system, and had to re-run Malwarebytes' Anti-Malware a few more times (with reboots in between) before it finally reported no found infections. However, I'm still concerned that the system is still infected given all the false starts I've had before in effectively cleaning it out.

Also, it seems as though there is definitely some sort of infection or other issue with Firefox and Internet Explorer. My friend has Firefox set as his default browser, but iexplore.exe keeps popping up in the Task Manager and it seems to be causing additional unwanted tabs to be opened in Firefox (i.e. spam advertising tabs, etc.).

Therefore, I'm hoping someone can just examine the logs and let me know how to proceed. Any help is greatly appreciated. Thanks.

- Marc




DDS (Ver_09-11-29.01) - NTFSx86
Run by T Bizzle at 1:00:46.73 on Mon 11/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.327 [GMT -5:00]

AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {8CEADB7D-1C02-472C-A31A-8255AE59B788}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Windows Enterprise Suite *enabled* {69E96367-0A0A-46A3-B208-ED11CBD2822D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\T Bizzle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\7B4g4Gags.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [wefi] c:\program files\wefi\\WeFi.exe
dRun: [calc] rundll32.exe c:\docume~1\locals~1\ntuser.dll,_IWMPEvents@0
dRun: [Videohost] c:\windows\temp\b.exe
dRun: [jsh87r3huiehf89esiudgd] c:\windows\temp\m0te98jqg4.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\nvsvc32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171037548890
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: s\ yavafike.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = l saperiho.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tbizzl~1\applic~1\mozilla\firefox\profiles\zpxc303z.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-23 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-23 55656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-29 24652]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
S2 hhkrkpy;hhkrkpy;c:\windows\system32\drivers\ktbwqfxaat.sys [2009-11-29 78720]
S2 iistdskolhwxir;iistdskolhwxir;\??\c:\windows\system32\drivers\aqzmnfbjsinj.sys --> c:\windows\system32\drivers\aqzmnfbjsinj.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-11-30 05:41:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 05:41:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 05:41:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 21:47:54 78720 ----a-w- c:\windows\system32\drivers\ktbwqfxaat.sys
2009-11-28 19:55:40 0 d-----w- C:\VundoFix Backups
2009-11-24 01:50:47 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 01:50:44 0 d-----w- c:\program files\Avira
2009-11-24 01:50:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-23 23:29:50 0 d-----w- C:\snapshot_temp_mb
2009-11-23 23:25:23 0 d-----w- c:\windows\tmp
2009-11-23 23:00:52 0 d-----w- c:\docume~1\tbizzl~1\applic~1\TeamViewer
2009-11-23 23:00:47 0 d-----w- c:\documents and settings\t bizzle\temp
2009-11-23 19:46:17 0 d-----w- c:\docume~1\tbizzl~1\applic~1\Malwarebytes
2009-11-23 19:46:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-23 19:29:36 489 ----a-w- c:\windows\wininit.ini
2009-11-23 18:55:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-20 13:58:10 9 ----a-w- c:\windows\system32\Class14
2009-11-20 13:58:10 5 ----a-w- c:\windows\system32\Band4
2009-11-18 16:52:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-18 16:52:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-08 15:32:16 1656 ----a-w- C:\Windows Enterprise Suite.lnk
2009-11-08 15:30:19 0 d-sh--w- c:\documents and settings\all users\bf6301d
2009-11-08 15:19:54 733184 ----a-w- c:\program files\softnew.exe
2009-11-08 15:19:54 64512 ----a-w- c:\program files\k3g3n.exe
2009-11-02 04:42:27 0 d-----w- c:\docume~1\tbizzl~1\applic~1\DVD Flick
2009-11-02 04:42:11 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-11-02 04:42:11 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2009-11-02 04:42:11 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2009-11-02 04:42:10 164144 ----a-w- c:\windows\system32\comct232.ocx
2009-11-02 04:42:10 0 d-----w- c:\program files\DVD Flick
2009-11-02 04:08:36 0 d-----w- c:\docume~1\tbizzl~1\applic~1\AVS4YOU
2009-11-02 04:08:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-11-02 04:05:40 0 d-----w- c:\program files\common files\AVSMedia
2009-11-02 04:05:24 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-11-02 04:05:24 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-11-02 04:05:24 0 d-----w- c:\program files\AVS4YOU

==================== Find3M ====================

2009-11-23 19:42:25 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 19:42:25 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 19:42:25 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-11-23 19:42:25 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-11-23 19:42:24 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 11:44:08 61440 --sha-w- c:\windows\system32\duzurosa.dll
2009-08-27 23:44:04 61952 --sha-w- c:\windows\system32\rohitelu.dll
2009-08-29 11:44:43 61952 --sha-w- c:\windows\system32\runudevu.dll
2009-08-27 23:37:25 61952 --sha-w- c:\windows\system32\sajekeye.dll

============= FINISH: 1:03:42.67 ===============
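The autostart sections of the DDS log above are where a responder looks first: dRun entries that launch executables out of c:\windows\temp, a rundll32 call that loads a DLL named like the profile hive, a non-empty AppInit_DLLs value, an unexpected LSA notification package, and a hosts-file redirect of a security site. The PowerShell below is an added example and is not part of this thread or of DDS itself. It applies those checks to lines copied from the log above, plus one constructed Winlogon Userinit line to show the check for a hijacked logon chain; the function name, variable names and the check wording are my own.

```powershell
# Added example, not from the thread or from DDS: triage the "Pseudo HJT Report"
# lines of a DDS log and say why each flagged autostart entry matters.
# Sample lines come from the log posted above; the mWinlogon line is constructed.
$ddsLines = @(
    'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    'dRun: [calc] rundll32.exe c:\docume~1\locals~1\ntuser.dll,_IWMPEvents@0',
    'dRun: [Videohost] c:\windows\temp\b.exe',
    'dRun: [jsh87r3huiehf89esiudgd] c:\windows\temp\m0te98jqg4.exe',
    'AppInit_DLLs: s\ yavafike.dll',
    'LSA: Notification Packages = l saperiho.dll',
    'Hosts: 127.0.0.1 www.spywareinfo.com',
    # constructed: a second executable appended after userinit.exe
    'mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\example-hijack.exe,'
)

function Get-DdsAutostartFindings {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        $reason = $null

        if ($line -match '^[umd]Run: \[(?<name>[^\]]+)\] (?<cmd>.+)$') {
            $name = $Matches['name']
            $cmd  = $Matches['cmd']
            if ($cmd -match '\\temp\\') {
                $reason = 'Run entry launches a program out of a temp folder'
            } elseif ($cmd -match 'rundll32\.exe .*\\ntuser\.dll') {
                $reason = 'Run entry loads a DLL named like the profile hive (ntuser) via rundll32'
            } elseif ($name -match '^[a-z0-9]{16,}$') {
                $reason = 'Run entry with a random-looking value name'
            }
        }
        elseif ($line -match '^AppInit_DLLs: \S') {
            # Every process that loads user32.dll also loads the DLLs listed here.
            $reason = 'AppInit_DLLs is set; the DLL is injected into every user-mode process'
        }
        elseif ($line -match '^LSA: Notification Packages = (?<val>.*)$') {
            # scecli is the stock package on XP; anything else is loaded by lsass at boot.
            $extra = @($Matches['val'] -split '\s+' | Where-Object { $_ -and $_ -ne 'scecli' })
            if ($extra.Count -gt 0) {
                $reason = 'LSA notification package other than scecli is loaded into lsass at boot'
            }
        }
        elseif ($line -match '^mWinlogon: Userinit=(?<val>.*)$') {
            # The value is comma separated and normally ends after userinit.exe.
            $targets = @($Matches['val'].Split(',') | Where-Object { $_ -ne '' })
            if ($targets.Count -gt 1 -or $targets[0] -notmatch '\\userinit\.exe$') {
                $reason = 'Winlogon Userinit runs something besides userinit.exe at every logon'
            }
        }
        elseif ($line -match '^Hosts: (?<ip>\S+) (?<host>\S+)$' -and $Matches['host'] -ne 'localhost') {
            # DDS only prints hosts entries that are not the stock localhost line.
            $reason = 'hosts file redirects a name; security-site names are a common target'
        }

        if ($reason) {
            New-Object PSObject -Property @{ Line = $line; Reason = $reason }
        }
    }
}

# Expected: every sample line except the ctfmon.exe entry is reported.
Get-DdsAutostartFindings -Lines $ddsLines | Format-Table -AutoSize -Wrap Reason, Line
```

`New-Object PSObject -Property` rather than the `[PSCustomObject]` literal keeps the script usable on PowerShell 2.0, which is what a Windows XP box of this vintage would have; the regex checks are deliberately narrow (temp folders, the ntuser.dll trick, AppInit_DLLs, LSA packages, Userinit, hosts) so that a clean log produces no output.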


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 11 December 2009 - 10:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 mbressman

mbressman
  • Topic Starter

  • Members
  • 20 posts

Posted 11 December 2009 - 03:17 PM

Hi,

The problem hasn't been resolved yet and is still an issue.

There should be a relatively clear and straightforward description of the problem and all the steps I've taken so far in the original post. It should be noted that I've since run Malwarebytes' Anti-Malware and Avira AntiVir several times since the original post, and in some of those runs it has once more found viruses/trojans which I've attempted to clean out using those programs. Therefore, it seems that I'm still experiencing this issue. I also was getting concerned that no one on this board was going to respond, so I started trying to solve the issue myself. One of the steps I took was to remove these two entries (from the dds.scr report):

AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {8CEADB7D-1C02-472C-A31A-8255AE59B788}
FW: Windows Enterprise Suite *enabled* {69E96367-0A0A-46A3-B208-ED11CBD2822D}

I did that by following these steps:

1) Click on Start > Run > type in: wbemtest
2) click OK
3) Connect to root\SecurityCenter (If root\default is in the field you need to change it to root\securitycenter)
4) Click on Query
5) type in SELECT * FROM AntivirusProduct
6) click on Apply
7) Then highlight Enterprise Suite and delete.
8) Repeat step 5 but type in SELECT * FROM FirewallProduct
9) click on Apply
10) Repeat step 7


Here are the DDS.SCR results (I'm also attaching the attach.txt file that is generated by dds.scr in both text format and zipped format - due to differing instructions):


DDS (Ver_09-11-29.01) - NTFSx86
Run by T Bizzle at 15:12:20.07 on Fri 12/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.527 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\T Bizzle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171037548890
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = l saperiho.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tbizzl~1\applic~1\mozilla\firefox\profiles\zpxc303z.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-23 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-23 56816]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-3 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-29 24652]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
S2 hhkrkpy;hhkrkpy;c:\windows\system32\drivers\ktbwqfxaat.sys [2009-11-29 78720]
S2 iistdskolhwxir;iistdskolhwxir;\??\c:\windows\system32\drivers\aqzmnfbjsinj.sys --> c:\windows\system32\drivers\aqzmnfbjsinj.sys [?]
S2 munut;munut;c:\windows\system32\drivers\xlrgfnpewiv.sys [2009-12-4 78720]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-10 21:18:26 0 d-sh--w- c:\windows\system32\lowsec
2009-12-04 12:32:45 78720 ----a-w- c:\windows\system32\drivers\xlrgfnpewiv.sys
2009-11-30 05:41:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 05:41:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 05:41:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 21:47:54 78720 ----a-w- c:\windows\system32\drivers\ktbwqfxaat.sys
2009-11-28 19:55:40 0 d-----w- C:\VundoFix Backups
2009-11-24 01:50:47 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 01:50:44 0 d-----w- c:\program files\Avira
2009-11-24 01:50:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-23 23:29:50 0 d-----w- C:\snapshot_temp_mb
2009-11-23 23:25:23 0 d-----w- c:\windows\tmp
2009-11-23 23:00:52 0 d-----w- c:\docume~1\tbizzl~1\applic~1\TeamViewer
2009-11-23 23:00:47 0 d-----w- c:\documents and settings\t bizzle\temp
2009-11-23 19:46:17 0 d-----w- c:\docume~1\tbizzl~1\applic~1\Malwarebytes
2009-11-23 19:46:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-23 19:29:36 489 ----a-w- c:\windows\wininit.ini
2009-11-23 18:55:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-20 13:58:10 9 ----a-w- c:\windows\system32\Class14
2009-11-20 13:58:10 5 ----a-w- c:\windows\system32\Band4
2009-11-18 16:52:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-18 16:52:13 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-12-10 03:11:15 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-11-23 19:42:25 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 19:42:25 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 19:42:25 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-11-23 19:42:25 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-11-23 19:42:24 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 15:14:19.26 ===============

Attached Files
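The wbemtest steps in this post enumerate the root\SecurityCenter namespace and delete the rogue AntivirusProduct and FirewallProduct instances by hand. As an added example (not from the thread), the same enumeration and removal in PowerShell, assuming PowerShell is installed on the XP machine; the function names are my own, and only the displayName and instanceGuid properties that DDS itself prints are relied on:

```powershell
# Added example, not from the thread: list the products registered with
# Windows XP's Security Center and remove a rogue registration by display name.
# Namespace and class names are the ones the wbemtest steps above query.
function Get-SecurityCenterProducts {
    foreach ($class in 'AntivirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Class        = $class
                    DisplayName  = $_.displayName
                    InstanceGuid = $_.instanceGuid
                }
            }
    }
}

function Remove-SecurityCenterProduct {
    param([Parameter(Mandatory = $true)][string]$DisplayName)

    foreach ($class in 'AntivirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter' -Class $class -ErrorAction SilentlyContinue |
            Where-Object { $_.displayName -eq $DisplayName } |
            ForEach-Object {
                Write-Host ("Removing {0} entry '{1}' {2}" -f $class, $_.displayName, $_.instanceGuid)
                Remove-WmiObject -InputObject $_
            }
    }
}

# Look first: a real product (AntiVir Desktop here) and the rogue one side by side.
Get-SecurityCenterProducts | Format-Table Class, DisplayName, InstanceGuid -AutoSize

# Then remove the rogue registration; the name is the one shown in the DDS header.
Remove-SecurityCenterProduct -DisplayName 'Windows Enterprise Suite'

# Re-run the listing to confirm only the genuine product remains.
Get-SecurityCenterProducts | Format-Table Class, DisplayName, InstanceGuid -AutoSize
```

Deleting the WMI instance only stops Security Center from reporting the rogue product as an installed antivirus or firewall; the program's own files (softnew.exe, k3g3n.exe and the Windows Enterprise Suite.lnk listed under Created Last 30 in the first log) are unaffected by it, so the listing is worth repeating after the rest of the cleanup to check that nothing re-registers.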



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 11 December 2009 - 03:52 PM

Hello mbressman ! :(

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient because I won't leave your case suspended in the air, waiting forever.


I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.
And also do not make any other changes to your system.
This will not help any of us because fixes are based on strict information I find in your logs so changing it will only complicate the situation. :(

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.







#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 13 December 2009 - 07:51 AM

Hi,
Please take note of my previous post and do the following:



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.




#6 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:08:06 PM

Posted 15 December 2009 - 05:08 PM

Are you still here?

Be aware that your topic will be closed in 2 days if you don't reply.




#7 mbressman

  • Topic Starter
  • Members
  • 20 posts
  • Local time:01:06 PM

Posted 15 December 2009 - 09:38 PM

Elle,

Sorry about the late reply, and thank you for your help!

Per your instructions, I've made all files visible (in your 2nd post as you requested) and ran GMER (I've posted the results below). So you know, I'm an IT professional (although apparently not as good with cleaning out viruses and trojans as I previously had thought!) - so if you'd prefer, you don't have to type out full instructions as you did below but just give me the basic gist of what you'd like me to do (and any caveats or warnings) and I can go ahead and do them. Hopefully this will save you some time!

Also, here are a few other things I definitely want you to be aware of:

1) Currently, I'm doing this cleaning remotely (via LogMeIn) - so I'm unable to do certain things such as disconnecting from the Internet, since obviously that would prevent me from accessing the remote computer. Hopefully we should still be able to proceed, but if that is going to be a problem, please let me know. (Obviously, as a result of this, I wasn't able to disconnect my computer from the Internet as you had requested when I ran GMER.)

2) In the past, we've been unsuccessful in booting into safe mode. Since prior to this infection, my friend had never tried safe mode before (or at least not in a long time), we can't be sure whether it is the current infection that is preventing safe mode access, or something else that he did (possibly hardware-related) in the past that is now preventing us from getting into safe mode and is completely unrelated to the current infection.

3) I have noticed that iexplore.exe keeps running in the background (and if left idle for long periods of time, many instances of it will show up). My friend has been using Firefox for some time now, and it seems (at least from what I can tell) that the iexplore.exe that runs is definitely causing problems (i.e. pop-ups/extra open tabs, redirects when clicking on search engine results, etc.). I've tried navigating to C:\program files\Internet Explorer\ and renaming iexplore.exe, but it seems to keep recreating the iexplore.exe executable at some later time.

4) Another thing I've noticed - when I attempt to do a restart (granted, this is a restart done via LogMeIn), and use the start menu to initiate it, nothing seems to happen. However, if I do a restart via the task manager, it seems to work.

5) The other day, when I logged into his machine remotely, it reported that the Windows Firewall was disabled. It seems as if somehow the service (Windows Firewall/Internet Connecting Sharing (ICS)) had become disabled - I re-enabled it and the Windows Firewall seemed to turn back on, but I'm assuming whatever infection or infections are on his computer did this, and potentially will do it again.

6) I'm running Avira AntiVir, and here are some of the infections they have detected - I keep telling it to delete them, but it seems that some of them keep coming back:
- C:\windows\temp\syqb.tmp\svchost.exe - TR/Crypt.ZPACK.Gen Trojan
- C:\documents and settings\<username>\Local Settings\...\zip2[1].htm - HTML/Infected.WebPage.Gen HTML script virus (pops up several times)

7) In the past, I've tried running CCleaner to clean out all the temp directories to try and get rid of some of those infected files, but I'm assuming whatever infection exists is either preventing their deletion or is re-creating them.

Here is the GMER log:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 17:56:40
Windows 5.1.2600 Service Pack 3
Running: 59vqp619.exe; Driver: C:\DOCUME~1\TBIZZL~1\LOCALS~1\Temp\kwtdipog.sys


---- System - GMER 1.0.15 ----

SSDT F7C14AB6 ZwCreateKey
SSDT F7C14AAC ZwCreateThread
SSDT F7C14ABB ZwDeleteKey
SSDT F7C14AC5 ZwDeleteValueKey
SSDT F7C14ACA ZwLoadKey
SSDT F7C14A98 ZwOpenProcess
SSDT F7C14A9D ZwOpenThread
SSDT F7C14AD4 ZwReplaceKey
SSDT F7C14ACF ZwRestoreKey
SSDT F7C14AC0 ZwSetValueKey
SSDT F7C14AA7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73B77AC]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[908] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A2000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A8B73D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00000929 -> \Driver\atapi \Device\Harddisk0\DR0 86D3250C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Thanks!

#8 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:08:06 PM

Posted 16 December 2009 - 07:14 AM

Hi again,


NOTE: Please do not make any other changes to the system excepting the ones I tell you to make. This doesn't help any of us because I give instructions using CERTAIN information on your computer and any other modification that I don't know about can compromise our work.



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

----------------


If you decide to continue the cleaning process then do the following:


1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on KittyFix.exe that you just saved to your Desktop
Note: You will get a warning that ComboFix is a beta version now; please ignore it.
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt




#9 mbressman

  • Topic Starter
  • Members
  • 20 posts
  • Local time:01:06 PM

Posted 18 December 2009 - 09:39 AM

Elle,

Running ComboFix seems to cause LogMeIn (and other remote access solutions) to disconnect. I tried it yesterday and couldn't get back on for several hours, and when I finally got back on, all that was on the screen was this message: "ComboFix has detected the presence of rootkit activity and needs to reboot the machine" (and I was forced to click OK to reboot)

When it rebooted, I once again couldn't get back on (I'm assuming ComboFix ran again after reboot) and by the time I got back on this morning it seemed as if it had been freshly rebooted again. I re-ran ComboFix again this morning, and once more got disconnected - I will try to log in remotely in a few hours again and hopefully I can get back in and see the log file.

Thanks.

#10 mbressman

  • Topic Starter
  • Members
  • 20 posts
  • Local time:01:06 PM

Posted 18 December 2009 - 08:19 PM

ComboFix 09-12-16.05 - T Bizzle 12/18/2009 9:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.406 [GMT -5:00]
Running from: c:\documents and settings\T Bizzle\Desktop\KittyFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\TestBrowser.html

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-12 03:48 . 2009-12-12 03:48 -------- d-----w- c:\program files\CCleaner
2009-12-04 12:32 . 2009-12-04 12:32 78720 ----a-w- c:\windows\system32\drivers\xlrgfnpewiv.sys
2009-11-30 05:41 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 05:41 . 2009-12-09 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 05:41 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 21:47 . 2009-11-29 21:47 78720 ----a-w- c:\windows\system32\drivers\ktbwqfxaat.sys
2009-11-28 19:55 . 2009-11-28 19:55 -------- d-----w- C:\VundoFix Backups
2009-11-24 13:37 . 2009-11-24 13:37 -------- d-----w- c:\documents and settings\E Rizzle\Application Data\Malwarebytes
2009-11-24 01:50 . 2009-12-09 21:12 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 01:50 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-24 01:50 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-24 01:50 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\program files\Avira
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 23:29 . 2009-11-23 23:31 -------- d-----w- C:\snapshot_temp_mb
2009-11-23 23:25 . 2009-11-23 23:26 -------- d-----w- c:\windows\tmp
2009-11-23 23:00 . 2009-11-23 23:00 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\TeamViewer
2009-11-23 23:00 . 2009-11-23 23:00 -------- d-----w- c:\documents and settings\T Bizzle\temp
2009-11-23 19:46 . 2009-11-23 19:46 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\Malwarebytes
2009-11-23 19:46 . 2009-11-23 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 18:55 . 2009-11-23 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 14:30 . 2009-03-11 01:28 -------- d-----w- c:\program files\LogMeIn
2009-12-10 17:22 . 2009-12-10 17:22 57856 ----a-w- c:\documents and settings\All Users\Application Data\acccore\sp.DLL
2009-12-10 17:22 . 2009-04-29 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-12-10 03:11 . 2009-12-10 03:11 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-11-24 03:24 . 2007-02-09 15:52 -------- d-----w- c:\program files\Symantec
2009-11-24 01:49 . 2007-02-09 15:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-24 01:40 . 2007-02-09 16:17 -------- d-----w- c:\program files\Windows Defender
2009-11-24 01:39 . 2007-02-09 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-24 01:38 . 2007-02-09 15:52 -------- d-----w- c:\program files\Norton SystemWorks
2009-11-23 19:42 . 2009-03-11 01:28 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 19:42 . 2009-03-11 01:28 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 19:42 . 2008-10-17 00:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-11-23 19:42 . 2008-10-17 00:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-11-23 19:42 . 2009-03-11 01:28 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-23 18:58 . 2007-02-09 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-18 16:52 . 2009-11-18 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Java
2009-11-18 16:51 . 2009-11-18 16:51 152576 ----a-w- c:\documents and settings\E Rizzle\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-11-08 15:26 . 2007-07-08 22:53 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\uTorrent
2009-11-08 15:05 . 2009-11-02 04:42 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\DVD Flick
2009-11-08 14:56 . 2009-11-02 04:33 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\ImgBurn
2009-11-03 01:42 . 2009-10-02 17:11 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 04:42 . 2009-11-02 04:42 -------- d-----w- c:\program files\DVD Flick
2009-11-02 04:41 . 2009-11-02 04:05 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-11-02 04:41 . 2009-11-02 04:05 -------- d-----w- c:\program files\AVS4YOU
2009-11-02 04:31 . 2009-11-02 04:31 -------- d-----w- c:\program files\ImgBurn
2009-11-02 04:08 . 2009-11-02 04:08 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\AVS4YOU
2009-11-02 04:08 . 2009-11-02 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 17:22 57856 ----a-w- c:\documents and settings\All Users\Application Data\acccore\sp.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-11-23 19:42 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9458:TCP"= 9458:TCP:spport
"27623:TCP"= 27623:TCP:spport
"21897:TCP"= 21897:TCP:spport
"20491:TCP"= 20491:TCP:spport
"29466:TCP"= 29466:TCP:spport
"20432:TCP"= 20432:TCP:spport
"20926:TCP"= 20926:TCP:spport

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 8:50 PM 108289]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [3/10/2009 8:28 PM 47640]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [8/3/2004 11:56 PM 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/29/2009 6:45 PM 24652]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 5:45 PM 12192]
S2 hhkrkpy;hhkrkpy;c:\windows\system32\drivers\ktbwqfxaat.sys [11/29/2009 4:47 PM 78720]
S2 iistdskolhwxir;iistdskolhwxir;\??\c:\windows\system32\drivers\aqzmnfbjsinj.sys --> c:\windows\system32\drivers\aqzmnfbjsinj.sys [?]
S2 munut;munut;c:\windows\system32\drivers\xlrgfnpewiv.sys [12/4/2009 7:32 AM 78720]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\T Bizzle\Application Data\Mozilla\Firefox\Profiles\zpxc303z.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-aawservice
SafeBoot-WinDefend
AddRemove-HijackThis - c:\documents and settings\T Bizzle\Desktop\HijackThis.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 19:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ES.DLL

- - - - - - - > 'explorer.exe'(192)
c:\windows\system32\WININET.dll
c:\docume~1\TBIZZL~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\all users\application data\acccore\sp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-12-18 20:03:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-19 01:03

Pre-Run: 52,732,313,600 bytes free
Post-Run: 52,936,171,520 bytes free

- - End Of File - - FD7AB84E279F2CE7B24D566D840B6BDA
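The Sigcheck section of the log above compares the system32 copy of eventlog.dll with the copies ComboFix knows under ServicePackFiles\i386 and $NtServicePackUninstall$, and finds the system32 copy missing; earlier, GMER reported atapi.sys as suspiciously modified. The Python below is an added example, not code from this thread, from ComboFix or from GMER, that performs the same kind of check by hand: hash every file of interest in a live directory against a trusted reference copy and report it as intact, missing, modified, or lacking any reference at all. The directory layout, the file contents and the list of names (including ktbwqfxaat.sys, one of the driver names from the log) are constructed fixtures standing in for system32 and ServicePackFiles\i386.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large system files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_system_files(live_dir, reference_dir, names):
    """Compare each named file in live_dir with the copy in reference_dir.

    Returns {name: "ok" | "missing" | "mismatch" | "no-reference"}.
    """
    results = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(reference_dir, name)
        if not os.path.isfile(ref):
            # No trusted copy exists: for a "system" driver that is itself a cue.
            results[name] = "no-reference"
        elif not os.path.isfile(live):
            # The case ComboFix reported for system32\eventlog.dll.
            results[name] = "missing"
        elif file_digest(live) == file_digest(ref):
            results[name] = "ok"
        else:
            # Modified in place, as GMER reported for atapi.sys.
            results[name] = "mismatch"
    return results


def demo():
    """Build a constructed stand-in for system32 and ServicePackFiles and check it."""
    # (name, bytes of the reference copy or None, bytes of the live copy or None)
    fixtures = [
        ("eventlog.dll", b"EVENTLOG-GOOD", None),
        ("atapi.sys", b"ATAPI-GOOD", b"ATAPI-PATCHED"),
        ("ntdll.dll", b"NTDLL-GOOD", b"NTDLL-GOOD"),
        ("ktbwqfxaat.sys", None, b"UNKNOWN-DRIVER"),
    ]
    with tempfile.TemporaryDirectory() as root:
        live_dir = os.path.join(root, "system32")
        ref_dir = os.path.join(root, "ServicePackFiles")
        os.makedirs(live_dir)
        os.makedirs(ref_dir)
        for name, ref_bytes, live_bytes in fixtures:
            if ref_bytes is not None:
                with open(os.path.join(ref_dir, name), "wb") as f:
                    f.write(ref_bytes)
            if live_bytes is not None:
                with open(os.path.join(live_dir, name), "wb") as f:
                    f.write(live_bytes)
        return verify_system_files(live_dir, ref_dir, [n for n, _, _ in fixtures])


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-16s %s" % (name, status))
```

Two caveats apply on a machine like the one in this thread. A rootkit that hooks the disk driver, which is what a modified atapi.sys suggests, can feed a user-mode reader clean bytes for a file it has patched, so a hash comparison is only trustworthy when run from clean boot media against the offline disk. And the reference copies under ServicePackFiles are just files on the same disk; a hash list obtained from a known-good source is the stronger reference.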

#11 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:08:06 PM

Posted 20 December 2009 - 12:47 PM

Hi,



I need you to post the content of the file C:\Qoobox\ComboFix-quarantined-files.txt in your next reply along with the new Combofix log.



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\documents and settings\All Users\Application Data\acccore\sp.DLL

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
hhkrkpy
iistdskolhwxir
munut

File::
c:\windows\system32\drivers\ktbwqfxaat.sys
c:\windows\system32\drivers\aqzmnfbjsinj.sys
c:\windows\system32\drivers\xlrgfnpewiv.sys

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\System32\eventlog.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please include in your next reply a new DDS log as well.




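The CFScript above picks out three services (hhkrkpy, iistdskolhwxir, munut) whose names and driver files look machine-generated, and the ComboFix log earlier in the thread also shows an SPService run by svchost.exe under a "-k netsvc" group (a look-alike of the legitimate netsvcs group) plus a run of high TCP ports opened in the firewall with the label "spport". The Python below is an added example, not part of this thread and not ComboFix's own code, showing how those cues can be pulled out of a log mechanically. The sample lines are constructed copies of a few lines from the log posted above; the regular expressions, the svchost group allowlist and the scoring thresholds are assumptions of this example, meant as triage heuristics rather than verdicts.

```python
import re

# Constructed sample, modelled on the "Drivers/Services" and
# "GloballyOpenPorts" sections of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 8:50 PM 108289]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [8/3/2004 11:56 PM 14336]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 5:45 PM 12192]
S2 hhkrkpy;hhkrkpy;c:\windows\system32\drivers\ktbwqfxaat.sys [11/29/2009 4:47 PM 78720]
S2 iistdskolhwxir;iistdskolhwxir;\??\c:\windows\system32\drivers\aqzmnfbjsinj.sys --> c:\windows\system32\drivers\aqzmnfbjsinj.sys [?]
S2 munut;munut;c:\windows\system32\drivers\xlrgfnpewiv.sys [12/4/2009 7:32 AM 78720]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9458:TCP"= 9458:TCP:spport
"27623:TCP"= 27623:TCP:spport
"""

# ComboFix service line: <state> <name>;<display name>;<image path> [<date size> or ?]
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
# Firewall exception line: "<port>:<proto>"= <port>:<proto>:<label>
FIREWALL_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
BINARY_RE = re.compile(r'([^\\\s]+)\.(sys|exe|dll)\b', re.IGNORECASE)

# Illustrative allowlist of svchost groups (an assumption of this example,
# not an authoritative list). The log's "-k netsvc" is not "netsvcs".
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}


def longest_consonant_run(name):
    """Longest run of consonants; generated names such as ktbwqfxaat score high."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_service(name, display, path, detail):
    """Return (score, reasons) for one entry; a score of 2 or more deserves a look."""
    score, reasons = 0, []
    if display.strip().lower() == name.strip().lower():
        score += 1
        reasons.append("display name is just the service name")
    binaries = BINARY_RE.findall(path)
    stem = binaries[-1][0] if binaries else ""
    if longest_consonant_run(stem) >= 5:
        score += 1
        reasons.append("binary name '%s' looks machine-generated" % stem)
    if longest_consonant_run(name) >= 5:
        score += 1
        reasons.append("service name looks machine-generated")
    if detail.strip() == "?" or "-->" in path:
        score += 1
        reasons.append("image path does not resolve on disk")
    group = re.search(r'svchost\.exe\s+-k\s+(\S+)', path, re.IGNORECASE)
    if group and group.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        score += 2
        reasons.append("svchost group '%s' is not a standard group" % group.group(1))
    return score, reasons


def triage_services(log_text, threshold=2):
    """Map service name -> (score, reasons) for every entry at or above threshold."""
    flagged = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, name, display, path, detail = m.groups()
        score, reasons = score_service(name, display, path, detail)
        if score >= threshold:
            flagged[name] = (score, reasons)
    return flagged


def suspicious_open_ports(log_text):
    """Firewall exceptions whose label is not a localized resource string (@dll,-id)."""
    hits = []
    for line in log_text.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if m and not m.group(3).startswith("@"):
            hits.append((int(m.group(1)), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for name, (score, reasons) in triage_services(SAMPLE_LOG).items():
        print("%-16s score=%d  %s" % (name, score, "; ".join(reasons)))
    for port, proto, label in suspicious_open_ports(SAMPLE_LOG):
        print("open port %d/%s labelled '%s'" % (port, proto, label))
```

On the sample the two Avira and RADPMS entries score 0 while the four entries the helper singled out score 2 or more, but the consonant-run test is crude (legitimate vendor drivers can have names like avgntflt) and a plain-text firewall label can also come from a user-added rule, so each hit still needs the kind of look Blind Faith gives it above: who installed it, whether the file exists, and what a scanner such as Jotti says about it.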

#12 mbressman

  • Topic Starter
  • Members
  • 20 posts
  • Local time:01:06 PM

Posted 22 December 2009 - 09:32 PM

ComboFix-quarantined-files.txt Log:

2009-12-19 01:02:45 . 2009-12-19 01:02:45 1,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-ShockwaveFlash.reg.dat
2009-12-19 01:02:45 . 2009-12-19 01:02:45 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2009-12-19 01:02:22 . 2009-12-19 01:02:22 550 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WinDefend.reg.dat
2009-12-19 01:02:22 . 2009-12-19 01:02:22 554 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-aawservice.reg.dat
2009-12-19 01:02:01 . 2009-12-19 01:02:01 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat
2009-12-18 14:39:31 . 2009-12-18 14:39:31 4,028 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
2009-12-18 14:39:30 . 2009-12-18 14:39:30 790 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SSHNAS.reg.dat
2009-12-18 14:39:30 . 2009-12-18 14:39:30 990 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2009-12-18 14:39:21 . 2009-12-18 14:39:21 4,975 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-12-17 14:41:14 . 2009-12-18 14:33:35 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-11-24 17:47:51 . 2009-11-24 17:47:57 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\TestBrowser.html.vir
2009-11-08 15:32:31 . 2009-11-23 20:08:24 1,210 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\search.xml.vir
2007-07-01 13:54:18 . 2007-07-01 13:54:18 736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\EventSystem.log.vir


---------------------


There was no c:\documents and settings\All Users\Application Data\acccore\sp.DLL file. There was a c:\documents and settings\All Users\Application Data\acccore\sp.dll_ file - so I ran that through Jotti - here are the results:

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

Filename: sp.DLL
Status:
Scan finished. 4 out of 21 scanners reported malware.
Scan taken on: Fri 11 Dec 2009 20:18:30 (CET) Permalink

Additional info
File size: 57856 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 122cb71be361f0b09bfbec3b07aa464c
SHA1: e95953c06ca6a699bd81e9db62149f37d9faf7b4

A-Squared: 2009-12-11 Trojan-Proxy.Win32.Agent!IK
F-Secure Anti-Virus: 2009-12-11 Trojan-Proxy.Win32.Agent.byn
Ikarus: 2009-12-11 Trojan-Proxy.Win32.Agent
Kaspersky Anti-Virus: 2009-12-11 Trojan-Proxy.Win32.Agent.byn


-------------------------


I tried to run the CFScript.txt using the KittyFix.exe that we had downloaded earlier, which I assume was a copy of ComboFix, and received the following pop-up:

Version_09-12-16.05

Current date is 2009-12-22. ComboFix has expired
Click 'Yes' to run in REDUCED FUNCTIONALITY mode
Click 'No' to exit

I clicked No to exit, and then downloaded ComboFix from: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and used that version to run CFScript.txt (I had to click yes to bypass a pop-up dialog box disclaimer for ComboFix)

ComboFix.txt Log:

ComboFix 09-12-21.08 - T Bizzle 12/22/2009 20:55:51.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.471 [GMT -5:00]
Running from: c:\documents and settings\T Bizzle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\T Bizzle\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\aqzmnfbjsinj.sys"
"c:\windows\system32\drivers\ktbwqfxaat.sys"
"c:\windows\system32\drivers\xlrgfnpewiv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ktbwqfxaat.sys
c:\windows\system32\drivers\xlrgfnpewiv.sys

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\System32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hhkrkpy
-------\Service_iistdskolhwxir
-------\Service_munut


((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-23 01:55 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-23 01:55 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-12-12 03:48 . 2009-12-12 03:48 -------- d-----w- c:\program files\CCleaner
2009-11-30 05:41 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 05:41 . 2009-12-09 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 05:41 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 19:55 . 2009-11-28 19:55 -------- d-----w- C:\VundoFix Backups
2009-11-24 13:37 . 2009-11-24 13:37 -------- d-----w- c:\documents and settings\E Rizzle\Application Data\Malwarebytes
2009-11-24 01:50 . 2009-12-09 21:12 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 01:50 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-24 01:50 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-24 01:50 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\program files\Avira
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 23:29 . 2009-12-19 01:02 -------- d-----w- C:\snapshot_temp_mb
2009-11-23 23:25 . 2009-12-23 00:26 -------- d-----w- c:\windows\tmp
2009-11-23 23:00 . 2009-11-23 23:00 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\TeamViewer
2009-11-23 23:00 . 2009-11-23 23:00 -------- d-----w- c:\documents and settings\T Bizzle\temp
2009-11-23 19:46 . 2009-11-23 19:46 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\Malwarebytes
2009-11-23 19:46 . 2009-11-23 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 18:55 . 2009-11-23 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 00:27 . 2009-03-11 01:28 -------- d-----w- c:\program files\LogMeIn
2009-12-19 12:44 . 2009-04-29 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-12-10 03:11 . 2009-12-10 03:11 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-11-24 03:24 . 2007-02-09 15:52 -------- d-----w- c:\program files\Symantec
2009-11-24 01:49 . 2007-02-09 15:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-24 01:40 . 2007-02-09 16:17 -------- d-----w- c:\program files\Windows Defender
2009-11-24 01:39 . 2007-02-09 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-24 01:38 . 2007-02-09 15:52 -------- d-----w- c:\program files\Norton SystemWorks
2009-11-23 19:42 . 2009-03-11 01:28 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 19:42 . 2009-03-11 01:28 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 19:42 . 2008-10-17 00:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-11-23 19:42 . 2008-10-17 00:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-11-23 19:42 . 2009-03-11 01:28 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-23 18:58 . 2007-02-09 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-18 16:52 . 2009-11-18 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Java
2009-11-18 16:51 . 2009-11-18 16:51 152576 ----a-w- c:\documents and settings\E Rizzle\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-11-08 15:26 . 2007-07-08 22:53 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\uTorrent
2009-11-08 15:05 . 2009-11-02 04:42 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\DVD Flick
2009-11-08 14:56 . 2009-11-02 04:33 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\ImgBurn
2009-11-03 01:42 . 2009-10-02 17:11 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 04:42 . 2009-11-02 04:42 -------- d-----w- c:\program files\DVD Flick
2009-11-02 04:41 . 2009-11-02 04:05 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-11-02 04:41 . 2009-11-02 04:05 -------- d-----w- c:\program files\AVS4YOU
2009-11-02 04:31 . 2009-11-02 04:31 -------- d-----w- c:\program files\ImgBurn
2009-11-02 04:08 . 2009-11-02 04:08 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\AVS4YOU
2009-11-02 04:08 . 2009-11-02 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-11-23 19:42 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9458:TCP"= 9458:TCP:spport
"27623:TCP"= 27623:TCP:spport
"21897:TCP"= 21897:TCP:spport
"20491:TCP"= 20491:TCP:spport
"29466:TCP"= 29466:TCP:spport
"20432:TCP"= 20432:TCP:spport
"20926:TCP"= 20926:TCP:spport

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 8:50 PM 108289]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [3/10/2009 8:28 PM 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/29/2009 6:45 PM 24652]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 5:45 PM 12192]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [8/3/2004 11:56 PM 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\T Bizzle\Application Data\Mozilla\Firefox\Profiles\zpxc303z.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - c:\documents and settings\all users\application data\acccore\sp.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\docume~1\TBIZZL~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-22 21:13:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 02:13
ComboFix2.txt 2009-12-19 01:03

Pre-Run: 52,891,967,488 bytes free
Post-Run: 52,864,499,712 bytes free

- - End Of File - - 951B82698BE618874B1D180EFDD3D4C1


-----------------------


New DDS.txt log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by T Bizzle at 21:23:22.23 on Tue 12/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.513 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\T Bizzle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171037548890
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tbizzl~1\applic~1\mozilla\firefox\profiles\zpxc303z.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-23 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-23 56816]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-29 24652]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-3 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-23 01:55:50 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-23 01:55:50 56320 ------w- c:\windows\system32\eventlog.dll
2009-12-23 01:55:03 98816 ----a-w- c:\windows\sed.exe
2009-12-23 01:55:03 77312 ----a-w- c:\windows\MBR.exe
2009-12-23 01:55:03 261632 ----a-w- c:\windows\PEV.exe
2009-12-23 01:55:03 161792 ----a-w- c:\windows\SWREG.exe
2009-12-17 14:44:50 0 d-sha-r- C:\cmdcons
2009-12-12 03:48:16 0 d-----w- c:\program files\CCleaner
2009-11-30 05:41:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 05:41:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 05:41:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 19:55:40 0 d-----w- C:\VundoFix Backups
2009-11-24 01:50:47 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 01:50:44 0 d-----w- c:\program files\Avira
2009-11-24 01:50:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-23 23:29:50 0 d-----w- C:\snapshot_temp_mb
2009-11-23 23:25:23 0 d-----w- c:\windows\tmp
2009-11-23 23:00:52 0 d-----w- c:\docume~1\tbizzl~1\applic~1\TeamViewer
2009-11-23 23:00:47 0 d-----w- c:\documents and settings\t bizzle\temp
2009-11-23 19:46:17 0 d-----w- c:\docume~1\tbizzl~1\applic~1\Malwarebytes
2009-11-23 19:46:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-23 19:29:36 489 ----a-w- c:\windows\wininit.ini
2009-11-23 18:55:51 0 d-----w- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2009-12-10 03:11:15 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-11-23 19:42:25 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 19:42:25 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 19:42:25 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-11-23 19:42:25 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-11-23 19:42:24 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-18 16:52:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 21:23:47.46 ===============


------------------------------


I also re-checked the ComboFix-quarantined-files.txt file and there now appear to be more entries, so here is the log file after running everything you requested in your post:

2009-12-23 02:12:13 . 2009-12-23 02:12:14 419 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2}.reg.dat
2009-12-23 02:01:16 . 2009-12-23 02:01:16 2,622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_munut.reg.dat
2009-12-23 02:01:16 . 2009-12-23 02:01:16 2,706 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_iistdskolhwxir.reg.dat
2009-12-23 02:01:16 . 2009-12-23 02:01:16 2,616 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_hhkrkpy.reg.dat
2009-12-23 01:55:47 . 2009-12-23 01:55:47 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-12-19 01:02:45 . 2009-12-19 01:02:45 1,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-ShockwaveFlash.reg.dat
2009-12-19 01:02:45 . 2009-12-19 01:02:45 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2009-12-19 01:02:22 . 2009-12-19 01:02:22 550 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WinDefend.reg.dat
2009-12-19 01:02:22 . 2009-12-19 01:02:22 554 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-aawservice.reg.dat
2009-12-19 01:02:01 . 2009-12-19 01:02:01 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat
2009-12-18 14:39:31 . 2009-12-18 14:39:31 4,028 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
2009-12-18 14:39:30 . 2009-12-18 14:39:30 790 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SSHNAS.reg.dat
2009-12-18 14:39:30 . 2009-12-18 14:39:30 990 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2009-12-18 14:39:21 . 2009-12-23 02:01:07 4,881 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-12-17 14:41:14 . 2009-12-23 01:54:59 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-12-04 12:32:45 . 2009-12-04 12:32:45 78,720 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\xlrgfnpewiv.sys.vir
2009-11-29 21:47:54 . 2009-11-29 21:47:54 78,720 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ktbwqfxaat.sys.vir
2009-11-24 17:47:51 . 2009-11-24 17:47:57 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\TestBrowser.html.vir
2009-11-08 15:32:31 . 2009-11-23 20:08:24 1,210 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\search.xml.vir
2007-07-01 13:54:18 . 2007-07-01 13:54:18 736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\EventSystem.log.vir


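Reading the ComboFix report above by hand, three things stand out to a responder: seven high TCP ports opened globally under one bare name (spport), a service hosted by svchost.exe in a group called netsvc (one character short of the netsvcs group the DDS log shows the real services using), and a DLL loaded into explorer.exe from a Temp folder. The Python below is an added example, not code from the thread or from ComboFix, that flags those three patterns in a report; the set of built-in svchost group names and the "three or more ports above 1024" threshold are assumptions, and the sample lines are constructed from values in the log above.

```python
"""Flag three patterns in a ComboFix-style report: one name opening many high
ports, a service in an svchost group Windows does not ship, and a DLL loaded
from a Temp folder. Added example, not ComboFix's or the thread's own code."""
import re
from collections import defaultdict

# Assumption: svchost groups shipped with Windows XP. A name that is a prefix
# of, or extends, one of these (netsvc vs netsvcs) is a classic lookalike.
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                        "localservice", "imgsvc", "httpfilter", "termsvcs"}

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')
SVC_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[', re.I)
PROC_RE = re.compile(r"^- - - - - - - > '([^']+)'")
TEMP_RE = re.compile(r"\\temp\\", re.I)

def analyze(report: str) -> dict:
    """Return findings keyed by pattern; each value is a list of tuples."""
    findings = {"odd_ports": [], "odd_svchost_groups": [], "temp_dlls": []}
    port_names = defaultdict(list)          # port description -> ports opened
    section, process = None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") or line.startswith("---"):
            section, process = line, None   # registry key or report header
            continue
        m = PROC_RE.match(line)
        if m:
            process = m.group(1)            # "DLLs Loaded Under ..." block
            continue
        m = PORT_RE.match(line)
        if m and section and "GloballyOpenPorts" in section:
            port, proto, desc = m.groups()
            # Windows' own exceptions are named by a resource string (@dll,-id)
            if not desc.startswith("@"):
                port_names[desc].append(f"{port}/{proto}")
            continue
        m = SVC_RE.match(line)
        if m:
            path = m.group(2).lower()
            if "svchost.exe -k" in path:
                group = path.split("-k", 1)[1].strip()
                if group not in KNOWN_SVCHOST_GROUPS:
                    lookalike = any(k.startswith(group) or group.startswith(k)
                                    for k in KNOWN_SVCHOST_GROUPS)
                    hint = "lookalike of a real group" if lookalike else "unknown group"
                    findings["odd_svchost_groups"].append((m.group(1), group, hint))
            continue
        if process and line.lower().endswith(".dll") and TEMP_RE.search(line):
            findings["temp_dlls"].append((process, line))
    # One non-resource name opening several ports above 1024 (assumed threshold)
    for name, ports in port_names.items():
        if len(ports) >= 3 and all(int(p.split("/")[0]) > 1024 for p in ports):
            findings["odd_ports"].append((name, sorted(ports)))
    return findings

# Constructed sample: a handful of lines taken from the report in the thread.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9458:TCP"= 9458:TCP:spport
"27623:TCP"= 27623:TCP:spport
"20491:TCP"= 20491:TCP:spport
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [8/3/2004 11:56 PM 14336]
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\docume~1\TBIZZL~1\LOCALS~1\Temp\IadHide5.dll
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```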
#13 mbressman

mbressman
  • Topic Starter

  • Members
  • 20 posts

Posted 23 December 2009 - 04:08 PM

Hi Elle,

Unfortunately, my friend that I am trying to help decided to run some additional scans on his own without consulting me. He emailed me and told me he ran CCleaner and Avira AntiVir scans after I posted the above information. I'm not sure if he made any other changes or what the results of those scans were - but I wanted to let you know in case it screwed anything up that we are doing or in case you want to have me re-run any of the diagnostic scans again to see where we stand. Sorry 'bout that.

I've told my friend not to do anything on the computer without first talking to me - although it is his computer...

Let me know how you want me to proceed. Thanks.

#14 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 24 December 2009 - 03:57 AM

Hi mbressman,

I want to check if something is still reported as being infected.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.




Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.


#15 mbressman

mbressman
  • Topic Starter

  • Members
  • 20 posts

Posted 28 December 2009 - 10:07 AM

Elle,

Sorry I haven't responded sooner. Because of the holidays, my friend went away and his computer has been turned off since. I just spoke with him and he will be turning it on tonight, so I will be able to run your latest instructions tonight and post something later tonight. Thanks again, and happy holidays and new year!



