Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Hackers Don't Give Site Owners Time to Patch, Start Exploiting New Drupal Flaw Within Hours

Featured Deal: Pay What You Want Complete Cyber Security Certification Bundle Deal

System Security Virus (I think)

Started by cleveland7 , Dec 30 2009 12:03 PM

This topic is locked

27 replies to this topic

#1 cleveland7

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 30 December 2009 - 12:03 PM

For the past week my computer has been acting up (I believe it is the System Security virus) because as soon as the computer booted up I would get fake security warnings (saying my computer is at risk or my information is at risk) and then my computer would freeze (no blue screen, just freeze). I am able to work in safe mode fine and the virus does not seem to be working in safe mode. I have run Malwarebytes Anti-Malware (but only after I renamed the mbam.exe file to xxxx.exe because it was being blocked by the malware). Everytime I run MBAM it would find three infections (all related to some 'H8SRT' name) and seemed like MBAM got rid of the infections and all I needed to do was restart but it was never able to completely remove it because everytime I ran MBAM it would come up with the same 3 infections. Also I have Spybot Search and Destroy but it will not open (I have renamed the files too and have even redownloaded the program) but it still won't open. Whenever I try to boot-up normally I would get an error message that has to do with ViewMgr and whether or not to send a report about the error. I am not sure if the ViewMgr error has to do with the virus or not but I have not clicked on it because I do not want to make the virus worse if they are related. Also my USB ports work and I am able to use them (I have read online that some viruses block USB's or disable them)
Thank you in advance for all your help.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Miami Student at 11:17:07.17 on Wed 12/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Miami Student\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://mymiami.muohio.edu/webapps/portal/frameset.jsp
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.cavfanatic.com/go/thread/view/3816/21955773/NBA_Fastbreak_Are_Calling_Out_The_Cavs"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\xxxx.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245441590948
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\miamis~1\applic~1\mozilla\firefox\profiles\dvh71123.default\
FF - prefs.js: browser.startup.homepage - hxxps://mymiami.muohio.edu/
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

S0 cdyn;cdyn;c:\windows\system32\drivers\chpot.sys --> c:\windows\system32\drivers\chpot.sys [?]
S0 cerc6;cerc6; [x]
S0 fvxjosk;fvxjosk;c:\windows\system32\drivers\ghulqgxw.sys --> c:\windows\system32\drivers\ghulqgxw.sys [?]
S0 kxpc;kxpc;c:\windows\system32\drivers\earsam.sys --> c:\windows\system32\drivers\earsam.sys [?]
S0 lwcqns;lwcqns;c:\windows\system32\drivers\waweyuee.sys --> c:\windows\system32\drivers\waweyuee.sys [?]
S0 odpukyl;odpukyl;c:\windows\system32\drivers\rnccb.sys --> c:\windows\system32\drivers\rnccb.sys [?]
S1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2008-2-1 191616]
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-29 31944]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-22 55152]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-6-19 104000]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-29 144960]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-29 54872]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-27 24652]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\4.tmp [2009-12-26 6144]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-6-19 72264]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-6-19 34152]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-6-19 168776]

=============== Created Last 30 ================

2009-12-26 18:00:13 6144 ------w- c:\windows\system32\4.tmp
2009-12-26 18:00:12 6144 ------w- c:\windows\system32\3.tmp
2009-12-26 17:59:58 6144 ------w- c:\windows\system32\2.tmp
2009-12-26 17:59:51 0 d-----w- c:\program files\Sophos
2009-12-23 06:58:45 0 d-----w- c:\program files\View Mgr Removal Tool[1]
2009-12-22 23:28:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 23:28:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 23:28:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 23:04:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-22 20:46:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-22 20:46:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-22 18:43:10 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-22 16:04:54 672 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-22 16:03:53 199 ----a-w- c:\windows\system32\srcr.dat
2009-12-20 02:41:58 0 d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-12-20 02:40:04 6654 ----a-w- c:\windows\system32\LexFiles.ulf
2009-12-20 02:39:32 0 d-----w- c:\program files\Lx_cats
2009-12-20 02:38:57 7654 ----a-w- c:\windows\system32\lxcjhelp.cnt
2009-12-20 02:38:57 1488037 ----a-w- c:\windows\system32\lxcjhelp.hlp
2009-12-20 02:38:53 1585 ----a-r- c:\windows\system32\lxcj.loc
2009-12-20 02:34:34 0 d-----w- c:\program files\Lexmark 8300 Series
2009-12-20 02:34:22 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-12-20 02:34:22 87040 ----a-w- c:\windows\system32\wiafbdrv.dll

==================== Find3M ====================

2009-12-09 17:57:09 28599 ----a-w- c:\windows\system32\nvModes.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2005-11-15 19:32:22 3638 ----a-r- c:\program files\common files\Altiris_Icon.ico
2009-08-31 18:42:10 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-08-31 18:42:10 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-08-31 18:42:10 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:18:45.45 ===============

Attached Files

Attach.txt 16.49KB 57 downloads
ark.txt 7.24KB 63 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Buckeye_Sam

Malware Expert

Members
17,382 posts
OFFLINE

Gender:Male
Location:Pickerington, Ohio
Local time:03:18 AM

Posted 31 December 2009 - 01:04 PM

Hello!

My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 31 December 2009 - 07:46 PM

Hi Sam,

Thank you for your response and help. I will try to have the combofix log up by tomorrow but I am not sure when that will be due to the holidays (I will have it by Saturday at the latest). Thank you again. Have a great new year!

Mark

#4 Buckeye_Sam

Malware Expert

Members
17,382 posts
OFFLINE

Gender:Male
Location:Pickerington, Ohio
Local time:03:18 AM

Posted 31 December 2009 - 10:43 PM

Sounds good. Have a safe New Year!

#5 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 01 January 2010 - 09:24 PM

here is the log from combofix:

ComboFix 09-12-31.A1 - Miami Student 01/01/2010 21:15:09.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.688 [GMT -5:00]
Running from: c:\documents and settings\Miami Student\Desktop\cccc.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\EventSystem.log
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\4.tmp
c:\windows\system32\drivers\H8SRTfuwkostjlq.sys
c:\windows\system32\H8SRTgoewswqlro.dll
c:\windows\system32\H8SRTtgqrbxfixu.dll
c:\windows\system32\H8SRTvbrnkpyevl.dat
c:\windows\system32\srcr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2

((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2009-12-26 17:59 . 2009-12-26 17:59 -------- d-----w- c:\program files\Sophos
2009-12-23 06:58 . 2009-12-24 22:51 -------- d-----w- c:\program files\View Mgr Removal Tool[1]
2009-12-22 23:28 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 23:28 . 2009-12-22 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 23:28 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 23:04 . 2010-01-01 16:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-22 20:46 . 2009-12-26 18:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-22 20:46 . 2009-12-26 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-22 18:43 . 2009-12-22 18:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-22 17:56 . 2009-12-22 17:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-22 16:04 . 2010-01-01 16:14 865 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-20 02:41 . 2009-12-20 03:15 -------- d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-12-20 02:39 . 2009-12-20 18:53 -------- d-----w- c:\program files\Lx_cats
2009-12-20 02:34 . 2009-12-20 02:40 -------- d-----w- c:\program files\Lexmark 8300 Series
2009-12-20 02:34 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-12-20 02:34 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-12-09 06:06 . 2009-12-22 18:32 -------- d-----w- c:\documents and settings\Miami Student\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 05:49 . 2009-08-27 23:32 -------- d-----w- c:\program files\Common Files\AOL
2009-12-09 21:19 . 2009-06-22 13:00 72272 ----a-w- c:\documents and settings\Miami Student\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 17:57 . 2009-06-19 19:53 28599 ----a-w- c:\windows\system32\nvModes.dat
2009-12-09 08:04 . 2009-08-27 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2005-11-15 19:32 . 2005-11-15 19:32 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-10-30 153416]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1680:TCP"= 1680:TCP:*:Disabled:Altiris_Carbon_Copy
"402:TCP"= 402:TCP:*:Disabled:Altiris_Client
"401:TCP"= 401:TCP:*:Disabled:Altiris_Client
"43189:TCP"= 43189:TCP:*:Disabled:Altiris_Recovery_Solution
"43190:TCP"= 43190:TCP:*:Disabled:Altiris_Recovery_Solution
"43190:UDP"= 43190:UDP:*:Disabled:Altiris_Recovery_Solution
"3829:TCP"= 3829:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4949:TCP"= 4949:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4950:TCP"= 4950:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4951:TCP"= 4951:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4952:TCP"= 4952:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration

S0 cdyn;cdyn;c:\windows\system32\drivers\chpot.sys --> c:\windows\system32\drivers\chpot.sys [?]
S0 cerc6;cerc6; [x]
S0 fvxjosk;fvxjosk;c:\windows\system32\drivers\ghulqgxw.sys --> c:\windows\system32\drivers\ghulqgxw.sys [?]
S0 kxpc;kxpc;c:\windows\system32\drivers\earsam.sys --> c:\windows\system32\drivers\earsam.sys [?]
S0 lwcqns;lwcqns;c:\windows\system32\drivers\waweyuee.sys --> c:\windows\system32\drivers\waweyuee.sys [?]
S0 odpukyl;odpukyl;c:\windows\system32\drivers\rnccb.sys --> c:\windows\system32\drivers\rnccb.sys [?]
S1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2/1/2008 2:50 PM 191616]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 8:13 AM 55152]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/27/2009 6:34 PM 24652]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-02 c:\windows\Tasks\User_Feed_Synchronization-{59C4DC40-17F4-4BFF-8102-77A9DC3AE0E1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mymiami.muohio.edu/webapps/portal/frameset.jsp
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Miami Student\Application Data\Mozilla\Firefox\Profiles\dvh71123.default\
FF - prefs.js: browser.startup.homepage - hxxps://mymiami.muohio.edu/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-lxcjmon.exe - c:\program files\Lexmark 8300 Series\lxcjmon.exe
HKLM-Run-EzPrint - c:\program files\Lexmark 8300 Series\ezprint.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(728)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2010-01-01 21:21:41
ComboFix-quarantined-files.txt 2010-01-02 02:21

Pre-Run: 42,259,419,136 bytes free
Post-Run: 42,245,369,856 bytes free

- - End Of File - - EFB85C58EA26E0BD139E578E42AC226B

#6 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 01 January 2010 - 09:50 PM

I had to rename the .exe file for combofix because it wouldn't open (I'm guessing the virus blocked it). Once it opened, everything seemed to be going fine and it rebooted my computer twice while running but when it loaded back up the 3rd time nothing happened and no log was created. But I re-ran the program and that log popped up so am not sure what happened the first time but hopefully that is what you were looking for.

#7 Buckeye_Sam

Malware Expert

Members
17,382 posts
OFFLINE

Gender:Male
Location:Pickerington, Ohio
Local time:03:18 AM

Posted 02 January 2010 - 09:43 AM

Yep, that's what I needed to see.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Driver::
cdyn
cerc6
fvxjosk
kxpc
lwcqns
odpukyl

File::
c:\windows\system32\drivers\chpot.sys
c:\windows\system32\drivers\ghulqgxw.sys
c:\windows\system32\drivers\earsam.sys
c:\windows\system32\drivers\waweyuee.sys
c:\windows\system32\drivers\rnccb.sys

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#8 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 02 January 2010 - 01:28 PM

Hi Sam,

I am having trouble disabling my antivirus program (I have Mcafee 8.5i). I found this link: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/ but neither of them work for me. When I right click the logo there is no "disable" or "exit" option. When I go through the security center there is no advanced option. When I scroll over the Mcafee icon in the taskbar (it's a shield with a V in it) it says "Mcafee OAS: disabled" but Combofix still says that the Antivirus program is still running. I don't see any icons related to Mcafee's Antispyware so I am not sure if that is the problem or not. Could you please help me disable it? Thank you.

#9 Buckeye_Sam

Malware Expert

Members
17,382 posts
OFFLINE

Gender:Male
Location:Pickerington, Ohio
Local time:03:18 AM

Posted 02 January 2010 - 03:59 PM

Just follow the directions that you have for disabling Mcafee. Once you are certain that it's disabled, run Combofix as posted and disregard any notification that Combofix gives you about it still running.

#10 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 02 January 2010 - 08:23 PM

Here's the log, as far as I could tell I disabled the antivirus program so hopefully it worked.

ComboFix 09-12-31.A1 - Miami Student 01/02/2010 20:06:05.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.591 [GMT -5:00]
Running from: c:\documents and settings\Miami Student\Desktop\cccc.exe
Command switches used :: c:\documents and settings\Miami Student\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\windows\system32\drivers\chpot.sys"
"c:\windows\system32\drivers\earsam.sys"
"c:\windows\system32\drivers\ghulqgxw.sys"
"c:\windows\system32\drivers\rnccb.sys"
"c:\windows\system32\drivers\waweyuee.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cdyn
-------\Service_cerc6
-------\Service_fvxjosk
-------\Service_kxpc
-------\Service_lwcqns
-------\Service_odpukyl

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2009-12-26 17:59 . 2010-01-02 18:20 -------- d-----w- c:\program files\Sophos
2009-12-23 06:58 . 2009-12-24 22:51 -------- d-----w- c:\program files\View Mgr Removal Tool[1]
2009-12-22 23:28 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 23:28 . 2009-12-22 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 23:28 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 23:04 . 2010-01-02 07:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-22 20:46 . 2010-01-02 18:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-22 20:46 . 2010-01-02 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-22 18:43 . 2009-12-22 18:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-22 17:56 . 2009-12-22 17:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-22 16:04 . 2010-01-01 16:14 865 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-20 02:41 . 2009-12-20 03:15 -------- d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-12-20 02:39 . 2009-12-20 18:53 -------- d-----w- c:\program files\Lx_cats
2009-12-20 02:34 . 2009-12-20 02:40 -------- d-----w- c:\program files\Lexmark 8300 Series
2009-12-20 02:34 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-12-20 02:34 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-12-09 06:06 . 2009-12-22 18:32 -------- d-----w- c:\documents and settings\Miami Student\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 05:49 . 2009-08-27 23:32 -------- d-----w- c:\program files\Common Files\AOL
2009-12-09 21:19 . 2009-06-22 13:00 72272 ----a-w- c:\documents and settings\Miami Student\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 17:57 . 2009-06-19 19:53 28599 ----a-w- c:\windows\system32\nvModes.dat
2009-12-09 08:04 . 2009-08-27 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 07:45 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2005-11-15 19:32 . 2005-11-15 19:32 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((( SnapShot@2010-01-02_02.20.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-03 01:14 . 2010-01-03 01:14 16384 c:\windows\temp\Perflib_Perfdata_258.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-10-30 153416]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1680:TCP"= 1680:TCP:*:Disabled:Altiris_Carbon_Copy
"402:TCP"= 402:TCP:*:Disabled:Altiris_Client
"401:TCP"= 401:TCP:*:Disabled:Altiris_Client
"43189:TCP"= 43189:TCP:*:Disabled:Altiris_Recovery_Solution
"43190:TCP"= 43190:TCP:*:Disabled:Altiris_Recovery_Solution
"43190:UDP"= 43190:UDP:*:Disabled:Altiris_Recovery_Solution
"3829:TCP"= 3829:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4949:TCP"= 4949:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4950:TCP"= 4950:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4951:TCP"= 4951:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration
"4952:TCP"= 4952:TCP:*:Disabled:Altiris_PCT_Real_Time_Migration

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2/1/2008 2:50 PM 191616]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 8:13 AM 55152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/27/2009 6:34 PM 24652]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-02 c:\windows\Tasks\User_Feed_Synchronization-{59C4DC40-17F4-4BFF-8102-77A9DC3AE0E1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mymiami.muohio.edu/webapps/portal/frameset.jsp
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Miami Student\Application Data\Mozilla\Firefox\Profiles\dvh71123.default\
FF - prefs.js: browser.startup.homepage - hxxps://mymiami.muohio.edu/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 20:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-02 20:20:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 01:19
ComboFix2.txt 2010-01-02 02:21

Pre-Run: 42,564,997,120 bytes free
Post-Run: 42,616,635,392 bytes free

- - End Of File - - 4181AAD722F23876E7944AB3E314E1FA

#11 Buckeye_Sam

Malware Expert

Members
17,382 posts
OFFLINE

Gender:Male
Location:Pickerington, Ohio
Local time:03:18 AM

Posted 03 January 2010 - 10:00 AM

Please update Malwarebytes and run a full scan.

Open Malwarebytes and select the Update tab.
Click on the Check for Updates button and allow the program to download the latest updates.
Once you have the latest updates, select the Scanner tab.
Select "Perform full scan" and click the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

How is your computer behaving now?

#12 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 03 January 2010 - 02:26 PM

Malwarebytes' Anti-Malware 1.43
Database version: 3488
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/3/2010 1:50:04 PM
mbam-log-2010-01-03 (13-50-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 174521
Time elapsed: 38 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\desktop defender 2010 (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Desktop Defender 2010 (Rogue.DesktopDefender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Desktop Defender 2010 (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010 (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Miami Student\Local Settings\temp\.tt2C3.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miami Student\Local Settings\temp\.tt2C3.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\securitycenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2367F3E9-7E86-4B97-8C5C-180953192F43}\RP0\A0000001.exe (Rogue.DesktopDefender) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2367F3E9-7E86-4B97-8C5C-180953192F43}\RP1\A0000002.exe (Rogue.DesktopDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uufav1twuu4p.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\daily.cvd (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\guide.chm (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\hjengine.dll (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\mfc71.dll (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\MFC71ENU.DLL (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\msvcp71.dll (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\msvcr71.dll (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\pthreadVC2.dll (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\taskmgr.dll (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Program Files\Desktop Defender 2010\uninstall.exe (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\Activate Desktop Defender 2010.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\Desktop Defender 2010.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\Help.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\How to Activate Desktop Defender 2010.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010.LNK (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miami Student\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Defender 2010.LNK (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.

After running combofix the first time my computer had been acting better and I was able to run windows in normal mode without it freezing, but today when searching Google whenever I clicked on a link it would redirect me to what seems random sites that are unrelated to what I was trying to go to. I tried searching in another search engine and the same problem occurs. I am not sure if this is part of the same virsu or a new one.

#13 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 03 January 2010 - 02:50 PM

Also, I just tried to run in safe mode to see if the problem with google occurred in safe mode and before I could log in I got a blue screen error that read: 0x0000007E (0x000005, 0x80537009, 0xF7B03508, 0xF7B03204)

#14 Buckeye_Sam

Malware Expert

Members
17,382 posts
OFFLINE

Gender:Male
Location:Pickerington, Ohio
Local time:03:18 AM

Posted 04 January 2010 - 08:08 AM

That's a separate infection.

Download GMER from here:

Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

#15 cleveland7

Topic Starter

Members
22 posts
OFFLINE

Local time:03:18 AM

Posted 04 January 2010 - 12:29 PM

In the middle of GMER running it froze and I checked and my computer was at 100% usage and then it froze (no blue screen). I had to shut it down by holding down the power button and after turning it back on I got a blue screen. I tried restarting again and continued to get a blue screen no matter what mode I tried to run it in, so I am not sure what to do. I am using my brother's computer right now.