
desktop defender2010


  • This topic is locked
34 replies to this topic

#1 111


Posted 13 January 2010 - 04:21 AM

Having a lot of fake antivirus/spyware popups


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/21/2009 9:16:17 AM
System Uptime: 1/12/2010 11:39:39 PM (2 hours ago)

Motherboard: Hewlett-Packard | | 30AA
Processor: Intel® Core™2 CPU T5600 @ 1.83GHz | U10 | 1828/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 66.41 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Agere Systems HDA Modem
CA eTrustITM Agent
CA iTechnology iGateway
Compatibility Pack for the 2007 Office system
Desktop Defender 2010
GroupWise
GroupWise Internet Browser Mail Integration
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Intel® Graphics Media Accelerator Driver
Intel® PRO Ethernet Adapter and Software
Java™ 6 Update 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (2.0.0.14)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NICI (Shared) U.S./Worldwide (128 bit) (2.7.3-1)
NMAS Challenge Response Method
NMAS Client
Novell Client for Windows
Novell iPrint Client v04.26.00
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Spybot - Search & Destroy
Spyware Doctor 7.0
VideoLAN VLC media player 0.8.6f
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows NT Messaging
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
ZENworks Asset Management - Client Apps
ZENworks Desktop Management Agent

==== Event Viewer Messages From Past Week ========

1/13/2010 12:25:10 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
1/12/2010 9:27:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Image Acquisition (WIA) service to connect.
1/12/2010 9:27:30 PM, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/12/2010 9:19:39 PM, error: Service Control Manager [7023] - The BtwSrv service terminated with the following error: The specified module could not be found.
1/12/2010 9:14:17 PM, error: Service Control Manager [7034] - The Verdiem Surveyor Client service terminated unexpectedly. It has done this 1 time(s).
1/12/2010 9:14:16 PM, error: Service Control Manager [7034] - The ZENworks Asset Management - Collection Client service terminated unexpectedly. It has done this 1 time(s).
1/12/2010 9:14:16 PM, error: Service Control Manager [7034] - The Workstation Manager service terminated unexpectedly. It has done this 1 time(s).
1/12/2010 7:04:31 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
1/12/2010 7:01:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Net Driver HPZ12 service to connect.
1/12/2010 7:01:13 PM, error: Service Control Manager [7000] - The Net Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/12/2010 6:53:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
1/12/2010 6:53:19 PM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/12/2010 4:00:04 PM, error: NETw4x32 [5005] - \DEVICE\{BB1ACEC4-8CFB-4D3B-B5AE-7DB3EFB70390} : Has encountered an internal error and has failed.
1/12/2010 10:30:25 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/11/2010 9:43:44 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Verdiem Surveyor Client service to connect.
1/11/2010 9:43:44 PM, error: Service Control Manager [7000] - The Verdiem Surveyor Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/11/2010 9:42:29 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
1/11/2010 9:42:29 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
1/11/2010 11:29:38 PM, error: NETw4x32 [5002] - Intel® PRO/Wireless 3945ABG Network Connection : Has determined that the adapter is not functioning properly.
1/11/2010 11:29:38 PM, error: NETw4x32 [5002] - \DEVICE\{BB1ACEC4-8CFB-4D3B-B5AE-7DB3EFB70390} : Has determined that the adapter is not functioning properly.
1/11/2010 10:33:24 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SurveyorSD service.

==== End Of File ===========================



#2 Blind Faith


Posted 19 January 2010 - 10:14 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
If I haven't replied in 48 hours, please feel free to send me a PM.




#3 111


Posted 25 January 2010 - 12:44 PM

Have a lot of popups for Desktop Defender 2010

DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 9:37:46.01 on Mon 01/25/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.421 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\DRIVERS\PROGKILL\ProgKill.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\DVE3J56D\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {a9d722cb-743e-92a0-209f-b0b8e448b0ad} - c:\windows\alokomejesuxi.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [notepad] rundll32.exe c:\docume~1\user\ntload.dll,_IWMPEvents@0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB312] command.com /c del "c:\windows\amarexurivikiki.dll_old"
uRunOnce: [SpybotDeletingD586] cmd.exe /c del "c:\windows\amarexurivikiki.dll_old"
uRunOnce: [SpybotDeletingB4342] command.com /c del "c:\windows\alokomejesuxi.dll_old"
uRunOnce: [SpybotDeletingD2146] cmd.exe /c del "c:\windows\alokomejesuxi.dll_old"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Nhimoq] rundll32.exe "c:\windows\alokomejesuxi.dll",Startup
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA6222] command.com /c del "c:\windows\amarexurivikiki.dll_old"
mRunOnce: [SpybotDeletingC9824] cmd.exe /c del "c:\windows\amarexurivikiki.dll_old"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA9393] command.com /c del "c:\windows\alokomejesuxi.dll_old"
mRunOnce: [SpybotDeletingC5652] cmd.exe /c del "c:\windows\alokomejesuxi.dll_old"
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\lh4aeiljq.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\win16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NalView.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: Btn_Back = 1 (0x1)
uPolicies-explorer: Btn_Forward = 1 (0x1)
uPolicies-explorer: Btn_Stop = 1 (0x1)
uPolicies-explorer: Btn_Refresh = 1 (0x1)
uPolicies-explorer: Btn_Home = 1 (0x1)
uPolicies-explorer: Btn_Search = 2 (0x2)
uPolicies-explorer: Btn_Favorites = 2 (0x2)
uPolicies-explorer: Btn_History = 2 (0x2)
uPolicies-explorer: Btn_Media = 2 (0x2)
uPolicies-explorer: Btn_Folders = 2 (0x2)
uPolicies-explorer: Btn_Fullscreen = 2 (0x2)
uPolicies-explorer: Btn_Tools = 2 (0x2)
uPolicies-explorer: Btn_MailNews = 2 (0x2)
uPolicies-explorer: Btn_Size = 2 (0x2)
uPolicies-explorer: Btn_Print = 1 (0x1)
uPolicies-explorer: Btn_Edit = 2 (0x2)
uPolicies-explorer: Btn_Discussions = 2 (0x2)
uPolicies-explorer: Btn_Cut = 2 (0x2)
uPolicies-explorer: Btn_Copy = 2 (0x2)
uPolicies-explorer: Btn_Paste = 2 (0x2)
uPolicies-explorer: Btn_Encoding = 2 (0x2)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182435572927
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182435562181
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {45434FCB-4A5D-4005-B9B0-157B71BB63EB} = 193.104.110.38,4.2.2.1
TCP: {BB1ACEC4-8CFB-4D3B-B5AE-7DB3EFB70390} = 193.104.110.38,4.2.2.1,192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
AppInit_DLLs: c:\windows\system32\muzurimo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kagekiziw - {a81e2720-84b1-47e1-9c92-052dcc124081} - c:\windows\system32\muzurimo.dll
STS: tokatiluy: {a81e2720-84b1-47e1-9c92-052dcc124081} - c:\windows\system32\muzurimo.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli jentas40.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XULRunner: {D81091BF-4BDB-41D9-B8A1-03A6157A7E9F} - c:\documents and settings\user\local settings\application data\{D81091BF-4BDB-41D9-B8A1-03A6157A7E9F}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-11 207792]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-4-21 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2005-3-11 41984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1184912]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-11 359624]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-4-21 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-4-21 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-12-24 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-6-30 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-6-30 35968]
S2 AutoExNT;AutoExNT;c:\windows\system32\autoexnt.exe [2005-6-6 7168]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-11 1141712]
S3 winsts;winsts;c:\windows\system32\winsts.sys [2004-8-4 2304]

=============== Created Last 30 ================

2010-01-14 06:58:42 96512 ----a-w- c:\windows\system32\drivers\OLD17.tmp
2010-01-13 08:40:04 0 d-----w- c:\windows\system32\appmgmt
2010-01-13 08:33:46 147 ----a-w- c:\windows\wininit.ini
2010-01-13 08:28:31 3665920 ----a-w- c:\windows\system32\j8shpnvvewwa.exe
2010-01-13 08:27:38 113664 ----a-w- c:\windows\system32\lj8shpnuuewfq.exe
2010-01-13 08:09:34 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 08:09:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-13 06:51:26 2363 ----a-w- c:\windows\system32\arc0012.tmp
2010-01-13 06:51:19 1865 ----a-w- c:\windows\system32\arc0011.tmp
2010-01-13 06:51:05 1857 ----a-w- c:\windows\system32\arc0010.tmp
2010-01-13 06:50:58 9810 ----a-w- c:\windows\system32\arc0009.tmp
2010-01-13 06:50:51 9798 ----a-w- c:\windows\system32\arc0008.tmp
2010-01-13 06:50:37 9818 ----a-w- c:\windows\system32\arc0007.tmp
2010-01-13 06:50:30 9798 ----a-w- c:\windows\system32\arc0006.tmp
2010-01-13 06:50:23 9798 ----a-w- c:\windows\system32\arc0005.tmp
2010-01-13 06:50:09 9762 ----a-w- c:\windows\system32\arc0004.tmp
2010-01-13 06:50:02 9770 ----a-w- c:\windows\system32\arc0003.tmp
2010-01-13 06:49:55 9770 ----a-w- c:\windows\system32\arc0002.tmp
2010-01-13 06:49:48 9749 ----a-w- c:\windows\system32\arc0001.tmp
2010-01-13 06:49:40 9749 ----a-w- c:\windows\system32\arc0000.tmp
2010-01-13 06:47:00 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 06:41:19 0 d-----w- c:\program files\Lavasoft
2010-01-13 06:08:27 0 d-----w- c:\docume~1\user\applic~1\AVG8
2010-01-13 05:32:02 480588 ----a-w- c:\windows\system32\PerfStringBackup.TMP_003
2010-01-13 05:09:20 0 ----a-w- c:\windows\system32\41.exe
2010-01-13 02:56:43 480588 ----a-w- c:\windows\system32\PerfStringBackup.TMP_002
2010-01-12 07:06:15 479142 ----a-w- c:\windows\system32\PerfStringBackup.TMP_001
2010-01-12 06:02:24 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-12 06:02:24 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-12 06:01:47 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-12 06:01:47 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-12 06:01:47 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-12 06:01:47 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-12 06:01:33 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-01-12 06:01:33 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-12 06:01:23 0 d-----w- c:\program files\Spyware Doctor
2010-01-12 06:01:23 0 d-----w- c:\program files\common files\PC Tools
2010-01-12 06:01:23 0 d-----w- c:\docume~1\user\applic~1\PC Tools
2010-01-12 06:01:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-12 05:46:46 0 ----a-w- c:\windows\Ccikiriqur.bin
2010-01-12 05:46:45 120 ----a-w- c:\windows\Kxevanonul.dat
2010-01-12 05:33:19 2098 --sh--w- c:\windows\system32\wumomara.dll
2010-01-12 05:33:07 2098 --sh--w- c:\windows\system32\midogiru.dll
2010-01-12 05:32:39 2098 --sh--w- c:\windows\system32\gedekuye.dll

==================== Find3M ====================

2010-01-25 17:37:48 767488 ----a-w- c:\windows\system32\drivers\ogewa.sys
2010-01-21 09:22:45 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 09:22:45 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-24 20:46:19 114 ----a-w- C:\cjtrke5hfg108.bat
2009-12-24 20:46:04 50688 ----a-w- C:\haypsixd.exe
2009-12-24 20:46:02 156672 ----a-w- C:\oqnqso.exe
2009-12-24 20:41:25 2098 --sh--w- c:\windows\system32\lelizomo.exe
2009-12-24 20:39:25 2098 --sh--w- c:\windows\system32\jevaziji.exe
2009-12-23 19:10:59 52736 ----a-w- C:\uwlwfa.exe
2005-10-12 20:07:12 874240 ----a-w- c:\windows\inf\iastor.sys
2009-09-23 19:16:09 0 --sha-w- c:\windows\system32\bovejuto.dll
2008-04-14 00:11:56 27136 --sha-w- c:\windows\system32\notepad.dll
1601-01-01 00:03:28 92672 --sha-w- c:\windows\system32\sahomosa.dll
1601-01-01 00:03:28 76800 --sha-w- c:\windows\system32\vinelewe.exe
2008-04-14 00:11:56 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2008-04-14 00:11:56 27136 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 9:38:41.60 ===============

Edited by Orange Blossom, 25 January 2010 - 06:43 PM.
Merged topics. ~ OB
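The two DDS reports in this thread (the Attach.txt in post #1 and the DDS.txt above) are what the helpers read by eye. The Python script below is an added example, written for this page and not part of the original thread or of sUBs' DDS tool, that applies the same kind of triage to a constructed excerpt modelled on those reports. It flags Run-key entries that hand rundll32 a DLL outside system32 or start something from a temp or profile path, any AppInit_DLLs value, LSA notification packages other than scecli, hosts-file overrides, file-listing entries with a zeroed (1601-01-01) timestamp or hidden+system attributes on an executable, a driver in the drivers directory that shares its exact size with a .tmp file there, and Service Control Manager 7034 events in which a security product's service died. The category names, the heuristics and the choice of what counts as suspicious are this example's own assumptions; each hit is a pointer for a human reviewer, not a verdict, and legitimate software can trip several of them.

```python
"""Triage heuristics for a DDS log (DDS.txt / Attach.txt as posted in this thread).

Added example for this page, not part of the original posts or of the DDS tool.
SAMPLE_LOG is a constructed excerpt modelled on lines from posts #1 and #3; the
heuristics are this example's assumptions about what deserves a closer look.
"""
import re
from collections import defaultdict

# Constructed sample (a hypothetical excerpt, not the full log from the thread).
SAMPLE_LOG = r"""1/13/2010 12:25:10 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
1/12/2010 9:14:17 PM, error: Service Control Manager [7034] - The Verdiem Surveyor Client service terminated unexpectedly. It has done this 1 time(s).
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [notepad] rundll32.exe c:\docume~1\user\ntload.dll,_IWMPEvents@0
mRun: [Nhimoq] rundll32.exe "c:\windows\alokomejesuxi.dll",Startup
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\win16.exe
AppInit_DLLs: c:\windows\system32\muzurimo.dll
LSA: Notification Packages = scecli jentas40.dll
Hosts: 127.0.0.1 www.spywareinfo.com
2010-01-21 09:22:45 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 06:58:42 96512 ----a-w- c:\windows\system32\drivers\OLD17.tmp
2008-04-14 00:11:56 27136 --sha-w- c:\windows\system32\notepad.dll
1601-01-01 00:03:28 92672 --sha-w- c:\windows\system32\sahomosa.dll
"""

RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[[^\]]*\] (.+)$')        # Run / RunOnce entries
FILE_RE = re.compile(r'^(\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) (\S{8}) (.+)$')  # file listings
DLL_LOAD_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)')    # DLL handed to rundll32
SCM_STOP_RE = re.compile(r'Service Control Manager \[7034\] - The (.+?) service terminated unexpectedly')

SUSPICIOUS_DIRS = ('\\temp\\', '\\docume~1\\', '\\local settings\\', '\\systemprofile\\')
SECURITY_WORDS = ('security', 'antivirus', 'anti-virus', 'spyware')


def triage(log_text):
    """Return (category, line) pairs for lines worth a human analyst's attention."""
    findings = []
    driver_sizes = defaultdict(list)  # size -> paths under \drivers\, for the same-size .tmp check
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        m = RUN_RE.match(line)
        if m:
            cmd = m.group(1).lower()
            dll = DLL_LOAD_RE.search(cmd)
            if dll and '\\system32\\' not in dll.group(1):
                findings.append(('rundll32 loading DLL outside system32', line))
            elif any(d in cmd for d in SUSPICIOUS_DIRS):
                findings.append(('autorun from temp/profile path', line))
            continue

        m = SCM_STOP_RE.search(line)
        if m and any(w in m.group(1).lower() for w in SECURITY_WORDS):
            findings.append(('security product service terminated', line))
            continue

        if low.startswith('appinit_dlls:') and low.split(':', 1)[1].strip():
            findings.append(('AppInit_DLLs set', line))
        elif low.startswith('lsa: notification packages'):
            packages = set(low.split('=', 1)[1].split())
            if packages - {'scecli'}:  # scecli is the stock package on XP
                findings.append(('non-default LSA notification package', line))
        elif low.startswith('hosts:'):
            findings.append(('hosts-file override', line))

        m = FILE_RE.match(line)
        if m:
            year, size, attrs, path = m.groups()
            path = path.lower()
            if year == '1601':  # DDS prints 1601-01-01 for a zeroed/invalid timestamp
                findings.append(('zeroed (1601) timestamp', line))
            if 's' in attrs and 'h' in attrs and path.endswith(('.dll', '.exe')):
                findings.append(('hidden+system executable', line))
            if '\\drivers\\' in path:
                driver_sizes[int(size)].append(path)

    for size, paths in driver_sizes.items():
        tmps = [p for p in paths if p.endswith('.tmp')]
        drivers = [p for p in paths if p.endswith('.sys')]
        if tmps and drivers:
            findings.append(('driver with same-size .tmp copy',
                             f'{size} bytes: ' + ', '.join(drivers + tmps)))
    return findings


if __name__ == '__main__':
    for category, line in triage(SAMPLE_LOG):
        print(f'[{category}] {line}')
```

Run it as-is to print the findings for the sample, or pass the text of a real DDS.txt or Attach.txt to triage(). The checks are deliberately narrow string matches so they can be extended one line at a time; the same-size .tmp heuristic is the weakest of them and is only worth reporting alongside a recently changed driver timestamp, as in the Find3M section above.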


#4 Orange Blossom


Posted 25 January 2010 - 06:44 PM

Hello 111,

I have merged your latest topic to your previously existing topic for the sake of continuity and to avoid confusion. A HiJack This team member should be with you soon.

Orange Blossom

#5 thcbytes


Posted 26 January 2010 - 08:45 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.
Then run ResetTeaTimer.exe.
This will only take a few seconds.

==========

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either Spyware Doctor or eTrust.

==========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Which AV did you remove?
* Combofix.txt
* Gmer log
* How is it running now?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#6 111 (Topic Starter; Members, 114 posts)

Posted 27 January 2010 - 05:39 AM

Thank you for all your help. I removed Spyware Doctor and everything seems to be running fine.

ComboFix 10-01-26.02 - User 01/26/2010 17:11:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.520 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\thcbytes.exe
AV: eTrust ITM *On-access scanning disabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Local Settings\Application Data\{D81091BF-4BDB-41D9-B8A1-03A6157A7E9F}
c:\documents and settings\User\Local Settings\Application Data\{D81091BF-4BDB-41D9-B8A1-03A6157A7E9F}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{D81091BF-4BDB-41D9-B8A1-03A6157A7E9F}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{D81091BF-4BDB-41D9-B8A1-03A6157A7E9F}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{D81091BF-4BDB-41D9-B8A1-03A6157A7E9F}\install.rdf
C:\haypsixd.exe
C:\oqnqso.exe
c:\recycler\S-1-5-21-1236686813-3677284032-831781080-500
c:\recycler\S-1-5-21-606747145-790525478-682003330-500
C:\uwlwfa.exe
c:\windows\Install.txt
c:\windows\jentas40.dll
c:\windows\system32\41.exe
c:\windows\system32\6to4ex.dll
c:\windows\system32\AVR10.exe
c:\windows\system32\bovejuto.dll
c:\windows\system32\drivers\ogewa.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\gedekuye.dll
c:\windows\system32\Install.txt
c:\windows\system32\j8shpnvvewwa.exe
c:\windows\system32\jevaziji.exe
c:\windows\system32\lelizomo.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\midogiru.dll
c:\windows\system32\notepad.dll
c:\windows\system32\opeia.exe
c:\windows\system32\vinelewe.exe
c:\windows\system32\wbem\Performance\WmiApRpl_new.h
c:\windows\system32\winhelper86.dll
c:\windows\system32\winsts.sys
c:\windows\system32\wumomara.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
hxxp://85.12.18.120
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_WINSTS
-------\Service_6to4
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_winsts
-------\Legacy_ogewa
-------\Service_ogewa


((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-13 08:27 . 2010-01-13 08:27 113664 ----a-w- c:\windows\system32\lj8shpnuuewfq.exe
2010-01-13 08:09 . 2010-01-13 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 08:09 . 2010-01-13 08:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 06:47 . 2010-01-13 06:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 06:47 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-13 06:41 . 2010-01-13 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 06:41 . 2010-01-13 06:41 -------- d-----w- c:\program files\Lavasoft
2010-01-13 06:08 . 2010-01-13 06:08 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2010-01-12 06:33 . 2010-01-12 06:33 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-01-12 06:01 . 2010-01-26 16:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-12 05:46 . 2010-01-25 17:22 0 ----a-w- c:\windows\Ccikiriqur.bin
2010-01-12 05:46 . 2010-01-26 04:07 120 ----a-w- c:\windows\Kxevanonul.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 18:04 . 2004-08-04 06:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 06:58 . 2010-01-14 06:58 96512 ----a-w- c:\windows\system32\drivers\OLD17.tmp
2010-01-13 06:51 . 2010-01-13 06:51 2363 ----a-w- c:\windows\system32\arc0012.tmp
2010-01-13 06:51 . 2010-01-13 06:51 1865 ----a-w- c:\windows\system32\arc0011.tmp
2010-01-13 06:51 . 2010-01-13 06:51 1857 ----a-w- c:\windows\system32\arc0010.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9810 ----a-w- c:\windows\system32\arc0009.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9798 ----a-w- c:\windows\system32\arc0008.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9818 ----a-w- c:\windows\system32\arc0007.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9798 ----a-w- c:\windows\system32\arc0006.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9798 ----a-w- c:\windows\system32\arc0005.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9762 ----a-w- c:\windows\system32\arc0004.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9770 ----a-w- c:\windows\system32\arc0003.tmp
2010-01-13 06:49 . 2010-01-13 06:49 9770 ----a-w- c:\windows\system32\arc0002.tmp
2010-01-13 06:49 . 2010-01-13 06:49 9749 ----a-w- c:\windows\system32\arc0001.tmp
2010-01-13 06:49 . 2010-01-13 06:49 9749 ----a-w- c:\windows\system32\arc0000.tmp
2009-12-24 20:46 . 2009-12-24 20:46 114 ----a-w- C:\cjtrke5hfg108.bat
2008-04-17 18:27 . 2006-12-06 15:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-17 18:27 . 2006-12-06 15:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-17 18:27 . 2006-12-06 15:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-17 18:27 . 2006-12-06 15:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-17 18:27 . 2006-12-06 15:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:03 . 1601-01-01 00:03 92672 --sha-w- c:\windows\system32\sahomosa.dll
2008-04-14 00:11 . 2004-08-04 08:56 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2008-04-14 00:11 . 2004-08-04 08:56 27136 --sha-w- c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"NWTRAY"="NWTRAY.EXE" [2007-12-20 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad"="c:\windows\system32\config\SYSTEM~1\ntload.dll" [2008-04-14 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2007-12-24 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Back"= 1 (0x1)
"Btn_Forward"= 1 (0x1)
"Btn_Stop"= 1 (0x1)
"Btn_Refresh"= 1 (0x1)
"Btn_Home"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"Btn_Favorites"= 2 (0x2)
"Btn_History"= 2 (0x2)
"Btn_Media"= 2 (0x2)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Print"= 1 (0x1)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 2 (0x2)
"Btn_Paste"= 2 (0x2)
"Btn_Encoding"= 2 (0x2)
"NoThumbnailCache"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-03 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-12-24 17:51 24576 ----a-r- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPrint Event Monitor]
2006-10-18 22:14 45056 ----a-w- c:\windows\system32\iprntlgn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]
2007-12-20 19:55 28672 ----a-w- c:\windows\system32\nwtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-20 19:45 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
2007-01-17 04:27 407632 ----a-w- c:\program files\CA\eTrustITM\Realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-20 19:45 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZENRC Tray Icon]
2005-05-19 00:04 40960 ----a-w- c:\windows\system32\zentray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [4/21/2009 8:26 AM 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 1:47 PM 6899]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1184912]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 9:59 AM 167936]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [4/21/2009 8:39 AM 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [4/21/2009 8:39 AM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [12/24/2007 9:51 AM 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 1:11 PM 2773]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/30/2008 9:18 AM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/30/2008 9:13 AM 35968]
S2 AutoExNT;AutoExNT;c:\windows\system32\autoexnt.exe [6/6/2005 8:05 AM 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 13:19]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {45434FCB-4A5D-4005-B9B0-157B71BB63EB} = 193.104.110.38,4.2.2.1
TCP: {BB1ACEC4-8CFB-4D3B-B5AE-7DB3EFB70390} = 193.104.110.38,4.2.2.1,192.168.1.254
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

BHO-{a9d722cb-743e-92a0-209f-b0b8e448b0ad} - c:\windows\alokomejesuxi.dll
SharedTaskScheduler-{a81e2720-84b1-47e1-9c92-052dcc124081} - c:\windows\system32\muzurimo.dll
SSODL-kagekiziw-{a81e2720-84b1-47e1-9c92-052dcc124081} - c:\windows\system32\muzurimo.dll
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-Nhimoq - c:\windows\amarexurivikiki.dll
MSConfigStartUp-notepad - c:\windows\system32\notepad.dll
MSConfigStartUp-SurveyorSession - c:\program files\Verdiem\SurveyorSD\bin\SurveyorSession.exe
MSConfigStartUp-tqammy - c:\windows\system32\msaouahn.dll
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
MSConfigStartUp-winiredik - c:\windows\system32\muzurimo.dll
MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe
AddRemove-Desktop Defender 2010 - c:\program files\Desktop Defender 2010\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll

- - - - - - - > 'Explorer.exe'(2760)
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRpc.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\program files\Novell\ZENworks\wm.exe
c:\program files\Novell\ZENworks\Asset Management\bin\CClient.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\wscntfy.exe
c:\drivers\PROGKILL\ProgKill.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Novell\ZENworks\NalAgent.exe
.
**************************************************************************
.
Completion time: 2010-01-26 17:48:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-27 01:48

Pre-Run: 71,468,564,480 bytes free
Post-Run: 71,500,460,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - AF3708DE94CB2E7F0A705340BCD0AF35

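The log above is what a helper reads by eye: creation stamps that predate the machine, system+hidden DLLs, executables under the SYSTEM account's profile, a Run value that loads a DLL instead of a program, and a public DNS server that nobody configured. As an added example (not part of the original post and not ComboFix's own code), here is a small Python triage script that applies those checks to rows copied from this log. The row layouts come from the log itself; the trusted-DNS allowlist, the "random name in the drive root" heuristic and the `.tmp`-in-system32 rule are my assumptions.

```python
"""Triage of ComboFix-style log rows.

Added example: not part of the original post and not ComboFix code. It parses
the "Files Created" / "Find3M" rows, the Run-key values and the per-adapter
DNS lines the way a helper reads them by eye, and returns the rows that match
a handful of red flags. The row layouts are taken from the log above; the
trusted-DNS allowlist and the "random name" heuristic are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) ([-a-z]{8}) (.+)$"
)
# "name"="target" [date size]   (Reg Loading Points)
RUN_ROW = re.compile(r'^"([^"]+)"="([^"]+)"')
# TCP: {adapter GUID} = dns1,dns2,...   (Supplementary Scan)
DNS_ROW = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = ([\d.,]+)$")
# heuristic (assumption): 8+ random alphanumerics as an executable in the drive root
ROOT_DROPPER = re.compile(r"^[a-z]:\\[a-z0-9]{8,}\.(bat|exe|com|scr)$")


@dataclass
class Finding:
    line: str
    reason: str


def triage(lines, trusted_dns=frozenset()):
    """Return Findings for every row that trips at least one check."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FILE_ROW.match(line)
        if m:
            created, modified, _size, attrs, path = m.groups()
            low = path.lower()
            is_pe = low.endswith((".dll", ".exe", ".sys"))
            if created.startswith("1601-") or modified.startswith("1601-"):
                findings.append(Finding(line, "FILETIME epoch (1601) timestamp: stamp was forged or zeroed"))
            if is_pe and "s" in attrs and "h" in attrs:
                findings.append(Finding(line, "system+hidden attributes on an executable"))
            if is_pe and "\\config\\systemprofile\\" in low:
                findings.append(Finding(line, "executable planted in the SYSTEM account profile"))
            if ROOT_DROPPER.match(low):
                findings.append(Finding(line, "random-named executable in the drive root (heuristic)"))
            if low.startswith("c:\\windows\\system32\\") and low.endswith(".tmp"):
                findings.append(Finding(line, "loose .tmp file in system32"))
            continue
        m = RUN_ROW.match(line)
        if m:
            name, target = m.groups()
            if target.lower().endswith(".dll"):
                findings.append(Finding(line, f"Run value '{name}' loads a DLL rather than an .exe"))
            continue
        m = DNS_ROW.match(line)
        if m:
            for ip in m.group(1).split(","):
                try:
                    private = ipaddress.ip_address(ip).is_private
                except ValueError:
                    findings.append(Finding(line, f"unparseable DNS entry {ip!r}"))
                    continue
                if not private and ip not in trusted_dns:
                    findings.append(Finding(line, f"public DNS server {ip} not on the allowlist"))
    return findings


# Rows copied from the log above (constructed sample input for this example).
SAMPLE_LOG = [
    r"1601-01-01 00:03 . 1601-01-01 00:03 92672 --sha-w- c:\windows\system32\sahomosa.dll",
    r"2008-04-14 00:11 . 2004-08-04 08:56 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll",
    r"2009-12-24 20:46 . 2009-12-24 20:46 114 ----a-w- C:\cjtrke5hfg108.bat",
    r"2010-01-13 06:49 . 2010-01-13 06:49 9749 ----a-w- c:\windows\system32\arc0000.tmp",
    r"2010-01-13 08:09 . 2010-01-13 08:09 -------- d-----w- c:\program files\Spybot - Search & Destroy",
    r'"notepad"="c:\windows\system32\config\SYSTEM~1\ntload.dll" [2008-04-14 27136]',
    r'"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]',
    r"TCP: {45434FCB-4A5D-4005-B9B0-157B71BB63EB} = 193.104.110.38,4.2.2.1",
]

if __name__ == "__main__":
    # Treating 4.2.2.1 as a known resolver is an assumption for the demo.
    for f in triage(SAMPLE_LOG, trusted_dns={"4.2.2.1"}):
        print(f"{f.reason:60} <- {f.line}")
```

The script deliberately does not try to decide whether a flagged file is malicious; it only shortens the list a helper has to look at. Feed it the whole log and it ignores every row it cannot parse.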




#7 thcbytes (Malware Response Team, 14,790 posts)

Posted 27 January 2010 - 09:20 AM

Well done.

Yikes. That was ugly. Much better, but you're still infected.

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\lj8shpnuuewfq.exe
c:\windows\Ccikiriqur.bin
c:\windows\Kxevanonul.dat
c:\windows\system32\drivers\OLD17.tmp
c:\windows\system32\arc0012.tmp
c:\windows\system32\arc0011.tmp
c:\windows\system32\arc0010.tmp
c:\windows\system32\arc0009.tmp
c:\windows\system32\arc0008.tmp
c:\windows\system32\arc0007.tmp
c:\windows\system32\arc0006.tmp
c:\windows\system32\arc0005.tmp
c:\windows\system32\arc0004.tmp
c:\windows\system32\arc0003.tmp
c:\windows\system32\arc0002.tmp
c:\windows\system32\arc0001.tmp
c:\windows\system32\arc0000.tmp
C:\cjtrke5hfg108.bat
c:\windows\system32\config\systemprofile\ntload.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll

DDS::
TCP: {45434FCB-4A5D-4005-B9B0-157B71BB63EB} = 193.104.110.38,4.2.2.1
TCP: {BB1ACEC4-8CFB-4D3B-B5AE-7DB3EFB70390} = 193.104.110.38,4.2.2.1,192.168.1.254

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

==========

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

With your next post please provide:

* Combofix.txt
* MBAM log
* ESET log
* Still running ok?

Kind regards,
~t


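The `Registry::` section of a CFScript is REGEDIT4 syntax, so the `hex(7)` value in the script above is an ANSI REG_MULTI_SZ: the bytes `6d,73,76,31,5f,30` spell `msv1_0`, the first `00` terminates that string and the second `00` terminates the list. Added example, not from the original post: a Python encoder/decoder for that notation, so a value can be checked byte for byte before it is handed to ComboFix or saved in a `.reg` file. The `unicode` switch (for "Windows Registry Editor Version 5.00" files, which store the same layout in UTF-16LE) and the `drop_package` helper are my additions.

```python
"""REG_MULTI_SZ <-> hex(7) notation, as used in .reg files and CFScripts.

Added example, not part of the original post. A CFScript's Registry:: section
is REGEDIT4 syntax: hex(7) bytes are ANSI, each string ends with one NUL and
the list ends with one more. "Windows Registry Editor Version 5.00" files use
the same layout in UTF-16LE, which the unicode flag models. drop_package() is
my own helper showing how the value in the script above can be derived from
the two-package value ComboFix reported.
"""

NUL = "\x00"


def _codec(unicode):
    return "utf-16-le" if unicode else "latin-1"


def encode_multi_sz(strings, unicode=False):
    """Serialize a list of strings as 'hex(7):aa,bb,...'."""
    if any(NUL in s or s == "" for s in strings):
        raise ValueError("MULTI_SZ entries cannot be empty or contain NUL")
    payload = "".join(s + NUL for s in strings) + NUL   # trailing NUL closes the list
    data = payload.encode(_codec(unicode))
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(value, unicode=False):
    """Parse 'hex(7):...' (backslash-newline continuations allowed) back to a list."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value")
    body = value[len("hex(7):"):].replace("\\\n", "").replace(" ", "")
    data = bytes(int(h, 16) for h in body.split(",") if h)
    text = data.decode(_codec(unicode)).strip(NUL)
    return text.split(NUL) if text else []


def drop_package(strings, name):
    """Remove one package name (case-insensitive), keeping the order of the rest."""
    return [s for s in strings if s.lower() != name.lower()]


# Value written by the CFScript above, and the two packages ComboFix listed.
HELPER_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"
REPORTED = ["msv1_0", "nwv1_0"]

if __name__ == "__main__":
    print(decode_multi_sz(HELPER_VALUE))                       # ['msv1_0']
    print(encode_multi_sz(drop_package(REPORTED, "nwv1_0")))   # the same bytes as HELPER_VALUE
```

Encoding a value in the wrong character width is the usual mistake: a REGEDIT4 file given UTF-16LE bytes produces a list whose first entry is `m` followed by garbage, and `lsass` then fails to load the authentication package named in it.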
#8 thcbytes (Malware Response Team, 14,790 posts)

Posted 28 January 2010 - 10:04 PM

Do you still desire help?

#9 111 (Topic Starter; Members, 114 posts)

Posted 31 January 2010 - 04:02 PM

Sorry for the delay, the computer is running better...

#10 thcbytes (Malware Response Team, 14,790 posts)

Posted 31 January 2010 - 06:17 PM

Hello,

Please copy and paste all logs directly into your reply unless directed otherwise. I have done this for you. I will review the logs and post your next steps. You appear to still be infected.

ComboFix 10-01-27.03 - User 01/27/2010 17:34:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.416 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\User\Desktop\cfScript.txt
AV: eTrust ITM *On-access scanning disabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-13 08:27 . 2010-01-13 08:27 113664 ----a-w- c:\windows\system32\lj8shpnuuewfq.exe
2010-01-13 08:09 . 2010-01-13 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 08:09 . 2010-01-13 08:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 06:47 . 2010-01-13 06:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 06:47 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-13 06:41 . 2010-01-13 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 06:41 . 2010-01-13 06:41 -------- d-----w- c:\program files\Lavasoft
2010-01-13 06:08 . 2010-01-13 06:08 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2010-01-12 06:33 . 2010-01-12 06:33 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-01-12 06:01 . 2010-01-26 16:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-12 05:46 . 2010-01-25 17:22 0 ----a-w- c:\windows\Ccikiriqur.bin
2010-01-12 05:46 . 2010-01-26 04:07 120 ----a-w- c:\windows\Kxevanonul.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 18:04 . 2004-08-04 06:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-14 06:58 . 2010-01-14 06:58 96512 ----a-w- c:\windows\system32\drivers\OLD17.tmp
2010-01-13 06:51 . 2010-01-13 06:51 2363 ----a-w- c:\windows\system32\arc0012.tmp
2010-01-13 06:51 . 2010-01-13 06:51 1865 ----a-w- c:\windows\system32\arc0011.tmp
2010-01-13 06:51 . 2010-01-13 06:51 1857 ----a-w- c:\windows\system32\arc0010.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9810 ----a-w- c:\windows\system32\arc0009.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9798 ----a-w- c:\windows\system32\arc0008.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9818 ----a-w- c:\windows\system32\arc0007.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9798 ----a-w- c:\windows\system32\arc0006.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9798 ----a-w- c:\windows\system32\arc0005.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9762 ----a-w- c:\windows\system32\arc0004.tmp
2010-01-13 06:50 . 2010-01-13 06:50 9770 ----a-w- c:\windows\system32\arc0003.tmp
2010-01-13 06:49 . 2010-01-13 06:49 9770 ----a-w- c:\windows\system32\arc0002.tmp
2010-01-13 06:49 . 2010-01-13 06:49 9749 ----a-w- c:\windows\system32\arc0001.tmp
2010-01-13 06:49 . 2010-01-13 06:49 9749 ----a-w- c:\windows\system32\arc0000.tmp
2009-12-24 20:46 . 2009-12-24 20:46 114 ----a-w- C:\cjtrke5hfg108.bat
2008-04-17 18:27 . 2006-12-06 15:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-17 18:27 . 2006-12-06 15:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-17 18:27 . 2006-12-06 15:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-17 18:27 . 2006-12-06 15:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-17 18:27 . 2006-12-06 15:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:03 . 1601-01-01 00:03 92672 --sha-w- c:\windows\system32\sahomosa.dll
2008-04-14 00:11 . 2004-08-04 08:56 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2008-04-14 00:11 . 2004-08-04 08:56 27136 --sha-w- c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-27_01.45.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-28 01:35 . 2010-01-28 01:35 16384 c:\windows\Temp\Perflib_Perfdata_c10.dat
- 2010-01-27 01:45 . 2010-01-27 01:45 53248 c:\windows\Temp\catchme.dll
+ 2010-01-28 01:38 . 2010-01-28 01:38 53248 c:\windows\Temp\catchme.dll
+ 2005-03-11 16:28 . 2010-01-27 10:25 65068 c:\windows\system32\perfc009.dat
- 2005-03-11 16:28 . 2010-01-27 01:21 65068 c:\windows\system32\perfc009.dat
+ 2005-03-11 16:28 . 2010-01-27 10:25 408392 c:\windows\system32\perfh009.dat
- 2005-03-11 16:28 . 2010-01-27 01:21 408392 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"NWTRAY"="NWTRAY.EXE" [2007-12-20 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2007-12-24 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Back"= 1 (0x1)
"Btn_Forward"= 1 (0x1)
"Btn_Stop"= 1 (0x1)
"Btn_Refresh"= 1 (0x1)
"Btn_Home"= 1 (0x1)
"Btn_Search"= 2 (0x2)
"Btn_Favorites"= 2 (0x2)
"Btn_History"= 2 (0x2)
"Btn_Media"= 2 (0x2)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Print"= 1 (0x1)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 2 (0x2)
"Btn_Paste"= 2 (0x2)
"Btn_Encoding"= 2 (0x2)
"NoThumbnailCache"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-03 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-12-24 17:51 24576 ----a-r- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPrint Event Monitor]
2006-10-18 22:14 45056 ----a-w- c:\windows\system32\iprntlgn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]
2007-12-20 19:55 28672 ----a-w- c:\windows\system32\nwtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-20 19:45 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
2007-01-17 04:27 407632 ----a-w- c:\program files\CA\eTrustITM\Realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-20 19:45 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZENRC Tray Icon]
2005-05-19 00:04 40960 ----a-w- c:\windows\system32\zentray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [4/21/2009 8:26 AM 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 1:47 PM 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 9:59 AM 167936]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [4/21/2009 8:39 AM 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [4/21/2009 8:39 AM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [12/24/2007 9:51 AM 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 1:11 PM 2773]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/30/2008 9:18 AM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/30/2008 9:13 AM 35968]
S2 AutoExNT;AutoExNT;c:\windows\system32\autoexnt.exe [6/6/2005 8:05 AM 7168]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1181328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll

- - - - - - - > 'Explorer.exe'(1748)
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-27 17:39:38
ComboFix-quarantined-files.txt 2010-01-28 01:39

Pre-Run: 71,261,696,000 bytes free
Post-Run: 71,254,265,856 bytes free

- - End Of File - - 559094D449133B0E893B5092CC4649A2

==========

Malwarebytes' Anti-Malware 1.44
Database version: 3669
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/31/2010 12:19:59 PM
mbam-log-2010-01-31 (12-19-59).txt

Scan type: Quick Scan
Objects scanned: 118430
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010 (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sahomosa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FastNetSrv.exex (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\SystemProfile\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\Systemprofile\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\Activate Desktop Defender 2010.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\Desktop Defender 2010.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\Help.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010\How to Activate Desktop Defender 2010.lnk (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Desktop Defender 2010.LNK (Rogue.DesktopDefender2010) -> Quarantined and deleted successfully.

==========

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwu.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\haypsixd.exe.vir a variant of Win32/PSW.WOW.NOW trojan
C:\Qoobox\Quarantine\C\oqnqso.exe.vir a variant of Win32/Cimag.BK trojan
C:\Qoobox\Quarantine\C\uwlwfa.exe.vir a variant of Win32/Kryptik.BIM trojan
C:\Qoobox\Quarantine\C\WINDOWS\jentas40.dll.vir a variant of Win32/Cimag.BK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4ex.dll.vir a variant of Win32/Routmo.N trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\FastNetSrv.exe.vir a variant of Win32/Refpron.EA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\j8shpnvvewwa.exe.vir Win32/Adware.DesktopDefender2010 application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsm32.sys.vir a variant of Win32/TrojanClicker.VB.NMN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.dll.vir Win32/Opachki.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\opeia.exe.vir Win32/Delf.OYV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsts.sys.vir Win32/Agent.QMG trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.RF virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ogewa.sys.vir a variant of Win32/Rootkit.Kryptik.AF trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ogewa_.sys.zip a variant of Win32/Rootkit.Kryptik.AF trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000060.exe a variant of Win32/PSW.WOW.NOW trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000061.exe a variant of Win32/Cimag.BK trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000062.exe a variant of Win32/Kryptik.BIM trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000063.dll a variant of Win32/Cimag.BK trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000065.dll a variant of Win32/Routmo.N trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000068.exe a variant of Win32/Refpron.EA trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000071.exe Win32/Adware.DesktopDefender2010 application
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000074.sys a variant of Win32/TrojanClicker.VB.NMN trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000076.dll Win32/Opachki.A trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000077.exe Win32/Delf.OYV trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000080.sys Win32/Agent.QMG trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000089.sys a variant of Win32/Rootkit.Kryptik.AF trojan
C:\WINDOWS\system32\lj8shpnuuewfq.exe a variant of Win32/Kryptik.BMW trojan
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTYFCH2F\so[1].bin Win32/Refpron.DM trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\d[1].bin a variant of Win32/TrojanClicker.VB.NMG trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\ms[1].bin a variant of Win32/Refpron.EK trojan
C:\WINDOWS\system32\drivers\OLD17.tmp Win32/Olmarik.RF virus

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 thcbytes


  • Malware Response Team
  • 14,790 posts

Posted 31 January 2010 - 08:56 PM

That last run of Combofix did not work very well. If CF asks to update please allow it to do so.

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\lj8shpnuuewfq.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\Ccikiriqur.bin
c:\windows\Kxevanonul.dat
c:\windows\system32\drivers\OLD17.tmp
c:\windows\system32\arc0012.tmp
c:\windows\system32\arc0011.tmp
c:\windows\system32\arc0010.tmp
c:\windows\system32\arc0009.tmp
c:\windows\system32\arc0008.tmp
c:\windows\system32\arc0007.tmp
c:\windows\system32\arc0006.tmp
c:\windows\system32\arc0005.tmp
c:\windows\system32\arc0004.tmp
c:\windows\system32\arc0003.tmp
c:\windows\system32\arc0002.tmp
c:\windows\system32\arc0001.tmp
c:\windows\system32\arc0000.tmp
C:\cjtrke5hfg108.bat
c:\windows\system32\sahomosa.dll
c:\windows\system32\config\systemprofile\ntload.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=-
"SpecifyDefaultButtons"=-
"Btn_Back"=-
"Btn_Forward"=-
"Btn_Stop"=-
"Btn_Refresh"=-
"Btn_Home"=-
"Btn_Search"=-
"Btn_Favorites"=-
"Btn_History"=-
"Btn_Media"=-
"Btn_Folders"=-
"Btn_Fullscreen"=-
"Btn_Tools"=-
"Btn_MailNews"=-
"Btn_Size"=-
"Btn_Print"=-
"Btn_Edit"=-
"Btn_Discussions"=-
"Btn_Cut"=-
"Btn_Copy"=-
"Btn_Paste"=-
"Btn_Encoding"=-
"NoThumbnailCache"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Open MBAM again, press the update tab then run it again.

==========

Run ESET online again

==========

With your next post please provide:

* Combofix.txt
* MBAM
* ESET
* How is it running?

Kind regards,
~t




#12 111

  • Topic Starter

  • Members
  • 114 posts

Posted 01 February 2010 - 12:47 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3669
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/1/2010 9:20:48 AM
mbam-log-2010-02-01 (09-20-48).txt

Scan type: Quick Scan
Objects scanned: 117453
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 10-01-31.06 - User 02/01/2010 9:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.495 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: eTrust ITM *On-access scanning disabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}

FILE ::
"C:\cjtrke5hfg108.bat"
"c:\documents and settings\All Users\Application Data\TEMP"
"c:\windows\Ccikiriqur.bin"
"c:\windows\Kxevanonul.dat"
"c:\windows\system32\arc0000.tmp"
"c:\windows\system32\arc0001.tmp"
"c:\windows\system32\arc0002.tmp"
"c:\windows\system32\arc0003.tmp"
"c:\windows\system32\arc0004.tmp"
"c:\windows\system32\arc0005.tmp"
"c:\windows\system32\arc0006.tmp"
"c:\windows\system32\arc0007.tmp"
"c:\windows\system32\arc0008.tmp"
"c:\windows\system32\arc0009.tmp"
"c:\windows\system32\arc0010.tmp"
"c:\windows\system32\arc0011.tmp"
"c:\windows\system32\arc0012.tmp"
"c:\windows\system32\config\systemprofile\ntload.dll"
"c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll"
"c:\windows\system32\drivers\OLD17.tmp"
"c:\windows\system32\lj8shpnuuewfq.exe"
"c:\windows\system32\sahomosa.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cjtrke5hfg108.bat
c:\windows\Ccikiriqur.bin
c:\windows\Kxevanonul.dat
c:\windows\system32\arc0000.tmp
c:\windows\system32\arc0001.tmp
c:\windows\system32\arc0002.tmp
c:\windows\system32\arc0003.tmp
c:\windows\system32\arc0004.tmp
c:\windows\system32\arc0005.tmp
c:\windows\system32\arc0006.tmp
c:\windows\system32\arc0007.tmp
c:\windows\system32\arc0008.tmp
c:\windows\system32\arc0009.tmp
c:\windows\system32\arc0010.tmp
c:\windows\system32\arc0011.tmp
c:\windows\system32\arc0012.tmp
c:\windows\system32\drivers\OLD17.tmp
c:\windows\system32\lj8shpnuuewfq.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.

2010-01-31 22:25 . 2010-01-31 22:25 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple Computer
2010-01-31 20:27 . 2010-01-31 20:27 -------- d-----w- c:\program files\ESET
2010-01-31 20:14 . 2010-01-31 20:14 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-01-31 20:14 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 20:14 . 2010-01-31 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 20:14 . 2010-01-31 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 20:14 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 04:27 . 2010-01-31 04:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-13 08:09 . 2010-01-13 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 08:09 . 2010-01-13 08:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-13 06:47 . 2010-01-13 06:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-13 06:47 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-13 06:41 . 2010-01-13 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 06:41 . 2010-01-13 06:41 -------- d-----w- c:\program files\Lavasoft
2010-01-13 06:08 . 2010-01-13 06:08 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2010-01-12 06:33 . 2010-01-12 06:33 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-01-12 06:01 . 2010-01-26 16:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 18:04 . 2004-08-04 06:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2008-04-17 18:27 . 2006-12-06 15:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-17 18:27 . 2006-12-06 15:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-17 18:27 . 2006-12-06 15:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-17 18:27 . 2006-12-06 15:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-17 18:27 . 2006-12-06 15:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-27_01.45.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-01 17:11 . 2010-02-01 17:11 16384 c:\windows\Temp\Perflib_Perfdata_9b0.dat
- 2010-01-27 01:45 . 2010-01-27 01:45 53248 c:\windows\Temp\catchme.dll
+ 2010-02-01 17:14 . 2010-02-01 17:14 53248 c:\windows\Temp\catchme.dll
+ 2005-03-11 16:28 . 2010-02-01 17:09 65068 c:\windows\system32\perfc009.dat
- 2005-03-11 16:28 . 2010-01-27 01:21 65068 c:\windows\system32\perfc009.dat
+ 2008-05-08 16:50 . 2010-01-31 06:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-08 16:50 . 2010-01-26 16:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-31 06:49 . 2010-01-31 06:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-31 04:26 . 2010-01-31 04:26 49664 c:\windows\Installer\4c3fc.msi
+ 2005-03-11 16:28 . 2010-02-01 17:09 408392 c:\windows\system32\perfh009.dat
- 2005-03-11 16:28 . 2010-01-27 01:21 408392 c:\windows\system32\perfh009.dat
- 2008-05-08 16:50 . 2010-01-26 18:46 868352 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-08 16:50 . 2010-01-31 06:49 868352 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-31 04:26 . 2010-01-31 04:26 15710720 c:\windows\Installer\4c402.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"NWTRAY"="NWTRAY.EXE" [2007-12-20 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2007-12-24 35840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-03 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-12-24 17:51 24576 ----a-r- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPrint Event Monitor]
2006-10-18 22:14 45056 ----a-w- c:\windows\system32\iprntlgn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]
2007-12-20 19:55 28672 ----a-w- c:\windows\system32\nwtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-20 19:45 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
2007-01-17 04:27 407632 ----a-w- c:\program files\CA\eTrustITM\Realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-20 19:45 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZENRC Tray Icon]
2005-05-19 00:04 40960 ----a-w- c:\windows\system32\zentray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [4/21/2009 8:26 AM 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 1:47 PM 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 9:59 AM 167936]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [4/21/2009 8:39 AM 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [4/21/2009 8:39 AM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [12/24/2007 9:51 AM 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 1:11 PM 2773]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/30/2008 9:18 AM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/30/2008 9:13 AM 35968]
S2 AutoExNT;AutoExNT;c:\windows\system32\autoexnt.exe [6/6/2005 8:05 AM 7168]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 5:19 AM 1181328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]

2010-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:49]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 09:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
.
Completion time: 2010-02-01 09:16:19
ComboFix-quarantined-files.txt 2010-02-01 17:16
ComboFix2.txt 2010-01-28 01:39

Pre-Run: 71,105,490,944 bytes free
Post-Run: 71,075,209,216 bytes free

- - End Of File - - EFF68A63AB0FF287CA4CFB50754EBFEF

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwu.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\haypsixd.exe.vir a variant of Win32/PSW.WOW.NOW trojan
C:\Qoobox\Quarantine\C\oqnqso.exe.vir a variant of Win32/Cimag.BK trojan
C:\Qoobox\Quarantine\C\uwlwfa.exe.vir a variant of Win32/Kryptik.BIM trojan
C:\Qoobox\Quarantine\C\WINDOWS\jentas40.dll.vir a variant of Win32/Cimag.BK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4ex.dll.vir a variant of Win32/Routmo.N trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\FastNetSrv.exe.vir a variant of Win32/Refpron.EA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\j8shpnvvewwa.exe.vir Win32/Adware.DesktopDefender2010 application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lj8shpnuuewfq.exe.vir a variant of Win32/Kryptik.BMW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsm32.sys.vir a variant of Win32/TrojanClicker.VB.NMN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.dll.vir Win32/Opachki.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\opeia.exe.vir Win32/Delf.OYV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsts.sys.vir Win32/Agent.QMG trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.RF virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ogewa.sys.vir a variant of Win32/Rootkit.Kryptik.AF trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\OLD17.tmp.vir Win32/Olmarik.RF virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ogewa_.sys.zip a variant of Win32/Rootkit.Kryptik.AF trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000060.exe a variant of Win32/PSW.WOW.NOW trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000061.exe a variant of Win32/Cimag.BK trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000062.exe a variant of Win32/Kryptik.BIM trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000063.dll a variant of Win32/Cimag.BK trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000065.dll a variant of Win32/Routmo.N trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000068.exe a variant of Win32/Refpron.EA trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000071.exe Win32/Adware.DesktopDefender2010 application
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000074.sys a variant of Win32/TrojanClicker.VB.NMN trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000076.dll Win32/Opachki.A trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000077.exe Win32/Delf.OYV trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000080.sys Win32/Agent.QMG trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000089.sys a variant of Win32/Rootkit.Kryptik.AF trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP3\A0001610.exe a variant of Win32/Kryptik.BMW trojan
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTYFCH2F\so[1].bin Win32/Refpron.DM trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\d[1].bin a variant of Win32/TrojanClicker.VB.NMG trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\ms[1].bin a variant of Win32/Refpron.EK trojan


#13 thcbytes


  • Malware Response Team
  • 14,790 posts

Posted 01 February 2010 - 01:16 PM

Much better.
Well done.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

We need to create an OTL Quick Scan
  1. Double click on the icon on your desktop.
  2. Click the "Scan All Users" checkbox.
  3. Push the button.
  4. A report will open, copy and paste it in a reply here

==========

Please re-run ESET one last time please.

==========

With your next post please provide:

* OTL log
* ESET log
* How is your computer running? Any further problems?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#14 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 PM

Posted 02 February 2010 - 02:29 PM

I couldn't find OTL Quick Scan, not sure where to download it from........computer is running better..........

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwu.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\haypsixd.exe.vir a variant of Win32/PSW.WOW.NOW trojan
C:\Qoobox\Quarantine\C\oqnqso.exe.vir a variant of Win32/Cimag.BK trojan
C:\Qoobox\Quarantine\C\WINDOWS\jentas40.dll.vir a variant of Win32/Cimag.BK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4ex.dll.vir a variant of Win32/Routmo.N trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\FastNetSrv.exe.vir a variant of Win32/Refpron.EA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\j8shpnvvewwa.exe.vir Win32/Adware.DesktopDefender2010 application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lj8shpnuuewfq.exe.vir a variant of Win32/Kryptik.BMW trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsm32.sys.vir a variant of Win32/TrojanClicker.VB.NMN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.dll.vir Win32/Opachki.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\opeia.exe.vir Win32/Delf.OYV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsts.sys.vir Win32/Agent.QMG trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000060.exe a variant of Win32/PSW.WOW.NOW trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000061.exe a variant of Win32/Cimag.BK trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000063.dll a variant of Win32/Cimag.BK trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000065.dll a variant of Win32/Routmo.N trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000068.exe a variant of Win32/Refpron.EA trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000071.exe Win32/Adware.DesktopDefender2010 application
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000074.sys a variant of Win32/TrojanClicker.VB.NMN trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000076.dll Win32/Opachki.A trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000077.exe Win32/Delf.OYV trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000080.sys Win32/Agent.QMG trojan
C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP3\A0001610.exe a variant of Win32/Kryptik.BMW trojan
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTYFCH2F\so[1].bin Win32/Refpron.DM trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\d[1].bin a variant of Win32/TrojanClicker.VB.NMG trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\ms[1].bin a variant of Win32/Refpron.EK trojan


#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 02 February 2010 - 04:42 PM

Sorry.
It helps if I give you the link.

That ESET log is identical to the 1st. Did you accidentally post the same log or are you not allowing ESET to clean the infection?

I will do it manually.

==========

Do this.....

Open Notepad.
Copy contents in the code box into Notepad:

CODE
@ECHO OFF
REM Clear any log from a previous run so the report only shows this run
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentwu.zip"
"C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTYFCH2F\so[1].bin"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\d[1].bin"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YRIJYPO9\ms[1].bin") DO (
IF EXIST %%g (
REM Strip read-only, system and hidden attributes so DEL is allowed to remove the file
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt
EXIT


Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.

Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.

==========

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

With your next post please provide:

* Answer to question
* Log.txt
* OTL.txt
* Extra.txt

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
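Added example, not code from this thread or from any of the tools it mentions: a small Python triage of ESET log lines in the format 111 pasted above. It sorts hits by where they live (ComboFix quarantine, System Restore points, or still live on disk, which is how the five paths in del.bat were picked), builds the quoted FOR-list entries with stray whitespace trimmed so that IF EXIST actually matches, and checks whether two pasted logs are identical. The sample log lines are constructed from entries on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ESET log posted above (paths taken from this thread).
SAMPLE_LOG = "\n".join([
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.dll.vir Win32/Opachki.A trojan",
    r"C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP1\A0000080.sys Win32/Agent.QMG trojan",
    r"C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus",
    r"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTYFCH2F\so[1].bin Win32/Refpron.DM trojan",
    r"C:\System Volume Information\_restore{149FA417-1670-45D1-A885-4DC7AFC53A83}\RP3\A0001610.exe a variant of Win32/Kryptik.BMW trojan",
])

# A log line is "<path, may contain spaces> <detection> <kind>"; the detection may be
# prefixed with "a variant of". The lazy path group stops at the first Platform/Family token.
ESET_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>(?:a variant of\s+)?[A-Za-z0-9]+/\S+)\s+(?P<kind>\w+)$"
)

def parse_eset_log(text):
    """Return (path, detection, kind) for every line that parses; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            entries.append((m["path"], m["detection"], m["kind"]))
    return entries

def classify(path):
    """Where a hit lives decides the remediation step, as thcbytes did by hand."""
    lower = path.lower()
    if "\\qoobox\\quarantine\\" in lower:
        return "quarantined"       # already neutralised by ComboFix
    if "\\system volume information\\_restore" in lower:
        return "restore_point"     # goes away when System Restore is flushed
    return "live"                  # still on disk: needs manual deletion

def triage(text):
    groups = defaultdict(list)
    for path, _detection, _kind in parse_eset_log(text):
        groups[classify(path)].append(path)
    return dict(groups)

def batch_file_list(paths):
    """Quoted FOR-list entries; whitespace inside the quotes would make IF EXIST miss the file."""
    return ['"%s"' % p.strip() for p in paths]

def logs_identical(first, second):
    return set(parse_eset_log(first)) == set(parse_eset_log(second))
```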



