notepad.dll Trojan/ntload.dll is not a valid Windows image


  • This topic is locked
17 replies to this topic

#1 chris714

  • Members
  • 25 posts

Posted 13 February 2010 - 12:15 AM

I noticed my computer began to slow down a few days ago, so I did a virus scan. When it was done, I deleted all of the infected files except for one because my program (Trend Micro) said it could not delete it. Or quarantine it for that matter. It identified the file as notepad.dll and told me it was a trojan.

I searched for the file to manually delete it to no avail. I couldn't find it in its specified location, so I turned my computer off.

The next day when I turned it back on (and every time since then), two boxes have popped up:

Box 1
The application or DLL C:\DOCUME~1\CHRISC~1\ntload.dll is not a valid Windows image. Please check this against your installation diskette.

Box 2
Error loading C:\DOCUME~1\CHRISC~1\ntload.dll
%1 is not a valid Win32 application.

I searched for answers to these problems, which led me to this forum.

I ran all of the things asked of me and I will post the first DDS, and attach the other 2 logs (attach and ark) as requested.

I would like to note that it seems the longer my computer remains on, the slower it gets.

Also, after I ran all of the scripts (or whatever they are called), my computer flipped on me and went to a blue screen with the following message:
STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005 (0x10001b6b 0x0053e15c).
The system has been shut down.

Needless to say, I had to turn off my computer and reboot.

Thank you for all of your help!

DDS.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by Chris Cowan at 20:53:25.60 on Fri 02/12/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.175 [GMT -6:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\DOCUME~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Chris Cowan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hewlett-packard\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [notepad] rundll32.exe c:\docume~1\chrisc~1\ntload.dll,_IWMPEvents@0
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] "c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe" /r
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Compress Image Using Image Compressor 2008 - c:\program files\masrizal\imc2008\imcieex_compress.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hewlett-packard\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hewlett-packard\smart web printing\hpswp_extensions.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20c38e05cea85538f005/netzip/RdxIE601.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187851528531
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} - hxxps://oca.microsoft.com/en/secure/ocarpt.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-15 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-11-9 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-11-16 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-11-9 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-28 24652]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-28 822424]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-11-9 280392]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S1 ftdiskk;ftdiskk;c:\windows\system32\drivers\ftdiskk.sys --> c:\windows\system32\drivers\ftdiskk.sys [?]
S2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" --> c:\program files\lavasoft\ad-aware 2007\aawservice.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-1-13 16512]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2008-10-30 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [2008-10-30 3768]

=============== Created Last 30 ================

2010-02-13 02:49:27 0 ----a-w- c:\documents and settings\chris cowan\defogger_reenable
2010-02-09 03:32:06 0 d-----w- c:\program files\Advanced JPEG Compressor
2010-02-09 03:21:52 0 d-----w- c:\documents and settings\all users\CrypKey
2010-02-09 03:20:54 0 d-----w- c:\docume~1\chrisc~1\applic~1\iBlubox Ltd

==================== Find3M ====================

2010-02-12 20:36:30 26816 ----a-w- c:\windows\Sysvxd.exe
2010-02-09 02:56:15 1024 ----a-w- c:\docume~1\alluse~1\applic~1\imgdoc2.dll
2010-01-13 02:06:44 137675 -c--a-w- c:\windows\HPHins15.dat
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-19 23:00:01 44716 ----a-w- c:\windows\system32\drivers\svchost.exe
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2007-02-19 23:50:51 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53:54 99840 -c--a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 -c--a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 -c--a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 -c--a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 -c--a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 -c--a-w- c:\program files\common files\IRASRIAL.DLL
2008-04-28 05:34:52 88 --sh--r- c:\windows\system32\E1C6C0540C.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-04-28 05:34:57 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2009-03-21 14:06:58 27136 --sha-w- c:\windows\system32\notepad.dll
2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-05-21 15:47:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052120090522\index.dat
2009-05-22 16:01:13 415776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-22 16:01:13 27936 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 20:54:19.26 ===============

Attached Files
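A defender's triage of the DDS log above, as an added example that is not part of this thread and not a DDS or ComboFix feature: a Python script that reads the Running Processes and Pseudo HJT Report sections and flags the patterns visible in chris714's log. Those are a binary carrying a core system name (svchost.exe) running from system32\drivers rather than system32, rundll32 autorun entries that load a DLL from the user profile (ntload.dll, the entry that re-runs at every logon and so keeps producing the two error boxes after the file was damaged) or a DLL named after a Windows program (notepad.dll), the same [notepad] value present under both the HKCU and HKLM Run keys, and a browser proxy setting that points at a local port. The sample lines are copied from the posted log; the allow-list of system binary directories, the list of program names and the user-profile markers are constructed assumptions for this example.

```python
"""Triage of DDS-style log lines for autorun and masquerading indicators.

Added example, not part of the thread and not a DDS/ComboFix feature: a small
parser over the "Running Processes" and "Pseudo HJT Report" sections that
flags the patterns visible in the posted log.
"""
import re
from collections import defaultdict

# Lines copied from the DDS log posted in the thread (a constructed subset).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\WINDOWS\system32\notepad.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=localhost:7171
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [notepad] rundll32.exe c:\docume~1\chrisc~1\ntload.dll,_IWMPEvents@0
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
"""

# Where Windows XP keeps these binaries; a copy anywhere else is suspect.
# Constructed allow-list for the example (lowercase paths).
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Windows program names that a DLL should not be borrowing (notepad.dll here).
SYSTEM_PROGRAM_STEMS = {"notepad", "scandisk", "svchost", "explorer", "winlogon"}
# Path fragments that mean "inside a user profile or temp directory" (assumed).
USER_PROFILE_MARKERS = ("docume~1", "documents and settings", "\\users\\", "\\temp\\")

RUN_RE = re.compile(r"^([um])Run:\s*\[([^\]]+)\]\s*(.*)$", re.IGNORECASE)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)
IMAGE_RE = re.compile(r'^"?([a-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.IGNORECASE)


def check_image_path(path):
    """Return a finding if a core system binary runs from an unexpected directory."""
    parent, _, name = path.lower().rpartition("\\")
    allowed = SYSTEM_BINARY_DIRS.get(name)
    if allowed and parent not in allowed:
        return "system binary name outside its home directory"
    return None


def check_rundll_target(dll_path):
    """Return findings for a DLL handed to rundll32 by an autorun entry."""
    low = dll_path.lower()
    findings = []
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        findings.append("rundll32 loads a DLL from a user profile or temp path")
    stem = low.rpartition("\\")[2].rsplit(".", 1)[0]
    if stem in SYSTEM_PROGRAM_STEMS:
        findings.append("rundll32 DLL named after a Windows program")
    return findings


def triage(log_text):
    """Scan a DDS-style log; return (rule, offending line) pairs in log order."""
    findings = []
    run_targets = defaultdict(dict)  # value name -> {hive letter: target}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = PROXY_RE.search(line)
        if m and ("localhost" in m.group(1).lower() or "127.0.0.1" in m.group(1)):
            findings.append(("browser proxy points at a local port; verify the listener", line))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.group(1).lower(), m.group(2).lower(), m.group(3)
            run_targets[name][hive] = target.lower()
            dm = RUNDLL_RE.match(target)
            if dm:
                for rule in check_rundll_target(dm.group(1)):
                    findings.append((rule, line))
            else:
                im = IMAGE_RE.match(target)
                rule = check_image_path(im.group(1)) if im else None
                if rule:
                    findings.append((rule, line))
            continue
        im = IMAGE_RE.match(line)  # a Running Processes line
        if im:
            rule = check_image_path(im.group(1))
            if rule:
                findings.append((rule, line))
    # The same value name under both HKCU (uRun) and HKLM (mRun) with different
    # targets is worth a second look: see the two [notepad] entries in the log.
    for name, by_hive in run_targets.items():
        if len(by_hive) == 2 and len(set(by_hive.values())) == 2:
            findings.append(("same Run value name in HKCU and HKLM, different targets", name))
    return findings


if __name__ == "__main__":
    for rule, where in triage(SAMPLE_LOG):
        print(f"{rule}: {where}")
```

Running the script prints one line per finding (six for the sample). The rules return their findings rather than only printing them, so the same checks can be run over a complete log, and a hit is a prompt to look at the file, not a verdict: the proxy rule in particular only says that something on the machine is listening locally, and which process that is has to be confirmed before anything is removed.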




#2 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 13 February 2010 - 03:18 PM

Hi chris714
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

I'm looking over your logs now.

maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, But I do accept donations.
Donate Here


#3 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 13 February 2010 - 08:27 PM

Hi chris714
Please do the following in the order given.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
    • c:\windows\system32\Smab0.dll
  • Click on the submit button
  • Please post the results in your next reply.
Now this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Please post the Jotti results and the Combofix log.

Thanks
maranatha


#4 chris714

  • Topic Starter
  • Members
  • 25 posts

Posted 14 February 2010 - 12:38 AM

Jotti results

Filename: Smab0.dll
Status: Scan finished. 0 out of 21 scanners reported malware.


ComboFix log

ComboFix 10-02-12.01 - Chris Cowan 02/13/2010 20:11:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.313 [GMT -6:00]
Running from: c:\documents and settings\Chris Cowan\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CHRISC~1\LOCALS~1\Temp\clclean.0001.dir.0003\~df394b.tmp
c:\documents and settings\All Users\Application Data\92205616.ini
c:\documents and settings\Chris Cowan\Local Settings\Temp\clclean.0001.dir.0003\~df394b.tmp
c:\documents and settings\Chris Cowan\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\config.ini
c:\program files\Dealio Toolbar\DealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\separator.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettingsKit.exe
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
C:\Thumbs.db
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\790151
c:\windows\system32\Data
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\logs
c:\windows\system32\notepad.dll
c:\windows\system32\reboot.txt
c:\windows\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-09 03:32 . 2010-02-09 03:53 -------- d-----w- c:\program files\Advanced JPEG Compressor
2010-02-09 03:21 . 2010-02-09 03:21 4 ----a-w- c:\windows\vx86036.dat
2010-02-09 03:21 . 2010-02-09 03:21 -------- d-----w- c:\documents and settings\All Users\CrypKey
2010-02-09 03:21 . 2008-08-22 20:14 21638 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-09 03:21 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-09 03:21 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-09 03:21 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-09 03:21 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-09 03:21 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-09 03:20 . 2010-02-09 03:23 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\iBlubox Ltd
2010-01-24 23:35 . 2010-01-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 23:57 . 2008-04-18 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-12 05:42 . 2007-02-20 23:38 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\dvdcss
2010-02-09 21:03 . 2009-11-16 04:42 79488 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-01-25 00:16 . 2006-09-11 23:35 -------- d-----w- c:\program files\Dl_cats
2010-01-17 06:31 . 2009-03-18 18:09 -------- d-----w- c:\program files\Bonjour
2010-01-17 05:18 . 2006-08-28 16:19 -------- d-----w- c:\program files\Common Files\AOL
2010-01-13 02:06 . 2008-01-21 06:23 137675 -c--a-w- c:\windows\HPHins15.dat
2010-01-07 03:44 . 2010-01-07 03:44 -------- d-----w- c:\program files\OLYMPUS
2010-01-05 10:00 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-05-05 04:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 08:12 . 2009-04-01 03:57 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\LimeWire
2009-12-24 05:20 . 2009-10-09 00:13 -------- d-----w- c:\program files\Free FLV Converter
2009-12-24 05:20 . 2009-04-02 21:27 -------- d-----w- c:\program files\Musicnotes
2009-12-24 03:29 . 2009-12-20 06:44 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\Move Networks
2009-12-20 06:44 . 2009-12-20 06:44 127325 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\uninstall.exe
2009-12-20 06:44 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-26 22:49 . 2009-11-26 22:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-19 23:50 . 2007-02-19 23:51 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-04-28 05:34 . 2006-09-08 05:50 88 --sh--r- c:\windows\system32\E1C6C0540C.sys
2006-05-03 09:06 . 2008-04-21 22:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-04-28 05:34 . 2006-09-08 05:50 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-04-21 22:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-21 22:50 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-05-22 16:01 . 2009-05-22 14:15 415776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-22 16:01 . 2009-05-22 14:15 27936 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-28 169984]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\Chris Cowan\Start Menu\Programs\Startup\
scandisk.dll [2009-3-21 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-21 07:40 430080 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-04-08 18:45 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-12-07 21:05 1537696 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-08 09:10 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2008 10:04 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S1 ftdiskk;ftdiskk;c:\windows\system32\drivers\ftdiskk.sys --> c:\windows\system32\drivers\ftdiskk.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [1/13/2007 12:37 PM 16512]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [10/30/2008 4:12 PM 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [10/30/2008 4:12 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 01:03]

2009-12-01 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard76002003-04-08 18:45Y34T114ZM7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: &Compress Image Using Image Compressor 2008 - c:\program files\MasRizal\IMC2008\imcieex_compress.html
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20c38e05cea85538f005/netzip/RdxIE601.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Search Settings\kb128\SearchSettings.dll
BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
BHO-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Search Settings\kb128\SearchSettings.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKLM-Run-notepad - c:\windows\system32\notepad.dll
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
AddRemove-12133444-BF36-4d4e-B7FB-A3424C645DE4 - c:\program files\GemMaster\uninstallgemmaster.exe
AddRemove-openStages - c:\program files\OpenStages\openStages\DeIsL1.isu
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{45B6180B-DCAB-4093-8EE8-6164457517F0} - c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 20:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"mamcpmjaocefloonbgnjmffioe"=hex:6a,61,63,65,64,63,66,6b,6e,68,67,6c,6a,70,6f,
68,66,6e,6a,6c,00,18
"lamcpmjaocoebjgmndehlohc"=hex:69,61,61,67,6a,63,64,69,6a,6c,6d,6e,6d,67,62,6a,
6f,6b,00,80

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-13 20:37:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 02:37
ComboFix2.txt 2009-05-22 14:53

Pre-Run: 4,624,097,280 bytes free
Post-Run: 4,746,346,496 bytes free

- - End Of File - - FCAE8586860D84AD036ACDF342ED8243



I noticed that my computer is running faster now after I ran ComboFix. I'm not saying it's fixed or anything; I have no clue...

#5 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:31 AM

Posted 14 February 2010 - 02:30 AM

Hi
OK that's good.

While I am going over the combofix log here is something you need to look at.

I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares and their infections. See here and here.

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them.

I'll be back asap.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:31 AM

Posted 14 February 2010 - 01:16 PM

Hi
Please do the following.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
    • c:\windows\system32\E1C6C0540C.sys
  • Click on the submit button
  • Please post the results in your next reply.

Now this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::

RegNul::
[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]


Please post the ComboFix log and the Jotti results.

Thanks
maranatha



#7 chris714

chris714
  • Topic Starter

  • Members
  • 25 posts
  • Local time:08:31 AM

Posted 15 February 2010 - 01:28 AM

I noticed when ComboFix restarted my computer that the "Bad Image" boxes did not pop up, just to let you know.

Jotti results

Filename: E1C6C0540C.sys
Status: Scan finished. 0 out of 20 scanners reported malware.



ComboFix log

ComboFix 10-02-12.01 - Chris Cowan 02/15/2010 0:03.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.281 [GMT -6:00]
Running from: c:\documents and settings\Chris Cowan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Cowan\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris Cowan\Start Menu\Programs\Startup\scandisk.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-09 03:32 . 2010-02-09 03:53 -------- d-----w- c:\program files\Advanced JPEG Compressor
2010-02-09 03:21 . 2010-02-09 03:21 4 ----a-w- c:\windows\vx86036.dat
2010-02-09 03:21 . 2010-02-09 03:21 -------- d-----w- c:\documents and settings\All Users\CrypKey
2010-02-09 03:21 . 2008-08-22 20:14 21638 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-09 03:21 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-09 03:21 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-09 03:21 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-09 03:21 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-09 03:21 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-09 03:20 . 2010-02-09 03:23 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\iBlubox Ltd
2010-01-24 23:35 . 2010-01-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 04:45 . 2008-04-18 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-12 05:42 . 2007-02-20 23:38 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\dvdcss
2010-02-09 21:03 . 2009-11-16 04:42 79488 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-01-25 00:16 . 2006-09-11 23:35 -------- d-----w- c:\program files\Dl_cats
2010-01-17 06:31 . 2009-03-18 18:09 -------- d-----w- c:\program files\Bonjour
2010-01-17 05:18 . 2006-08-28 16:19 -------- d-----w- c:\program files\Common Files\AOL
2010-01-13 02:06 . 2008-01-21 06:23 137675 -c--a-w- c:\windows\HPHins15.dat
2010-01-07 03:44 . 2010-01-07 03:44 -------- d-----w- c:\program files\OLYMPUS
2010-01-05 10:00 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-05-05 04:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 08:12 . 2009-04-01 03:57 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\LimeWire
2009-12-24 05:20 . 2009-10-09 00:13 -------- d-----w- c:\program files\Free FLV Converter
2009-12-24 05:20 . 2009-04-02 21:27 -------- d-----w- c:\program files\Musicnotes
2009-12-24 03:29 . 2009-12-20 06:44 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\Move Networks
2009-12-20 06:44 . 2009-12-20 06:44 127325 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\uninstall.exe
2009-12-20 06:44 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-26 22:49 . 2009-11-26 22:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-19 23:50 . 2007-02-19 23:51 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-04-28 05:34 . 2006-09-08 05:50 88 --sh--r- c:\windows\system32\E1C6C0540C.sys
2006-05-03 09:06 . 2008-04-21 22:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-04-28 05:34 . 2006-09-08 05:50 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-04-21 22:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-21 22:50 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-05-22 16:01 . 2009-05-22 14:15 415776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-22 16:01 . 2009-05-22 14:15 27936 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-28 169984]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-21 07:40 430080 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-04-08 18:45 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-12-07 21:05 1537696 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-08 09:10 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2008 10:04 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S1 ftdiskk;ftdiskk;c:\windows\system32\drivers\ftdiskk.sys --> c:\windows\system32\drivers\ftdiskk.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [1/13/2007 12:37 PM 16512]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [10/30/2008 4:12 PM 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [10/30/2008 4:12 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 01:03]

2009-12-01 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard76002003-04-08 18:45Y34T114ZM7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: &Compress Image Using Image Compressor 2008 - c:\program files\MasRizal\IMC2008\imcieex_compress.html
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20c38e05cea85538f005/netzip/RdxIE601.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 00:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"mamcpmjaocefloonbgnjmffioe"=hex:6a,61,63,65,64,63,66,6b,6e,68,67,6c,6a,70,6f,
68,66,6e,6a,6c,00,18
"lamcpmjaocoebjgmndehlohc"=hex:69,61,61,67,6a,63,64,69,6a,6c,6d,6e,6d,67,62,6a,
6f,6b,00,80

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-15 00:24:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-15 06:24
ComboFix2.txt 2010-02-14 02:37
ComboFix3.txt 2009-05-22 14:53

Pre-Run: 4,773,416,960 bytes free
Post-Run: 4,780,244,992 bytes free

- - End Of File - - F93B3DA2220C9200D3837274C33CD7DA


#8 maranatha (Malware Response Team)

Posted 15 February 2010 - 07:51 AM

Hi
OK lets try this one more time.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::

RegNul::
[-HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]


Please post the Combofix log.

Thanks
maranatha


#9 chris714 (Topic Starter)

Posted 15 February 2010 - 11:08 PM

ComboFix 10-02-12.01 - Chris Cowan 02/15/2010 21:45:26.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.282 [GMT -6:00]
Running from: c:\documents and settings\Chris Cowan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Cowan\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
.

2010-02-09 03:32 . 2010-02-09 03:53 -------- d-----w- c:\program files\Advanced JPEG Compressor
2010-02-09 03:21 . 2010-02-09 03:21 4 ----a-w- c:\windows\vx86036.dat
2010-02-09 03:21 . 2010-02-09 03:21 -------- d-----w- c:\documents and settings\All Users\CrypKey
2010-02-09 03:21 . 2008-08-22 20:14 21638 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-09 03:21 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-09 03:21 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-09 03:21 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-09 03:21 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-09 03:21 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-09 03:20 . 2010-02-09 03:23 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\iBlubox Ltd
2010-01-24 23:35 . 2010-01-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 04:45 . 2008-04-18 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-12 05:42 . 2007-02-20 23:38 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\dvdcss
2010-02-09 21:03 . 2009-11-16 04:42 79488 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-01-25 00:16 . 2006-09-11 23:35 -------- d-----w- c:\program files\Dl_cats
2010-01-17 06:31 . 2009-03-18 18:09 -------- d-----w- c:\program files\Bonjour
2010-01-17 05:18 . 2006-08-28 16:19 -------- d-----w- c:\program files\Common Files\AOL
2010-01-13 02:06 . 2008-01-21 06:23 137675 -c--a-w- c:\windows\HPHins15.dat
2010-01-07 03:44 . 2010-01-07 03:44 -------- d-----w- c:\program files\OLYMPUS
2010-01-05 10:00 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-05-05 04:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 08:12 . 2009-04-01 03:57 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\LimeWire
2009-12-24 05:20 . 2009-10-09 00:13 -------- d-----w- c:\program files\Free FLV Converter
2009-12-24 05:20 . 2009-04-02 21:27 -------- d-----w- c:\program files\Musicnotes
2009-12-24 03:29 . 2009-12-20 06:44 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\Move Networks
2009-12-20 06:44 . 2009-12-20 06:44 127325 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\uninstall.exe
2009-12-20 06:44 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-26 22:49 . 2009-11-26 22:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-19 23:50 . 2007-02-19 23:51 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-04-28 05:34 . 2006-09-08 05:50 88 --sh--r- c:\windows\system32\E1C6C0540C.sys
2006-05-03 09:06 . 2008-04-21 22:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-04-28 05:34 . 2006-09-08 05:50 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-04-21 22:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-21 22:50 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-05-22 16:01 . 2009-05-22 14:15 415776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-22 16:01 . 2009-05-22 14:15 27936 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-28 169984]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-21 07:40 430080 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-04-08 18:45 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-12-07 21:05 1537696 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-08 09:10 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2008 10:04 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S1 ftdiskk;ftdiskk;c:\windows\system32\drivers\ftdiskk.sys --> c:\windows\system32\drivers\ftdiskk.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [1/13/2007 12:37 PM 16512]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [10/30/2008 4:12 PM 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [10/30/2008 4:12 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 01:03]

2009-12-01 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard76002003-04-08 18:45Y34T114ZM7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: &Compress Image Using Image Compressor 2008 - c:\program files\MasRizal\IMC2008\imcieex_compress.html
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20c38e05cea85538f005/netzip/RdxIE601.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 21:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"mamcpmjaocefloonbgnjmffioe"=hex:6a,61,63,65,64,63,66,6b,6e,68,67,6c,6a,70,6f,
68,66,6e,6a,6c,00,18
"lamcpmjaocoebjgmndehlohc"=hex:69,61,61,67,6a,63,64,69,6a,6c,6d,6e,6d,67,62,6a,
6f,6b,00,80

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-15 22:04:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-16 04:04
ComboFix2.txt 2010-02-15 06:24
ComboFix3.txt 2010-02-14 02:37
ComboFix4.txt 2009-05-22 14:53

Pre-Run: 4,784,672,768 bytes free
Post-Run: 4,748,726,272 bytes free

- - End Of File - - 1985690F4C2566493DB24B589E8803D7
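
The locked key in the log above is worth reading before it is deleted. What follows is an added example, not part of this thread and not ComboFix's own code: a PowerShell function that pulls the LOCKED REGISTRY KEYS section out of a ComboFix log and decodes the hex-dumped REG_BINARY values, so the key's contents can be inspected offline from the log alone. The sample text inside it is constructed from the lines shown in the log above; the function name and output format are mine, and the [pscustomobject] syntax needs PowerShell 3 or later.

```powershell
# Added example (not from the thread): parse a ComboFix log's "LOCKED REGISTRY KEYS"
# section and decode the hex-dumped values it lists.

function Get-ComboFixLockedKeys {
    param([Parameter(Mandatory = $true)][string]$LogText)

    $inSection = $false
    $current   = $null
    $keys      = New-Object System.Collections.ArrayList
    $valName   = $null
    $hexBuffer = ''

    foreach ($raw in ($LogText -split "`r?`n")) {
        $line = $raw.Trim()

        # The section runs from its own banner to the next banner line.
        if ($line -match '^-{5,} LOCKED REGISTRY KEYS -{5,}$') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^-{5,}') { break }

        if ($line -match '^\[(.+)\]$') {
            $current = [pscustomobject]@{ Path = $Matches[1]; Acl = @(); Values = @() }
            [void]$keys.Add($current)
            continue
        }
        if ($null -eq $current) { continue }

        # ComboFix prints the key's DACL summary on lines starting with @Allowed: or @DACL=
        if ($line -like '@Allowed:*' -or $line -like '@DACL=*') {
            $current.Acl += $line
            continue
        }

        # REG_BINARY values are dumped as "name"=hex:aa,bb,... and wrap onto the
        # following lines; a trailing comma means the dump continues.
        if ($line -match '^"(.+?)"=hex:(.*)$') {
            $valName   = $Matches[1]
            $hexBuffer = $Matches[2]
        } elseif ($null -ne $valName) {
            $hexBuffer += $line
        } else {
            continue
        }

        if (-not $hexBuffer.EndsWith(',')) {
            $bytes = [byte[]]@($hexBuffer -split ',' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
            # Printable ASCII as-is, everything else as a dot
            $ascii = -join ($bytes | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7e) { [char]$_ } else { '.' } })
            $current.Values += [pscustomobject]@{ Name = $valName; Bytes = $bytes; Ascii = $ascii }
            $valName   = $null
            $hexBuffer = ''
        }
    }
    return $keys
}

# Constructed sample: the locked-key lines from the log above, plus the banner that ends the section.
$sample = @'
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]
@Allowed: (Read) (RestrictedCode)
"mamcpmjaocefloonbgnjmffioe"=hex:6a,61,63,65,64,63,66,6b,6e,68,67,6c,6a,70,6f,
68,66,6e,6a,6c,00,18
"lamcpmjaocoebjgmndehlohc"=hex:69,61,61,67,6a,63,64,69,6a,6c,6d,6e,6d,67,62,6a,
6f,6b,00,80

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
'@

Get-ComboFixLockedKeys -LogText $sample | ForEach-Object {
    '{0}' -f $_.Path
    '  ACL: {0}' -f ($_.Acl -join '; ')
    foreach ($v in $_.Values) {
        '  {0} = "{1}" ({2} bytes)' -f $v.Name, $v.Ascii, $v.Bytes.Count
    }
}
```

Two things the decoded output makes visible. The values are letter strings of the same random-looking shape as the value names, each followed by a null byte and one more byte; Shell Extensions\Approved normally holds string values named by CLSID, not a CLSID-named subkey full of binary values, so this is generated data rather than anything an installer wrote. The three OptionalComponents keys with @DACL=(02 0000) and empty defaults are present on stock Windows XP installs, appear unchanged in every log in this thread, and should be left alone.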


#10 maranatha (Malware Response Team)

Posted 15 February 2010 - 11:39 PM

Hi chris714
OK this is being stubborn. Lets use this code.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::

RegLockDel::
[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]


Please post the Combofix log.

Thanks
maranatha

Edited by maranatha, 15 February 2010 - 11:41 PM.


#11 chris714 (Topic Starter)

Posted 16 February 2010 - 12:54 AM

I'm sorry it's being stubborn. If it's any consolation, I think it may be fixed.



ComboFix 10-02-12.01 - Chris Cowan 02/15/2010 23:34:21.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.362 [GMT -6:00]
Running from: c:\documents and settings\Chris Cowan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Cowan\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
.

2010-02-09 03:32 . 2010-02-09 03:53 -------- d-----w- c:\program files\Advanced JPEG Compressor
2010-02-09 03:21 . 2010-02-09 03:21 4 ----a-w- c:\windows\vx86036.dat
2010-02-09 03:21 . 2010-02-09 03:21 -------- d-----w- c:\documents and settings\All Users\CrypKey
2010-02-09 03:21 . 2008-08-22 20:14 21638 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-09 03:21 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-09 03:21 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-09 03:21 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-09 03:21 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-09 03:21 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-09 03:20 . 2010-02-09 03:23 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\iBlubox Ltd
2010-01-24 23:35 . 2010-01-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 05:47 . 2008-04-18 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-12 05:42 . 2007-02-20 23:38 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\dvdcss
2010-02-09 21:03 . 2009-11-16 04:42 79488 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-01-25 00:16 . 2006-09-11 23:35 -------- d-----w- c:\program files\Dl_cats
2010-01-17 06:31 . 2009-03-18 18:09 -------- d-----w- c:\program files\Bonjour
2010-01-17 05:18 . 2006-08-28 16:19 -------- d-----w- c:\program files\Common Files\AOL
2010-01-13 02:06 . 2008-01-21 06:23 137675 -c--a-w- c:\windows\HPHins15.dat
2010-01-07 03:44 . 2010-01-07 03:44 -------- d-----w- c:\program files\OLYMPUS
2010-01-05 10:00 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-05-05 04:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 08:12 . 2009-04-01 03:57 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\LimeWire
2009-12-24 05:20 . 2009-10-09 00:13 -------- d-----w- c:\program files\Free FLV Converter
2009-12-24 05:20 . 2009-04-02 21:27 -------- d-----w- c:\program files\Musicnotes
2009-12-24 03:29 . 2009-12-20 06:44 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\Move Networks
2009-12-20 06:44 . 2009-12-20 06:44 127325 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\uninstall.exe
2009-12-20 06:44 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-26 22:49 . 2009-11-26 22:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-19 23:50 . 2007-02-19 23:51 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-04-28 05:34 . 2006-09-08 05:50 88 --sh--r- c:\windows\system32\E1C6C0540C.sys
2006-05-03 09:06 . 2008-04-21 22:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-04-28 05:34 . 2006-09-08 05:50 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-04-21 22:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-21 22:50 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-05-22 16:01 . 2009-05-22 14:15 415776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-22 16:01 . 2009-05-22 14:15 27936 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-28 169984]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-21 07:40 430080 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-04-08 18:45 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-12-07 21:05 1537696 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-08 09:10 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2008 10:04 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S1 ftdiskk;ftdiskk;c:\windows\system32\drivers\ftdiskk.sys --> c:\windows\system32\drivers\ftdiskk.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [1/13/2007 12:37 PM 16512]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [10/30/2008 4:12 PM 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [10/30/2008 4:12 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 01:03]

2009-12-01 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard76002003-04-08 18:45Y34T114ZM7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: &Compress Image Using Image Compressor 2008 - c:\program files\MasRizal\IMC2008\imcieex_compress.html
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20c38e05cea85538f005/netzip/RdxIE601.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 23:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"mamcpmjaocefloonbgnjmffioe"=hex:6a,61,63,65,64,63,66,6b,6e,68,67,6c,6a,70,6f,
68,66,6e,6a,6c,00,18
"lamcpmjaocoebjgmndehlohc"=hex:69,61,61,67,6a,63,64,69,6a,6c,6d,6e,6d,67,62,6a,
6f,6b,00,80

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1468)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-15 23:52:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-16 05:52
ComboFix2.txt 2010-02-16 04:04
ComboFix3.txt 2010-02-15 06:24
ComboFix4.txt 2010-02-14 02:37
ComboFix5.txt 2010-02-16 05:33

Pre-Run: 4,879,073,280 bytes free
Post-Run: 4,853,596,160 bytes free

- - End Of File - - F7A2ADD756ECCC9E3FB972E553AF9E00


#12 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:31 AM

Posted 16 February 2010 - 09:16 PM

Hi chris

I'm glad it's working, but this is a leftover from the infection and it really should be deleted. I would like to make sure you are completely clean.
I don't like doing a halfway job.

OK, let's try this again, OK?

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::

RegNull::
[HKEY_USERS\S-1-5-21-2318725428-931493984-64454331-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{20ABB8C6-EEB5-0A44-282D-3923D6AEBBE5}*]


Please post the Combofix log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#13 chris714

chris714
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:31 AM

Posted 18 February 2010 - 01:51 AM

After ComboFix updated itself and began to run the first time, the following blue screen popped up, just an FYI:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

BAD_POOL_HEADER

If this is the first time you've seen this Stop Error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

*** STOP: 0x00000019 (0x00000020, 0x84D64000, 0x84D64418, 0x1A830000)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.



I had to restart and then run ComboFix again. Here's the log:


ComboFix 10-02-16.03 - Chris Cowan 02/18/2010 0:19.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.316 [GMT -6:00]
Running from: c:\documents and settings\Chris Cowan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Cowan\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-09 03:32 . 2010-02-09 03:53 -------- d-----w- c:\program files\Advanced JPEG Compressor
2010-02-09 03:21 . 2010-02-09 03:21 4 ----a-w- c:\windows\vx86036.dat
2010-02-09 03:21 . 2010-02-09 03:21 -------- d-----w- c:\documents and settings\All Users\CrypKey
2010-02-09 03:21 . 2008-08-22 20:14 21638 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-09 03:21 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-09 03:21 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-09 03:21 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-09 03:21 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-09 03:21 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-09 03:20 . 2010-02-09 03:23 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\iBlubox Ltd
2010-01-24 23:35 . 2010-01-24 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 05:47 . 2008-04-18 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-12 05:42 . 2007-02-20 23:38 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\dvdcss
2010-02-09 21:03 . 2009-11-16 04:42 79488 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-02-09 02:56 . 2008-12-21 23:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgdoc2.dll
2010-01-25 00:16 . 2006-09-11 23:35 -------- d-----w- c:\program files\Dl_cats
2010-01-17 06:31 . 2009-03-18 18:09 -------- d-----w- c:\program files\Bonjour
2010-01-17 05:18 . 2006-08-28 16:19 -------- d-----w- c:\program files\Common Files\AOL
2010-01-13 02:06 . 2008-01-21 06:23 137675 -c--a-w- c:\windows\HPHins15.dat
2010-01-07 03:44 . 2010-01-07 03:44 -------- d-----w- c:\program files\OLYMPUS
2010-01-05 10:00 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-05-05 04:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 08:12 . 2009-04-01 03:57 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\LimeWire
2009-12-24 05:20 . 2009-10-09 00:13 -------- d-----w- c:\program files\Free FLV Converter
2009-12-24 05:20 . 2009-04-02 21:27 -------- d-----w- c:\program files\Musicnotes
2009-12-24 03:29 . 2009-12-20 06:44 -------- d-----w- c:\documents and settings\Chris Cowan\Application Data\Move Networks
2009-12-20 06:44 . 2009-12-20 06:44 127325 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\uninstall.exe
2009-12-20 06:44 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Chris Cowan\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-26 22:49 . 2009-11-26 22:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-19 23:50 . 2007-02-19 23:51 774144 -c--a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-04-28 05:34 . 2006-09-08 05:50 88 --sh--r- c:\windows\system32\E1C6C0540C.sys
2006-05-03 09:06 . 2008-04-21 22:50 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-04-28 05:34 . 2006-09-08 05:50 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-04-21 22:50 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-04-21 22:50 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-05-22 16:01 . 2009-05-22 14:15 415776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-05-22 16:01 . 2009-05-22 14:15 27936 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-05-28 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-28 169984]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-21 07:40 430080 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-04-08 18:45 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-12-07 21:05 1537696 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-08 09:10 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2008 10:04 PM 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S1 ftdiskk;ftdiskk;c:\windows\system32\drivers\ftdiskk.sys --> c:\windows\system32\drivers\ftdiskk.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [1/13/2007 12:37 PM 16512]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [10/30/2008 4:12 PM 23096]
S3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [10/30/2008 4:12 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 01:03]

2009-12-01 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard76002003-04-08 18:45Y34T114ZM7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: &Compress Image Using Image Compressor 2008 - c:\program files\MasRizal\IMC2008\imcieex_compress.html
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/20c38e05cea85538f005/netzip/RdxIE601.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 00:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1468)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4912)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\CHRISC~1\LOCALS~1\Temp\clclean.0001
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-18 00:41:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 06:41
ComboFix2.txt 2010-02-16 05:52
ComboFix3.txt 2010-02-16 04:04
ComboFix4.txt 2010-02-15 06:24
ComboFix5.txt 2010-02-18 06:11

Pre-Run: 4,829,954,048 bytes free
Post-Run: 4,806,922,240 bytes free

- - End Of File - - C59B534B4356474CC79D7F3039CA495E


#14 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:31 AM

Posted 18 February 2010 - 07:57 AM

Hi chris
OK, that got it.

Let's get an online scan to make sure nothing is lurking.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on “Accept” if your pop-up blocker blocks any windows from opening.

Read then Click Accept on the Information page.
Windows Vista users: you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files:
  • Under Scan on the left side, Click on My Computer
  • This will start the program and scan your system.
  • Click the “Scan Report” On the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky results.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#15 chris714

chris714
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:31 AM

Posted 18 February 2010 - 10:47 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, February 18, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 18, 2010 21:16:05
Records in database: 3554703
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 109368
Threats found: 6
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 02:43:10


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Backdoor.Win32.Buterat.du 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0053587.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0053588.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0053589.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0055688.exe Infected: Backdoor.Win32.Buterat.du 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0055689.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{97FFEFF3-CA81-4738-BD29-AEB00E358B51}\RP46\A0006925.exe Infected: Trojan-Downloader.Win32.VB.bsa 1
C:\System Volume Information\_restore{97FFEFF3-CA81-4738-BD29-AEB00E358B51}\RP46\A0006926.exe Infected: Trojan-Downloader.Win32.VB.bsa 1
C:\System Volume Information\_restore{97FFEFF3-CA81-4738-BD29-AEB00E358B51}\RP46\A0006929.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp 1
C:\System Volume Information\_restore{F6F41583-EFD6-4EB6-A09F-692FAE753781}\RP100\A0011060.exe Infected: Trojan.Win32.FraudPack.nkf 1
C:\System Volume Information\_restore{F6F41583-EFD6-4EB6-A09F-692FAE753781}\RP100\A0011063.exe Infected: Trojan-Proxy.Win32.Agent.bnq 1

Selected area has been scanned.






Looks like we aren't completely done..ha.
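As an added example (not from the thread or from either participant), a small Python triage of the Kaspersky report format posted above: it parses the "File name / Threat / Threats count" lines and tags each detection as sitting in ComboFix's Qoobox quarantine folder, in a System Restore snapshot, or on a live path, which is the distinction a helper makes before deciding whether anything is still active. The folder-meaning rules and the one constructed live-path sample line are this example's own assumptions.

```python
"""Triage the Kaspersky Online Scanner report format by detection location.

Added example, not part of the thread. It parses the
"File name / Threat / Threats count" lines shown in the post above and
tags each hit as sitting in ComboFix's quarantine folder, in a System
Restore snapshot, or on a live path. The path rules are this example's
assumptions about what those folders hold, not the scanner's own logic.
"""
import re
from collections import Counter

# Detection lines look like:  <path> Infected: <threat name> <count>
# Paths contain spaces, so the split point is the literal " Infected: ".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Assumed location markers: ComboFix moves removed files under
# C:\Qoobox\Quarantine\, and System Restore keeps copies under
# System Volume Information\_restore{GUID}\RPnn\.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)

# Report lines copied from the scan report in the post above
# (header and trailer lines included to show they are skipped).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Backdoor.Win32.Buterat.du 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0053587.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0053588.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0053589.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0055688.exe Infected: Backdoor.Win32.Buterat.du 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP94\A0055689.dll Infected: Trojan-Spy.Win32.Vbot.b 1
C:\System Volume Information\_restore{97FFEFF3-CA81-4738-BD29-AEB00E358B51}\RP46\A0006925.exe Infected: Trojan-Downloader.Win32.VB.bsa 1
C:\System Volume Information\_restore{97FFEFF3-CA81-4738-BD29-AEB00E358B51}\RP46\A0006926.exe Infected: Trojan-Downloader.Win32.VB.bsa 1
C:\System Volume Information\_restore{97FFEFF3-CA81-4738-BD29-AEB00E358B51}\RP46\A0006929.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp 1
C:\System Volume Information\_restore{F6F41583-EFD6-4EB6-A09F-692FAE753781}\RP100\A0011060.exe Infected: Trojan.Win32.FraudPack.nkf 1
C:\System Volume Information\_restore{F6F41583-EFD6-4EB6-A09F-692FAE753781}\RP100\A0011063.exe Infected: Trojan-Proxy.Win32.Agent.bnq 1

Selected area has been scanned.
"""

# Constructed line (not from the report) showing a detection on a live path.
CONSTRUCTED_LIVE_LINE = (
    r"C:\Documents and Settings\user\example.dll Infected: Constructed.Sample.Threat 1"
)


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for a detected path."""
    if QUARANTINE_MARKER in path.lower():
        return "quarantine"
    if RESTORE_POINT_RE.search(path):
        return "restore_point"
    return "live"


def parse_report(text):
    """Extract every detection line as a dict; non-matching lines are skipped."""
    detections = []
    for line in text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if not match:
            continue
        path = match.group("path")
        detections.append({
            "path": path,
            "threat": match.group("threat"),
            "count": int(match.group("count")),
            "location": classify(path),
        })
    return detections


def summarize(detections):
    """Count hits per location, list distinct threats and any live paths."""
    by_location = Counter(d["location"] for d in detections)
    return {
        "by_location": dict(by_location),
        "threats": sorted({d["threat"] for d in detections}),
        "live_paths": [d["path"] for d in detections if d["location"] == "live"],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("detections by location:", summary["by_location"])
    print("distinct threats:", len(summary["threats"]))
    print("still on live paths:", summary["live_paths"] or "none")
```

For the report above every hit is in quarantine or a restore point, so the follow-up is to purge those stores rather than to treat the machine as still actively infected.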



