
HijackThis with Log


  • This topic is locked
17 replies to this topic

#1 mll2

  • Members

Posted 26 February 2010 - 05:32 PM

Hi all,

Thanks so much in advance for your help. Yesterday I started getting popups saying my computer has been infected. It calls itself "Antivirus XP 2010" and has an Alert that pops up constantly. There is also a registration popup that keeps popping up. I'm afraid my computer has been infected and it seems pretty serious. I've run HijackThis and here's the log. Again, thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13:30, on 26-Feb-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\mobile automation\rstate.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\mlamana\Local Settings\Application Data\av.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\mlamana\LOCALS~1\Temp\wdyjsc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\program files\mobile automation\rsstatus.exe
C:\WINDOWS\sprscore.exe
C:\DOCUME~1\mlamana\LOCALS~1\Temp\install.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\rundys32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ip.clarkstonconsulting.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe
O2 - BHO: C:\WINDOWS\system32\q9bpsliy.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\q9bpsliy.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE" /StartInTray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\Program Files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\winlogin.exe] "C:\Program Files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\CritProc.exe" /R
O4 - HKLM\..\Run: [forsinit] C:\WINDOWS\sprscore.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Mobile Automation Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\q9bpsliy.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\DOCUME~1\mlamana\LOCALS~1\Temp\wdyjsc.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\mlamana\LOCALS~1\Temp\install.exe
O4 - HKUS\S-1-5-18\..\Run: [Spark] C:\Program Files\Spark\Spark.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spark] C:\Program Files\Spark\Spark.exe (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O15 - Trusted Zone: www.citrixonline.com
O15 - Trusted Zone: clarkston.travelasp.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.0.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://remote.rjrt.com/CACHE/webvpn/stc/1/...ries/stcweb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204821146859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204821189921
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://ip.clarkstonconsulting.com/crystalr...tiveXViewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ip.clarkstonconsulting.com/client/T...SSL+ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://ip.clarkstonconsulting.com/dana-cac...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clarkstongroup.com
O17 - HKLM\Software\..\Telephony: DomainName = clarkstongroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clarkstongroup.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: urqQiFUN - urqQiFUN.dll (file missing)
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\q9bpsliy.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Mobile Automation Agent (MobileAutmationAgentService) - Mobile Automation, Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: Network Configuration Service (netcfgsvr) - AT&T - C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

--
End of file - 15602 bytes
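As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script for the log format above: it parses the HijackThis v2 entry types and flags the kinds of entry a malware responder reads first (executables started from temp or profile directories, randomly named files and Run values, a UserInit chain with extra executables, policy lockouts, unknown Winsock LSPs, and a Winlogon Notify entry whose DLL is missing). The sample log is constructed and modelled on the entries in the log above; the heuristics in `looks_random` are the author's assumptions, not a rule from any tool.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 log format. Entries are modelled on the
# ones in the log above (user name replaced, GUID replaced by a placeholder).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\wdyjsc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe
O2 - BHO: C:\WINDOWS\system32\q9bpsliy.dll - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\q9bpsliy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\q9bpsliy.dll, HUI_proc
O4 - HKCU\..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\DOCUME~1\user\LOCALS~1\Temp\wdyjsc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsp8.dll
O20 - Winlogon Notify: urqQiFUN - urqQiFUN.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A quoted path, or an unquoted one read up to a common executable extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr))', re.IGNORECASE)
TEMP_DIRS = re.compile(r"\\(Temp|LOCALS~1|Local Settings\\Application Data)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"HK\w+\\[^\[]*\[([^\]]+)\]")

@dataclass(frozen=True)
class Finding:
    section: str   # "process" or the HijackThis entry type (F2, O4, O10, ...)
    reason: str
    line: str

def looks_random(name: str) -> bool:
    """Assumed heuristic for generated names: long and vowel-poor, or letters mixed with digits."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    if len(stem) < 8 or not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2 or (digits >= 3 and len(stem) >= 12)

def path_flags(text: str) -> List[str]:
    """Reasons raised by any file path in the text: temp/profile location or random file name."""
    reasons = []
    for quoted, bare in PATH_RE.findall(text):
        path = quoted or bare
        base = path.rsplit("\\", 1)[-1]
        if TEMP_DIRS.search(path):
            reasons.append(f"executable under a temp/profile directory: {path}")
        elif looks_random(base):
            reasons.append(f"randomly named file: {base}")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a responder should look at first."""
    findings, in_procs, lsp_seen = [], False, set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:" or not line:
            in_procs = line != ""          # the process list runs until the first blank line
            continue
        if in_procs:
            findings += [Finding("process", r, line) for r in path_flags(line)]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.groups()
        reasons = []
        if sec == "F2" and "UserInit=" in body:
            # Only userinit.exe belongs here; anything chained after it runs at every logon.
            targets = [t.strip() for t in body.split("UserInit=", 1)[1].split(",")]
            extra = [t for t in targets if t and not t.lower().endswith("\\userinit.exe")]
            if extra:
                reasons.append("UserInit chains extra executable(s): " + ", ".join(extra))
        elif sec == "O4":
            key = RUN_KEY_RE.match(body)
            if key and looks_random(key.group(1)):
                reasons.append(f"randomly named Run value: {key.group(1)}")
        elif sec == "O7":
            reasons.append(f"registry policy restriction set: {body}")
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            lsp = body.split(":", 1)[1].strip()
            if lsp not in lsp_seen:        # HJT prints one line per LSP chain entry; report once
                lsp_seen.add(lsp)
                reasons.append(f"unknown Winsock LSP: {lsp}")
        elif sec == "O20" and "(file missing)" in body:
            reasons.append("Winlogon Notify entry points at a missing DLL")
        reasons += path_flags(body)
        findings += [Finding(sec, r, line) for r in dict.fromkeys(reasons)]
    return findings
```

Running `triage(SAMPLE_LOG)` leaves the Symantec, svchost and ProxyOverride entries unflagged and reports the temp-directory process, the UserInit chain, the random BHO/Run entries, the O7 policy, one LSP finding and the missing Winlogon DLL.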


#2 mll2
  • Topic Starter
  • Members

Posted 27 February 2010 - 11:19 AM

Hi everyone,

Could someone please help me solve this issue? I need it fixed pretty soon. I have the HijackThis log in the initial post, and if there's anything else you need let me know.

Thanks a lot!


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Response Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 28 February 2010 - 06:20 AM.


#3 m0le

  • Malware Response Team

Posted 01 March 2010 - 06:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#4 mll2
  • Topic Starter
  • Members

Posted 01 March 2010 - 08:34 PM

Hi m0le, thanks for helping! I really appreciate your help! Feel free to begin with your first instructions!

Thanks!
mll2

#5 m0le

  • Malware Response Team

Posted 01 March 2010 - 08:39 PM

Okay, well we need to see some more information about what is happening on your machine than HijackThis can show.

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks

m0le is a proud member of UNITE

#6 mll2
  • Topic Starter
  • Members

Posted 02 March 2010 - 01:12 PM

Hi m0le! This virus is really annoying. I was unable to run either of the DDS scripts. The link to the second one didn't work and the first one wouldn't produce the .txt files even though I disabled all antivirus and spyware programs. I'm assuming the virus is disabling it, just as it does my adaware software.

I was able to download the gmer.log file below. Also, I ran the defogger after the gmer and it produced the following log. Thanks so much for your help! Please let me know what else you need.

thanks again,
mll2

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 11:44 on 02/03/2010 (mlamana)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 11:41:14
Windows 5.1.2600 Service Pack 2
Running: ugkcv8ph.exe; Driver: C:\DOCUME~1\mlamana\LOCALS~1\Temp\kfairaog.sys


---- System - GMER 1.0.15 ----

SSDT 8A4EC900 ZwConnectPort
SSDT spnu.sys ZwCreateKey [0xB9EA70E0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8D14CC0]
SSDT spnu.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spnu.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT spnu.sys ZwOpenKey [0xB9EA70C0]
SSDT spnu.sys ZwQueryKey [0xB9EC610A]
SSDT spnu.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8D14F20]

INT 0x62 ? 8A703BF8
INT 0x82 ? 8A703BF8
INT 0x84 ? 8A5F3F00
INT 0x94 ? 8A5F3F00
INT 0xA4 ? 8A5F3F00

---- Kernel code sections - GMER 1.0.15 ----

? spnu.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B947C62C 5 Bytes JMP 8A5F34E0
.text are11r4f.SYS B933B386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text are11r4f.SYS B933B3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text are11r4f.SYS B933B3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text are11r4f.SYS B933B3C9 1 Byte [2E]
.text are11r4f.SYS B933B3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[608] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 00402455
.text C:\WINDOWS\Explorer.EXE[764] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 0111E1F0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\Explorer.EXE[764] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0111EDA0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\Explorer.EXE[764] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0111E330 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\Explorer.EXE[764] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 011125B0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\Explorer.EXE[764] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01112850 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\Explorer.EXE[764] kernel32.dll!OpenProcess 7C8309E1 5 Bytes JMP 0111E190 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[2976] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 1000E1F0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[2976] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 1000EDA0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[2976] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000E330 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[2976] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100025B0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[2976] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002850 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[2976] kernel32.dll!OpenProcess 7C8309E1 5 Bytes JMP 1000E190 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\system32\taskmgr.exe[3540] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 1000E1F0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\system32\taskmgr.exe[3540] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 1000EDA0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\system32\taskmgr.exe[3540] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000E330 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\system32\taskmgr.exe[3540] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100025B0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\system32\taskmgr.exe[3540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002850 C:\WINDOWS\system32\msaun0ero.dll
.text C:\WINDOWS\system32\taskmgr.exe[3540] kernel32.dll!OpenProcess 7C8309E1 5 Bytes JMP 1000E190 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe[3856] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 1000E1F0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe[3856] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 1000EDA0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe[3856] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000E330 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe[3856] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100025B0 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe[3856] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002850 C:\WINDOWS\system32\msaun0ero.dll
.text C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe[3856] kernel32.dll!OpenProcess 7C8309E1 5 Bytes JMP 1000E190 C:\WINDOWS\system32\msaun0ero.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spnu.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spnu.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spnu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spnu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spnu.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spnu.sys
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!KfAcquireSpinLock] 001C9C96
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!READ_PORT_UCHAR] C6168B00
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!KeGetCurrentIrql] 001CB986
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!KfRaiseIrql] 428A0A00
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!KfLowerIrql] BA86880C
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!HalGetInterruptVector] 8B00001C
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!HalTranslateBusAddress] 24A48DFA
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!KeStallExecutionProcessor] 00000000
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!KfReleaseSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D3F0304
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!READ_PORT_USHORT] CB033043
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 0673C13B
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[HAL.dll!WRITE_PORT_UCHAR] C13B0003
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[WMILIB.SYS!WmiSystemControl] 75000E7B
IAT \SystemRoot\System32\Drivers\are11r4f.SYS[WMILIB.SYS!WmiCompleteRequest] 0B7D80E3

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 010A9220
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 010A8F10
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 010A1640
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 010A29D0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 010A6070
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 010A3BB0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 010A2F80
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 010A53B0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 010A83F0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 010A8430
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 010A9570
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 010A7FE0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 010A5FD0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 010A46E0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 010A37B0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 010A4160
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 010A9AF0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 010A5700
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 010A5E30
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 010A6A60
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 010A6540
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 010A69E0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 010A7540
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 010A6C10
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 010A33B0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 010A4590
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 010A8510
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 010A6680
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 010A5F70
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 010A5B30
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 010A6180
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 010A9590
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 010A6480
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 010A9830
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 010A97D0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 010A9A20
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 010A9AC0
IAT C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe[3016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 010A98F0

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7021F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_620_13515.SYS (NetBIOS Redirector/Juniper Networks)

Device \Driver\usbuhci \Device\USBPDO-0 8A6181F8
Device \Driver\usbuhci \Device\USBPDO-1 8A6181F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D6B1247A-BCA7-44FD-A54B-ECE9C49535D8} 88CE61F8
Device \Driver\usbuhci \Device\USBPDO-2 8A6181F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{EBCFFB61-43BE-4E01-BAC1-A978EBCC47CB} 88CE61F8
Device \Driver\usbuhci \Device\USBPDO-3 8A6181F8
Device \Driver\usbehci \Device\USBPDO-4 8A53C1F8

AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_620_13515.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6921F8
Device \Driver\Cdrom \Device\CdRom0 8A5301F8
Device \Driver\Cdrom \Device\CdRom1 8A5301F8
Device \Driver\atapi \Device\Ide\IdePort0 8A7031F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A7031F8
Device \Driver\atapi \Device\Ide\IdePort1 8A7031F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A7031F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88CE61F8
Device \Driver\NetBT \Device\NetbiosSmb 88CE61F8

AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_620_13515.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{B734E225-4CCC-4FB0-96C1-25DF8F64B1ED} 88CE61F8

AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_620_13515.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\PCI_PNP7348 \Device\0000005e spnu.sys
Device \Driver\usbuhci \Device\USBFDO-0 8A6181F8
Device \Driver\usbuhci \Device\USBFDO-1 8A6181F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88CDF1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A6181F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88CDF1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A6181F8
Device \Driver\usbehci \Device\USBFDO-4 8A53C1F8
Device \Driver\Ftdisk \Device\FtControl 8A6921F8
Device \Driver\sptd \Device\701671098 spnu.sys
Device \Driver\are11r4f \Device\Scsi\are11r4f1Port2Path0Target0Lun0 8A5201F8
Device \Driver\are11r4f \Device\Scsi\are11r4f1 8A5201F8
Device \FileSystem\Cdfs \Cdfs 88C9C500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [764] 0x01110000

Process C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe (*** hidden *** ) 2976
Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe [2976] 0x10000000

Process C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe (*** hidden *** ) 3016
Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe [3016] 0x10000000
Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\WINDOWS\system32\taskmgr.exe [3540] 0x10000000
Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\Documents and Settings\mlamana\Desktop\ugkcv8ph.exe [3856] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x35 0x0C 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x39 0xDD 0x80 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDE 0x09 0x08 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x35 0x0C 0x07 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x39 0xDD 0x80 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDE 0x09 0x08 0x0E ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@026d- C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe de
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@026d- C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe de

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\msaun0ero.dll 147456 bytes executable
File C:\Program Files\Qtvxspglxyjwo 0 bytes
File C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe 2180749 bytes executable
File C:\Program Files\Qtvxspglxyjwo\Log 0 bytes
File C:\Program Files\Qtvxspglxyjwo\Log\Audio 0 bytes
File C:\Program Files\Qtvxspglxyjwo\Log\Text 0 bytes
File C:\Program Files\Qtvxspglxyjwo\Log\Text\aiotxt.dat 10104 bytes
File C:\Program Files\Qtvxspglxyjwo\Log\Visual 0 bytes
File C:\Program Files\Qtvxspglxyjwo\Log\Visual\03022010.dat 30134566 bytes
File C:\Program Files\Qtvxspglxyjwo\unins000.dat 12297 bytes
File C:\Program Files\Qtvxspglxyjwo\unins000.exe 686706 bytes

---- EOF - GMER 1.0.15 ----
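What a responder reads off a GMER log like the one above, written out as a small triage script (an added example, not a tool from this thread or from GMER): it parses the "Processes" and "Registry" sections, collects the processes and injected libraries GMER marked `(*** hidden *** )`, and ties the Run autostart values back to the hidden image. The sample log is a constructed excerpt of the lines posted above; nothing is read from disk.

```python
"""Triage helper for GMER 1.0.15 log text (added example, not part of the thread).

GMER marks objects found by cross-view comparison that the Win32 API did not
report with "(*** hidden *** )". This script pulls those entries from the
"Processes" and "Registry" sections and correlates them: one DLL hidden in
several unrelated processes means system-wide injection, and a Run value
whose data starts with a hidden process image is the persistence hook.
"""
import re
from collections import defaultdict

# Constructed excerpt in GMER's own line format (same entries as the posted log).
SAMPLE_LOG = r"""---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [764] 0x01110000

Process C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe (*** hidden *** ) 2976
Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe [2976] 0x10000000

Process C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe (*** hidden *** ) 3016
Library C:\WINDOWS\system32\msaun0ero.dll (*** hidden *** ) @ C:\WINDOWS\system32\taskmgr.exe [3540] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@026d- C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe de
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@026d- C:\Program Files\Qtvxspglxyjwo\dehjlgd.exe de

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HIDDEN = r"\(\*\*\* hidden \*\*\* \)"
PROCESS_RE = re.compile(r"^Process (?P<path>.+?) " + HIDDEN + r" (?P<pid>\d+)$")
LIBRARY_RE = re.compile(
    r"^Library (?P<dll>.+?) " + HIDDEN + r" @ (?P<host>.+?) \[(?P<pid>\d+)\] 0x(?P<base>[0-9A-Fa-f]+)$"
)
# Only Run autostart values; other Reg lines (e.g. the sptd\Cfg entries) are ignored.
RUN_RE = re.compile(r"^Reg (?P<hive>HK[A-Z]+)\\(?P<key>.+\\CurrentVersion\\Run)@(?P<name>\S+) (?P<data>.+)$")


def parse_gmer(text):
    """Walk the log section by section and collect hidden objects and Run values."""
    report = {"hidden_processes": [], "hidden_libraries": [], "run_values": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Processes":
            m = PROCESS_RE.match(line)
            if m:
                report["hidden_processes"].append((m.group("path"), int(m.group("pid"))))
                continue
            m = LIBRARY_RE.match(line)
            if m:
                report["hidden_libraries"].append(
                    (m.group("dll"), m.group("host"), int(m.group("pid")), int(m.group("base"), 16))
                )
        elif section == "Registry":
            m = RUN_RE.match(line)
            if m:
                report["run_values"].append((m.group("hive"), m.group("name"), m.group("data")))
    return report


def triage(report):
    """Correlate parsed entries into the indicators a responder looks for."""
    hidden_images = {path.lower() for path, _ in report["hidden_processes"]}

    # Same DLL mapped and hidden in more than one host process: system-wide injection.
    hosts_by_dll = defaultdict(set)
    for dll, host, _, _ in report["hidden_libraries"]:
        hosts_by_dll[dll.lower()].add(host.lower())
    injected = {dll: sorted(hosts) for dll, hosts in hosts_by_dll.items() if len(hosts) > 1}

    # Run values whose data begins with a hidden process image are the autostart hook.
    persistence = [
        (hive, name, data)
        for hive, name, data in report["run_values"]
        if any(data.lower().startswith(img) for img in hidden_images)
    ]
    return {
        "hidden_images": sorted(hidden_images),
        "injected_dlls": injected,
        "persistence": persistence,
        "rootkit_indicators": bool(hidden_images or injected),
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```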


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:56 PM

Posted 02 March 2010 - 06:59 PM

Yes, you're rootkitted.

We need to try and stop as many malicious processes as we can.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Finally,

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 mll2

mll2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 03 March 2010 - 12:04 AM

Hi m0le,

exeHelper wouldn't run; after saving the file I got a Warning box that said "exeHelper.exe is not a valid Win32 Application."
Rkill and ComboFix did run and the logs are below. Again, I can't thank you enough for your help!

thanks,
mll2

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as mlamana on 02-Mar-10 at 23:05:30.


Processes terminated by Rkill or while it was running:


C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\DOCUME~1\mlamana\LOCALS~1\Temp\wdyjsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\mlamana\Local Settings\Temp\notepad.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Documents and Settings\mlamana\Desktop\rkill.pif


Rkill completed on 02-Mar-10 at 23:05:35.

.......

ComboFix 10-03-02.02 - mlamana 02-Mar-10 23:26:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1332 [GMT -5:00]
Running from: c:\documents and settings\mlamana\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
The following files were disabled during the run:
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\mlamana\LOCALS~1\Temp\lsass.exe
c:\documents and settings\mlamana\Application Data\wiaservg.log
c:\documents and settings\mlamana\Local Settings\Application Data\av.exe
c:\documents and settings\mlamana\Local Settings\Temporary Internet Files\a5oBaM.jpg
c:\documents and settings\mlamana\Local Settings\Temporary Internet Files\bP467m.jpg
c:\documents and settings\mlamana\Local Settings\Temporary Internet Files\LaAa26Ab.jpg
c:\documents and settings\mlamana\Local Settings\Temporary Internet Files\n0njP.jpg
c:\recycler\S-1-5-21-1945010074-62018654-1971066577-10694
c:\recycler\S-1-5-21-1945010074-62018654-1971066577-12489
C:\test.txt
c:\windows\system32\abvensdk.ini
c:\windows\system32\avyqgiap.ini
c:\windows\system32\bogsdeoa.ini
c:\windows\system32\ctuiwwfn.ini
c:\windows\system32\ehbtvjcf.ini
c:\windows\system32\exfxewhv.ini
c:\windows\system32\hryqtbxl.ini
c:\windows\system32\hujsrbeu.ini
c:\windows\system32\inumundj.ini
c:\windows\system32\jfcbiwfy.ini
c:\windows\system32\kr_done1
c:\windows\system32\maafthwn.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\nqohssue.ini
c:\windows\system32\oahmbrcu.ini
c:\windows\system32\p2hhr.bat
c:\windows\system32\q9bpsliy.dll
c:\windows\system32\rijiwhhv.ini
c:\windows\system32\rolbhnaa.ini
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\stacsv.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\uc84pgk.dll
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\xxacxkky.ini
c:\windows\system32\ydcuttvw.ini
c:\windows\system32\yGfNqBeg.ini
c:\windows\system32\yGfNqBeg.ini2
c:\windows\Temp\158661978.exe
c:\windows\Temp\lsass.exe
c:\windows\Temp\scsE.tmp
c:\windows\Temp\scsF.tmp

Infected copy of c:\windows\system32\tlntsvr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\tlntsvr.exe

c:\windows\system32\grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-26 22:08 . 2010-02-26 22:08 -------- d-----w- c:\program files\Trend Micro
2010-02-26 14:49 . 2010-02-26 15:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-26 14:49 . 2010-02-26 14:49 -------- d-----w- c:\program files\Lavasoft
2010-02-26 14:49 . 2010-02-26 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-26 14:32 . 2010-02-26 14:32 64512 ----a-w- c:\windows\system32\lsp8.dll
2010-02-15 20:07 . 2010-02-15 20:07 -------- d-----w- c:\program files\iPod
2010-02-15 20:07 . 2010-02-15 20:08 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 04:39 . 2008-09-18 04:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-03 04:37 . 2008-03-11 17:14 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-03 04:21 . 2010-02-26 14:38 6 ---ha-w- c:\windows\system32\x93842.tmp
2010-03-03 04:13 . 2008-11-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-02 03:17 . 2008-06-11 16:46 -------- d-----w- c:\program files\Mobile Automation
2010-02-27 23:59 . 2008-09-17 02:22 -------- d-----w- c:\documents and settings\mlamana\Application Data\DNA
2010-02-27 23:24 . 2008-11-14 16:00 -------- d-----w- c:\documents and settings\mlamana\Application Data\Skype
2010-02-27 21:04 . 2008-11-14 16:06 -------- d-----w- c:\documents and settings\mlamana\Application Data\skypePM
2010-02-26 18:22 . 2009-05-11 12:44 -------- d-----w- c:\program files\Taskbar Shuffle
2010-02-26 18:22 . 2008-09-17 02:22 -------- d-----w- c:\program files\DNA
2010-02-26 14:32 . 2010-02-26 14:32 0 ----a-w- c:\windows\system32\lsp8.tmp
2010-02-23 12:43 . 2008-09-17 02:22 -------- d-----w- c:\documents and settings\mlamana\Application Data\BitTorrent
2010-02-23 02:48 . 2008-03-11 22:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-21 05:55 . 2008-09-01 13:10 -------- d-----w- c:\documents and settings\mlamana\Application Data\U3
2010-02-15 20:07 . 2009-08-04 03:33 -------- d-----w- c:\program files\Common Files\Apple
2010-02-15 20:00 . 2009-09-17 00:41 -------- d-----w- c:\program files\QuickTime
2010-02-04 04:55 . 2008-11-16 03:35 -------- d-----w- c:\program files\Google
2010-02-03 04:57 . 2009-02-12 13:18 -------- d-----w- c:\documents and settings\mlamana\Application Data\Move Networks
2010-01-27 15:25 . 2009-08-22 01:53 -------- d-----w- c:\program files\LivingEarthDesktop
2010-01-22 16:59 . 2010-01-22 16:59 -------- d-----w- c:\documents and settings\mlamana\Application Data\webex
2010-01-14 14:20 . 2008-03-11 17:16 -------- d-----w- c:\program files\Java
2010-01-05 20:15 . 2008-11-14 15:59 -------- d-----r- c:\program files\Skype
2010-01-05 20:14 . 2010-01-05 20:14 -------- d-----w- c:\program files\Common Files\Skype
2010-01-05 20:14 . 2008-11-14 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"="c:\program files\Qtvxspglxyjwo\dehjlgd.exe" [2006-06-18 2180749]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"="c:\program files\Qtvxspglxyjwo\dehjlgd.exe" [2006-06-18 2180749]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\dfjdkjfdkjfldjf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-04-24 03:16 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 17:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-09 15:07 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-24 21:14 53408 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\forsinit]
2008-10-22 13:08 765952 ----a-w- c:\windows\sprscore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-12 22:07 133104 ----atw- c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-31 00:00 162584 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-31 00:00 138008 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Automation Agent]
2003-12-09 23:53 94208 ----a-w- c:\progra~1\MOBILE~1\rstate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2008-07-30 19:28 87320 ----a-w- c:\program files\AT&T Global Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-17 08:03 8495104 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-11-17 08:03 86016 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-17 08:03 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 08:03 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-30 23:59 138008 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeperEnterprise]
2006-02-06 19:27 1327616 ----a-w- c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar Shuffle]
2008-04-17 05:28 818176 ----a-w- c:\program files\Taskbar Shuffle\taskbarshuffle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-06-15 05:40 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=
"c:\\Documents and Settings\\mlamana\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\mlamana\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Spark\\Spark.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 NEOFLTR_600_12875;Juniper Networks TDI Filter Driver (NEOFLTR_600_12875);c:\windows\system32\drivers\NEOFLTR_600_12875.sys [14-Mar-08 04:10 64160]
R1 NEOFLTR_620_13515;Juniper Networks TDI Filter Driver (NEOFLTR_620_13515);c:\windows\system32\drivers\NEOFLTR_620_13515.sys [22-Aug-08 12:04 64480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [26-Dec-09 06:47 54752]
R2 MobileAutmationAgentService;Mobile Automation Agent;c:\program files\Mobile Automation\rstate.exe [11-Jun-08 11:47 94208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [28-Aug-09 19:01 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-Dec-09 10:45 135664]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [01-Dec-09 13:55 22136]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05-Aug-09 16:48 704864]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [15-Jun-06 00:40 115952]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26-Oct-09 22:06 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
senekalight
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-16 16:31]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 15:45]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 15:45]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1945010074-62018654-1971066577-14898Core.job
- c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 22:07]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1945010074-62018654-1971066577-14898UA.job
- c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = https://ip.clarkstonconsulting.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\lsp8.dll
Trusted Zone: adp.com\ipay
Trusted Zone: citrixonline.com
Trusted Zone: citrixonline.com\www
Trusted Zone: clarkstonconsulting.com\cc
Trusted Zone: clarkstonconsulting.com\cp
Trusted Zone: clarkstonconsulting.com\ip
Trusted Zone: travelasp.com\clarkston
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://remote.rjrt.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://ip.clarkstonconsulting.com/crystalreportviewers10/ActiveXControls/,DanaInfo=changepoint+ActiveXViewer.cab
FF - ProfilePath - c:\documents and settings\mlamana\Application Data\Mozilla\Firefox\Profiles\uavm2em1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\mlamana\Application Data\Mozilla\Firefox\Profiles\uavm2em1.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\mlamana\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\mlamana\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\mlamana\Application Data\Mozilla\Firefox\Profiles\uavm2em1.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\mlamana\Application Data\Mozilla\Firefox\Profiles\uavm2em1.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\mlamana\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\q9bpsliy.dll
HKCU-Run-Remote System Protection - c:\windows\system32\q9bpsliy.dll
SharedTaskScheduler-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\q9bpsliy.dll
Notify-urqQiFUN - urqQiFUN.dll
SafeBoot-senekalight
MSConfigStartUp-asg984jgkfmgasi8ug98jgkfgfb - c:\docume~1\mlamana\LOCALS~1\Temp\install.exe
MSConfigStartUp-winlogin - c:\program files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\CritProc.exe
MSConfigStartUp-Remote System Protection - c:\windows\system32\q9bpsliy.dll
MSConfigStartUp-uishf9wuifwuh387fh3wufinhjfdwefe - c:\docume~1\mlamana\LOCALS~1\Temp\wdyjsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 23:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc2A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\WRLogonNtf.DLL
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\lsp8.dll
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll

- - - - - - - > 'explorer.exe'(1776)
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll
c:\windows\system32\msaun0ero.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(920)
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\SSL VPN Client\agent.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\AT&T Global Network Client\netcfgsvr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-03-02 23:52:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-03 04:52

Pre-Run: 2,759,680,000 bytes free
Post-Run: 3,502,927,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2B40732750BE8FCFB431A116E64E5977


#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 March 2010 - 08:21 PM

Let's go back and remove some other entries.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/298800/hijackthis-with-log/

Collect::
c:\windows\system32\lsp8.dll
c:\windows\system32\x93842.tmp
c:\windows\system32\lsp8.tmp

Folder::
c:\program files\Qtvxspglxyjwo

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"=-

NetSvc::
senekalight

Driver::
senekalight

DDS::
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

m0le is a proud member of UNITE

#10 mll2

  • Topic Starter
  • Members
  • 9 posts

Posted 03 March 2010 - 11:52 PM

Hi m0le,

It really seems that everything is taken care of already! Thanks so much!

Before I run the Combofix again I should let you know that I have a Keylogger installed on the machine for parental purposes.
I know its logs are stored in c:\program files\Qtvxspglxyjwo, therefore perhaps we should leave this alone. However, I'm not sure about the other paths from your text file; do you think these are of malicious intent, other than the keylogger?

Thanks,
mll2

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 March 2010 - 08:00 AM

QUOTE
I know its logs are stored in c:\program files\Qtvxspglxyjwo, therefore perhaps we should leave this alone


Yes, some of that still needs to be removed. We'll need to amend the Combofix script to the one below:

QUOTE
File::
c:\windows\system32\lsp8.dll
c:\windows\system32\x93842.tmp
c:\windows\system32\lsp8.tmp

NetSvc::
senekalight

Driver::
senekalight

DDS::
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -



If I'm correct this may disconnect the internet connection, so please make a note of this info and download the program before you run the script.

Download and run WinSockFix. This is a two step process that will Back up the Registry and Reset the Winsock Stack.


Instructions
  • Double click on WinsockXPFix.exe to open.
  • On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
  • On the ERDNT Welcome screen, click "OK".
  • On the Backup to: screen, click "OK".
  • On the Folder does not exist question screen click "Yes".
  • You will see a status screen as your registry is being backed up.
  • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen click "OK" to reboot your computer.
  • If your computer was not using DHCP, you will need to reconfigure TCP/IP.
  • You should have connectivity restored.

m0le is a proud member of UNITE

#12 mll2

  • Topic Starter
  • Members
  • 9 posts

Posted 05 March 2010 - 10:12 PM

Hi m0le,

Here's the ComboFix log. Thanks so much for your help; I really appreciate the help. Seems like we're getting close.

mll2

ComboFix 10-03-02.02 - mlamana 05-Mar-10 17:42:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1330 [GMT -5:00]
Running from: c:\documents and settings\mlamana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mlamana\Desktop\CFScript.txt.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\lsp8.dll"
"c:\windows\system32\lsp8.tmp"
"c:\windows\system32\x93842.tmp"
.
The following files were disabled during the run:
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsp8.dll
c:\windows\system32\lsp8.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\x93842.tmp

c:\windows\system32\grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-02-26 22:08 . 2010-02-26 22:08 -------- d-----w- c:\program files\Trend Micro
2010-02-26 14:49 . 2010-02-26 15:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-26 14:49 . 2010-02-26 14:49 -------- d-----w- c:\program files\Lavasoft
2010-02-26 14:49 . 2010-02-26 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-15 20:07 . 2010-02-15 20:07 -------- d-----w- c:\program files\iPod
2010-02-15 20:07 . 2010-02-15 20:08 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 22:58 . 2008-09-18 04:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-05 22:56 . 2008-03-11 17:14 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-05 22:19 . 2008-11-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-02 03:17 . 2008-06-11 16:46 -------- d-----w- c:\program files\Mobile Automation
2010-02-27 23:59 . 2008-09-17 02:22 -------- d-----w- c:\documents and settings\mlamana\Application Data\DNA
2010-02-27 23:24 . 2008-11-14 16:00 -------- d-----w- c:\documents and settings\mlamana\Application Data\Skype
2010-02-27 21:04 . 2008-11-14 16:06 -------- d-----w- c:\documents and settings\mlamana\Application Data\skypePM
2010-02-26 18:22 . 2009-05-11 12:44 -------- d-----w- c:\program files\Taskbar Shuffle
2010-02-26 18:22 . 2008-09-17 02:22 -------- d-----w- c:\program files\DNA
2010-02-24 20:02 . 2010-02-24 20:02 5515984 ----a-w- c:\documents and settings\mlamana\Application Data\TVU Networks\AutoUpgrade\TVUPlayer2.5.2.1.exe
2010-02-23 12:43 . 2008-09-17 02:22 -------- d-----w- c:\documents and settings\mlamana\Application Data\BitTorrent
2010-02-23 02:48 . 2008-03-11 22:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-21 05:55 . 2008-09-01 13:10 -------- d-----w- c:\documents and settings\mlamana\Application Data\U3
2010-02-18 09:00 . 2010-02-19 15:15 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a410.vdb\ECMSVR32.DLL
2010-02-15 20:07 . 2009-08-04 03:33 -------- d-----w- c:\program files\Common Files\Apple
2010-02-15 20:00 . 2009-09-17 00:41 -------- d-----w- c:\program files\QuickTime
2010-02-15 19:54 . 2010-02-15 19:54 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-11 09:00 . 2010-02-12 18:27 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309602.vdb\ECMSVR32.DLL
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\mlamana\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-04 16:02 . 2010-02-04 16:02 593920 ----a-w- c:\documents and settings\mlamana\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
2010-02-04 15:53 . 2010-02-26 14:49 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 04:55 . 2008-11-16 03:35 -------- d-----w- c:\program files\Google
2010-02-03 04:57 . 2009-02-12 13:18 -------- d-----w- c:\documents and settings\mlamana\Application Data\Move Networks
2010-01-27 15:25 . 2009-08-22 01:53 -------- d-----w- c:\program files\LivingEarthDesktop
2010-01-22 16:59 . 2010-01-22 16:59 -------- d-----w- c:\documents and settings\mlamana\Application Data\webex
2010-01-14 14:20 . 2008-03-11 17:16 -------- d-----w- c:\program files\Java
2010-01-14 14:16 . 2010-01-14 14:16 152576 ----a-w- c:\documents and settings\mlamana\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-14 14:15 . 2009-11-24 23:58 79488 ----a-w- c:\documents and settings\mlamana\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 21:13 . 2009-09-09 01:42 144160 ----a-w- c:\documents and settings\mlamana\Application Data\Move Networks\uninstall.exe
2010-01-05 21:13 . 2009-12-07 01:22 5603776 ----a-w- c:\documents and settings\mlamana\Application Data\Move Networks\plugins\npqmp071705000014.dll
2010-01-05 21:13 . 2010-01-05 21:13 1795704 ----a-w- c:\documents and settings\mlamana\Application Data\Move Networks\MoveMediaPlayerWin_071705000014.exe
2010-01-05 20:15 . 2008-11-14 15:59 -------- d-----r- c:\program files\Skype
2010-01-05 20:14 . 2010-01-05 20:14 -------- d-----w- c:\program files\Common Files\Skype
2010-01-05 20:14 . 2008-11-14 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-08 00:01 . 2010-02-19 15:15 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a410.vdb\CCERASER.DLL
2009-12-08 00:01 . 2010-02-12 18:27 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309602.vdb\CCERASER.DLL
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\mlamana\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"="c:\program files\Qtvxspglxyjwo\dehjlgd.exe" [2006-06-18 2180749]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"="c:\program files\Qtvxspglxyjwo\dehjlgd.exe" [2006-06-18 2180749]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-04-24 03:16 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 17:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-09 15:07 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-24 21:14 53408 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\forsinit]
2008-10-22 13:08 765952 ----a-w- c:\windows\sprscore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-12 22:07 133104 ----atw- c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-31 00:00 162584 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-31 00:00 138008 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Automation Agent]
2003-12-09 23:53 94208 ----a-w- c:\progra~1\MOBILE~1\rstate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2008-07-30 19:28 87320 ----a-w- c:\program files\AT&T Global Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-17 08:03 8495104 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-11-17 08:03 86016 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-17 08:03 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 08:03 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-30 23:59 138008 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeperEnterprise]
2006-02-06 19:27 1327616 ----a-w- c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar Shuffle]
2008-04-17 05:28 818176 ----a-w- c:\program files\Taskbar Shuffle\taskbarshuffle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-06-15 05:40 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=
"c:\\Documents and Settings\\mlamana\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\mlamana\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Spark\\Spark.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 NEOFLTR_600_12875;Juniper Networks TDI Filter Driver (NEOFLTR_600_12875);c:\windows\system32\drivers\NEOFLTR_600_12875.sys [14-Mar-08 04:10 64160]
R1 NEOFLTR_620_13515;Juniper Networks TDI Filter Driver (NEOFLTR_620_13515);c:\windows\system32\drivers\NEOFLTR_620_13515.sys [22-Aug-08 12:04 64480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [26-Dec-09 06:47 54752]
R2 MobileAutmationAgentService;Mobile Automation Agent;c:\program files\Mobile Automation\rstate.exe [11-Jun-08 11:47 94208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [28-Aug-09 19:01 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-Dec-09 10:45 135664]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [01-Dec-09 13:55 22136]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05-Aug-09 16:48 704864]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [15-Jun-06 00:40 115952]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26-Oct-09 22:06 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-16 16:31]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 15:45]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 15:45]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1945010074-62018654-1971066577-14898Core.job
- c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 22:07]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1945010074-62018654-1971066577-14898UA.job
- c:\documents and settings\mlamana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = https://ip.clarkstonconsulting.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: adp.com\ipay
Trusted Zone: citrixonline.com
Trusted Zone: citrixonline.com\www
Trusted Zone: clarkstonconsulting.com\cc
Trusted Zone: clarkstonconsulting.com\cp
Trusted Zone: clarkstonconsulting.com\ip
Trusted Zone: travelasp.com\clarkston
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://remote.rjrt.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://ip.clarkstonconsulting.com/crystalreportviewers10/ActiveXControls/,DanaInfo=changepoint+ActiveXViewer.cab
FF - ProfilePath - c:\documents and settings\mlamana\Application Data\Mozilla\Firefox\Profiles\uavm2em1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\mlamana\Application Data\Mozilla\Firefox\Profiles\uavm2em1.default\extensions\piclens@cooliris.com\components\cooliris.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 17:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc2D.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\WRLogonNtf.DLL
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll

- - - - - - - > 'lsass.exe'(1000)
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll

- - - - - - - > 'explorer.exe'(1628)
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll
c:\windows\system32\msaun0ero.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(920)
c:\program files\Webroot\Enterprise\Spy Sweeper\ssi15.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\SSL VPN Client\agent.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\AT&T Global Network Client\netcfgsvr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2010-03-05 18:11:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 23:11
ComboFix2.txt 2010-03-03 04:52

Pre-Run: 3,467,554,816 bytes free
Post-Run: 3,426,361,344 bytes free

- - End Of File - - 4C70794F9C009E71592AB2EFE3CBBFBD
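
The "Reg Loading Points" section of the log above is where the autostart entries and the weakened Security Center and firewall settings show up ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring" set to 1, "EnableFirewall" set to 0, and a Run entry under a randomly named folder). Below is an added triage helper that parses that REGEDIT4-style section and flags those conditions. It is example code written for this page, not code from the thread, from ComboFix, or from BleepingComputer; the sample lines are constructed to mirror the log above, and the "random-looking name" rule (a run of five or more consonants in a path component, or a value name that does not start with a letter) is an assumed heuristic that yields review prompts, not verdicts.

```python
"""Triage helper for the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the thread or of ComboFix. The heuristics and the
sample log are assumptions made for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the log posted above (not the original file).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"026d-"="c:\program files\Qtvxspglxyjwo\dehjlgd.exe" [2006-06-18 2180749]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"=value, optionally followed by ComboFix's " [YYYY-MM-DD size]" suffix.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*(?:\[\d{4}-\d{2}-\d{2} \d+\])?\s*$')


def _decode(raw: str):
    """Turn a value token into an int (dword:…, 'n (0xn)') or a cleaned string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_reg_dump(text: str) -> Dict[str, List[Tuple[str, object]]]:
    """Map each registry key to its (value name, decoded value) pairs."""
    entries: Dict[str, List[Tuple[str, object]]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        km = KEY_RE.match(stripped)
        if km:
            current = km.group(1)
            entries.setdefault(current, [])
            continue
        vm = VALUE_RE.match(stripped)
        if vm and current is not None:
            entries[current].append((vm.group(1), _decode(vm.group(2))))
    return entries


# (key fragment, value name, value that weakens protection, explanation)
WEAKENING_SETTINGS = [
    ("security center", "AntiVirusOverride", 1, "Security Center ignores antivirus state"),
    ("security center", "FirewallOverride", 1, "Security Center ignores firewall state"),
    ("security center\\monitoring", "DisableMonitoring", 1, "AV product monitoring disabled"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall off (standard profile)"),
]


def weakened_security_settings(entries) -> List[Tuple[str, str, str]]:
    """Return (key, value name, explanation) for each protection-weakening value."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        for frag, name, bad, why in WEAKENING_SETTINGS:
            if frag in k:
                for vname, val in values:
                    if vname == name and val == bad:
                        findings.append((key, name, why))
    return findings


VOWELS = set("aeiouy")


def looks_random(token: str, min_len: int = 6, max_consonant_run: int = 5) -> bool:
    """Assumed heuristic: a long consonant run is rare in real product or file names."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    run = best = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best >= max_consonant_run


def suspicious_run_entries(entries) -> List[Tuple[str, str, str, List[str]]]:
    """Flag Run values whose path has random-looking components or an odd value name."""
    findings = []
    for key, values in entries.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, val in values:
            if not isinstance(val, str):
                continue
            parts = [p for p in re.split(r"[\\/]", val) if p]
            odd = [p for p in parts if looks_random(p)]
            if odd or not re.fullmatch(r"[A-Za-z][A-Za-z0-9 ._-]*", name):
                findings.append((key, name, val, odd))
    return findings


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_LOG)
    for key, name, why in weakened_security_settings(parsed):
        print(f"WEAKENED  {name}={why}  in {key}")
    for key, name, val, odd in suspicious_run_entries(parsed):
        print(f"REVIEW    Run value {name!r} -> {val}  (odd components: {odd})")
```

Run it as a script to print the findings, or import it and call `parse_reg_dump` on the pasted section of a real log. A flagged Run entry is only a prompt to look closer: in this thread the randomly named folder turned out to be the poster's own monitoring tool, which is exactly why the helper reports rather than deletes.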


#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 March 2010 - 07:54 AM

Yes, that looks a lot better.

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar.

Then close Firefox and then reopen it.


Now please run ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

m0le is a proud member of UNITE

#14 mll2

  • Topic Starter
  • Members
  • 9 posts

Posted 07 March 2010 - 03:24 AM

Hi m0le,

Here's the log. Thanks so much for your help! Seems like we're almost there! Here's the ESETScan log.

C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mlamana\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CVX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\abvensdk.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\avyqgiap.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\bogsdeoa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ctuiwwfn.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehbtvjcf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\exfxewhv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hryqtbxl.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hujsrbeu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\inumundj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\jfcbiwfy.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\maafthwn.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nqohssue.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\oahmbrcu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\rijiwhhv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\rolbhnaa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxacxkky.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ydcuttvw.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\yGfNqBeg.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\yGfNqBeg.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir a variant of Win32/Kryptik.CVX trojan cleaned by deleting - quarantined

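As an added example (not part of the thread or of ESET's tooling), a small Python triage helper for ESET OnlineScan log lines in the format posted above: it separates detections whose path points into ComboFix's C:\Qoobox\Quarantine folder (files ComboFix had already isolated earlier in the thread, renamed with a .vir suffix) from detections on live files, which is the distinction a helper draws when deciding whether a log like this still shows an active infection. The sample lines are copied from the log above; the line regex is my assumption about the log layout.

```python
import re
from collections import Counter

# Sample taken from the ESET log posted above (path, detection, action).
SAMPLE_LOG = r"""
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mlamana\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CVX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\abvensdk.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir a variant of Win32/Kryptik.CVX trojan cleaned by deleting - quarantined
"""

# Assumed layout: "<path> <threat name> <action>". The path may contain spaces,
# so it is matched lazily up to the first token containing "/" (the threat family).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:a variant of )?\S+/\S+(?: [a-z]+)*?)\s+"
    r"(?P<action>(?:cleaned|deleted|quarantined|unable to clean|error).*)$"
)

# ComboFix stores the files it removes under C:\Qoobox\Quarantine with a .vir suffix.
COMBOFIX_QUARANTINE = "\\qoobox\\quarantine\\"


def parse_eset_log(text):
    """Return one dict per detection line; raise on a line that does not fit the layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET log line: {line!r}")
        path = m["path"]
        records.append({
            "path": path,
            "threat": m["threat"],
            "action": m["action"],
            # A hit inside the ComboFix quarantine is a copy of an already-removed file.
            "already_quarantined": COMBOFIX_QUARANTINE in path.lower(),
        })
    return records


def triage(records):
    """Split detections into live files vs. quarantine copies and count live threat families."""
    live = [r for r in records if not r["already_quarantined"]]
    quarantined = [r for r in records if r["already_quarantined"]]
    return {"live": live, "quarantined": quarantined,
            "live_families": Counter(r["threat"] for r in live)}


if __name__ == "__main__":
    result = triage(parse_eset_log(SAMPLE_LOG))
    print(f"{len(result['live'])} live detections, {len(result['quarantined'])} quarantine copies")
    for rec in result["live"]:
        print("LIVE:", rec["path"], "->", rec["threat"], "|", rec["action"])
```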

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:56 PM

Posted 07 March 2010 - 05:40 AM

Yes, we're nearly there.


You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it mll2, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE



