Malware/Virus! Unsure of cause, but numerous problems


This topic is locked
15 replies to this topic

#1 riche96

riche96

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 02 June 2010 - 11:09 PM

I have a Dell D620 running Windows XP Professional Service Pack 3. I am sure I mistakenly allowed a download that I obviously shouldn't have that started this problem. I believe the first issue I began having was related to downloading Antispyware Soft. After following the advice offered through other posts, I thought I had this removed using HijackThis and Malwarebytes.

Initially, after having run Malwarebytes and HijackThis, when Windows was trying to load, I would get 2 errors; they said that Data Execution Prevention shut down Windows Logon UI and Userinit. None of my desktop icons would load, nor would the Windows taskbar. I had to manually run explorer.exe from the Task Manager to get them to come up. This problem is no longer happening.

The second problem I am having involves having browser problems. Google Chrome will not work at all. Internet explorer does work, but will not access some web pages, and if I do a search and try to access a page by selecting the link the search provided, I will be redirected to a page completely unrelated.

Finally I decided to begin my own thread here on bleepingcomputer. I was easily able to get the DDS logs you needed, but had problems when trying to get the GMER log. During one of the scans, I stepped away from the PC for a minute; when I returned, it was on a blue screen that said:
"A problem has been detected and windows has been shut down to prevent damage to your computer.
The problem seems to be caused by the following file: agkoyfoc.sys
PAGE_FAULT_IN_NONPAGED_AREA".
It goes on to give some technical data:
*** STOP: 0x00000050 (0xE4A9B000, 0x00000000, 0xA6F8FC3E, 0x00000001)
*** agkoyfoc.sys - Address A6F8FC3E base at A6F8F000, DateStamp 4b274f8d

I have webroot antivirus with spy sweeper on the pc. When I ran a full scan with it, it detected numerous malware and trojans it was able to remove, but there is a virus that it first said it quarantined, but during a later scan said it was unable to quarantine that has me worried. It was called W32/Scribble-B. Is there any hope? I appreciate any help that can be offered in advance.

Here is the log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 19:42:07.21 on Sun 05/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.313 [GMT -5:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\smartctr.exe
C:\lotus\smartctr\suitest.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] "c:\windows\system32\macromed\flash\FlashUtil10b.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [SigmatelSysTrayApp] "%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BlackBerryAutoUpdate] "c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe" /background
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuso~1.lnk - c:\lotus\organize\easyclip.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~2.lnk - c:\lotus\smartctr\smartctr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~1.lnk - c:\lotus\smartctr\suitest.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-8-26 29808]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-2-16 3106672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-8-26 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-5-24 1201640]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-25 38224]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S0 uzlasvtu;uzlasvtu; [x]

=============== Created Last 30 ================

2010-05-31 00:39:30 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-05-30 21:55:14 161280 ----a-w- c:\windows\system32\OLD77F.tmp
2010-05-30 21:53:06 0 d-----w- C:\HJT
2010-05-30 17:23:44 26112 ----a-w- c:\windows\system32\OLD1E8.tmp
2010-05-30 17:02:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Gosu
2010-05-28 02:40:22 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-05-28 02:40:20 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-05-28 02:33:35 0 d-----w- c:\program files\Spyware Doctor
2010-05-28 02:33:35 0 d-----w- c:\program files\common files\PC Tools
2010-05-26 02:09:11 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-26 01:45:24 0 d-----w- c:\program files\Free Window Registry Repair
2010-05-26 01:13:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 01:13:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 01:13:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 01:13:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-25 22:54:46 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-25 22:33:55 0 d-----w- c:\windows\pss
2010-05-25 03:07:28 0 d-----w- c:\program files\MSSOAP
2010-05-25 03:06:53 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-25 03:06:53 0 d-----w- c:\program files\Webroot
2010-05-25 03:06:53 0 d-----w- c:\docume~1\user\applic~1\Webroot
2010-05-25 03:06:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-05-15 02:27:24 0 d-----w- c:\program files\iPod
2010-05-15 02:27:10 0 d-----w- c:\program files\iTunes
2010-05-15 02:23:00 0 d-----w- c:\program files\Bonjour
2010-05-05 01:04:05 0 d-----w- c:\program files\DivX
2010-05-05 01:03:51 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-05-03 23:41:34 898 ----a-w- c:\documents and settings\user\.recently-used.xbel
2010-05-03 23:41:17 0 d-----w- c:\documents and settings\user\.thumbnails
2010-05-03 23:40:26 0 d-----w- c:\documents and settings\user\.gimp-2.6

==================== Find3M ====================

2010-05-26 22:43:33 31744 ----a-w- c:\windows\system32\regsvr32.exe
2010-05-26 22:43:32 24064 ----a-w- c:\windows\system32\unlodctr.exe
2010-05-26 22:43:29 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43:28 28160 ----a-w- c:\windows\system32\control.exe
2010-05-26 22:43:28 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43:26 36352 ----a-w- c:\windows\system32\wbem\mofcomp.exe
2010-05-26 22:43:25 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:43:10 96256 ----a-w- c:\windows\system32\telnet.exe
2010-05-26 22:43:10 100864 ----a-w- c:\windows\system32\tlntsess.exe
2010-05-26 22:42:38 409088 ----a-w- c:\windows\system32\cmd.exe
2010-05-26 22:41:28 65536 ----a-w- c:\windows\system32\mshta.exe
2010-05-26 22:38:37 87040 ----a-w- c:\windows\system32\rdshost.exe
2010-05-26 22:38:37 55296 ----a-w- c:\windows\system32\sc.exe
2010-05-26 22:38:36 37888 ----a-w- c:\windows\system32\ping.exe
2010-05-26 22:38:35 144896 ----a-w- c:\windows\system32\net1.exe
2010-05-26 22:38:34 62464 ----a-w- c:\windows\system32\net.exe
2010-05-26 22:38:29 30720 ----a-w- c:\windows\hh.exe
2010-05-26 22:38:29 244736 ----a-w- c:\windows\system32\dmadmin.exe
2010-05-26 22:38:14 176128 ----a-w- c:\windows\system32\wscript.exe
2010-05-26 22:38:14 155648 ----a-w- c:\windows\system32\cscript.exe
2010-05-26 22:37:55 105984 ----a-w- c:\windows\system32\netsh.exe
2010-05-26 22:37:24 216576 ----a-w- c:\windows\system32\wbem\wmiadap.exe
2010-05-26 22:37:22 440832 ----a-w- c:\windows\system32\ntvdm.exe
2010-05-26 22:37:21 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37:20 534528 ----a-w- c:\windows\system32\logonui.exe
2010-05-26 22:37:18 77824 ----a-w- c:\windows\system32\spoolsv.exe
2010-05-26 22:37:17 115712 ----a-w- c:\windows\system32\scardsvr.exe
2010-05-26 22:37:16 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:37:14 1053696 ----a-w- c:\windows\explorer.exe
2010-05-26 22:37:12 28160 ----a-w- c:\windows\system32\control.exe.tmp
2010-05-26 22:37:09 83968 ----a-w- c:\windows\system32\cleanmgr.exe
2010-05-26 22:37:09 45056 ----a-w- c:\windows\system32\defrag.exe
2010-05-26 22:35:59 98816 ----a-w- c:\windows\system32\msiexec.exe
2010-05-26 22:35:57 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35:56 155648 ----a-w- c:\windows\system32\taskmgr.exe
2010-05-26 22:35:54 363008 ----a-w- c:\windows\system32\mspaint.exe
2010-05-26 22:35:42 1434624 ----a-w- c:\windows\system32\mmc.exe
2010-05-26 22:35:34 558592 ----a-w- c:\windows\system32\spider.exe
2010-05-26 22:35:34 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35:33 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35:22 30720 ----a-w- c:\windows\system32\dumprep.exe
2010-05-26 22:35:19 247808 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
2010-05-26 22:35:16 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 22:35:14 64512 ----a-w- c:\windows\system32\alg.exe
2010-05-26 22:35:13 53248 ----a-w- c:\windows\system32\rundll32.exe
2010-05-26 14:52:48 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-15 14:38:24 208245 ----a-w- c:\windows\hpoins43.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 19:43:09.34 ===============

The other 2 logs are attached as requested. Thanks again.

#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 05 June 2010 - 09:37 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 riche96

riche96
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 06 June 2010 - 10:53 AM

Thanks EB!! No problem about the delay. I appreciate the time and effort you put into helping others fix problems! As requested, the logs are below. The problems I am currently experiencing are:

1) Internet Explorer will not work on some sites. I just receive an error message, like the server is down. If I perform a search and then click on one of the links, I am redirected to a site that is completely unrelated to what I just selected. Occasionally, for example, when I was logged into bleepingcomputer.com and I clicked on "My Topics", another window opened to www.google.com.

2) Google Chrome will not work at all. Just a blank screen.

3) Webroot Antivirus and Spy Sweeper detected the W32/Scribble-B virus, and will not quarantine it.

4) Intermittently, I still have to manually run explorer.exe to get the Task Manager to come up. The Task Manager sometimes loads, but looks like that of an older version of Windows. It is a gray bar rather than blue.

5) Overall, the computer also just runs very slowly. It constantly hangs and must be restarted. Sometimes it will hang when shutting down and I must do a hard restart to proceed.

DDS log...


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 22:40:03.67 on Sat 06/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.493 [GMT -5:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\smartctr.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\CyberDefender\Registry Cleaner\CDregclean.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [CyberDefender Registry Cleaner] "c:\program files\cyberdefender\registry cleaner\CDregclean.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [SigmatelSysTrayApp] "%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BlackBerryAutoUpdate] "c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe" /background
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [CyberDefender Registry Cleaner]
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuso~1.lnk - c:\lotus\organize\easyclip.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~2.lnk - c:\lotus\smartctr\smartctr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~1.lnk - c:\lotus\smartctr\suitest.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-8-26 29808]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-2-16 3106672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-8-26 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-5-24 1201640]
S0 uzlasvtu;uzlasvtu; [x]

=============== Created Last 30 ================

2010-06-05 08:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Gosu
2010-06-03 03:14:45 0 d-----w- c:\docume~1\user\applic~1\CyberDefender
2010-06-03 03:14:13 0 d-----w- c:\program files\CyberDefender
2010-05-31 00:39:30 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-05-30 21:55:14 161280 ----a-w- c:\windows\system32\OLD77F.tmp
2010-05-30 21:53:06 0 d-----w- C:\HJT
2010-05-28 02:40:22 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-05-28 02:40:20 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-05-28 02:33:35 0 d-----w- c:\program files\Spyware Doctor
2010-05-26 02:09:11 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-26 01:45:24 0 d-----w- c:\program files\Free Window Registry Repair
2010-05-26 01:13:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 01:13:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 01:13:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 01:13:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-25 22:54:46 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-25 22:33:55 0 d-----w- c:\windows\pss
2010-05-25 03:07:28 0 d-----w- c:\program files\MSSOAP
2010-05-25 03:06:53 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-25 03:06:53 0 d-----w- c:\program files\Webroot
2010-05-25 03:06:53 0 d-----w- c:\docume~1\user\applic~1\Webroot
2010-05-25 03:06:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-05-15 02:27:24 0 d-----w- c:\program files\iPod
2010-05-15 02:27:10 0 d-----w- c:\program files\iTunes
2010-05-15 02:23:00 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-26 22:43:33 31744 ----a-w- c:\windows\system32\regsvr32.exe
2010-05-26 22:43:32 24064 ----a-w- c:\windows\system32\unlodctr.exe
2010-05-26 22:43:29 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43:28 28160 ----a-w- c:\windows\system32\control.exe
2010-05-26 22:43:28 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43:26 36352 ----a-w- c:\windows\system32\wbem\mofcomp.exe
2010-05-26 22:43:25 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:43:10 96256 ----a-w- c:\windows\system32\telnet.exe
2010-05-26 22:43:10 100864 ----a-w- c:\windows\system32\tlntsess.exe
2010-05-26 22:42:38 409088 ----a-w- c:\windows\system32\cmd.exe
2010-05-26 22:41:28 65536 ----a-w- c:\windows\system32\mshta.exe
2010-05-26 22:38:37 87040 ----a-w- c:\windows\system32\rdshost.exe
2010-05-26 22:38:37 55296 ----a-w- c:\windows\system32\sc.exe
2010-05-26 22:38:36 37888 ----a-w- c:\windows\system32\ping.exe
2010-05-26 22:38:35 144896 ----a-w- c:\windows\system32\net1.exe
2010-05-26 22:38:34 62464 ----a-w- c:\windows\system32\net.exe
2010-05-26 22:38:29 30720 ----a-w- c:\windows\hh.exe
2010-05-26 22:38:29 244736 ----a-w- c:\windows\system32\dmadmin.exe
2010-05-26 22:38:14 176128 ----a-w- c:\windows\system32\wscript.exe
2010-05-26 22:38:14 155648 ----a-w- c:\windows\system32\cscript.exe
2010-05-26 22:37:55 105984 ----a-w- c:\windows\system32\netsh.exe
2010-05-26 22:37:24 216576 ----a-w- c:\windows\system32\wbem\wmiadap.exe
2010-05-26 22:37:22 440832 ----a-w- c:\windows\system32\ntvdm.exe
2010-05-26 22:37:21 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37:20 534528 ----a-w- c:\windows\system32\logonui.exe
2010-05-26 22:37:18 77824 ----a-w- c:\windows\system32\spoolsv.exe
2010-05-26 22:37:17 115712 ----a-w- c:\windows\system32\scardsvr.exe
2010-05-26 22:37:16 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:37:14 1053696 ----a-w- c:\windows\explorer.exe
2010-05-26 22:37:12 28160 ----a-w- c:\windows\system32\control.exe.tmp
2010-05-26 22:37:09 83968 ----a-w- c:\windows\system32\cleanmgr.exe
2010-05-26 22:37:09 45056 ----a-w- c:\windows\system32\defrag.exe
2010-05-26 22:35:59 98816 ----a-w- c:\windows\system32\msiexec.exe
2010-05-26 22:35:57 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35:56 155648 ----a-w- c:\windows\system32\taskmgr.exe
2010-05-26 22:35:54 363008 ----a-w- c:\windows\system32\mspaint.exe
2010-05-26 22:35:42 1434624 ----a-w- c:\windows\system32\mmc.exe
2010-05-26 22:35:34 558592 ----a-w- c:\windows\system32\spider.exe
2010-05-26 22:35:34 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35:33 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35:22 30720 ----a-w- c:\windows\system32\dumprep.exe
2010-05-26 22:35:19 247808 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
2010-05-26 22:35:16 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 22:35:14 64512 ----a-w- c:\windows\system32\alg.exe
2010-05-26 22:35:13 53248 ----a-w- c:\windows\system32\rundll32.exe
2010-05-26 14:52:48 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-15 14:38:24 208245 ----a-w- c:\windows\hpoins43.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 22:41:11.54 ===============

Thanks again,
Rich

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 06 June 2010 - 05:10 PM

Hello.

I see the infection we are dealing with: the TDL3 rootkit. We will start with ComboFix and continue from there to see if it can be disinfected; if not, we'll try something else in the next post.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without the guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 riche96

riche96
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 07 June 2010 - 06:14 AM

Thanks EB, here is the ComboFix log...

ComboFix 10-06-06.03 - User 06/07/2010 2:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1665 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Adobe\sp.DLL
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender\Registry Cleaner\CyberDefender Registry Cleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender\Registry Cleaner\Uninstall CyberDefender Registry Cleaner.lnk
c:\documents and settings\User\Application Data\CyberDefender
c:\documents and settings\User\Application Data\CyberDefender\Registry Cleaner\lastresults.cdr
c:\documents and settings\User\g2mdlhlpx.exe
c:\documents and settings\User\Local Settings\Application Data\Windows Server
c:\program files\CyberDefender
c:\program files\CyberDefender\Registry Cleaner\BeforeUninstall.exe
c:\program files\CyberDefender\Registry Cleaner\cdinstx.ini
c:\program files\CyberDefender\Registry Cleaner\CDRC.dll
c:\program files\CyberDefender\Registry Cleaner\CDRCU.DLL
c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
c:\program files\CyberDefender\Registry Cleaner\cdswx.exe
c:\program files\CyberDefender\Registry Cleaner\cduninstx.exe
c:\program files\CyberDefender\Registry Cleaner\KillCDRCProcesses.exe
c:\program files\CyberDefender\Registry Cleaner\startcdrc.exe
c:\program files\CyberDefender\Registry Cleaner\support.ico
c:\program files\CyberDefender\Registry Cleaner\unins000.dat
c:\program files\CyberDefender\Registry Cleaner\unins000.exe
c:\program files\CyberDefender\Registry Cleaner\unins000.msg
c:\windows\system32\st325602.dll

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\hh.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\hh.exe

c:\windows\inf\unregmp2.exe . . . is infected!!

Infected copy of c:\windows\pchealth\helpctr\binaries\helpctr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\helpctr.exe

c:\windows\pchealth\helpctr\binaries\HelpHost.exe . . . is infected!!

Infected copy of c:\windows\pchealth\helpctr\binaries\helpsvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\helpsvc.exe

Infected copy of c:\windows\system32\alg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\alg.exe

c:\windows\system32\calc.exe . . . is infected!!

Infected copy of c:\windows\system32\cisvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cisvc.exe

Infected copy of c:\windows\system32\cleanmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cleanmgr.exe

Infected copy of c:\windows\system32\clipsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\clipsrv.exe

Infected copy of c:\windows\system32\cmd.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmd.exe

Infected copy of c:\windows\system32\control.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\control.exe

Infected copy of c:\windows\system32\cscript.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB951978\SP3QFE\cscript.exe

Infected copy of c:\windows\system32\defrag.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\defrag.exe

Infected copy of c:\windows\system32\dfrgntfs.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dfrgntfs.exe

Infected copy of c:\windows\system32\dllhost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dllhost.exe

Infected copy of c:\windows\system32\dmadmin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dmadmin.exe

c:\windows\system32\drwtsn32.exe . . . is infected!!

Infected copy of c:\windows\system32\dumprep.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dumprep.exe

Infected copy of c:\windows\system32\dwwin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dwwin.exe

Infected copy of c:\windows\system32\ie4uinit.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ie4uinit.exe

Infected copy of c:\windows\system32\imapi.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imapi.exe

Infected copy of c:\windows\system32\locator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\locator.exe

c:\windows\system32\lodctr.exe . . . is infected!!

c:\windows\system32\logagent.exe . . . is infected!!

Infected copy of c:\windows\system32\logonui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\logonui.exe

Infected copy of c:\windows\system32\mmc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mmc.exe

Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mnmsrvc.exe

c:\windows\system32\mpnotify.exe . . . is infected!!

Infected copy of c:\windows\system32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msdtc.exe

c:\windows\system32\mshearts.exe . . . is infected!!

Infected copy of c:\windows\system32\mshta.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mshta.exe

Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msiexec.exe

Infected copy of c:\windows\system32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB978706\SP3QFE\mspaint.exe

Infected copy of c:\windows\system32\net.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\net.exe

Infected copy of c:\windows\system32\net1.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\net1.exe

Infected copy of c:\windows\system32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe

Infected copy of c:\windows\system32\netsh.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netsh.exe

Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntvdm.exe

Infected copy of c:\windows\system32\ping.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ping.exe

Infected copy of c:\windows\system32\rdshost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rdshost.exe

Infected copy of c:\windows\system32\regsvr32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\regsvr32.exe

c:\windows\system32\rsvp.exe . . . is infected!!

Infected copy of c:\windows\system32\rundll32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rundll32.exe

Infected copy of c:\windows\system32\sc.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\sc.exe

Infected copy of c:\windows\system32\scardsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\scardsvr.exe

Infected copy of c:\windows\system32\smlogsvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\smlogsvc.exe

c:\windows\system32\sndvol32.exe . . . is infected!!

Infected copy of c:\windows\system32\spider.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spider.exe

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe

Infected copy of c:\windows\system32\taskmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\taskmgr.exe

Infected copy of c:\windows\system32\telnet.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB960859\SP3QFE\telnet.exe

Infected copy of c:\windows\system32\tlntsess.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB960859\SP3QFE\tlntsess.exe

Infected copy of c:\windows\system32\tlntsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\tlntsvr.exe

c:\windows\system32\tourstart.exe . . . is infected!!

Infected copy of c:\windows\system32\unlodctr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\unlodctr.exe

Infected copy of c:\windows\system32\ups.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ups.exe

Infected copy of c:\windows\system32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\vssvc.exe

Infected copy of c:\windows\system32\wiaacmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wiaacmgr.exe

Infected copy of c:\windows\system32\wscntfy.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wscntfy.exe

Infected copy of c:\windows\system32\wscript.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB951978\SP3QFE\wscript.exe

Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rstrui.exe

Infected copy of c:\windows\system32\usmt\migwiz.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\migwiz.exe

Infected copy of c:\windows\system32\wbem\mofcomp.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mofcomp.exe

c:\windows\system32\wbem\unsecapp.exe . . . is infected!!

Infected copy of c:\windows\system32\wbem\wmiadap.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wmiadap.exe

Infected copy of c:\windows\system32\wbem\wmiapsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wmiapsrv.exe

Infected copy of c:\windows\system32\wbem\wmiprvse.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Service_SPService


((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-05-30 21:53 . 2010-05-30 21:53 -------- d-----w- C:\HJT
2010-05-28 02:48 . 2010-05-28 02:48 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-05-28 02:33 . 2010-05-31 21:27 -------- d-----w- c:\program files\Spyware Doctor
2010-05-28 02:32 . 2010-05-30 22:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 14:16 . 2010-05-26 14:16 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\msvcp71.dll
2010-05-26 14:16 . 2010-05-26 14:16 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\jmc.dll
2010-05-26 14:16 . 2010-05-26 14:16 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\msvcr71.dll
2010-05-26 02:09 . 2010-05-26 02:09 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-05-26 01:45 . 2010-05-30 22:04 -------- d-----w- c:\program files\Free Window Registry Repair
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-26 01:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-26 01:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 00:03 . 2010-05-26 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-05-25 23:53 . 2008-04-13 16:44 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2010-05-25 23:41 . 2010-05-25 23:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-05-25 23:14 . 2010-05-25 23:14 87424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 23:13 . 2010-05-26 00:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-05-25 22:54 . 2010-05-25 22:54 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-25 22:36 . 2010-05-25 22:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-05-25 22:11 . 2010-05-25 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-05-25 22:10 . 2010-05-25 22:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-25 22:10 . 2010-05-25 22:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-25 03:43 . 2010-05-25 03:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-25 03:07 . 2010-05-25 03:07 -------- d-----w- c:\program files\MSSOAP
2010-05-25 03:06 . 2010-05-25 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-25 03:06 . 2010-05-25 03:06 -------- d-----w- c:\program files\Webroot
2010-05-25 03:06 . 2010-05-25 03:06 -------- d-----w- c:\documents and settings\User\Application Data\Webroot
2010-05-25 03:06 . 2009-08-31 15:16 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-25 01:27 . 2010-05-26 22:43 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\cbuncqspw
2010-05-16 07:27 . 2010-05-16 07:27 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2010-05-16 07:27 . 2010-05-16 07:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-15 02:27 . 2010-05-15 02:27 -------- d-----w- c:\program files\iPod
2010-05-15 02:27 . 2010-05-15 02:28 -------- d-----w- c:\program files\iTunes
2010-05-15 02:23 . 2010-05-15 02:23 -------- d-----w- c:\program files\Bonjour
2010-05-15 02:18 . 2010-05-15 02:18 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 07:15 . 2010-06-07 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Gosu
2010-06-06 13:16 . 2010-02-24 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-06-04 06:11 . 2010-05-30 21:55 161280 ----a-w- c:\windows\system32\OLD77F.tmp
2010-05-30 22:07 . 2009-12-05 00:25 -------- d-----w- c:\program files\Orb Networks
2010-05-30 22:05 . 2010-04-27 01:14 -------- d-----w- c:\program files\Interbank FX Trader 4
2010-05-30 22:05 . 2010-01-25 16:00 -------- d-----w- c:\program files\Citrix
2010-05-30 22:04 . 2009-05-04 13:55 -------- d-----w- c:\program files\Google
2010-05-30 17:25 . 2010-01-14 18:40 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-26 22:43 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43 . 2004-08-04 10:00 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:43 . 2009-05-03 17:15 119808 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2010-05-26 22:37 . 2004-08-04 10:00 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37 . 2008-04-14 00:12 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:37 . 2004-08-04 10:00 28160 ----a-w- c:\windows\system32\control.exe.tmp
2010-05-26 22:36 . 2009-05-03 15:50 1646592 ----a-w- c:\windows\system32\nwiz.exe
2010-05-26 22:36 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-05-26 22:36 . 2009-05-03 15:50 176128 ----a-w- c:\windows\system32\nvsvc32.exe
2010-05-26 22:36 . 2004-08-04 10:00 152576 ----a-w- c:\windows\system32\rsvp.exe
2010-05-26 22:36 . 2009-05-03 17:13 134656 ----a-w- c:\windows\system32\calc.exe
2010-05-26 22:35 . 2009-05-03 17:13 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35 . 2009-05-03 17:13 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35 . 2004-08-04 10:00 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35 . 2009-05-03 17:13 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 14:52 . 2004-08-04 10:00 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-25 23:14 . 2010-05-25 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2010-05-25 22:38 . 2009-12-14 22:40 -------- d-----w- c:\program files\Alawar
2010-05-25 22:37 . 2010-05-05 01:07 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-25 22:37 . 2010-05-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-25 22:37 . 2010-05-05 01:04 -------- d-----w- c:\program files\DivX
2010-05-15 02:27 . 2010-01-10 03:05 -------- d-----w- c:\program files\Common Files\Apple
2010-05-14 03:10 . 2010-03-22 03:03 -------- d-----w- c:\program files\KompoZer
2010-05-10 23:08 . 2010-04-17 13:06 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2010-05-06 15:36 . 2009-11-01 15:41 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 01:11 . 2010-05-05 01:07 -------- d-----w- c:\documents and settings\User\Application Data\DivX
2010-05-05 01:03 . 2010-05-05 01:07 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-03 23:41 . 2010-05-03 23:41 -------- d-----w- c:\documents and settings\User\Application Data\gtk-2.0
2010-04-30 13:44 . 2010-04-30 13:44 -------- d-----w- c:\program files\Zynga
2010-04-30 13:44 . 2010-04-30 13:44 -------- d-----w- c:\program files\Conduit
2010-04-28 00:36 . 2009-05-03 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-19 22:18 . 2010-04-15 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-16 14:43 . 2010-04-15 14:30 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2010-04-16 07:36 . 2010-02-24 17:05 87424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 14:49 . 2010-04-15 14:38 -------- d-----w- c:\documents and settings\User\Application Data\HP
2010-04-15 14:38 . 2010-04-15 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-15 14:38 . 2010-04-15 14:25 208245 ----a-w- c:\windows\hpoins43.dat
2010-04-15 14:38 . 2010-04-15 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-15 14:38 . 2009-05-12 14:48 87424 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 14:31 . 2010-04-15 14:31 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2010-04-15 14:31 . 2010-04-04 18:33 -------- d-----w- c:\program files\Yahoo!
2010-04-15 14:30 . 2010-04-15 14:30 -------- d-----w- c:\program files\HP Photo Creations
2010-04-15 14:30 . 2010-04-15 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-04-15 14:30 . 2010-04-15 14:26 -------- d-----w- c:\program files\HP
2010-04-15 14:29 . 2010-04-15 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-15 14:28 . 2010-04-15 14:28 -------- d-----w- c:\program files\Common Files\HP
2010-04-15 14:28 . 2010-04-15 14:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-13 19:33 . 2010-04-07 15:10 256 ----a-w- c:\windows\system32\pool.bin
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

------- Sigcheck -------

[-] 2010-05-26 . 21C2F57B07B64B2E5A195D5E074964E7 . 35328 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-05-26 415744]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-11 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-05-26 1388544]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-05-26 1212416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2010-05-26 196608]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2010-05-26 425984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2010-05-26 1646592]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-14 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-05-26 442368]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-08-31 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 403968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2002-8-8 87040]
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2002-8-8 53248]
Lotus SmartCenter.lnk - c:\lotus\smartctr\smartctr.exe [2002-7-23 224768]
Lotus SuiteStart.lnk - c:\lotus\smartctr\suitest.exe [2002-7-23 52736]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Digital Surveillance Recorder\\Remote Station\\MDServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29214:TCP"= 29214:TCP:spport
"20486:TCP"= 20486:TCP:spport
"7586:TCP"= 7586:TCP:spport
"10979:TCP"= 10979:TCP:spport
"26151:TCP"= 26151:TCP:spport

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/26/2009 10:07 AM 29808]
R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/16/2010 1:18 AM 3106672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 10:09 PM 11032]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/24/2010 10:08 PM 1201640]
S0 uzlasvtu;uzlasvtu; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 14:08]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 14:08]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 00:03]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 00:03]

2010-06-07 c:\windows\Tasks\wrSpySweeper_L8BB9FEAD8AFA4E22B709F3757BA6EA18.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-05-25 15:16]

2010-06-07 c:\windows\Tasks\wrSpySweeper_L8BB9FEAD8AFA4E22B709F3757BA6EA18.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-05-25 15:16]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
HKCU-Run-CyberDefender Registry Cleaner - c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
HKLM-Run-CyberDefender Registry Cleaner - (no file)
AddRemove-TorrentPrivacy 1.4.1.0 - c:\torrentprivacy\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 02:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-06-07 02:18:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 07:18

Pre-Run: 19,616,632,832 bytes free
Post-Run: 21,587,451,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 86D8CBE322C48055E6C4CB73ACA28C29


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 08 June 2010 - 09:10 PM

Hello.

Okay, that's better than before but I want to check a couple of things here.

Could you do the following for me...

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/321199/malwarevirus-unsure-of-cause-but-numerous-problems/
    FCopy::
    c:\windows\ServicePackFiles\i386\ctfmon.exe | C:\windows\System32\ctfmon.exe
    Suspect::[68]
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\tourstart.exe
    c:\windows\system32\sndvol32.exe
    c:\windows\system32\rsvp.exe
    c:\windows\system32\mshearts.exe
    c:\windows\system32\mpnotify.exe
    c:\windows\system32\lodctr.exe
    c:\windows\system32\logagent.exe
    c:\windows\system32\drwtsn32.exe
    c:\windows\system32\calc.exe
    c:\windows\pchealth\helpctr\binaries\HelpHost.exe
    c:\windows\inf\unregmp2.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#7 riche96

riche96
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 08 June 2010 - 10:57 PM

EB -

Looks like the upload was successful. Attached you'll find the latest combofix log. I did want to mention something that may be irrelevant, but on the combofix screen that says please wait for the report log to pop up, an error msg showed up that said:

SED: can't read catchlog: No such file or directory
SED: can't read catchlog: No such file or directory
grep: catchlog: No such file or directory

Thanks. Let me know what's next.

ComboFix 10-06-08.02 - User 06/08/2010 22:34:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1373 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

file zipped: c:\windows\inf\unregmp2.exe
file zipped: c:\windows\pchealth\helpctr\binaries\HelpHost.exe
file zipped: c:\windows\system32\calc.exe
file zipped: c:\windows\system32\drwtsn32.exe
file zipped: c:\windows\system32\lodctr.exe
file zipped: c:\windows\system32\logagent.exe
file zipped: c:\windows\system32\mpnotify.exe
file zipped: c:\windows\system32\mshearts.exe
file zipped: c:\windows\system32\rsvp.exe
file zipped: c:\windows\system32\sndvol32.exe
file zipped: c:\windows\system32\tourstart.exe
file zipped: c:\windows\system32\wbem\unsecapp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\inf\unregmp2.exe . . . is infected!!

c:\windows\pchealth\helpctr\binaries\HelpHost.exe . . . is infected!!

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\drwtsn32.exe . . . is infected!!

c:\windows\system32\lodctr.exe . . . is infected!!

c:\windows\system32\logagent.exe . . . is infected!!

c:\windows\system32\mpnotify.exe . . . is infected!!

c:\windows\system32\mshearts.exe . . . is infected!!

c:\windows\system32\rsvp.exe . . . is infected!!

c:\windows\system32\sndvol32.exe . . . is infected!!

c:\windows\system32\tourstart.exe . . . is infected!!

c:\windows\system32\wbem\unsecapp.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\System32\ctfmon.exe
.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-09 03:34 . 2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-06-09 03:34 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-06-08 15:35 . 2010-06-08 15:35 -------- d-----w- c:\windows\LastGood
2010-06-07 07:14 . 2010-06-07 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Gosu
2010-05-30 21:53 . 2010-05-30 21:53 -------- d-----w- C:\HJT
2010-05-28 02:48 . 2010-05-28 02:48 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-05-28 02:33 . 2010-05-31 21:27 -------- d-----w- c:\program files\Spyware Doctor
2010-05-28 02:32 . 2010-05-30 22:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 14:16 . 2010-05-26 14:16 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\msvcp71.dll
2010-05-26 14:16 . 2010-05-26 14:16 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\jmc.dll
2010-05-26 14:16 . 2010-05-26 14:16 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\msvcr71.dll
2010-05-26 02:09 . 2010-05-26 02:09 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-05-26 01:45 . 2010-05-30 22:04 -------- d-----w- c:\program files\Free Window Registry Repair
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-26 01:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-26 01:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 00:03 . 2010-05-26 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-05-25 23:53 . 2008-04-13 16:44 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2010-05-25 23:41 . 2010-05-25 23:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-05-25 23:14 . 2010-05-25 23:14 87424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 23:13 . 2010-05-26 00:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-05-25 22:54 . 2010-05-25 22:54 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-25 22:36 . 2010-05-25 22:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-05-25 22:11 . 2010-05-25 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-05-25 22:10 . 2010-05-25 22:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-25 22:10 . 2010-05-25 22:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-25 03:43 . 2010-05-25 03:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-25 03:07 . 2010-05-25 03:07 -------- d-----w- c:\program files\MSSOAP
2010-05-25 03:06 . 2010-05-25 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-25 03:06 . 2010-05-25 03:06 -------- d-----w- c:\program files\Webroot
2010-05-25 03:06 . 2010-05-25 03:06 -------- d-----w- c:\documents and settings\User\Application Data\Webroot
2010-05-25 03:06 . 2009-08-31 15:16 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-25 01:27 . 2010-05-26 22:43 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\cbuncqspw
2010-05-16 07:27 . 2010-05-16 07:27 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2010-05-16 07:27 . 2010-05-16 07:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-15 02:27 . 2010-05-15 02:27 -------- d-----w- c:\program files\iPod
2010-05-15 02:27 . 2010-05-15 02:28 -------- d-----w- c:\program files\iTunes
2010-05-15 02:23 . 2010-05-15 02:23 -------- d-----w- c:\program files\Bonjour
2010-05-15 02:18 . 2010-05-15 02:18 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 15:35 . 2009-12-20 18:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 13:16 . 2010-02-24 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-06-04 06:11 . 2010-05-30 21:55 161280 ----a-w- c:\windows\system32\OLD77F.tmp
2010-05-30 22:07 . 2009-12-05 00:25 -------- d-----w- c:\program files\Orb Networks
2010-05-30 22:05 . 2010-04-27 01:14 -------- d-----w- c:\program files\Interbank FX Trader 4
2010-05-30 22:05 . 2010-01-25 16:00 -------- d-----w- c:\program files\Citrix
2010-05-30 22:04 . 2009-05-04 13:55 -------- d-----w- c:\program files\Google
2010-05-30 17:25 . 2010-01-14 18:40 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-26 22:43 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43 . 2004-08-04 10:00 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:43 . 2009-05-03 17:15 119808 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2010-05-26 22:37 . 2004-08-04 10:00 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37 . 2008-04-14 00:12 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:37 . 2004-08-04 10:00 28160 ----a-w- c:\windows\system32\control.exe.tmp
2010-05-26 22:36 . 2009-05-03 15:50 1646592 ----a-w- c:\windows\system32\nwiz.exe
2010-05-26 22:36 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-05-26 22:36 . 2009-05-03 15:50 176128 ----a-w- c:\windows\system32\nvsvc32.exe
2010-05-26 22:36 . 2004-08-04 10:00 152576 ----a-w- c:\windows\system32\rsvp.exe
2010-05-26 22:36 . 2009-05-03 17:13 134656 ----a-w- c:\windows\system32\calc.exe
2010-05-26 22:35 . 2009-05-03 17:13 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35 . 2009-05-03 17:13 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35 . 2004-08-04 10:00 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35 . 2009-05-03 17:13 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 14:52 . 2004-08-04 10:00 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-25 23:14 . 2010-05-25 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2010-05-25 22:38 . 2009-12-14 22:40 -------- d-----w- c:\program files\Alawar
2010-05-25 22:37 . 2010-05-05 01:07 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-25 22:37 . 2010-05-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-25 22:37 . 2010-05-05 01:04 -------- d-----w- c:\program files\DivX
2010-05-15 02:27 . 2010-01-10 03:05 -------- d-----w- c:\program files\Common Files\Apple
2010-05-14 03:10 . 2010-03-22 03:03 -------- d-----w- c:\program files\KompoZer
2010-05-10 23:08 . 2010-04-17 13:06 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2010-05-06 15:36 . 2009-11-01 15:41 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 01:11 . 2010-05-05 01:07 -------- d-----w- c:\documents and settings\User\Application Data\DivX
2010-05-05 01:03 . 2010-05-05 01:07 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-03 23:41 . 2010-05-03 23:41 -------- d-----w- c:\documents and settings\User\Application Data\gtk-2.0
2010-04-30 13:44 . 2010-04-30 13:44 -------- d-----w- c:\program files\Zynga
2010-04-30 13:44 . 2010-04-30 13:44 -------- d-----w- c:\program files\Conduit
2010-04-28 00:36 . 2009-05-03 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-19 22:18 . 2010-04-15 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-16 14:43 . 2010-04-15 14:30 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2010-04-16 07:36 . 2010-02-24 17:05 87424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 14:49 . 2010-04-15 14:38 -------- d-----w- c:\documents and settings\User\Application Data\HP
2010-04-15 14:38 . 2010-04-15 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-15 14:38 . 2010-04-15 14:25 208245 ----a-w- c:\windows\hpoins43.dat
2010-04-15 14:38 . 2010-04-15 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-15 14:38 . 2009-05-12 14:48 87424 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 14:31 . 2010-04-15 14:31 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2010-04-15 14:31 . 2010-04-04 18:33 -------- d-----w- c:\program files\Yahoo!
2010-04-15 14:30 . 2010-04-15 14:30 -------- d-----w- c:\program files\HP Photo Creations
2010-04-15 14:30 . 2010-04-15 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-04-15 14:30 . 2010-04-15 14:26 -------- d-----w- c:\program files\HP
2010-04-15 14:29 . 2010-04-15 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-15 14:28 . 2010-04-15 14:28 -------- d-----w- c:\program files\Common Files\HP
2010-04-15 14:28 . 2010-04-15 14:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-13 19:33 . 2010-04-07 15:10 256 ----a-w- c:\windows\system32\pool.bin
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-07_07.13.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2009-11-12 03:45 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll
- 2009-11-12 03:45 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-05-03 17:22 . 2010-06-07 07:13 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-03 17:22 . 2010-06-06 15:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-03 17:22 . 2010-06-06 15:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-05-03 17:22 . 2010-06-07 07:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-05-03 17:22 . 2010-06-06 15:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-06-07 11:16 . 2010-06-07 07:13 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-06-08 15:36 . 2010-06-08 15:36 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-06-08 15:35 . 2010-06-08 15:35 195584 c:\windows\Installer\6f2490b.msi
+ 2010-06-08 15:35 . 2010-06-08 15:35 20242432 c:\windows\Installer\6f24912.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-05-26 415744]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-11 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-05-26 1388544]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-05-26 1212416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2010-05-26 196608]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2010-05-26 425984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2010-05-26 1646592]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-14 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-05-26 442368]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-08-31 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 403968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2002-8-8 87040]
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2002-8-8 53248]
Lotus SmartCenter.lnk - c:\lotus\smartctr\smartctr.exe [2002-7-23 224768]
Lotus SuiteStart.lnk - c:\lotus\smartctr\suitest.exe [2002-7-23 52736]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Digital Surveillance Recorder\\Remote Station\\MDServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29214:TCP"= 29214:TCP:spport
"20486:TCP"= 20486:TCP:spport
"7586:TCP"= 7586:TCP:spport
"10979:TCP"= 10979:TCP:spport
"26151:TCP"= 26151:TCP:spport

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/26/2009 10:07 AM 29808]
R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/16/2010 1:18 AM 3106672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 10:09 PM 11032]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/24/2010 10:08 PM 1201640]
S0 uzlasvtu;uzlasvtu; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 14:08]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 14:08]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 00:03]

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 00:03]
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-06-08 22:43:56
ComboFix-quarantined-files.txt 2010-06-09 03:43
ComboFix2.txt 2010-06-07 07:18

Pre-Run: 21,389,885,440 bytes free
Post-Run: 21,391,613,952 bytes free

- - End Of File - - E98B9C2A81C3F48B8E232ACAB8219B5A
Upload was successful

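The CFScript in post #6 restores ctfmon.exe from ServicePackFiles\i386 and submits a dozen system executables that the log above then reports as infected. What made them suspect is visible in the Find3M report: their creation dates are still the 2004 and 2009 install dates, but every one of them was rewritten between 22:35 and 22:43 on 2010-05-26. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses Find3M-style lines (the sample lines are copied from the log above), groups executables under c:\windows by modification time, and checks a live binary against a reference copy by hash, which is the manual equivalent of the FCopy:: line. The 10-minute window and the three-file minimum are my own choices, and the hash demo runs on constructed temporary files, not real Windows binaries. A cluster is a prompt for review, not a verdict: verclsid.exe lands in the same cluster, and the log does not call it infected.

```python
"""Two checks behind the CFScript in this thread: spot Windows binaries that
were all rewritten together (Find3M timeline), and verify a live binary
against the pristine copy that ComboFix's FCopy:: restores from."""
import hashlib
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Sample lines copied from the Find3M report in the log above. Format is
# "mtime . ctime size attributes path". Two entries are outside the scope
# of the filter (not under c:\windows, or not an executable) on purpose.
FIND3M_SAMPLE = r"""
2010-05-30 17:25 . 2010-01-14 18:40 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-26 22:43 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43 . 2004-08-04 10:00 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:43 . 2009-05-03 17:15 119808 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2010-05-26 22:37 . 2004-08-04 10:00 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37 . 2008-04-14 00:12 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:36 . 2009-05-03 15:50 1646592 ----a-w- c:\windows\system32\nwiz.exe
2010-05-26 22:36 . 2004-08-04 10:00 152576 ----a-w- c:\windows\system32\rsvp.exe
2010-05-26 22:36 . 2009-05-03 17:13 134656 ----a-w- c:\windows\system32\calc.exe
2010-05-26 22:35 . 2009-05-03 17:13 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35 . 2009-05-03 17:13 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35 . 2004-08-04 10:00 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35 . 2009-05-03 17:13 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 14:52 . 2004-08-04 10:00 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-06 15:36 . 2009-11-01 15:41 221568 ------w- c:\windows\system32\MpSigStub.exe
"""

LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


def parse_find3m(text):
    """Return (mtime, ctime, path) rows for executables under c:\\windows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").lower()
        if not path.startswith("c:\\windows\\") or not path.endswith(EXEC_SUFFIXES):
            continue
        rows.append((datetime.strptime(m.group("mtime"), "%Y-%m-%d %H:%M"),
                     datetime.strptime(m.group("ctime"), "%Y-%m-%d %H:%M"),
                     path))
    return rows


def modification_clusters(rows, window=timedelta(minutes=10), min_size=3):
    """Chain rows whose modification times fall within `window` of the previous
    one; return chains of at least `min_size` files, oldest first. A burst of
    rewrites to executables whose creation dates are still install dates is
    the pattern the log above shows."""
    clusters, current = [], []
    for row in sorted(rows):
        if current and row[0] - current[-1][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(row)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reference(live_path, reference_path):
    """True when the live binary is byte-identical to its reference copy
    (ServicePackFiles\\i386 or dllcache on XP); the check FCopy:: bypasses."""
    return sha256_of(live_path) == sha256_of(reference_path)


def demo_reference_check():
    """Constructed demo on temp files: a tampered system32 copy versus the
    i386 reference, before and after copying the reference back over it."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "ServicePackFiles" / "i386" / "ctfmon.exe"
        live = Path(tmp) / "system32" / "ctfmon.exe"
        ref.parent.mkdir(parents=True)
        live.parent.mkdir(parents=True)
        ref.write_bytes(b"MZ" + b"\x00" * 64)              # made-up 'clean' bytes
        live.write_bytes(b"MZ" + b"\x00" * 60 + b"EVIL")   # made-up patched tail
        before = matches_reference(live, ref)
        live.write_bytes(ref.read_bytes())                  # what FCopy:: does
        return before, matches_reference(live, ref)


if __name__ == "__main__":
    for cluster in modification_clusters(parse_find3m(FIND3M_SAMPLE)):
        print(f"{len(cluster)} executables rewritten between "
              f"{cluster[0][0]:%Y-%m-%d %H:%M} and {cluster[-1][0]:%H:%M}:")
        for mtime, ctime, path in cluster:
            print(f"  {path}  (created {ctime:%Y-%m-%d})")
    print("reference check before/after restore:", demo_reference_check())
```

On a real XP box the reference copy lives under c:\windows\ServicePackFiles\i386 (or c:\windows\system32\dllcache, which the log shows being refreshed alongside ctfmon.exe); a mismatch there is grounds for a Suspect:: entry, not a conclusion on its own, since legitimate updates also rewrite those files.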

#8 riche96

riche96
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 08 June 2010 - 11:36 PM

Eb,

Just a quick update. I'm not sure if something could have happened during the brief time I was connected to the internet with my antivirus/spyware software turned off or not, but it appears as though Antispyware Soft has re-emerged. I again have the small greenish shield in the lower right corner, and have all the symptoms described with it. I was unable to access any websites until I turned off using a proxy server in the LAN settings. Sorry if I've made things more difficult, but I've no idea how this happened again. Nothing else has been downloaded. I can barely even use the computer except for accessing some Lotus 1-2-3 files I use for work.

Rich

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:23 PM

Posted 09 June 2010 - 06:53 PM

Hello.

That's not good.

Let's try doing the following and see if this removes it. Download this tool.

Run it and then..

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 riche96

  • Topic Starter
  • Members
  • 8 posts
  • Local time:06:23 PM

Posted 09 June 2010 - 09:45 PM

Thanks EB, that's better. Still obviously have some issues. Let me know what is next. Here is the MBAM log...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/9/2010 9:30:58 PM
mbam-log-2010-06-09 (21-30-58).txt

Scan type: Quick scan
Objects scanned: 129088
Time elapsed: 15 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddhrbqdoijgc (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddhrbqdoijgc (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\User\local settings\application data\ehcialm\sbtrtet.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\temp\wkLi.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
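As an added example (not from this thread and not Malwarebytes' own code), a small parser for the MBAM 1.x log format posted above: it cross-checks the summary counts against the entries actually listed (a quick way to spot a truncated paste), pulls out the Run-key persistence values the rogue used to restart at logon, and flags anything MBAM could only schedule for deletion on reboot, which is why the instructions insist on restarting when asked. The sample log is a constructed excerpt modelled on the one in this post, with one extra "Delete on reboot" file added to exercise that check.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log into structured findings."""
import re
from collections import Counter

# MBAM 1.x logs carry a summary block ("<Category> Infected: N") followed by one
# section per category ("<Category> Infected:") listing one finding per line as
# "<item> (<threat name>) -> <action>." or the "(No malicious items detected)" placeholder.
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"

# Constructed excerpt modelled on the log in this thread; the last "Files Infected"
# entry (C:\EXAMPLE\locked.exe) is invented to show a removal deferred to reboot.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4184

Scan type: Quick scan
Objects scanned: 129088

Memory Processes Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddhrbqdoijgc (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddhrbqdoijgc (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\User\local settings\application data\ehcialm\sbtrtet.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\temp\wkLi.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\EXAMPLE\locked.exe (Rogue.AVSecuritySuite) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return {"summary": {category: count}, "findings": {category: [entry dicts]}}."""
    summary, findings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # summary block line, e.g. "Files Infected: 3"
            summary[m.group("cat")] = int(m.group("n"))
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:                                   # start of a per-category listing
            current = m.group("cat")
            findings[current] = []
            continue
        if current is None or line == NO_ITEMS:
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings[current].append(m.groupdict())
    return {"summary": summary, "findings": findings}


def count_mismatches(parsed):
    """Categories whose summary count disagrees with the entries listed (truncated or edited log)."""
    out = {}
    for cat, n in parsed["summary"].items():
        listed = len(parsed["findings"].get(cat, []))
        if listed != n:
            out[cat] = (n, listed)
    return out


def pending_reboot(parsed):
    """Items MBAM could not remove immediately; the removal completes only after a restart."""
    return [e["item"] for entries in parsed["findings"].values() for e in entries
            if not e["action"].lower().startswith("quarantined and deleted")]


def autorun_entries(parsed):
    """Registry values under ...\\CurrentVersion\\Run: the logon persistence the rogue relied on."""
    return [e["item"] for e in parsed["findings"].get("Registry Values Infected", [])
            if "\\currentversion\\run\\" in e["item"].lower()]


def threat_families(parsed):
    """How many findings each detection name accounts for."""
    return Counter(e["threat"] for entries in parsed["findings"].values() for e in entries)


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(parsed))
    print("autorun persistence:", autorun_entries(parsed))
    print("needs reboot:", pending_reboot(parsed))
    print("families:", dict(threat_families(parsed)))
```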


#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:23 PM

Posted 10 June 2010 - 04:02 PM

Re-download Combofix and run it once more please.

Post the log once done.

Thanks.

#12 riche96

  • Topic Starter
  • Members
  • 8 posts
  • Local time:06:23 PM

Posted 10 June 2010 - 04:32 PM

EB, Here is the latest combofix log...

ComboFix 10-06-10.03 - User 06/10/2010 16:16:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1334 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Local Settings\Application Data\syssvc.exe

c:\windows\inf\unregmp2.exe . . . is infected!!

c:\windows\pchealth\helpctr\binaries\HelpHost.exe . . . is infected!!

c:\windows\system32\calc.exe . . . is infected!!

c:\windows\system32\drwtsn32.exe . . . is infected!!

c:\windows\system32\lodctr.exe . . . is infected!!

c:\windows\system32\logagent.exe . . . is infected!!

c:\windows\system32\mpnotify.exe . . . is infected!!

c:\windows\system32\mshearts.exe . . . is infected!!

c:\windows\system32\rsvp.exe . . . is infected!!

c:\windows\system32\sndvol32.exe . . . is infected!!

c:\windows\system32\tourstart.exe . . . is infected!!

c:\windows\system32\wbem\unsecapp.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
.

2010-06-10 02:37 . 2010-06-10 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Gosu
2010-06-09 04:08 . 2010-06-10 02:30 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ehcialm
2010-06-09 03:34 . 2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-06-09 03:34 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-05-30 21:53 . 2010-05-30 21:53 -------- d-----w- C:\HJT
2010-05-28 02:48 . 2010-05-28 02:48 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-05-28 02:33 . 2010-05-31 21:27 -------- d-----w- c:\program files\Spyware Doctor
2010-05-28 02:32 . 2010-05-30 22:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 14:16 . 2010-05-26 14:16 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\msvcp71.dll
2010-05-26 14:16 . 2010-05-26 14:16 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\jmc.dll
2010-05-26 14:16 . 2010-05-26 14:16 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-20d74ab1-n\msvcr71.dll
2010-05-26 02:09 . 2010-05-26 02:09 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-05-26 01:45 . 2010-05-30 22:04 -------- d-----w- c:\program files\Free Window Registry Repair
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-26 01:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 01:13 . 2010-05-26 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-26 01:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 00:03 . 2010-05-26 00:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-05-25 23:53 . 2008-04-13 16:44 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2010-05-25 23:41 . 2010-05-25 23:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-05-25 23:14 . 2010-05-25 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-05-25 23:14 . 2010-05-25 23:14 87424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 23:13 . 2010-05-26 00:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-05-25 22:54 . 2010-05-25 22:54 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-25 22:36 . 2010-05-25 22:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-05-25 22:11 . 2010-05-25 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-05-25 22:10 . 2010-05-25 22:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-25 22:10 . 2010-05-25 22:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-25 03:43 . 2010-05-25 03:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-25 03:07 . 2010-05-25 03:07 -------- d-----w- c:\program files\MSSOAP
2010-05-25 03:06 . 2010-05-25 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-25 03:06 . 2010-05-25 03:06 -------- d-----w- c:\program files\Webroot
2010-05-25 03:06 . 2010-05-25 03:06 -------- d-----w- c:\documents and settings\User\Application Data\Webroot
2010-05-25 03:06 . 2009-08-31 15:16 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-25 01:27 . 2010-05-26 22:43 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\cbuncqspw
2010-05-16 07:27 . 2010-05-16 07:27 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2010-05-16 07:27 . 2010-05-16 07:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-15 02:27 . 2010-05-15 02:27 -------- d-----w- c:\program files\iPod
2010-05-15 02:27 . 2010-05-15 02:28 -------- d-----w- c:\program files\iTunes
2010-05-15 02:23 . 2010-05-15 02:23 -------- d-----w- c:\program files\Bonjour
2010-05-15 02:18 . 2010-05-15 02:18 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 15:35 . 2009-12-20 18:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 13:16 . 2010-02-24 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-06-04 06:11 . 2010-05-30 21:55 161280 ----a-w- c:\windows\system32\OLD77F.tmp
2010-05-30 22:07 . 2009-12-05 00:25 -------- d-----w- c:\program files\Orb Networks
2010-05-30 22:05 . 2010-04-27 01:14 -------- d-----w- c:\program files\Interbank FX Trader 4
2010-05-30 22:05 . 2010-01-25 16:00 -------- d-----w- c:\program files\Citrix
2010-05-30 22:04 . 2009-05-04 13:55 -------- d-----w- c:\program files\Google
2010-05-30 17:25 . 2010-01-14 18:40 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-26 22:43 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43 . 2004-08-04 10:00 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:43 . 2009-05-03 17:15 119808 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2010-05-26 22:37 . 2004-08-04 10:00 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37 . 2008-04-14 00:12 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:37 . 2004-08-04 10:00 28160 ----a-w- c:\windows\system32\control.exe.tmp
2010-05-26 22:36 . 2009-05-03 15:50 1646592 ----a-w- c:\windows\system32\nwiz.exe
2010-05-26 22:36 . 2004-08-04 10:00 65536 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-05-26 22:36 . 2009-05-03 15:50 176128 ----a-w- c:\windows\system32\nvsvc32.exe
2010-05-26 22:36 . 2004-08-04 10:00 152576 ----a-w- c:\windows\system32\rsvp.exe
2010-05-26 22:36 . 2009-05-03 17:13 134656 ----a-w- c:\windows\system32\calc.exe
2010-05-26 22:35 . 2009-05-03 17:13 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35 . 2009-05-03 17:13 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35 . 2004-08-04 10:00 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35 . 2009-05-03 17:13 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 14:52 . 2004-08-04 10:00 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-25 23:14 . 2010-05-25 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2010-05-25 22:38 . 2009-12-14 22:40 -------- d-----w- c:\program files\Alawar
2010-05-25 22:37 . 2010-05-05 01:07 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-25 22:37 . 2010-05-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-25 22:37 . 2010-05-05 01:04 -------- d-----w- c:\program files\DivX
2010-05-15 02:27 . 2010-01-10 03:05 -------- d-----w- c:\program files\Common Files\Apple
2010-05-14 03:10 . 2010-03-22 03:03 -------- d-----w- c:\program files\KompoZer
2010-05-10 23:08 . 2010-04-17 13:06 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2010-05-06 15:36 . 2009-11-01 15:41 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 01:11 . 2010-05-05 01:07 -------- d-----w- c:\documents and settings\User\Application Data\DivX
2010-05-05 01:03 . 2010-05-05 01:07 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-03 23:41 . 2010-05-03 23:41 -------- d-----w- c:\documents and settings\User\Application Data\gtk-2.0
2010-04-30 13:44 . 2010-04-30 13:44 -------- d-----w- c:\program files\Zynga
2010-04-30 13:44 . 2010-04-30 13:44 -------- d-----w- c:\program files\Conduit
2010-04-28 00:36 . 2009-05-03 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-19 22:18 . 2010-04-15 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-16 14:43 . 2010-04-15 14:30 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2010-04-16 07:36 . 2010-02-24 17:05 87424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 14:49 . 2010-04-15 14:38 -------- d-----w- c:\documents and settings\User\Application Data\HP
2010-04-15 14:38 . 2010-04-15 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-15 14:38 . 2010-04-15 14:25 208245 ----a-w- c:\windows\hpoins43.dat
2010-04-15 14:38 . 2010-04-15 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-15 14:38 . 2009-05-12 14:48 87424 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 14:31 . 2010-04-15 14:31 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2010-04-15 14:31 . 2010-04-04 18:33 -------- d-----w- c:\program files\Yahoo!
2010-04-15 14:30 . 2010-04-15 14:30 -------- d-----w- c:\program files\HP Photo Creations
2010-04-15 14:30 . 2010-04-15 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-04-15 14:30 . 2010-04-15 14:26 -------- d-----w- c:\program files\HP
2010-04-15 14:29 . 2010-04-15 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-15 14:28 . 2010-04-15 14:28 -------- d-----w- c:\program files\Common Files\HP
2010-04-15 14:28 . 2010-04-15 14:28 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-13 19:33 . 2010-04-07 15:10 256 ----a-w- c:\windows\system32\pool.bin
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-07_07.13.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-10 02:35 . 2010-06-10 02:35 16384 c:\windows\Temp\Perflib_Perfdata_8c0.dat
+ 2008-04-14 00:12 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2009-11-12 03:45 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-11-12 03:45 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll
- 2009-05-03 17:22 . 2010-06-06 15:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-03 17:22 . 2010-06-10 02:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-03 17:22 . 2010-06-06 15:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-05-03 17:22 . 2010-06-10 02:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-07 11:16 . 2010-06-10 02:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-05-03 17:22 . 2010-06-06 15:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-06-08 15:36 . 2010-06-08 15:36 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-06-08 15:35 . 2010-06-08 15:35 195584 c:\windows\Installer\6f2490b.msi
+ 2010-06-08 15:35 . 2010-06-08 15:35 20242432 c:\windows\Installer\6f24912.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-05-26 415744]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-11 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-05-26 1388544]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-05-26 1212416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2010-05-26 196608]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2010-05-26 425984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2010-05-26 1646592]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-14 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-05-26 442368]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-08-31 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 403968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2002-8-8 87040]
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2002-8-8 53248]
Lotus SmartCenter.lnk - c:\lotus\smartctr\smartctr.exe [2002-7-23 224768]
Lotus SuiteStart.lnk - c:\lotus\smartctr\suitest.exe [2002-7-23 52736]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Digital Surveillance Recorder\\Remote Station\\MDServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29214:TCP"= 29214:TCP:spport
"20486:TCP"= 20486:TCP:spport
"7586:TCP"= 7586:TCP:spport
"10979:TCP"= 10979:TCP:spport
"26151:TCP"= 26151:TCP:spport

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/26/2009 10:07 AM 29808]
R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/16/2010 1:18 AM 3106672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 10:09 PM 11032]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/24/2010 10:08 PM 1201640]
S0 uzlasvtu;uzlasvtu; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 14:08]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 14:08]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 00:03]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-764733703-682003330-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 00:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:1032
uInternet Settings,ProxyOverride = <local>
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 16:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-06-10 16:27:25
ComboFix-quarantined-files.txt 2010-06-10 21:27
ComboFix2.txt 2010-06-09 03:46
ComboFix3.txt 2010-06-07 07:18

Pre-Run: 21,298,515,968 bytes free
Post-Run: 21,261,864,960 bytes free

- - End Of File - - 54D3B4902A774D1804EE5DE8B2C78A20


#13 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:23 PM

Posted 11 June 2010 - 04:56 PM

Hello.

Let's get an online scan done.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#14 riche96

  • Topic Starter
  • Members
  • 8 posts
  • Local time:06:23 PM

Posted 11 June 2010 - 11:55 PM

EB,
Actually most of the problems I was having seem to be repaired. Google chrome is functioning, I am no longer being redirected from search engine selections, and I am not having any error msg's pop up. The only thing concerning me now is reading the log created by combofix and some other scans. I of course have not been very well educated regarding a lot of these programs, but there still seems to be a lot of infections or other issues found during scans. The term virut scares me because I read somewhere that they cannot be cured.

Below are the Kaspersky scan log and the new DDS log. The attach.txt log is attached.

KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, June 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, June 11, 2010 20:29:37
Records in database: 4260304


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Objects scanned 62579
Threats found 3
Infected objects found 91
Suspicious objects found 0
Scan duration 02:50:42

File name Threat Threats count
C:\lotus\wordpro\ltsstart.exe Infected: Virus.Win32.Virut.ce 1

C:\Program Files\Intel\WiFi\bin\EvtEng.exe Infected: Virus.Win32.Virut.ce 1

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe Infected: Virus.Win32.Virut.ce 1

C:\Program Files\Movie Maker\moviemk.exe Infected: Virus.Win32.Virut.ce 1

C:\Program Files\QuickTime\PictureViewer.exe Infected: Virus.Win32.Virut.ce 1

C:\Program Files\Windows Media Player\wmpnetwk.exe Infected: Virus.Win32.Virut.ce 1

C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\syssvc.exe.vir Infected: Trojan.Win32.KillAV.gnc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\cleanmgr.exe.vir Infected: Virus.Win32.Virut.ce 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\defrag.exe.vir Infected: Virus.Win32.Virut.ce 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\smlogsvc.exe.vir Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\alg.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\cisvc.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\cmstp.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\cscript.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\diantz.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\dmremote.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\dvdupgrd.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\dwwin.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\evcreate.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\forcedos.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\fp98swin.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\fpremadm.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\help.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\icwconn2.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\ie4uinit.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\iexpress.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\irftp.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\logagent.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\lsass.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\mshta.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\msiexec.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\msiregmv.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\msoobe.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\mstsc.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\mtstocom.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\muisetup.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\notepad.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\nppagent.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\ntbackup.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\pinball.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\rasphone.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\rdpclip.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\rsnotify.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\schtasks.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\setup50.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\shutdown.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\smlogsvc.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\ssbezier.scr Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\ssstars.scr Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\stimon.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\systeminfo.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\tlntsvr.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\wmiapsrv.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\wmic.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\wordpad.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtServicePackUninstall$\wscntfy.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\$NtUninstallKB956572$\services.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\ie8updates\KB982381-IE8\ie4uinit.exe.000 Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\Installer\{CD31E63D-47FD-491C-8117-CF201D0AFAB5}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\Installer\{CE86E2F5-850C-4207-94A3-A58D647B1733}\DesktopMgr.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\chkdsk.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\chkntfs.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\cintsetp.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\comp.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\cscript.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\drwtsn32.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\esentutl.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\gpupdate.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\migisol.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\migrate.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\mpnotify.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\mshearts.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\netsh.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\pathping.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\regwiz.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\reset.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\rsmui.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\shadow.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\shvlzm.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\tcmsetup.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\tintsetp.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\tsprof.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\w32tm.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\dllcache\winmine.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\nvsvc32.exe Infected: Virus.Win32.Virut.ce 1

C:\WINDOWS\system32\OLD77F.tmp Infected: Virus.Win32.Virut.ce 1

Selected area has been scanned.


And the DDS log....


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 23:44:39.76 on Fri 06/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1150 [GMT -5:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\smartctr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Surveillance Recorder\Remote Station\MDServer.exe
C:\Program Files\Digital Surveillance Recorder\Remote Station\SHKSchedule.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:1032
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [SigmatelSysTrayApp] "%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BlackBerryAutoUpdate] "c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe" /background
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuso~1.lnk - c:\lotus\organize\easyclip.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~2.lnk - c:\lotus\smartctr\smartctr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~1.lnk - c:\lotus\smartctr\suitest.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-8-26 29808]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-2-16 3106672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-8-26 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-5-24 1201640]
S0 uzlasvtu;uzlasvtu; [x]

=============== Created Last 30 ================

2010-06-12 00:21:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-12 00:21:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 09:05:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Gosu
2010-06-11 02:28:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 21:12:47 0 d-----w- C:\ComboFix
2010-06-09 03:34:08 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-06-09 03:34:08 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-06-07 06:55:38 0 d-sha-r- C:\cmdcons
2010-06-07 06:51:04 98816 ----a-w- c:\windows\sed.exe
2010-06-07 06:51:04 77312 ----a-w- c:\windows\MBR.exe
2010-06-07 06:51:04 256512 ----a-w- c:\windows\PEV.exe
2010-06-07 06:51:04 161792 ----a-w- c:\windows\SWREG.exe
2010-05-31 00:39:30 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-05-30 21:55:14 161280 ----a-w- c:\windows\system32\OLD77F.tmp
2010-05-30 21:53:06 0 d-----w- C:\HJT
2010-05-28 02:40:22 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-05-28 02:40:20 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-05-28 02:33:35 0 d-----w- c:\program files\Spyware Doctor
2010-05-26 02:09:11 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-26 01:45:24 0 d-----w- c:\program files\Free Window Registry Repair
2010-05-26 01:13:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 01:13:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 01:13:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 01:13:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-25 22:54:46 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-25 22:33:55 0 d-----w- c:\windows\pss
2010-05-25 03:07:28 0 d-----w- c:\program files\MSSOAP
2010-05-25 03:06:53 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-25 03:06:53 0 d-----w- c:\program files\Webroot
2010-05-25 03:06:53 0 d-----w- c:\docume~1\user\applic~1\Webroot
2010-05-25 03:06:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-05-15 02:27:24 0 d-----w- c:\program files\iPod
2010-05-15 02:27:10 0 d-----w- c:\program files\iTunes
2010-05-15 02:23:00 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-26 22:43:29 25088 ----a-w- c:\windows\system32\lodctr.exe
2010-05-26 22:43:28 120832 ----a-w- c:\windows\system32\logagent.exe
2010-05-26 22:43:25 65536 ----a-w- c:\windows\system32\drwtsn32.exe
2010-05-26 22:37:21 41984 ----a-w- c:\windows\system32\mpnotify.exe
2010-05-26 22:37:16 48640 ------w- c:\windows\system32\verclsid.exe
2010-05-26 22:37:12 28160 ----a-w- c:\windows\system32\control.exe.tmp
2010-05-26 22:36:56 1646592 ----a-w- c:\windows\system32\nwiz.exe
2010-05-26 22:36:17 65536 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-05-26 22:36:13 176128 ----a-w- c:\windows\system32\nvsvc32.exe
2010-05-26 22:36:09 152576 ----a-w- c:\windows\system32\rsvp.exe
2010-05-26 22:36:02 134656 ----a-w- c:\windows\system32\calc.exe
2010-05-26 22:35:57 158720 ----a-w- c:\windows\system32\sndvol32.exe
2010-05-26 22:35:34 146944 ----a-w- c:\windows\system32\mshearts.exe
2010-05-26 22:35:33 367104 ----a-w- c:\windows\system32\tourstart.exe
2010-05-26 22:35:16 36864 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2010-05-26 14:52:48 240640 ----a-w- c:\windows\system32\logon.scr
2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:36:27 919040 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-15 14:38:24 208245 ----a-w- c:\windows\hpoins43.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 23:45:02.90 ===============

Thanks again.
Rich




#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:23 PM

Posted 14 June 2010 - 09:24 PM

Hello.

Unfortunately that has been the case. Sorry, I couldn't help you much to resolve such an infection. Some information on it below, let me know.

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut and also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to reinstall and format the operating system on this machine. As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, pictures etc.) only. DO NOT backup any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
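A small triage script for the backup rules in the post above (copy documents and pictures, never .exe/.scr/.html/.htm, and skip archives that carry .exe/.scr members), added here as an example and not part of the thread or of any tool it names. It assumes a staging directory you point it at; the sample tree is constructed inline, and cab/rar archives are reported as unverifiable because only zip can be opened with the standard library.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# File types the post says Virut infects directly (appends itself to .exe/.scr,
# modifies .html/.htm pages). These are never copied into the backup set.
INFECTABLE = {".exe", ".scr", ".html", ".htm"}
# Archive members the post warns about; only zip can be inspected with the
# standard library, so cab/rar are reported as unverifiable rather than copied.
ARCHIVE_RISK = {".exe", ".scr"}
OPAQUE_ARCHIVES = {".cab", ".rar"}


def zip_has_risky_member(path: Path) -> bool:
    """True if any member of the zip is an .exe/.scr, or if the zip is unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(n).suffix.lower() in ARCHIVE_RISK for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def classify(path: Path) -> str:
    """Decide whether one file may go into the backup set."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip-infectable"
    if ext == ".zip":
        return "skip-archive-with-exe" if zip_has_risky_member(path) else "copy"
    if ext in OPAQUE_ARCHIVES:
        return "skip-unverifiable"
    return "copy"


def triage(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdicts[p.relative_to(root).as_posix()] = classify(p)
    return verdicts


def build_sample(root: Path) -> None:
    """Constructed staging tree: documents, infectable files, and archives."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(b"constructed document")
    (root / "photo.jpg").write_bytes(b"\xff\xd8constructed jpeg")
    (root / "Setup.EXE").write_bytes(b"MZ constructed, never copied")
    (root / "saver.scr").write_bytes(b"MZ constructed screensaver")
    (root / "page.htm").write_text("<html>constructed</html>")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "notes")
        zf.writestr("bin/helper.exe", "MZ constructed")
    with zipfile.ZipFile(root / "letters.zip", "w") as zf:
        zf.writestr("2010/letter.txt", "text only")
    (root / "old.rar").write_bytes(b"Rar! constructed")


def demo() -> dict:
    """Build the sample tree in a temp dir and return its triage verdicts."""
    root = Path(tempfile.mkdtemp())
    build_sample(root)
    return triage(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:24} {rel}")
```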



