
antimalwaredoctor not completely removed


This topic is locked
10 replies to this topic

#1 nelson23

Posted 22 July 2010 - 02:39 PM

Okay,

Got the Antimalware Doctor virus on Jul 14. Found and deleted the 'enemies-names.txt' file and disabled something called udosesuzu on startup using configsys.

A file called 27U6r18.exe keeps opening along with iexplore.exe in the background. Multiple instances - sometimes 25-30 of the aforementioned 27U file. Also hki files with 4-digit strings after them. They are in Temp and in Prefetch, which I keep deleting, but they keep coming back.

Symptoms are pop-ups - sometimes just sound bites: "I'm starving" or "Coors Light", things like that. The odd pop-up window from all kinds of companies - even Apple.

Here are the logs as requested:

DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by Drew at 14:33:33.18 on Thu 07/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Drew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CAHeadless] c:\program files\adobe\elements organizer 8.0\caheadless\ElementsAutoAnalyzer.exe
mRun: [MCCInstall] e:\intro\aa\mccinstall\english\MCCInstall.exe -Step=9 -Settings
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [notepad]
mRunOnce: [RebootAfterUninstallingFreedom] c:\windows\system32\runonce.exe
dRun: [Ysedinagog] rundll32.exe "c:\windows\xtwsjt.dll",Startup
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

============= SERVICES / DRIVERS ===============

S0 sbkmxgrb;sbkmxgrb;c:\windows\system32\drivers\sbkmxgrb.sys [2010-7-15 0]
S0 uyaywv;uyaywv;c:\windows\system32\drivers\rukgo.sys --> c:\windows\system32\drivers\rukgo.sys [?]
S2 gupdate1ca708191b933aa;Google Update Service (gupdate1ca708191b933aa);c:\program files\google\update\GoogleUpdate.exe [2009-11-28 133104]

=============== Created Last 30 ================

2010-07-22 18:32:47 0 ----a-w- c:\documents and settings\drew\defogger_reenable
2010-07-22 18:31:26 0 d--h--w- c:\windows\PIF
2010-07-19 13:32:10 14392 ----a-w- c:\windows\freedom.backup.dat
2010-07-19 13:07:28 70 ----a-w- c:\windows\C6544BDE.ini
2010-07-19 13:06:26 0 d-----w- c:\docume~1\drew\applic~1\Zero Knowledge
2010-07-19 13:02:49 29440 ----a-r- c:\windows\system32\drivers\OLD43.tmp
2010-07-19 13:02:48 29440 ----a-r- c:\windows\system32\drivers\OLD41.tmp
2010-07-19 13:02:46 29440 ----a-r- c:\windows\system32\drivers\OLD3F.tmp
2010-07-19 13:02:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Zero Knowledge
2010-07-15 23:09:44 0 d-----w- c:\docume~1\drew\applic~1\Malwarebytes
2010-07-15 23:09:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 23:09:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 23:09:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-15 23:09:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-15 15:01:41 144 ----a-w- c:\documents and settings\drew\108500.BAT
2010-07-15 15:01:38 36865 ----a-w- c:\windows\system32\msmxjchn.dll
2010-07-15 14:43:24 0 d-----w- c:\windows\pss
2010-07-15 14:26:46 120 ----a-w- c:\windows\Jyiyikagupis.dat
2010-07-15 14:26:46 0 ----a-w- c:\windows\Yzitofam.bin
2010-07-15 14:24:53 150 ----a-w- C:\zrpt.xml
2010-07-15 14:24:43 0 ----a-w- c:\windows\system32\drivers\sbkmxgrb.sys
2010-07-14 10:27:25 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 01:40:18 246272 ----a-w- c:\windows\system32\eutip.dll
2010-07-01 17:32:03 0 d-----w- c:\docume~1\drew\applic~1\OverDrive
2010-07-01 17:31:44 0 d-----w- c:\program files\OverDrive Media Console

==================== Find3M ====================

2010-05-26 16:06:44 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-26 16:06:44 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-26 00:20:28 38488 ----a-w- c:\windows\fonts\kberry.ttf
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-10-10 03:21:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009100920091010\index.dat

============= FINISH: 14:34:16.93 ===============


GMER - kept hanging after 3 attempts, so this time I stopped part way through. Sorry - no other choice really.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-22 15:28:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Drew\LOCALS~1\Temp\kxtdypob.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xB80C4114]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xB8281A0C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5DB1380, 0x5414D5, 0xE8000020]
? System32\Drivers\FreeTdi.sys The system cannot find the path specified. !
? system32\DRIVERS\FREEDOM.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1756] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[1756] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00ED000A
.text C:\WINDOWS\explorer.exe[2412] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[2412] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[2412] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A7DAEC5

---- Threads - GMER 1.0.15 ----

Thread System [4:1192] 888FB6A3

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks (I feel like I'm forgetting something, though).
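The "User code sections" entries in the GMER log above are inline hooks: the first 5 bytes of each exported function have been overwritten with a JMP. What decides whether such a hook matters is where the JMP lands. The script below is an added example, not something either participant in this thread ran; it parses those lines, checks each JMP target against a table of module address ranges (assumed XP SP3 load addresses, which on a live system you would take from the process's own module list) and reports which hooks appear in every hooked process. The rule names and verdicts are my own.

```python
"""Triage GMER 'User code sections' lines.

Added example for this thread, not part of GMER or of the posts above.
A line such as
  .text <image>[<pid>] <module>!<function> <addr> 5 Bytes JMP <target>
records a 5-byte JMP written over an exported function. A target inside
another known module may be a legitimate shim; a target in a low, anonymous
region (heap or injected code) is the classic user-mode rootkit signature.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})\s*$"
)

# Assumed load ranges (base, end) of the hooked XP SP3 system DLLs. On a live
# system take these from the process's module list instead of hard-coding.
KNOWN_MODULES = {
    "ntdll.dll": (0x7C900000, 0x7C9AF000),
    "user32.dll": (0x7E410000, 0x7E4A1000),
    "ole32.dll": (0x774E0000, 0x7761E000),
}

# Constructed sample: the hook lines copied from the GMER log in this thread.
SAMPLE_GMER = r"""
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1756] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[1756] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00ED000A
.text C:\WINDOWS\explorer.exe[2412] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[2412] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[2412] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
"""


def parse_hook(line):
    """Return a dict for one GMER inline-hook line, or None if it is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["nbytes"] = int(d["nbytes"])
    d["addr"] = int(d["addr"], 16)
    d["target"] = int(d["target"], 16)
    d["module"] = d["module"].lower()
    return d


def module_at(addr):
    """Name of the known module containing addr, or None."""
    for name, (lo, hi) in KNOWN_MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def triage(lines):
    """Classify every hook line by where its JMP lands."""
    findings = []
    for hook in filter(None, map(parse_hook, lines)):
        dst = module_at(hook["target"])
        if dst is not None:
            verdict, reason = "review", f"JMP lands inside {dst}"
        elif hook["target"] < 0x10000000:
            verdict, reason = "suspicious", "JMP lands in low private memory (heap/injected code)"
        else:
            verdict, reason = "suspicious", "JMP lands outside every known module"
        findings.append({**hook, "verdict": verdict, "reason": reason})
    return findings


def by_process(findings):
    """pid -> list of 'module!function' hooked in that process."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["pid"]].append(f"{f['module']}!{f['func']}")
    return dict(grouped)


def common_hooks(findings):
    """Functions hooked in every hooked process: one injected component, not per-process noise."""
    per_pid = by_process(findings)
    if not per_pid:
        return set()
    return set.intersection(*(set(v) for v in per_pid.values()))


if __name__ == "__main__":
    results = triage(SAMPLE_GMER.splitlines())
    for f in results:
        print(f"{f['verdict']:10} pid={f['pid']:<5} {f['module']}!{f['func']:26} -> {f['target']:08X}  {f['reason']}")
    print("hooked in every process:", sorted(common_hooks(results)))
```

Run as a script it prints one verdict per hook; in the sample every JMP lands below 0x10000000, and the same three ntdll entry points (NtProtectVirtualMemory, NtWriteVirtualMemory, KiUserExceptionDispatcher) are hooked in both svchost.exe and explorer.exe, which is what you would expect from one DLL injected into several processes.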




#2 teacup61 (Malware Response Team)

Posted 22 July 2010 - 03:34 PM

Hello nelson23 ,



QUOTE
GMER - kept hanging after 3 attempts, so this time I stopped part way through. Sorry - no other choice really.
That's okay! You got enough to show the rootkit you have, so thanks for that.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to nelson.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 nelson23 (Topic Starter)

Posted 23 July 2010 - 10:20 AM

I've been SO busy - I appreciate the reply and am going to try this tonight if possible. I'll respond again no matter what happens...
However, I ran Malwarebytes again and it caught a file in the root - filename 493 or something, and except for one strange, complete, sudden shutdown, my system seems fine today.

But this little bugger is tricky and I'm expecting it to come back out of the blue.

thanks for now!

#4 teacup61 (Malware Response Team)

Posted 23 July 2010 - 10:56 AM

Thanks for letting me know, and no problem.

Post when you're ready.

tea

#5 nelson23 (Topic Starter)

Posted 25 July 2010 - 03:58 PM

Yep, it came back.

I'm off to try combofix as per your post.

#6 teacup61 (Malware Response Team)

Posted 25 July 2010 - 04:16 PM

Post when you're ready.

#7 nelson23 (Topic Starter)

Posted 25 July 2010 - 08:39 PM

Okay - done.
I hope I wasn't supposed to attach this, because I've copied and pasted... (well, I'm about to anyway). Here it is, and thanks so very much for your help!



ComboFix 10-07-24.04 - Drew 07/25/2010 17:16:17.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1735 [GMT -4:00]
Running from: c:\documents and settings\Drew\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\27U67r18.exe
c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\dfttuyo.txt
c:\windows\system32\driVERs\sbkmxgrb.sys
c:\windows\system32\eutip.dll
c:\windows\system32\Install.txt
c:\windows\system32\msmxjchn.dll
c:\windows\Tasks\At1.job
c:\windows\xtwsjt.dll

c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer .exe ---^> c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
c:\program files\Common Files\Java\Java Update\jusched .exe ---^> c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched .exe ---^> c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\QuickTime\qttask                 .exe ---^> c:\program files\QuickTime\qttask.exe

.
Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sbkmxgrb
-------\Service_sbkmxgrb


((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-22 20:37 . 2010-07-22 20:37 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 20:34 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 18:31 . 2010-07-22 18:31 -------- d--h--w- c:\windows\PIF
2010-07-19 13:32 . 2010-07-19 13:32 14392 ----a-w- c:\windows\freedom.backup.dat
2010-07-19 13:06 . 2010-07-19 13:06 -------- d-----w- c:\documents and settings\Drew\Application Data\Zero Knowledge
2010-07-19 13:02 . 2010-07-19 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Zero Knowledge
2010-07-18 00:16 . 2010-07-18 00:16 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-17 18:22 . 2010-07-17 18:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-15 14:26 . 2010-07-19 14:55 120 ----a-w- c:\windows\Jyiyikagupis.dat
2010-07-15 14:26 . 2010-07-19 12:55 0 ----a-w- c:\windows\Yzitofam.bin
2010-07-15 14:26 . 2010-07-15 14:26 -------- d-----w- c:\documents and settings\Drew\Local Settings\Application Data\{91FA5E1C-BF5E-42D3-8A85-DCBA394C267C}
2010-07-14 10:27 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-01 17:32 . 2010-07-01 17:32 -------- d-----w- c:\documents and settings\Drew\Application Data\OverDrive
2010-07-01 17:31 . 2010-07-01 17:31 -------- d-----w- c:\program files\OverDrive Media Console

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 21:28 . 2009-12-25 22:02 -------- d-----w- c:\program files\QuickTime
2010-07-25 20:49 . 2009-10-09 16:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 13:56 . 2010-07-22 19:32 112 ----a-w- c:\documents and settings\All Users\Application Data\3UdxFIF2y.dat
2010-07-24 02:11 . 2009-10-09 16:44 -------- d-----w- c:\documents and settings\Drew\Application Data\LimeWire
2010-07-22 20:34 . 2010-07-22 20:34 503808 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-701fe6df-n\msvcp71.dll
2010-07-22 20:34 . 2010-07-22 20:34 499712 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-701fe6df-n\jmc.dll
2010-07-22 20:34 . 2010-07-22 20:34 348160 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-701fe6df-n\msvcr71.dll
2010-07-22 20:34 . 2010-07-22 20:34 61440 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-310a99d4-n\decora-sse.dll
2010-07-22 20:34 . 2010-07-22 20:34 12800 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-310a99d4-n\decora-d3d.dll
2010-07-22 20:33 . 2009-10-09 16:21 -------- d-----w- c:\program files\Java
2010-07-22 18:09 . 2009-12-25 18:21 -------- d-----w- c:\program files\InstallShield Installation Information
2010-07-15 23:09 . 2010-07-15 23:09 -------- d-----w- c:\documents and settings\Drew\Application Data\Malwarebytes
2010-07-15 23:09 . 2010-07-15 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-15 23:09 . 2010-07-15 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-15 15:01 . 2010-07-15 15:01 144 ----a-w- c:\documents and settings\Drew\108500.BAT
2010-06-14 14:31 . 2008-08-27 00:12 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-26 16:07 . 2010-05-26 16:07 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-26 16:07 . 2010-05-26 16:07 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-26 16:07 . 2010-05-26 16:07 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-26 16:07 . 2010-05-26 16:07 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-26 16:07 . 2010-05-26 16:07 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-26 16:07 . 2010-05-26 16:07 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-26 16:07 . 2010-05-26 16:07 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-26 16:07 . 2010-05-26 16:07 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-26 16:07 . 2010-02-20 15:43 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-26 16:06 . 2010-02-20 15:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-26 16:06 . 2010-02-20 15:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-26 02:16 . 2010-05-26 02:16 503808 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3fda0193-n\msvcp71.dll
2010-05-26 02:16 . 2010-05-26 02:16 499712 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3fda0193-n\jmc.dll
2010-05-26 02:16 . 2010-05-26 02:16 348160 ----a-w- c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3fda0193-n\msvcr71.dll
2010-05-26 00:28 . 2008-10-03 20:29 70296 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 14:32 . 2010-05-24 14:32 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-06 10:41 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-07-15 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-07-15 23:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\windows\system32\rundll32 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAHeadless"="c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-06 615808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"MCCInstall"="e:\intro\AA\MCCInstall\English\MCCInstall.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"nwiz"="nwiz.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-26 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ysedinagog"="c:\windows\xtwsjt.dll" [N/A]

[HKLM\~\startupfolder\C:^Documents and Settings^Drew^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Drew\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freedom]
c:\program files\Zero Knowledge\Freedom\Freedom.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hlebegif]
c:\windows\udosesuzu.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sta]
iutip.dll [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

S0 uyaywv;uyaywv;c:\windows\system32\drivers\rukgo.sys --> c:\windows\system32\drivers\rukgo.sys [?]
S2 gupdate1ca708191b933aa;Google Update Service (gupdate1ca708191b933aa);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2009 7:21 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 23:21]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 23:21]

2010-07-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1202660629-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1202660629-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 17:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,3f,07,6d,83,a0,b6,46,9e,2f,e3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,3f,07,6d,83,a0,b6,46,9e,2f,e3,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-07-25 17:35:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 21:35

Pre-Run: 93,945,339,904 bytes free
Post-Run: 105,227,190,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 3E7D70CB91014A6905D2963B1901D79A
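Several of the things ComboFix removed were already visible in the first DDS log: image names with whitespace before the extension (jusched .exe, realsched .exe, qttask .exe, which the ---^> lines above map back to the original names), an mRun entry with no command, rundll32 loading a DLL straight out of c:\windows, and S0 drivers whose file is zero bytes or missing. The script below is an added example, not part of DDS, ComboFix or this thread; it runs those four checks over lines copied from the logs above so the same log can be triaged mechanically. The rule names, the set of Windows-root paths and the extension list are my own assumptions.

```python
"""Flag autostart and driver anomalies in DDS/ComboFix-style log lines.

Added example for this thread; the rules are mine, not DDS or ComboFix
features. Each rule takes one log line and returns a rule name or None.
"""
import ntpath
import re
from collections import Counter

# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LINES = r"""
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [notepad]
dRun: [Ysedinagog] rundll32.exe "c:\windows\xtwsjt.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
S0 sbkmxgrb;sbkmxgrb;c:\windows\system32\drivers\sbkmxgrb.sys [2010-7-15 0]
S0 uyaywv;uyaywv;c:\windows\system32\drivers\rukgo.sys --> c:\windows\system32\drivers\rukgo.sys [?]
S2 gupdate1ca708191b933aa;Google Update Service (gupdate1ca708191b933aa);c:\program files\google\update\GoogleUpdate.exe [2009-11-28 133104]
"""

# "qttask .exe": whitespace between the base name and the extension.
SPACE_EXT_RE = re.compile(r"\S\s+\.(?:exe|dll|sys|scr|com)\b", re.IGNORECASE)
# DDS Run lines: uRun/mRun/dRun(/Once): [value name] command
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# DDS service/driver lines: S<start> name;display;path [date size]
DRIVER_RE = re.compile(r"^S[0-4]\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
# Assumed: directories where a DLL loaded by rundll32 at logon deserves a look.
WINDOWS_ROOTS = {"c:\\windows", "%windir%", "%systemroot%"}


def rule_space_before_extension(line):
    return "space_before_extension" if SPACE_EXT_RE.search(line) else None


def rule_empty_run_value(line):
    m = RUN_RE.match(line)
    return "empty_run_value" if m and not m.group("cmd").strip() else None


def rule_rundll32_windows_root(line):
    m = RUN_RE.match(line)
    if not m:
        return None
    d = RUNDLL_RE.search(m.group("cmd"))
    if d and ntpath.dirname(d.group("dll")).lower() in WINDOWS_ROOTS:
        return "rundll32_dll_in_windows_root"
    return None


def rule_driver_missing_or_empty(line):
    m = DRIVER_RE.match(line)
    if not m:
        return None
    meta = m.group("meta").strip()
    # DDS prints "path --> path [?]" when the driver file is not on disk.
    if "-->" in m.group("path") or meta == "?":
        return "driver_file_missing_or_empty"
    size = meta.split()[-1]
    if size.isdigit() and int(size) == 0:
        return "driver_file_missing_or_empty"
    return None


RULES = (
    rule_space_before_extension,
    rule_empty_run_value,
    rule_rundll32_windows_root,
    rule_driver_missing_or_empty,
)


def triage(lines):
    """Apply every rule to every non-empty line; one finding per rule hit."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for rule in RULES:
            hit = rule(line)
            if hit:
                findings.append({"rule": hit, "line": line})
    return findings


def summarize(findings):
    """Counter of rule name -> number of lines it fired on."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LINES.splitlines())
    for f in found:
        print(f"{f['rule']:30} {f['line']}")
    print(dict(summarize(found)))
```

On the sample the whitespace rule fires three times, the empty-value and rundll32 rules once each, and the driver rule twice (zero-byte sbkmxgrb.sys and the missing rukgo.sys), while the genuine jusched.exe, NvCpl.dll and GoogleUpdate.exe entries pass.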


#8 teacup61 (Malware Response Team)

Posted 27 July 2010 - 03:06 PM

Hello,

I actually prefer the reports to be pasted anyway, so you did just fine.

Apologies for the delay. How is it running after some time has passed?

I see you have Malwarebytes on the system. Could you please have a run with it and post anything it might report.

Thanks,
tea



#9 nelson23 (Topic Starter)

Posted 28 July 2010 - 12:36 PM

It's running well now. Fingers crossed!! No pop-ups, no random shutdown of audio, no files running that shouldn't be (not in Task Manager, anyway).

I'll run Malwarebytes again and let you know.


#10 teacup61 (Malware Response Team)

Posted 28 July 2010 - 03:17 PM

Excellent. Post when you're ready.

#11 teacup61 (Malware Response Team)

Posted 09 August 2010 - 11:19 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



