
I am not sure what I am infected with

11 replies to this topic

#1 StanleyDan

  • Members
  • 7 posts

Posted 18 November 2010 - 06:10 PM

On boot-up Windows Explorer "Documents" screen opens (empty) and hangs there until I close it. Everything else freezes until I close it.

For the first two days I also kept getting a desktop icon titled rnrvcxzodu.tmp, but it doesn't happen anymore (I kept sending to the Recycle bin).

Everything is running extremely slow so I opened Windows Task Manager and checked to see what processes were running. I saw a list of processes that I didn't recognize (and which had never been there before) and so I deleted the following:

cmdial3232.exe
jgdw400wow.exe
KBDBLRwow.exe
MSRDO20wow.exe
MSXML4awow.exe
OLE2DISPwow.exe

I also attempted to shut down the following two programs, but they won't allow me to close them (or they automatically reopen):

KBDNEPR32.exe
MSR2CENU32.exe

I have run CCleaner, Spybot Search and Destroy (Spybot Teatimer runs in the background all the time), Stopzilla and Symantec Security Check, but none of them have helped with this problem. And every time I reboot all of the above items reopen.

I'll be ever so grateful for any help you can give me.

Dan



DDS (Ver_10-11-10.01) - NTFSx86
Run by Dan Lapensee at 20:01:13.70 on Wed 11/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.264 [GMT -5:00]

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\kbdnepr32.exe
C:\WINDOWS\system32\MSR2CENU32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Dan Lapensee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
BHO: {042e2980-fc47-4f30-870c-191ffc3c85be} - c:\windows\system32\audiosrv32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 10f4be0a: {1756818a-dac6-ca69-2d61-dc92a9aa073e} - c:\windows\system32\MPRMSG32.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.0\AOL.EXE" -b
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HostManager] c:\program files\common files\aol\1228011823\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [<NO NAME>]
mRun: [MSXML4awow.exe] c:\windows\MSXML4awow.exe
mRun: [OLE2DISPwow.exe] c:\windows\OLE2DISPwow.exe
mRun: [MSRDO20wow.exe] c:\windows\MSRDO20wow.exe
mExplorerRun: [RTHDBPL] c:\documents and settings\dan lapensee\application data\syswin\lsass.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232586027187
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232586016984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD39/JSCDL/jre/6u5-b15/jinstall-6u5-windows-i586-jc.cab?AuthParam=1208291877_42e7d9b3b2e5a449ca57056491325fa6&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jre/6u5-b15/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\MPRMSG32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SubSystems: Windows = basendep32

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-4-17 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-3-18 394952]
R2 hkmsvc32;Health Key and Certificate Management Service ;c:\windows\system32\kbdnepr32.exe [2010-11-15 1454080]
RUnknown szkg5;szkg5; [x]
RUnknown szkgfs;szkgfs; [x]
S2 seclogon32;Secondary Logon ;c:\windows\system32\cmdial3232.exe [2010-11-13 1454080]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [2001-10-19 16969]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
UnknownUnknown is3srv;is3srv; [x]

=============== Created Last 30 ================

2010-11-17 23:26:35 175616 ----a-w- c:\windows\system32\mmcfxcommon32.exe
2010-11-17 14:59:12 498688 --sh--w- c:\windows\MSRDO20wow.exe
2010-11-16 23:46:26 498688 --sh--w- c:\windows\OLE2DISPwow.exe
2010-11-16 15:42:23 -------- d-----w- c:\program files\Cobian Backup 8
2010-11-16 15:34:28 498688 --sh--w- c:\windows\MSXML4awow.exe
2010-11-16 15:25:13 8499200 ------w- c:\program files\cbSetup8.exe
2010-11-16 01:20:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-11-15 12:02:16 427520 ------w- c:\windows\system32\audiosrv32.dll
2010-11-15 11:58:25 1454080 ------w- c:\windows\system32\kbdnepr32.exe
2010-11-15 00:03:18 1454080 ------w- c:\windows\system32\msrd3x4032.exe
2010-11-14 10:28:03 1125888 --sh--w- c:\windows\system32\301.tmp
2010-11-14 10:27:54 122880 --sh--w- c:\windows\system32\300.tmp
2010-11-14 10:17:38 1454080 ------w- c:\windows\system32\MPRMSG3232.exe
2010-11-13 18:19:19 1454080 ------w- c:\windows\system32\audiosrv32.exe
2010-11-13 17:50:57 0 ---h--w- c:\documents and settings\dan lapensee\rnrvcxzodu.tmp
2010-11-13 17:49:12 175616 ------w- c:\windows\system32\mprdim32.exe
2010-11-13 17:44:43 -------- d-sh--w- c:\windows\system32\15B3CF4F3D27A1B4C74AD27D5D001F0F
2010-11-13 17:44:39 203776 --sh--w- c:\windows\system32\unrar.exe
2010-11-13 17:44:39 -------- d-----w- c:\windows\system32\1387628856
2010-11-13 17:44:19 1125888 --sh--w- c:\windows\system32\2F4.tmp
2010-11-13 17:43:30 1454080 ------w- c:\windows\system32\MSR2CENU32.exe
2010-11-13 17:43:28 266752 ------w- c:\windows\system32\MPRMSG32.dll
2010-11-13 17:43:21 -------- d-sh--w- c:\docume~1\danlap~1\applic~1\SysWin
2010-11-13 17:43:19 1454080 ------w- c:\windows\system32\cmdial3232.exe
2010-10-25 11:16:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-25 11:16:10 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-25 02:16:02 499712 ------w- c:\windows\system32\msvcp71.dll
2010-10-25 01:45:53 -------- d-----w- c:\program files\Defraggler

==================== Find3M ====================

2008-03-01 16:02:32 3982064 -c----w- c:\program files\roguefix_2.136.bat
2007-11-20 04:06:00 4606976 -c----w- c:\program files\mirc_demo.msi
2006-06-28 14:56:54 774144 -c----w- c:\program files\RngInterstitial.dll
2009-03-23 20:26:26 374272 --sh--w- c:\windows\system32\9D.tmp

============= FINISH: 20:03:31.03 ===============
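Added example (not from StanleyDan's post, and not code from the DDS tool): a short Python triage script for log lines in the shape DDS printed above. It flags the tells a responder would check first in this particular log: a non-empty AppInit_DLLs value, a Browser Helper Object with no descriptive name, a replaced Win32 subsystem ServerDll (the stock value is basesrv), files carrying hidden+system attributes, services whose display names are whitespace-padded copies of real ones and whose images show up in the "Created Last 30" list, and several differently named files of exactly the same byte size. The sample lines are constructed from the log above, and the heuristics are the example's own assumptions, not anything DDS or ComboFix implements.

```python
"""Triage DDS-style log lines for the persistence tells seen in this thread (added example)."""
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape DDS prints, copied from the
# "Pseudo HJT Report", "SERVICES / DRIVERS" and "Created Last 30" sections above.
SAMPLE_LOG = r"""
BHO: {042e2980-fc47-4f30-870c-191ffc3c85be} - c:\windows\system32\audiosrv32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
AppInit_DLLs: c:\windows\system32\MPRMSG32.dll
SubSystems: Windows = basendep32
R2 hkmsvc32;Health Key and Certificate Management Service ;c:\windows\system32\kbdnepr32.exe [2010-11-15 1454080]
S2 seclogon32;Secondary Logon ;c:\windows\system32\cmdial3232.exe [2010-11-13 1454080]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-4-17 127768]
2010-11-17 14:59:12 498688 --sh--w- c:\windows\MSRDO20wow.exe
2010-11-16 23:46:26 498688 --sh--w- c:\windows\OLE2DISPwow.exe
2010-11-16 15:42:23 -------- d-----w- c:\program files\Cobian Backup 8
2010-11-15 11:58:25 1454080 ------w- c:\windows\system32\kbdnepr32.exe
2010-11-13 17:43:19 1454080 ------w- c:\windows\system32\cmdial3232.exe
2010-11-14 10:28:03 1125888 --sh--w- c:\windows\system32\301.tmp
2010-10-25 02:16:02 499712 ------w- c:\windows\system32\msvcp71.dll
"""

# "Created Last 30" rows: date time size attrs path. Directories show the size as
# eight dashes; the attribute column is eight flags (d, c, s, h, a, ..., w, ...).
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (-{8}|\d+) ([a-z-]{8}) (.+)$")
# "SERVICES / DRIVERS" rows: state name;display;image [date size]
SERVICE_RE = re.compile(r"^(\w+) ([^;]+);([^;]*);(.*?)(?: \[.*\])?$")
# BHO rows: an optional descriptive name, a CLSID, then the DLL (or "No File").
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{[0-9A-Fa-f-]+\} - (?P<target>.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return (kind, detail) findings. The heuristics are assumptions of this example, not DDS logic."""
    findings = []
    created = {}                 # basename -> full path, from "Created Last 30"
    by_size = defaultdict(set)   # byte size -> paths with exactly that size
    services = []
    for line in lines:
        line = line.rstrip()
        m = CREATED_RE.match(line)
        if m:
            _date, size, attrs, path = m.groups()
            created[basename(path)] = path
            # Hidden + system attributes on a fresh file under c:\windows keep it out of Explorer.
            if attrs[2] == "s" and attrs[3] == "h":
                findings.append(("hidden+system entry", path))
            if size != "--------":
                by_size[int(size)].add(path)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groups())
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("name") is None and m.group("target").lower() != "no file":
                findings.append(("unnamed BHO", m.group("target")))
            continue
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # anything listed here is loaded into every user32-linked process
                findings.append(("AppInit_DLLs set", value))
        elif line.startswith("SubSystems: Windows =") and "basesrv" not in line.lower():
            # The stock Win32 subsystem ServerDll is basesrv; anything else replaced it.
            findings.append(("non-default Windows subsystem ServerDll", line.split("=", 1)[1].strip()))

    for _state, name, display, image in services:
        # Genuine display names are not padded; the copies in this log carry a trailing space.
        if display != display.strip():
            findings.append(("padded service display name", f"{name} ({display!r})"))
        # A service whose image file was created within the last 30 days deserves a close look.
        if basename(image) in created:
            findings.append(("service image created recently", f"{name} -> {image}"))

    # Several differently named files of exactly the same size: copies of one dropper.
    for size, paths in sorted(by_size.items()):
        if len(paths) >= 2:
            findings.append(("same size, different names", f"{size} bytes: " + ", ".join(sorted(paths))))
    return findings


def run_sample():
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"[{kind}] {detail}")
```

Run it directly to print the findings, or pass the lines of a full DDS log to triage(). The output is a set of triage cues for a human, not verdicts: the legitimate entries in the sample (the Adobe BHO, klif.sys, msvcp71.dll, the Cobian Backup folder) come through without a flag, while every entry the thread later confirmed as Trojan.Tracur (MPRMSG32.dll, audiosrv32.dll, the hkmsvc32 and seclogon32 services) is surfaced.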


#2 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 27 November 2010 - 08:12 AM

Hi StanleyDan,

Sorry for the delay; there is no shortage of posters. If you still need help, reply back.

How Can I Reduce My Risk to Malware?


#3 StanleyDan
  • Topic Starter

  • Members
  • 7 posts

Posted 27 November 2010 - 12:34 PM

Hi Shelf Life,

Yes, I could still use some assistance. Since my original post I was able to eliminate most of the processes that kept running on start-up, including KBDNEPR32.exe and MSR2CENU32.exe, but now every time I open Internet Explorer a temp file, rnrvcxzodu.tmp, opens up, and it also appears that something has hijacked my search engines. Other than that I can't see anything happening, though my system appears to be slower than usual and AOL is very, very slow to open (so I have switched to IE).

Dan

#4 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 27 November 2010 - 03:12 PM

OK. We will get a download to use. It's called ComboFix. There is a guide you need to read first. Read through the guide, then apply the directions on your own machine. Post the ComboFix log in your reply:

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 StanleyDan
  • Topic Starter

  • Members
  • 7 posts

Posted 27 November 2010 - 06:44 PM

ComboFix 10-11-27.01 - Dan Lapensee 11/27/2010 18:08:56.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.273 [GMT -5:00]
Running from: c:\documents and settings\Dan Lapensee\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{96c429cc-f8dd-43d2-bb92-2f6a0867e0da}
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{96c429cc-f8dd-43d2-bb92-2f6a0867e0da}\chrome.manifest
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{96c429cc-f8dd-43d2-bb92-2f6a0867e0da}\chrome\xulcache.jar
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{96c429cc-f8dd-43d2-bb92-2f6a0867e0da}\defaults\preferences\xulcache.js
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{96c429cc-f8dd-43d2-bb92-2f6a0867e0da}\install.rdf
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{bc637b2e-aaf2-4f00-99fc-6f753296d0f5}
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{bc637b2e-aaf2-4f00-99fc-6f753296d0f5}\chrome.manifest
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{bc637b2e-aaf2-4f00-99fc-6f753296d0f5}\chrome\xulcache.jar
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{bc637b2e-aaf2-4f00-99fc-6f753296d0f5}\defaults\preferences\xulcache.js
c:\documents and settings\Dan Lapensee\Application Data\Mozilla\Firefox\Profiles\jakfhcty.default\extensions\{bc637b2e-aaf2-4f00-99fc-6f753296d0f5}\install.rdf
c:\documents and settings\Dan Lapensee\Application Data\syswin
c:\documents and settings\LocalService\Application Data\020000008bc978d61069C.manifest
c:\documents and settings\LocalService\Application Data\020000008bc978d61069O.manifest
c:\documents and settings\LocalService\Application Data\020000008bc978d61069P.manifest
c:\documents and settings\LocalService\Application Data\020000008bc978d61069S.manifest
c:\program files\Downloaded Installers
c:\windows\system32\1387628856
c:\windows\system32\1387628856\new.i0
c:\windows\system32\audiosrv32.dll
c:\windows\system32\basendep32.dll
c:\windows\system32\DMDSKMGR32.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BITS32


((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
.

2010-11-25 17:24 . 2010-11-25 17:24 -------- d-----w- c:\documents and settings\Dan Lapensee\Application Data\Uniblue
2010-11-25 17:20 . 2010-11-25 17:20 -------- d-----w- c:\documents and settings\Dan Lapensee\Local Settings\Application Data\PackageAware
2010-11-24 15:29 . 2010-11-24 15:29 0 ---ha-w- c:\documents and settings\Dan Lapensee\rnrvcxzodu.tmp
2010-11-22 14:18 . 2010-11-22 14:36 -------- d-----w- c:\documents and settings\Dan Lapensee\Application Data\FixCleaner
2010-11-22 14:17 . 2010-11-22 14:53 -------- d-----w- c:\program files\FixCleaner
2010-11-21 21:33 . 2010-11-21 21:33 1118720 --sha-w- c:\windows\system32\3.tmp
2010-11-21 21:28 . 2010-11-21 21:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2010-11-21 21:28 . 2010-11-21 21:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-11-21 21:26 . 2010-11-21 21:26 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-11-21 21:25 . 2010-11-21 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-11-21 21:18 . 2010-11-21 21:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-11-21 15:27 . 2010-11-21 15:25 500224 --sh--w- c:\windows\s3gnbwow.exe
2010-11-21 15:27 . 2010-11-21 15:25 500224 --sh--w- c:\windows\racpldlgwow.exe
2010-11-21 15:25 . 2010-11-21 15:25 1118720 --sha-w- c:\windows\system32\4.tmp
2010-11-18 21:46 . 2010-11-18 21:46 1118720 --sha-w- c:\windows\system32\5.tmp
2010-11-17 23:26 . 2010-11-17 23:26 175616 ----a-w- c:\windows\system32\mmcfxcommon32.exe
2010-11-16 15:42 . 2010-11-16 15:43 -------- d-----w- c:\program files\Cobian Backup 8
2010-11-16 15:25 . 2010-11-16 15:25 8499200 ------w- c:\program files\cbSetup8.exe
2010-11-16 01:20 . 2010-11-18 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-11-15 00:03 . 2010-11-13 17:43 1454080 ------w- c:\windows\system32\msrd3x4032.exe
2010-11-14 10:28 . 2010-11-14 10:28 1125888 --sh--w- c:\windows\system32\301.tmp
2010-11-14 10:27 . 2010-11-14 10:27 122880 --sh--w- c:\windows\system32\300.tmp
2010-11-13 18:19 . 2010-11-13 17:43 1454080 ------w- c:\windows\system32\audiosrv32.exe
2010-11-13 17:49 . 2010-11-13 17:49 175616 ------w- c:\windows\system32\mprdim32.exe
2010-11-13 17:44 . 2010-11-21 15:27 -------- d-sh--w- c:\windows\system32\15B3CF4F3D27A1B4C74AD27D5D001F0F
2010-11-13 17:44 . 2010-11-13 17:44 203776 --sh--w- c:\windows\system32\unrar.exe
2010-11-13 17:44 . 2010-11-13 17:44 1125888 --sh--w- c:\windows\system32\2F4.tmp
2010-11-13 17:43 . 2010-11-13 17:43 1454080 ------w- c:\windows\system32\MSR2CENU32.exe
2010-11-13 17:43 . 2010-11-13 17:43 266752 ------w- c:\windows\system32\MPRMSG32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-24 16:59 . 2003-12-03 06:52 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2008-03-01 16:02 . 2008-03-01 16:02 3982064 -c----w- c:\program files\roguefix_2.136.bat
2007-11-20 04:06 . 2007-11-20 04:05 4606976 -c----w- c:\program files\mirc_demo.msi
2006-06-28 14:56 . 2006-06-28 14:57 774144 -c----w- c:\program files\RngInterstitial.dll
2009-03-23 20:26 374272 --sh--w- c:\windows\SYSTEM32\9D.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{760B97D5-1113-F44A-2574-900E52C07452}]
2010-11-13 17:43 266752 ------w- c:\windows\SYSTEM32\MPRMSG32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\AOL 9.0\AOL.EXE" [2007-04-18 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-12-17 63696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\MPRMSG32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Dan Lapensee^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Dan Lapensee\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-26 14:38 49968 ------w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 -c----w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 ------w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
2003-06-24 16:46 245760 ------w- c:\program files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 15:24 49152 ------w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 06:19 155648 ------w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
2008-04-14 00:12 208896 ------w- c:\windows\INF\unregmp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\aol\\1228011823\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\racpldlgwow.exe"=
"c:\\WINDOWS\\s3gnbwow.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

S2 hkmsvc32;Health Key and Certificate Management Service ; [x]
S2 seclogon32;Secondary Logon ; [x]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\SYSTEM32\DRIVERS\LEXAR2K.SYS [10/19/2001 2:57 PM 16969]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{042E2980-FC47-4F30-870C-191FFC3C85Be} - c:\windows\system32\audiosrv32.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Dan Lapensee\Application Data\SysWin\lsass.exe
MSConfigStartUp-ComcastAntispyClient - c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-27 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Dan Lapensee\Application Data\SysWin\lsass.exe???????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3184819206-795847010-3868689368-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\AOL 9.0\waol.exe
c:\program files\AOL 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2010-11-27 18:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-27 23:40
ComboFix2.txt 2008-03-02 00:42

Pre-Run: 763,183,104 bytes free
Post-Run: 726,282,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 7989882A85B8349879D0057F6E8F28D8

#6 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 27 November 2010 - 08:46 PM

OK, thanks for the log. I don't see a resident antivirus application in the log. Spybot Search and Destroy is not antivirus. You need an AV app. You should download, install, update and scan with one ASAP. AV links at bottom:


We will get another download to use as a check for malware. It's not antivirus. You can keep it and use it as an antimalware application. Link and directions:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.


http://free.avg.com/us-en/homepage
http://www.microsoft.com/SECURITY_ESSENTIALS/
http://www.free-av.com/
http://www.avast.com/security-software-home-office

How Can I Reduce My Risk to Malware?


#7 StanleyDan
  • Topic Starter

  • Members
  • 7 posts

Posted 28 November 2010 - 10:39 AM

Below is the Malwarebytes log. I also ran Microsoft Security Essentials after running the Malwarebytes scan and it showed no threats.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5203

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/28/2010 8:59:23 AM
mbam-log-2010-11-28 (08-59-23).txt

Scan type: Full scan (C:\|)
Objects scanned: 221558
Time elapsed: 2 hour(s), 1 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\MPRMSG32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{760b97d5-1113-f44a-2574-900e52c07452} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{760b97d5-1113-f44a-2574-900e52c07452} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{760b97d5-1113-f44a-2574-900e52c07452} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{760b97d5-1113-f44a-2574-900e52c07452} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijacker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Data: c:\windows\system32\mprmsg32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Data: system32\mprmsg32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\MPRMSG32.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20101121-214547-485.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\audiosrv32.dll.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP839\A0090985.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP839\A0093004.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP839\A0093005.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP840\A0093078.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP841\A0094119.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP841\A0094120.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP841\A0094124.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP841\A0094126.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP841\A0094127.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP842\A0094169.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP842\A0094170.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP843\A0094222.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP843\A0094223.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP844\A0095306.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP844\A0095307.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP848\A0095620.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP848\A0095621.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP852\A0096877.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\s3gnbwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\racpldlgwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSR2CENU32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msrd3x4032.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mmcfxcommon32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\audiosrv32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\2F4.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\3.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\300.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\301.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\4.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\5.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\9D.tmp (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mprdim32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\15B3CF4F3D27A1B4C74AD27D5D001F0F\b\bint1 (Trojan.Tracur.S) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\020000008bc978d61069C.manifest (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\020000008bc978d61069O.manifest (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\020000008bc978d61069P.manifest (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\020000008bc978d61069S.manifest (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\GnuHashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.

#8 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 28 November 2010 - 12:28 PM

Ok, good. Can you run DDS once more and post the new log?

How Can I Reduce My Risk to Malware?


#9 StanleyDan

  • Topic Starter
  • Members
  • 7 posts

Posted 28 November 2010 - 02:07 PM

DDS (Ver_10-11-10.01) - NTFSx86
Run by Dan Lapensee at 13:51:02.37 on Sun 11/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dan Lapensee\Desktop\dds.scr
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - No File
BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AOL Fast Start] "c:\program files\aol 9.0\AOL.EXE" -b
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232586027187
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232586016984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD39/JSCDL/jre/6u5-b15/jinstall-6u5-windows-i586-jc.cab?AuthParam=1208291877_42e7d9b3b2e5a449ca57056491325fa6&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jre/6u5-b15/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-4-17 127768]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-3-18 394952]
S2 hkmsvc32;Health Key and Certificate Management Service ; [x]
S2 seclogon32;Secondary Logon ; [x]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [2001-10-19 16969]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-11-28 17:23:18 -------- d-----w- c:\windows\ie8updates
2010-11-28 17:11:51 -------- d-----w- c:\program files\MSXML 4.0
2010-11-28 15:21:45 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-11-28 15:21:44 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-28 15:21:42 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-11-28 15:20:51 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-11-28 15:19:47 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-28 15:19:35 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-11-28 15:18:10 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-28 15:17:06 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-28 15:16:57 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-11-28 15:16:51 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-11-28 15:16:43 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-11-28 15:14:48 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-28 15:14:47 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-11-28 15:14:43 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-28 15:10:14 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-11-28 15:10:14 5120 ------w- c:\windows\system32\xpsp4res.dll
2010-11-28 15:05:05 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-11-28 15:03:55 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-11-28 15:03:55 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-11-28 15:03:05 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-11-28 15:03:04 35328 ------w- c:\windows\system32\dllcache\sc.exe
2010-11-28 15:03:03 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-11-28 15:03:02 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-11-28 15:03:01 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-11-28 15:03:00 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-11-28 15:02:58 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-11-28 15:02:53 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-11-28 15:02:48 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-11-28 15:01:28 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-11-28 14:32:41 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-11-28 14:28:31 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2c6218da-8977-4011-bb35-3c5575047a86}\mpengine.dll
2010-11-28 14:26:32 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-11-28 14:23:02 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-28 14:16:02 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-28 14:10:48 13063352 ----a-w- c:\program files\mssefullinstall-x86fre-en-us-xp.exe
2010-11-28 03:19:05 -------- d-----w- c:\docume~1\danlap~1\applic~1\Malwarebytes
2010-11-28 03:17:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-28 03:17:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-28 03:17:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 03:17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-27 22:08:25 -------- d-sha-r- C:\cmdcons
2010-11-27 22:02:54 98816 ----a-w- c:\windows\sed.exe
2010-11-27 22:02:54 89088 ----a-w- c:\windows\MBR.exe
2010-11-27 22:02:54 256512 ----a-w- c:\windows\PEV.exe
2010-11-27 22:02:54 161792 ----a-w- c:\windows\SWREG.exe
2010-11-25 17:24:52 -------- d-----w- c:\docume~1\danlap~1\applic~1\Uniblue
2010-11-25 17:20:51 -------- d-----w- c:\docume~1\danlap~1\locals~1\applic~1\PackageAware
2010-11-24 15:29:48 0 ---ha-w- c:\documents and settings\dan lapensee\rnrvcxzodu.tmp
2010-11-22 14:18:11 -------- d-----w- c:\docume~1\danlap~1\applic~1\FixCleaner
2010-11-22 14:17:24 -------- d-----w- c:\program files\FixCleaner
2010-11-16 15:42:23 -------- d-----w- c:\program files\Cobian Backup 8
2010-11-16 15:25:13 8499200 ------w- c:\program files\cbSetup8.exe
2010-11-16 01:20:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-11-13 17:44:43 -------- d-sh--w- c:\windows\system32\15B3CF4F3D27A1B4C74AD27D5D001F0F
2010-11-13 17:44:39 203776 --sh--w- c:\windows\system32\unrar.exe

==================== Find3M ====================

2010-09-18 17:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ------w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\win32k.sys
2008-03-01 16:02:32 3982064 -c----w- c:\program files\roguefix_2.136.bat
2007-11-20 04:06:00 4606976 -c----w- c:\program files\mirc_demo.msi
2006-06-28 14:56:54 774144 -c----w- c:\program files\RngInterstitial.dll

============= FINISH: 13:53:42.03 ===============

#10 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 28 November 2010 - 04:31 PM

That all looks good. How's it all looking on your end now?

How Can I Reduce My Risk to Malware?


#11 StanleyDan

  • Topic Starter
  • Members
  • 7 posts

Posted 28 November 2010 - 06:13 PM

Everything appears to be working normally again. Thank you very much.

Dan

#12 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 28 November 2010 - 06:56 PM

Ok, good, and you're welcome. Note that the free version of Malwarebytes must be updated manually and a scan started manually. The paid version offers auto-updates and a real-time protection feature. It's good practice to keep it updated even if you don't do a scan with it at that time. I consider scanning really to be a function of your computer habits.

Last are some tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer cannot stay malware-free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep Windows, your browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows FireFox for safer surfing.

10) Warez, cracks, etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via P2P networks you will encounter malware. Can you really trust the source of the file?

How Can I Reduce My Risk to Malware?


