
Viral Infection


This topic is locked. 4 replies to this topic.

#1 godzhilla

  • Members
  • 2 posts

Posted 04 December 2010 - 09:00 PM

While on the internet today, I was fortunate to chance upon a virus of some sort. I ran HijackThis (I do this periodically) and noticed a couple of .dll files that I've never seen before, along with some processes. I could remove most of them, but two of them are not going away, and so the processes keep coming back. I caught most of it rather quickly, so I'm not sure of the damage these can cause. My computer just slowed to a standstill, basically. I've lost the ability to view my folder options also. I tried to fix this in regedit, but it didn't work for some reason. So here are the logs that this site suggested I post.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Owner at 20:37:54.78 on Sat 12/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.39 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\gmer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mSearch Page =
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: UIHost=c:\program files\tgtsoft\stylexp\logon\CurrentLogon.EXE
uWinlogon: Shell=c:\documents and settings\owner\application data\hotfix.exe
BHO: c:\windows\system32\a059c4dejs.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\a059c4dejs.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
Trusted Zone: aol.com\free
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\a059c4dejs.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\a059c4dejs.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gv4bs3vp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Ask Toolbar for Firefox: {E9A1DEE0-C623-4439-8932-001E7D17607D} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gv4bs3vp.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-17 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2006-6-18 13696]
S4 0112531228971802mcinstcleanup;McAfee Application Installer Cleanup (0112531228971802);c:\docume~1\owner\locals~1\temp\011253~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\owner\locals~1\temp\011253~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1375992]

=============== Created Last 30 ================

2010-12-05 00:50:52 55300 ---h--w- c:\windows\services.exe
2010-12-05 00:50:52 55300 ---h--w- c:\windows\avp.exe
2010-12-05 00:50:51 55300 ---h--w- c:\windows\win.exe
2010-12-05 00:13:21 55300 ---h--w- c:\windows\avp32.exe
2010-12-05 00:13:19 55300 ---h--w- c:\windows\setup.exe
2010-12-05 00:03:17 55300 ---h--w- c:\windows\user.exe
2010-12-05 00:00:38 60000 ----a-w- c:\windows\login.exe
2010-12-05 00:00:20 55296 ----a-w- c:\windows\install.exe
2010-12-04 23:59:57 60004 ---h--w- c:\windows\mdm.exe
2010-12-04 23:59:15 46080 ---ha-w- c:\windows\dmrelnet.dll
2010-12-04 23:58:39 30000 ----a-w- c:\windows\system32\hfy0n6o0s.dll
2010-12-04 23:58:15 30000 ------w- c:\windows\system32\a059c4dejs.dll
2010-12-04 23:58:11 418816 ----a-w- c:\windows\system32\htrp.exe
2010-12-04 23:58:03 418816 ----a-w- c:\windows\system32\fwnaj.exe
2010-12-04 23:58:01 418816 ----a-w- c:\windows\system32\zkgh.exe
2010-12-04 23:57:48 46080 ---ha-w- c:\windows\system32\dmrelnet.dll
2010-12-04 23:57:39 30000 ----a-w- c:\windows\system32\c4sadn29.dll
2010-12-04 23:57:32 30000 ----a-w- c:\windows\system32\vsm0h.dll
2010-12-04 23:57:32 30000 ----a-w- c:\windows\system32\ddtgo1n65.dll
2010-12-04 23:55:51 -------- d-----w- c:\docume~1\owner\applic~1\AF0445F1821DBC90882EEE98546908E2
2010-11-26 23:15:30 -------- d-----w- c:\program files\BitTorrent
2010-11-26 23:15:00 -------- d-----w- c:\docume~1\owner\applic~1\BitTorrent
2010-11-26 08:37:13 -------- d-----w- c:\program files\TGTSoft
2010-11-26 06:01:02 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Adobe
2010-11-26 03:10:35 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-11-26 03:10:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-26 03:10:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-26 03:10:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-26 03:10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-26 01:25:59 -------- d-----w- c:\program files\AskBardis
2010-11-08 01:11:31 -------- d--h--w- C:\$AVG
2010-11-08 00:54:57 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2010-11-08 00:50:57 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-08 00:47:17 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-08 00:47:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-08 00:37:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2010-11-26 08:19:34 218624 ----a-w- c:\windows\system32\uxtheme.ubx

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_4R080L0 rev.RAMC1TU0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-1b

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8443DEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x83f36872; SUB DWORD [EBP-0x4], 0x83f3612e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8454B030]
3 CLASSPNP[0xF766D05B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\0000005e[0x845D1A40]
5 ACPI[0xF74F3620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x845D1B58]
[0x84331AE8] -> IRP_MJ_CREATE -> 0x8443DEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-1b -> \??\IDE#DiskMaxtor_4R080L0__________________________RAMC1TU0#3252375346344535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8443DAEA
user & kernel MBR OK
sectors 160086526 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 20:47:41.90 ===============
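Added example, not part of the thread and not code from BleepingComputer, DDS or GMER: a small Python triage script that reads DDS-style lines like the ones in the log above and flags three of the persistence indicators a responder would look for in it: a Winlogon Shell value that points somewhere other than explorer.exe, a BHO/STS DLL that also appears in the "Created Last 30" listing, and hidden executables dropped directly into c:\windows under system-binary names. The sample lines are a constructed excerpt of values visible in the log above; the regexes, rule names and the assumption that DDS puts the hidden flag in the fourth position of its attribute string are my own.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a handful of DDS-style lines modelled on the log in the post above.
# The values are the ones visible in that log; the selection and line order are mine.
SAMPLE_LOG = r"""
uWinlogon: Shell=c:\documents and settings\owner\application data\hotfix.exe
mWinlogon: UIHost=c:\program files\tgtsoft\stylexp\logon\CurrentLogon.EXE
BHO: c:\windows\system32\a059c4dejs.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\a059c4dejs.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [SoundMan] SOUNDMAN.EXE
2010-12-05 00:50:52 55300 ---h--w- c:\windows\services.exe
2010-12-05 00:50:52 55300 ---h--w- c:\windows\avp.exe
2010-12-04 23:58:15 30000 ------w- c:\windows\system32\a059c4dejs.dll
2010-11-26 03:10:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # hypothetical rule name, chosen for this example
    path: str   # the file the rule fired on


# "uWinlogon: Shell=<path>" / "mWinlogon: Shell=<path>" (user / machine hive)
SHELL_RE = re.compile(r"^[um]Winlogon:\s*Shell=(.+)$", re.I)
# "<date> <time> <size> <8-char attrs> <path>" as in the DDS "Created Last 30" section;
# directory entries carry "--------" as size and therefore do not match \d+ (intended)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+([-a-z]{8})\s+(.+)$")
# "BHO: <name>: {GUID} - <path>" and the matching "STS:" shell-style object line
BHO_RE = re.compile(r"^(?:BHO|STS):.*?\{[0-9a-f-]{36}\}\s+-\s+(.+)$", re.I)


def analyze(log_text: str) -> list[Finding]:
    """Return the findings produced by three simple rules over a DDS-style log."""
    findings: list[Finding] = []
    created: dict[str, str] = {}  # lowercase path -> attribute string

    # Pass 1: collect everything the "Created Last 30" style lines report.
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m.group(2).strip().lower()] = m.group(1)

    # Pass 2: apply the rules that need the created-files index.
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m and ntpath.basename(m.group(1)).lower() != "explorer.exe":
            # The Windows shell is normally explorer.exe; anything else runs at every logon.
            findings.append(Finding("winlogon_shell_replaced", m.group(1)))
        m = BHO_RE.match(line)
        if m and m.group(1).strip().lower() in created:
            # A browser helper object whose DLL was created in the last 30 days is worth a look.
            findings.append(Finding("bho_recently_created", m.group(1).strip()))

    # Assumption: in the DDS attribute string the 4th character is 'h' for hidden files.
    for path, attrs in created.items():
        if attrs[3] == "h" and path.endswith(".exe") and ntpath.dirname(path) == r"c:\windows":
            # Real services.exe lives in system32; a hidden copy in c:\windows root does not belong.
            findings.append(Finding("hidden_exe_in_windows_root", path))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:28s} {f.path}")
```

The script is deliberately a first-pass filter, not a verdict: it only tells a helper which lines of a pasted log to read first. The "c:\windows root" rule in particular relies on the path layout of the XP-era log shown here; on another Windows version the list of directories where system binaries legitimately live would need to be adjusted.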


#2 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 04 December 2010 - 10:59 PM

Hello godzhilla,

On top of everything else, you have a rootkit.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If AVG gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with AVG. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to godzhilla.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 godzhilla

  • Topic Starter
  • Members
  • 2 posts

Posted 05 December 2010 - 12:17 AM

ComboFix 10-12-04.01 - Owner 12/04/2010 23:53:39.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.268 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\cmd.exe
c:\docume~1\Owner\LOCALS~1\Temp\install.exe
c:\docume~1\Owner\LOCALS~1\Temp\mdm.exe
c:\docume~1\Owner\LOCALS~1\Temp\smss.exe
c:\docume~1\Owner\LOCALS~1\Temp\spoolsv.exe
c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\Owner\Application Data\AF0445F1821DBC90882EEE98546908E2
c:\documents and settings\Owner\Application Data\AF0445F1821DBC90882EEE98546908E2\boxtechsetup700.exe
c:\documents and settings\Owner\Application Data\AF0445F1821DBC90882EEE98546908E2\enemies-names.txt
c:\documents and settings\Owner\Application Data\AF0445F1821DBC90882EEE98546908E2\local.ini
c:\documents and settings\Owner\Recent\Thumbs.db
c:\documents and settings\Owner\Start Menu\Programs\Quick Defragmenter
c:\documents and settings\Owner\Start Menu\Programs\Quick Defragmenter\Quick Defragmenter.lnk
c:\documents and settings\Owner\Start Menu\Programs\Quick Defragmenter\Uninstall Quick Defragmenter.lnk
c:\windows\avp.exe
c:\windows\avp32.exe
c:\windows\dmrelnet.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\drweb.exe
c:\windows\install.exe
c:\windows\services.exe
c:\windows\setup.exe
c:\windows\system32\a059c4dejs.dll
c:\windows\system32\c4sadn29.dll
c:\windows\system32\ddtgo1n65.dll
c:\windows\system32\dmrelnet.dll
c:\windows\system32\hfy0n6o0s.dll
c:\windows\system32\vsm0h.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\user.exe
c:\windows\win.exe
c:\windows\win32.exe

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
.

2010-12-05 00:00 . 2010-12-04 23:57 60000 ----a-w- c:\windows\login.exe
2010-12-04 23:59 . 2010-12-05 00:00 60004 ---h--w- c:\windows\mdm.exe
2010-12-04 23:58 . 2010-12-04 23:58 418816 ----a-w- c:\windows\system32\htrp.exe
2010-12-04 23:58 . 2010-12-04 23:58 418816 ----a-w- c:\windows\system32\fwnaj.exe
2010-12-04 23:58 . 2010-12-04 23:58 418816 ----a-w- c:\windows\system32\zkgh.exe
2010-11-26 23:15 . 2010-11-26 23:15 -------- d-----w- c:\program files\BitTorrent
2010-11-26 23:15 . 2010-11-29 05:21 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-11-26 08:37 . 2010-11-26 08:37 -------- d-----w- c:\program files\TGTSoft
2010-11-26 06:01 . 2010-11-26 06:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-11-26 03:10 . 2010-11-26 03:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-11-26 03:10 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-26 03:10 . 2010-11-26 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-26 03:10 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-26 03:10 . 2010-11-26 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-26 01:25 . 2010-11-26 01:25 -------- d-----w- c:\program files\AskBardis
2010-11-17 06:10 . 2010-11-17 06:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-11-08 01:11 . 2010-11-08 01:11 -------- d-----w- C:\$AVG
2010-11-08 00:54 . 2010-11-08 00:54 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10
2010-11-08 00:50 . 2010-11-08 00:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-08 00:47 . 2010-12-05 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-08 00:47 . 2010-12-05 04:31 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-08 00:37 . 2010-11-08 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-26 08:19 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.ubx
2010-11-13 06:04 . 2010-09-18 05:04 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2006-08-01 20:35 67112 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 20:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
2006-05-24 18:31 1372160 ----a-w- c:\program files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-18 10:13 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-08 07:33 53248 ----a-w- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-03-11 21:33 147456 ----a-w- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2007-04-10 21:46 709992 ----a-w- c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 12:35 20480 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSCamSvc"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"0112531228971802mcinstcleanup"=2 (0x2)
"MyWebSearchService"=2 (0x2)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"lxcj_device"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"getPlus® Helper"=3 (0x3)
"GameConsoleService"=3 (0x3)
"aspnet_state"=3 (0x3)
"xmlprov"=3 (0x3)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"TrkWks"=2 (0x2)
"SysmonLog"=3 (0x3)
"Spooler"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=3 (0x3)
"avgwd"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=2 (0x2)
"AudioSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/17/2010 11:59 PM 64288]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [6/18/2006 3:26 PM 13696]
S4 0112531228971802mcinstcleanup;McAfee Application Installer Cleanup (0112531228971802);c:\docume~1\Owner\LOCALS~1\Temp\011253~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Owner\LOCALS~1\Temp\011253~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1375992]
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 06:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gv4bs3vp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Ask Toolbar for Firefox: {E9A1DEE0-C623-4439-8932-001E7D17607D} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gv4bs3vp.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}

---- FIREFOX POLICIES ----

.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-MKasc - c:\windows\drweb.exe
HKLM-Run-MKasc - c:\windows\drweb.exe
MSConfigStartUp-25281578 - c:\docume~1\Owner\LOCALS~1\Temp\25281578.exe
MSConfigStartUp-Antivirus - c:\program files\Antivirus2008\Antvrs.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-Creative WebCam Tray - c:\program files\Creative\Shared Files\CAMTRAY.EXE
MSConfigStartUp-ddoctorv2 - c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
MSConfigStartUp-EzPrint - c:\program files\Lexmark 8300 Series\ezprint.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-534 - c:\docume~1\Owner\LOCALS~1\Temp\smss.exe
MSConfigStartUp-JTLgdHcECl - c:\docume~1\Owner\LOCALS~1\Temp\JTLgdHcECl.exe
MSConfigStartUp-lxcjmon - c:\program files\Lexmark 8300 Series\lxcjmon.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\5.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL
MSConfigStartUp-suhshmon - c:\documents and settings\NetworkService\Local Settings\Application Data\karlwocvy\rpftnixshdw.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-uPc+MV0NacaXms - c:\windows\system32\s9ahis.dll
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
AddRemove-3DGreetings Personal Edition 1.0 - c:\progra~1\BRODER~1\3DGREE~1\DeIsL1.isu
AddRemove-Adobe Acrobat Reader 3.01 - c:\acrobat3\Reader\DeIsL2.isu
AddRemove-Amazon MP3 Downloader - c:\program files\Amazon\MP3 Downloader\Uninstall.exe
AddRemove-Creative WebCam NX Pro User's Guide English - c:\program files\Creative\Creative WebCam NX Pro\Creative WebCam NX Pro User's Guide\English\CTManual.isu
AddRemove-Digsby - c:\program files\Digsby\uninstall.exe
AddRemove-DittoSideBar - c:\program files\DittoSideBar\Uninstall.exe
AddRemove-DrawPlus 3.0 - c:\progra~1\BRODER~1\DrawPlus\DeIsL1.isu
AddRemove-Farm Frenzy 2 - c:\progra~1\SHOCKW~1.COM\FARMFR~1\UNWISE.EXE
AddRemove-Google Desktop - c:\program files\Google\Google Desktop Search\GoogleDesktopSetup.exe
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe
AddRemove-Lexmark 8300 Series - c:\program files\Lexmark 8300 Series\Install\x86\Uninst.exe
AddRemove-Masque Slots - c:\masque\Slots\UNWISE.EXE
AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe
AddRemove-MySpace Views Increaser - c:\progra~1\MYSPAC~1\UNWISE.EXE
AddRemove-Neopets - c:\program files\Neopets\uninst.exe
AddRemove-Photo Organizer 1.8 - c:\progra~1\BRODER~1\PHOTOO~1.8\DeIsL1.isu
AddRemove-Smart Guardian - c:\program files\ITE\Smart Guardian\Uninst.isu
AddRemove-Server2003 Display - c:\progra~1\S3\UChromeP\s3minset.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_223E2B8E7BAD9544.exe
AddRemove-BitTorrent - c:\program files\BitTorrent\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-05 00:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\cdm.dll.wusetup.199921.bak 92696 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.216546.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.221140.bak 1809944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-12-05 00:14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-05 05:14

Pre-Run: 47,257,427,968 bytes free
Post-Run: 48,021,291,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 200454F587CF087C6036CA5B0105AFDB

#4 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 05 December 2010 - 12:43 AM

Hi there,

I see you have Malwarebytes... please be sure it's updated and have a scan with it. Post the report in your reply, and please let me know how it's running now. :)

Thanks,
tea

#5 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 13 December 2010 - 03:43 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.