Brianzx7

  1. Well, the file has not returned, so that is a good sign. Thank you again for helping me. On a slightly different note, why would anybody be so bored that they create these things to screw with people's computers? Do you think the perps should be tracked down and fined and/or imprisoned? I do. ~B
  2. Thank you very much for taking the time to help me! Here is the ComboFix log after I ran it with the CFScript.

     ComboFix 09-04-04.01 - Brian 2009-04-06 14:22:39.3 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.583 [GMT -7:00]
     Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
      * Created a new restore point

     FILE ::
     c:\windows\cpstrl.dll
     c:\windows\ujoduvakadevi.dll
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\windows\cpstrl.dll
     c:\windows\ujoduvakadevi.dll

     .
     ((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
     .

     2009-04-06 13:14 . 2009-04-06 13:14  <DIR>  d--------  c:\program files\Trend Micro
     2009-04-06 12:06 . 2009-04-06 12:06  <DIR>  d--------  c:\program files\CCleaner
     2009-04-02 08:25 . 2009-04-02 11:06  <DIR>  d--------  c:\documents and settings\Brian\.housecall6.6
     2009-03-29 13:19 . 2009-03-29 13:19  <DIR>  d--------  c:\program files\ffdshow
     2009-03-29 13:19 . 2008-12-11 13:27  547  --a------  c:\windows\system32\ff_vfw.dll.manifest
     2009-03-29 13:03 . 2009-03-29 13:51  <DIR>  d--------  c:\documents and settings\Brian\Application Data\FLV Extract
     2009-03-24 17:50 . 2009-03-24 17:50  <DIR>  d--------  c:\documents and settings\All Users\Application Data\ALM
     2009-03-20 23:48 . 2009-03-20 23:48  <DIR>  d--------  c:\program files\Real
     2009-03-20 23:48 . 2009-03-20 23:48  <DIR>  d--------  c:\program files\Common Files\xing shared
     2009-03-20 23:48 . 2009-03-20 23:48  <DIR>  d--------  c:\program files\Common Files\Real
     2009-03-20 23:07 . 2009-03-27 21:52  237,568  --a------  c:\windows\system32\rmc_rtspdl.dll
     2009-03-20 23:07 . 2009-03-27 21:52  156,672  --a------  c:\windows\system32\rmc_fixasf.exe
     2009-03-20 23:06 . 2009-03-20 23:06  <DIR>  d--------  c:\windows\Replay Media Catcher
     2009-03-20 23:06 . 2009-03-27 23:29  <DIR>  d--------  c:\program files\Replay Media Catcher
     2009-03-20 23:06 . 2009-03-27 21:52  323,584  --a------  c:\windows\system32\AUDIOGENIE2.DLL
     2009-03-19 17:01 . 2009-03-19 17:53  <DIR>  d--------  c:\program files\iTunes
     2009-03-19 17:01 . 2009-03-19 17:01  <DIR>  d--------  c:\program files\iPod
     2009-03-19 17:01 . 2009-03-19 17:02  <DIR>  d--------  c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
     2009-03-19 16:55 . 2009-03-05 23:59  1,900,544  --a------  c:\windows\system32\usbaaplrc.dll
     2009-03-11 17:02 . 2009-03-11 16:51  15,688  --a------  c:\windows\system32\lsdelete.exe
     2009-03-11 16:51 . 2009-03-11 16:50  64,160  --a------  c:\windows\system32\drivers\Lbd.sys
     2009-03-11 16:45 . 2009-03-11 16:45  <DIR>  d--h-c---  c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-04-02 15:25  102,664  ----a-w  c:\windows\system32\drivers\tmcomm.sys
     2009-04-01 03:29  ---------  d-----w  c:\program files\Java
     2009-03-29 19:48  ---------  d-----w  c:\program files\Avidemux 2.4
     2009-03-29 19:41  ---------  d-----w  c:\documents and settings\Brian\Application Data\Audacity
     2009-03-28 01:50  ---------  d-----w  c:\documents and settings\Brian\Application Data\gtk-2.0
     2009-03-27 18:12  ---------  d-----w  c:\program files\Malwarebytes' Anti-Malware
     2009-03-26 23:49  38,496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
     2009-03-26 23:49  15,504  ----a-w  c:\windows\system32\drivers\mbam.sys
     2009-03-25 23:32  ---------  d-----w  c:\documents and settings\Brian\Application Data\AVS4YOU
     2009-03-20 00:53  ---------  d-----w  c:\documents and settings\Brian\Application Data\Apple Computer
     2009-03-20 00:01  ---------  d-----w  c:\program files\Common Files\Apple
     2009-03-20 00:00  ---------  d-----w  c:\program files\Bonjour
     2009-03-19 23:59  ---------  d-----w  c:\program files\QuickTime
     2009-03-17 04:44  ---------  d-----w  c:\documents and settings\Brian\Application Data\Move Networks
     2009-03-12 00:22  ---------  d-----w  c:\documents and settings\All Users\Application Data\RapidSolution
     2009-03-11 15:01  ---------  d-----w  c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-03-06 06:59  36,864  ----a-w  c:\windows\system32\drivers\usbaapl.sys
     2009-02-26 20:38  ---------  d-----w  c:\program files\Microsoft Silverlight
     2009-02-24 05:13  ---------  d-----w  c:\program files\Free Video Tools
     2009-02-20 20:43  ---------  d-----w  c:\documents and settings\Brian\Application Data\vlc
     2009-02-20 20:35  ---------  d-----w  c:\program files\VideoLAN
     2009-02-19 23:25  ---------  d-----w  c:\program files\iTunes Library Updater
     2009-02-19 18:53  ---------  d-----w  c:\program files\Common Files\AVSMedia
     2009-02-19 18:53  ---------  d-----w  c:\program files\AVS4YOU
     2009-02-19 18:53  ---------  d-----w  c:\documents and settings\All Users\Application Data\AVS4YOU
     2009-02-19 18:19  ---------  d-----w  c:\program files\PixiePack Codec Pack
     2009-02-19 18:16  ---------  d-----w  c:\program files\RapidSolution
     2009-02-19 18:09  ---------  d-----w  c:\program files\Ultra QuickTime Converter
     2009-02-19 18:03  ---------  d-----w  c:\program files\MediaCoder
     2009-02-19 18:03  ---------  d-----w  c:\documents and settings\Brian\Application Data\Broad Intelligence
     2009-02-19 04:08  ---------  d-----w  c:\documents and settings\Brian\Application Data\ImTOO Software Studio
     2009-02-19 04:07  ---------  d-----w  c:\program files\ImTOO

     .
     ((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.28.54.90 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2009-04-02 22:43:49  16,384  ----a-w  c:\windows\system32\config\systemprofile\Cookies\index.dat
     + 2009-04-06 20:05:15  16,384  ----a-w  c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2009-04-02 22:43:49  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2009-04-06 20:05:15  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2009-04-02 22:43:49  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2009-04-06 20:05:15  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     - 2009-04-06 18:38:17  64,774  ----a-w  c:\windows\system32\perfc009.dat
     + 2009-04-06 20:50:21  64,774  ----a-w  c:\windows\system32\perfc009.dat
     - 2009-04-06 18:38:17  409,800  ----a-w  c:\windows\system32\perfh009.dat
     + 2009-04-06 20:50:21  409,800  ----a-w  c:\windows\system32\perfh009.dat
     + 2009-04-06 21:26:08  16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_374.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
     "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-08 344064]
     "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
     "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
     "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
     "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]
     "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
     "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-20 25214]
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-20 113664]
     Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]
     DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-04-07 184320]
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]
     R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
     R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [2007-09-21 131072]
     R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-04-07 88192]
     S2 UndeleteService;Executive Software Undelete;"c:\program files\Executive Software\Undelete\UdServe.exe" --> c:\program files\Executive Software\Undelete\UdServe.exe [?]
     S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-10 109080]
     S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]
     S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-06-01 17024]
     S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-06-01 120960]
     S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-06-01 8064]
     S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-06-01 36992]
     S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-10 17920]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-10 7680]
     S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-10 42112]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
     c:\program files\PixiePack Codec Pack\InstallerHelper.exe
     .
     Contents of the 'Scheduled Tasks' folder

     2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 16:49]

     2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local
     uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
     IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
     IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
     IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     LSP: bmnet.dll
     Trusted Zone: internet
     Trusted Zone: mcafee.com
     Trusted Zone: turbotax.com
     FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\
     FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
     FF - plugin: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
     .

     **************************************************************************

     catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-04-06 14:26:30
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(984)
     c:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'lsass.exe'(1040)
     c:\windows\system32\bmnet.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\scardsvr.exe
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\windows\system32\bmwebcfg.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     c:\windows\system32\Crypserv.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Analog Devices\SoundMAX\SMAgent.exe
     c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
     c:\windows\system32\ati2evxx.exe
     c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
     c:\program files\iPod\bin\iPodService.exe
     c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
     c:\windows\system32\wbem\wmiadap.exe
     .
     **************************************************************************
     .
     Completion time: 2009-04-06 14:30:12 - machine was rebooted
     ComboFix-quarantined-files.txt  2009-04-06 21:30:10
     ComboFix2.txt  2009-04-06 20:49:54
     ComboFix3.txt  2009-04-06 19:29:40

     Pre-Run: 7,050,506,240 bytes free
     Post-Run: 7,033,880,576 bytes free

     227 --- E O F --- 2009-03-20 10:02:17
  3. Here is the ComboFix log:

     ComboFix 09-04-04.01 - Brian 2009-04-06 13:40:45.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.642 [GMT -7:00]
     Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
     .
     ((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
     .

     2009-04-06 13:14 . 2009-04-06 13:14  <DIR>  d--------  c:\program files\Trend Micro
     2009-04-06 12:06 . 2009-04-06 12:06  <DIR>  d--------  c:\program files\CCleaner
     2009-04-02 08:25 . 2009-04-02 11:06  <DIR>  d--------  c:\documents and settings\Brian\.housecall6.6
     2009-03-29 13:19 . 2009-03-29 13:19  <DIR>  d--------  c:\program files\ffdshow
     2009-03-29 13:19 . 2008-12-11 13:27  547  --a------  c:\windows\system32\ff_vfw.dll.manifest
     2009-03-29 13:03 . 2009-03-29 13:51  <DIR>  d--------  c:\documents and settings\Brian\Application Data\FLV Extract
     2009-03-24 17:50 . 2009-03-24 17:50  <DIR>  d--------  c:\documents and settings\All Users\Application Data\ALM
     2009-03-20 23:48 . 2009-03-20 23:48  <DIR>  d--------  c:\program files\Real
     2009-03-20 23:48 . 2009-03-20 23:48  <DIR>  d--------  c:\program files\Common Files\xing shared
     2009-03-20 23:48 . 2009-03-20 23:48  <DIR>  d--------  c:\program files\Common Files\Real
     2009-03-20 23:07 . 2009-03-27 21:52  237,568  --a------  c:\windows\system32\rmc_rtspdl.dll
     2009-03-20 23:07 . 2009-03-27 21:52  156,672  --a------  c:\windows\system32\rmc_fixasf.exe
     2009-03-20 23:06 . 2009-03-20 23:06  <DIR>  d--------  c:\windows\Replay Media Catcher
     2009-03-20 23:06 . 2009-03-27 23:29  <DIR>  d--------  c:\program files\Replay Media Catcher
     2009-03-20 23:06 . 2009-03-27 21:52  323,584  --a------  c:\windows\system32\AUDIOGENIE2.DLL
     2009-03-19 17:01 . 2009-03-19 17:53  <DIR>  d--------  c:\program files\iTunes
     2009-03-19 17:01 . 2009-03-19 17:01  <DIR>  d--------  c:\program files\iPod
     2009-03-19 17:01 . 2009-03-19 17:02  <DIR>  d--------  c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
     2009-03-19 16:55 . 2009-03-05 23:59  1,900,544  --a------  c:\windows\system32\usbaaplrc.dll
     2009-03-11 17:02 . 2009-03-11 16:51  15,688  --a------  c:\windows\system32\lsdelete.exe
     2009-03-11 16:51 . 2009-03-11 16:50  64,160  --a------  c:\windows\system32\drivers\Lbd.sys
     2009-03-11 16:45 . 2009-03-11 16:45  <DIR>  d--h-c---  c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-04-02 15:25  102,664  ----a-w  c:\windows\system32\drivers\tmcomm.sys
     2009-04-01 03:29  ---------  d-----w  c:\program files\Java
     2009-03-29 19:48  ---------  d-----w  c:\program files\Avidemux 2.4
     2009-03-29 19:41  ---------  d-----w  c:\documents and settings\Brian\Application Data\Audacity
     2009-03-28 01:50  ---------  d-----w  c:\documents and settings\Brian\Application Data\gtk-2.0
     2009-03-27 18:12  ---------  d-----w  c:\program files\Malwarebytes' Anti-Malware
     2009-03-26 23:49  38,496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
     2009-03-26 23:49  15,504  ----a-w  c:\windows\system32\drivers\mbam.sys
     2009-03-25 23:32  ---------  d-----w  c:\documents and settings\Brian\Application Data\AVS4YOU
     2009-03-20 00:53  ---------  d-----w  c:\documents and settings\Brian\Application Data\Apple Computer
     2009-03-20 00:01  ---------  d-----w  c:\program files\Common Files\Apple
     2009-03-20 00:00  ---------  d-----w  c:\program files\Bonjour
     2009-03-19 23:59  ---------  d-----w  c:\program files\QuickTime
     2009-03-17 04:44  ---------  d-----w  c:\documents and settings\Brian\Application Data\Move Networks
     2009-03-12 00:22  ---------  d-----w  c:\documents and settings\All Users\Application Data\RapidSolution
     2009-03-11 15:01  ---------  d-----w  c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-03-06 06:59  36,864  ----a-w  c:\windows\system32\drivers\usbaapl.sys
     2009-02-26 20:38  ---------  d-----w  c:\program files\Microsoft Silverlight
     2009-02-24 05:13  ---------  d-----w  c:\program files\Free Video Tools
     2009-02-20 20:43  ---------  d-----w  c:\documents and settings\Brian\Application Data\vlc
     2009-02-20 20:35  ---------  d-----w  c:\program files\VideoLAN
     2009-02-19 23:25  ---------  d-----w  c:\program files\iTunes Library Updater
     2009-02-19 18:53  ---------  d-----w  c:\program files\Common Files\AVSMedia
     2009-02-19 18:53  ---------  d-----w  c:\program files\AVS4YOU
     2009-02-19 18:53  ---------  d-----w  c:\documents and settings\All Users\Application Data\AVS4YOU
     2009-02-19 18:19  ---------  d-----w  c:\program files\PixiePack Codec Pack
     2009-02-19 18:16  ---------  d-----w  c:\program files\RapidSolution
     2009-02-19 18:09  ---------  d-----w  c:\program files\Ultra QuickTime Converter
     2009-02-19 18:03  ---------  d-----w  c:\program files\MediaCoder
     2009-02-19 18:03  ---------  d-----w  c:\documents and settings\Brian\Application Data\Broad Intelligence
     2009-02-19 04:08  ---------  d-----w  c:\documents and settings\Brian\Application Data\ImTOO Software Studio
     2009-02-19 04:07  ---------  d-----w  c:\program files\ImTOO

     .
     ((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.28.54.90 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2009-04-02 22:43:49  16,384  ----a-w  c:\windows\system32\config\systemprofile\Cookies\index.dat
     + 2009-04-06 20:05:15  16,384  ----a-w  c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2009-04-02 22:43:49  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2009-04-06 20:05:15  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2009-04-02 22:43:49  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2009-04-06 20:05:15  32,768  ----a-w  c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     - 2009-04-06 18:38:17  64,774  ----a-w  c:\windows\system32\perfc009.dat
     + 2009-04-06 20:05:44  64,774  ----a-w  c:\windows\system32\perfc009.dat
     - 2009-04-06 18:38:17  409,800  ----a-w  c:\windows\system32\perfh009.dat
     + 2009-04-06 20:05:45  409,800  ----a-w  c:\windows\system32\perfh009.dat
     + 2009-04-06 20:45:49  16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_1a0.dat
     + 2008-04-14 00:12:08  157,696  ----a-w  c:\windows\ujoduvakadevi.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
     "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-08 344064]
     "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
     "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
     "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
     "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]
     "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
     "Hlipiyupadewiyo"="c:\windows\ujoduvakadevi.dll" [2008-04-13 157696]
     "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-20 25214]
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-20 113664]
     Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]
     DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-04-07 184320]
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages  REG_MULTI_SZ  scecli cpstrl.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]
     R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
     R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [2007-09-21 131072]
     R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-04-07 88192]
     S2 UndeleteService;Executive Software Undelete;"c:\program files\Executive Software\Undelete\UdServe.exe" --> c:\program files\Executive Software\Undelete\UdServe.exe [?]
     S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-10 109080]
     S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]
     S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-06-01 17024]
     S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-06-01 120960]
     S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-06-01 8064]
     S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-06-01 36992]
     S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-10 17920]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-10 7680]
     S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-10 42112]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
     c:\program files\PixiePack Codec Pack\InstallerHelper.exe
     .
     Contents of the 'Scheduled Tasks' folder

     2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 16:49]

     2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local
     uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
     IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
     IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
     IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     LSP: bmnet.dll
     Trusted Zone: internet
     Trusted Zone: mcafee.com
     Trusted Zone: turbotax.com
     FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\
     FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
     FF - plugin: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
     .

     **************************************************************************

     catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-04-06 13:46:07
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(988)
     c:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'lsass.exe'(1044)
     c:\windows\cpstrl.dll
     c:\windows\system32\bmnet.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\scardsvr.exe
     c:\windows\system32\ati2evxx.exe
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\windows\system32\bmwebcfg.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     c:\windows\system32\Crypserv.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Analog Devices\SoundMAX\SMAgent.exe
     c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
     c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
     c:\program files\iPod\bin\iPodService.exe
     c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
     c:\windows\system32\wbem\wmiadap.exe
     .
     **************************************************************************
     .
     Completion time: 2009-04-06 13:49:52 - machine was rebooted
     ComboFix-quarantined-files.txt  2009-04-06 20:49:49
     ComboFix2.txt  2009-04-06 19:29:40

     Pre-Run: 7,063,465,984 bytes free
     Post-Run: 7,069,171,712 bytes free

     221 --- E O F --- 2009-03-20 10:02:17
  4. Hello all, I have a strange malware that keeps coming back. Here is what it says currently in the registry:

     Hlipiyupadewiyo    rundll32.exe "C:\WINDOWS\ujoduvakadevi.dll",e

     This is located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

     Here is the ugly part. If I delete this entry, it comes back in a couple of minutes. If I run MalwareBytes, it finds it, deletes it, and it will come back. If I log into safe mode and delete the dll file (currently named "ujoduvakadevi.dll"), it will come back named something different. However, the main name always stays the same (Hlipiyupadewiyo). I have tried Ad Aware, CCleaner, ComboFix, and of course MalwareBytes. Nothing seems to get rid of it permanently. Below is the HijackThis log. Thanks for any help. ~B

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:14:41 PM, on 4/6/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
     C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
     C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
     C:\WINDOWS\AGRSMMSG.exe
     C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
     C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
     C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
     C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\WINDOWS\system32\bmwebcfg.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     C:\WINDOWS\system32\crypserv.exe
     C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
     C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\WINDOWS\regedit.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com
     O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175990021875
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
     O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...570/mcfscan.cab
     O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com,linksys.com,linksys.com,linksys.com
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com,linksys.com,linksys.com,linksys.com
     O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
     O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
     O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
     O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
     O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc.
- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Executive Software Undelete (UndeleteService) - Unknown owner - C:\Program Files\Executive Software\Undelete\UdServe.exe (file missing) -- End of file - 13582 bytes
  5. Aspirina - What was the point of finding the reg key that you can't see and writing down the name of it? ~B