Everything posted by JohnQPublic

  1. Left one line out of the AVG scan:

     Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Moved to Virus Vault";"8/24/2009, 11:14:00 AM";"file";"C:\WINDOWS\system32\svchost.exe"
  2. Got it all. Another Trojan showed up (AVG caught it):

     Resident Shield detection
     Infection;"Object";"Result";"Detection time";"Object Type";"Process"
     Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 8:06:25 PM";"file";"C:\WINDOWS\system32\svchost.exe"
     Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 5:04:58 PM";"file";"C:\WINDOWS\system32\svchost.exe"
     Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 4:21:12 PM";"file";"C:\WINDOWS\system32\svchost.exe"

     Other than that, everything is running pretty well. I did a quick scan with Malwarebytes and it did not catch anything.
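The four Resident Shield lines quoted in posts 1 and 2 all point at the same file inside a System Restore point (RP220), which is why the same detection keeps coming back. The script below is an added example, not code from this thread or from AVG: it parses that semicolon-separated format using the header line AVG prints, groups hits by object path, and separates restore-point copies from files that are actually on the live system. The restore-point path pattern and the "what to do" strings are my assumptions; the sample lines are the ones pasted above.

```python
"""Triage AVG 8 Resident Shield detection lines (added example, not AVG code)."""
import csv
import re
from collections import Counter
from datetime import datetime
from io import StringIO

# Assumption: restore-point copies live under this path, with the session GUID
# in braces and RPnnn for the restore point, as in the lines quoted in the post.
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{(?P<guid>[0-9a-f-]+)\}\\rp(?P<rp>\d+)\\",
    re.IGNORECASE,
)

# Constructed sample: the header AVG prints plus the four detections from posts 1 and 2.
SAMPLE_LOG = r'''Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 8:06:25 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 5:04:58 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 4:21:12 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Moved to Virus Vault";"8/24/2009, 11:14:00 AM";"file";"C:\WINDOWS\system32\svchost.exe"
'''


def parse_detections(text):
    """Return one dict per detection, keyed by the names in AVG's header line."""
    reader = csv.reader(StringIO(text), delimiter=";", quotechar='"')
    header = next(reader)
    rows = []
    for rec in reader:
        if len(rec) != len(header):
            continue  # blank line or a title line such as 'Resident Shield detection'
        row = dict(zip(header, rec))
        row["Detection time"] = datetime.strptime(
            row["Detection time"], "%m/%d/%Y, %I:%M:%S %p")
        rows.append(row)
    return rows


def triage(rows):
    """Group detections by object path and classify each path."""
    by_path = {}
    for row in rows:
        by_path.setdefault(row["Object"], []).append(row)
    report = []
    for path, hits in by_path.items():
        times = sorted(h["Detection time"] for h in hits)
        entry = {
            "path": path,
            "infection": hits[0]["Infection"],
            "hits": len(hits),
            "first": times[0],
            "last": times[-1],
            "results": Counter(h["Result"] for h in hits),
            # The Process column is the process whose file access triggered the
            # on-access scan; it is not necessarily the process that wrote the file.
            "triggering_processes": sorted({h["Process"] for h in hits}),
        }
        m = RESTORE_RE.match(path)
        if m:
            entry["kind"] = "restore-point copy"
            entry["restore_point"] = int(m.group("rp"))
            entry["advice"] = ("copy held by System Restore, not a file in use; "
                               "it will be flagged again until old restore points are cleared")
        else:
            entry["kind"] = "live file"
            entry["advice"] = "treat as active: find what wrote it and what loads it"
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in triage(parse_detections(SAMPLE_LOG)):
        print(f"{e['kind']}: {e['path']}")
        print(f"  {e['infection']}, {e['hits']} hits between {e['first']} and {e['last']}")
        print(f"  results: {dict(e['results'])}")
        print(f"  advice: {e['advice']}")
```

Run against the pasted lines it reports one path, classified as a restore-point copy in RP220 with four hits (three "Infected", one "Moved to Virus Vault"); the same grouping makes a genuinely new path stand out as a separate "live file" entry instead of being lost among repeats.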
  3. BTW, I turned AVG Resident Shield back on. I had turned it off earlier to see if it was part of the problem.
  4. After ComboFix things worked pretty well. I could run CoffeeCup, and the phantom DLL message disappeared. Are you Chris? Thanks! Any other suggestions?
  5. Security Check:

     Results of screen317's Security Check version 0.98.9
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     AVG Free 8.5
     Antivirus up to date! (On Access scanning disabled!)
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Spybot - Search & Destroy
     Malwarebytes' Anti-Malware
     HijackThis 2.0.2
     CCleaner (remove only)
     Java 6 Update 3
     Out of date Java installed!
     Adobe Flash Player 10
     Adobe Reader 8.1.2
     Adobe Reader 8.1.2 Security Update 1 (KB403742)
     Out of date Adobe Reader installed!
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     AVG avgwdsvc.exe
     AVG avgtray.exe
     AVG avgrsx.exe
     AVG avgnsx.exe
     AVG avgemc.exe
     AVG avgemc.exe
     Mark LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe
     Mark LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe
     Mark LOCALS~1 Temp fsonlinescanner.exe
     ``````````````````````````````
     DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
     `````````End of Log```````````
  6. F-Secure output (I'll do Security Check separately):

     Scanning Report
     Sunday, August 23, 2009 21:33:38 - 22:31:30
     Computer name: WYATT_SERVER
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\ D:\
     --------------------------------------------------------------------------------
     16 malware found
     TrackingCookie.Questionmarket (spyware)
       System (Disinfected)
     TrackingCookie.Adinterax (spyware)
       System (Disinfected)
     TrackingCookie.2o7 (spyware)
       System (Disinfected)
     TrackingCookie.Advertising (spyware)
       System (Disinfected)
     TrackingCookie.Atdmt (spyware)
       System (Disinfected)
     TrackingCookie.Doubleclick (spyware)
       System (Disinfected)
     Trojan:INI/Vundo.gen!F (spyware)
       System (Disinfected)
     Trojan.Boaxxe.P (spyware)
       System (Disinfected)
     TrackingCookie.Revsci (spyware)
       System (Disinfected)
     TrackingCookie.Specificclick (spyware)
       System (Disinfected)
     TrackingCookie.Adrevolver (spyware)
       System (Disinfected)
     TrackingCookie.Xiti (spyware)
       System (Disinfected)
     TrackingCookie.Mediaplex (spyware)
       System (Disinfected)
     TrackingCookie.Statcounter (spyware)
       System (Disinfected)
     TrackingCookie.Atwola (spyware)
       System (Disinfected)
     TrackingCookie.Yieldmanager (spyware)
       System (Disinfected)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
       Files: 72438
       System: 4890
       Not scanned: 9
     Actions:
       Disinfected: 16
       Renamed: 0
       Deleted: 0
       Not cleaned: 0
       Submitted: 0
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\HIBERFIL.SYS
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
       C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2164232128_12779520_10995
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AVG SECURITY TOOLBAR\IETOOLBAR.DLL
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics
  7. OK. Last time I ran it from the link. I guess it never completed. This time I downloaded the software and ran it. It took 20-30 minutes because every time ComboFix ran a new process, the error message with the phantom DLL popped up. Apparently it found something in one of the Windows Temporary Internet Files (I thought I had deleted them, but guess not). Here is the logfile:

     ComboFix 09-08-22.06 - Mark 08/23/2009 20:18.1.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1321 [GMT -7:00]
     Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Melva\Local Settings\Temporary Internet Files\tywisy.lib
     c:\documents and settings\Melva\Local Settings\Temporary Internet Files\ubepepi.dat
     c:\documents and settings\Melva\Local Settings\Temporary Internet Files\vizapil.bat
     c:\windows\kb913800.exe
     c:\windows\system32\drivers\zcaaqdvn.sys
     c:\windows\system32\drivers\zvrinrtq.sys
     c:\windows\system32\kinvgnp.dll
     c:\windows\system32\npziqvd.dll
     c:\windows\system32\winmm64.dll
     c:\windows\Tasks\At1.job
     c:\windows\Tasks\obbzhigi.job

     Infected copy of c:\windows\system32\imm32.dll was found and disinfected
     Restored copy from - c:\system volume information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP204\A0020273.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_TOBVGBIH
     -------\Legacy_ZVRINRTQ
     -------\Service_tobvgbih
     -------\Service_zvrinrtq

     ((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
     .
     2009-08-22 15:46 . 2009-08-02 16:36 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
     2009-08-22 15:46 . 2009-08-02 16:36 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
     2009-08-22 03:52 . 2009-08-22 03:52 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
     2009-08-16 14:40 . 2009-08-16 14:40 -------- d-----w- c:\windows\system32\XPSViewer
     2009-08-16 14:40 . 2009-08-16 14:40 -------- d-----w- c:\program files\MSBuild
     2009-08-16 14:40 . 2009-08-16 14:40 -------- d-----w- c:\program files\Reference Assemblies
     2009-08-16 14:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
     2009-08-16 14:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
     2009-08-16 14:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
     2009-08-16 14:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
     2009-08-16 14:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
     2009-08-16 14:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
     2009-08-16 14:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
     2009-08-16 02:59 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
     2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
     2009-08-04 02:44 . 2009-08-04 02:44 -------- d--h--w- c:\windows\system32\GroupPolicy
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-24 01:11 . 2006-10-31 04:17 -------- d-----w- c:\program files\Trend Micro
     2009-08-23 23:40 . 2008-02-07 04:51 -------- d-----w- c:\program files\CoffeeCup Software
     2009-08-22 15:46 . 2009-01-19 07:18 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2009-08-22 15:46 . 2009-01-19 07:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll
     2009-08-22 15:46 . 2009-01-19 07:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2009-08-22 05:35 . 2009-01-20 03:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2009-08-22 05:31 . 2009-01-20 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2009-08-22 03:52 . 2009-01-21 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-18 04:43 . 2006-10-30 05:40 107184 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-08-06 04:07 . 2006-12-01 05:05 -------- d-----w- c:\documents and settings\Mark\Application Data\ZoomBrowser EX
     2009-08-06 04:03 . 2007-12-28 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
     2009-08-05 09:01 . 2004-08-10 20:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
     2009-08-03 20:36 . 2009-01-21 03:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-03 20:36 . 2009-01-21 03:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-07-31 04:26 . 2007-12-27 04:00 -------- d-----w- c:\documents and settings\Mark\Application Data\gtk-2.0
     2009-07-17 19:01 . 2004-08-10 20:00 58880 ----a-w- c:\windows\system32\atl.dll
     2009-07-13 17:08 . 2004-08-10 20:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
     2009-07-11 03:01 . 2009-07-11 02:59 -------- d-----w- c:\documents and settings\Melva\Application Data\gtk-2.0
     2009-06-29 16:12 . 2005-10-21 03:39 827392 ----a-w- c:\windows\system32\wininet.dll
     2009-06-29 16:12 . 2004-08-10 20:00 78336 ----a-w- c:\windows\system32\ieencode.dll
     2009-06-29 16:12 . 2004-08-10 20:00 17408 ------w- c:\windows\system32\corpol.dll
     2009-06-26 02:48 . 2009-06-26 02:48 -------- d-----w- c:\documents and settings\Melva\Application Data\HotSync
     2009-06-26 02:36 . 2007-02-18 22:22 -------- d-----w- c:\documents and settings\Mark\Application Data\Arcsoft
     2009-06-26 02:34 . 2009-06-26 02:21 -------- d-----w- c:\program files\palmOne
     2009-06-26 02:28 . 2009-06-26 02:28 -------- d-----w- c:\documents and settings\Mark\Application Data\Leadertech
     2009-06-26 02:22 . 2009-06-26 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HotSync
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\PalmDesktopShortcut.exe
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut6.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut5.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut4.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut2.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut1.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
     2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\ARPPRODUCTICON.exe
     2009-06-26 02:22 . 2009-06-26 02:22 49152 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut3.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe
     2009-06-26 02:20 . 2009-06-26 02:20 -------- d-----w- c:\documents and settings\Mark\Application Data\HotSync
     2009-06-26 02:20 . 2009-06-26 02:22 53248 ----a-w- c:\windows\PalmDevC.dll
     2009-06-26 02:20 . 2004-06-09 20:37 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys
     2009-06-26 01:41 . 2009-06-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
     2009-06-25 08:25 . 2005-06-15 17:49 301568 ----a-w- c:\windows\system32\kerberos.dll
     2009-06-25 08:25 . 2004-10-28 01:21 730112 ----a-w- c:\windows\system32\lsasrv.dll
     2009-06-25 08:25 . 2004-08-10 20:00 56832 ----a-w- c:\windows\system32\secur32.dll
     2009-06-25 08:25 . 2004-08-10 20:00 54272 ----a-w- c:\windows\system32\wdigest.dll
     2009-06-25 08:25 . 2004-08-10 20:00 147456 ----a-w- c:\windows\system32\schannel.dll
     2009-06-25 08:25 . 2004-08-10 20:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
     2009-06-24 11:18 . 2004-08-10 20:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
     2009-06-16 14:36 . 2004-08-10 20:00 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-16 14:36 . 2004-08-10 20:00 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-14 23:07 . 2009-06-22 19:23 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
     2009-06-12 12:31 . 2004-08-10 20:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
     2009-06-12 12:31 . 2005-05-10 23:45 76288 ----a-w- c:\windows\system32\telnet.exe
     2009-06-10 16:19 . 2004-08-10 20:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
     2009-06-10 14:13 . 2004-08-10 20:00 84992 ----a-w- c:\windows\system32\avifil32.dll
     2009-06-10 06:14 . 2004-08-10 20:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
     2009-06-03 19:09 . 2005-08-30 04:13 1291264 ----a-w- c:\windows\system32\quartz.dll
     2009-06-02 14:03 . 2009-06-02 14:03 390664 ----a-w- c:\documents and settings\Mark\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
     2008-11-18 01:26 . 2008-11-18 01:26 19046 ----a-w- c:\program files\Common Files\izidyja.sys
     2008-11-18 01:26 . 2008-11-18 01:26 15208 ----a-w- c:\program files\Common Files\orud.lib
     2008-11-18 01:26 . 2008-11-18 01:26 10440 ----a-w- c:\program files\Common Files\daguh.scr
     2006-11-13 02:41 . 2006-11-13 02:41 251 ----a-w- c:\program files\wt3d.ini
     2006-10-11 08:04 . 2008-02-10 04:57 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
     2006-10-11 08:04 . 2008-02-10 04:57 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
     2006-10-11 08:05 . 2008-02-10 04:57 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
     2006-10-11 08:05 . 2008-02-10 04:57 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
     2006-10-11 08:04 . 2008-02-10 04:57 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
     2009-01-19 00:33 . 2009-01-19 00:33 1354509 --sh--w- c:\windows\system32\afayojel.tmp
     2009-01-21 03:16 . 2009-01-21 03:16 4546 --sh--w- c:\windows\system32\ropenoya.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

     [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LaunchApp"="Alaunch" [X]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
     "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-17 397312]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-18 282624]
     "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
     "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
     "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-14 1052672]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 185896]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
     "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]
     "SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]
     "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-31 16269312]
     "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-11-21 218496]

     c:\documents and settings\Mark\Start Menu\Programs\Startup\
     palmOne Registration.lnk.disabled [2009-8-19 755]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]
     HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
     Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
     Wireless 802.11g USB Adapter.lnk - c:\program files\Wireless 802.11g USB Adapter\ZDWlan.exe [2004-11-19 425984]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-08-22 15:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
     "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 12:18 AM 335240]
     R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 12:18 AM 108552]
     R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2009 12:18 AM 908056]
     R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 12:18 AM 297752]
     R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 7:04 PM 9728]
     S3 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [9/22/2007 10:49 PM 24576]

     --- Other Services/Drivers In Memory ---

     *NewlyCreated* - ZVRINRTQ
     *Deregistered* - zvrinrtq
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-23 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
     - c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2007-03-23 02:04]
     .
     - - - - ORPHANS REMOVED - - - -

     Toolbar-ID - (no file)
     SSODL-WinCheck-{EAD8F454-EC03-4B47-A5B7-6534DA513FA5} - winmm64.dll
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\a3j2hjjg.default\
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
     FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
     FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
     .

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-23 20:36
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,9f,82,be,4b,99,
        69,0a,cc,e2,63,26,f1,3f,c8,ff,68,a1,2e,d3,5f,c9,b6,4f,3b,e2,63,26,f1,3f,c8,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,b5,cc,f8,84,25,
        46,a2,21,6a,9c,d6,61,af,45,84,18,a3,2c,cb,70,2f,70,db,82,6a,9c,d6,61,af,45,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,44,83,89,9d,8a,
        db,d2,74,ff,7c,85,e0,43,d4,0e,fe,54,f3,ab,5a,a8,b9,c2,7b,ff,7c,85,e0,43,d4,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,17,bf,dd,ef,9d,
        db,b5,af,86,8c,21,01,be,91,eb,e7,63,68,f1,a3,47,ec,e4,10,86,8c,21,01,be,91,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,2e,4e,a5,0c,17,
        b9,ba,75,f5,1d,4d,73,a8,13,5c,05,a9,7b,e2,bc,fd,8e,b9,59,f5,1d,4d,73,a8,13,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,b8,85,9c,50,03,
        6f,36,af,df,20,58,62,78,6b,cf,c8,98,bd,1d,71,2f,a6,dd,e8,df,20,58,62,78,6b,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,19,14,28,0d,13,
        27,b7,7c,fb,a7,78,e6,12,2f,9a,ea,72,a6,c3,51,a6,7e,c7,0d,fb,a7,78,e6,12,2f,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,72,8b,be,65,88,
        44,55,92,01,3a,48,fc,e8,04,4a,f1,11,7d,73,c9,8c,c4,36,d2,01,3a,48,fc,e8,04,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,1b,3f,52,79,7a,
        64,9b,bb,f6,0f,4e,58,98,5b,89,c9,d6,c8,11,12,0b,f3,eb,1f,f6,0f,4e,58,98,5b,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,21,10,a6,2b,49,
        d2,0a,9f,3d,ce,ea,26,2d,45,aa,78,40,3b,26,ef,24,04,60,3e,3d,ce,ea,26,2d,45,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,34,b5,2b,96,e7,
        fd,e0,e3,2a,b7,cc,b5,b9,7f,41,e7,e5,17,53,83,5a,0f,c4,8a,2a,b7,cc,b5,b9,7f,\

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
     "ThreadingModel"="Apartment"
     @="c:\\WINDOWS\\system32\\OLE32.DLL"
     "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,ce,e6,ed,e3,3a,
        3b,2d,18,6c,43,2d,1e,aa,22,2f,9c,2d,6a,52,a6,02,98,1b,13,6c,43,2d,1e,aa,22,\
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(1564)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\progra~1\SPYBOT~1\SDHelper.dll
     c:\program files\Microsoft Office\OFFICE11\msohev.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\ehome\ehrecvr.exe
     c:\windows\ehome\ehSched.exe
     c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
     c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
     c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     c:\program files\AVG\AVG8\avgrsx.exe
     c:\progra~1\AVG\AVG8\avgnsx.exe
     c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
     c:\windows\ehome\mcrdsvc.exe
     c:\program files\Canon\CAL\CALMAIN.exe
     c:\program files\AVG\AVG8\avgcsrvx.exe
     c:\windows\system32\dllhost.exe
     c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\ehome\ehmsas.exe
     c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
     c:\program files\Internet Explorer\iexplore.exe
     .
     **************************************************************************
     .
     Completion time: 2009-08-24 20:45 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-08-24 03:45

     Pre-Run: 50,300,743,680 bytes free
     Post-Run: 51,007,373,312 bytes free

     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

     325 --- E O F --- 2009-08-17 13:26
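A ComboFix log like the one in post 7 is read by scanning its file listings and cross-checking sections against each other: the two entries at the tail of the Find3M list carry `--sh--w-` (system and hidden on a plain file in system32), a `.sys`, `.lib` and `.scr` sit directly in Common Files, and the removed `Service_zvrinrtq`/`Legacy_ZVRINRTQ` keys line up with the deleted `zvrinrtq.sys` driver while `tobvgbih` has no matching file in the deletion list. The script below is an added example, not code from the thread or from ComboFix. It assumes two things taken from the log text rather than from any documentation: the positions of the attribute letters (d at 0, s at 2, h at 3, a at 4, w or r at 6, read off entries such as `d--h--w-`, `--sh--w-` and `----a-r-`), and my own list of file types that look out of place directly under the three loader directories. The sample is an excerpt of the log above.

```python
"""Triage ComboFix file listings and the Drivers/Services block (added example)."""
import re
from collections import namedtuple

SECTION_RE = re.compile(r"^\({5,} (?P<name>.+?) \){5,}\s*$")
LISTING_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attr>[a-z-]{8}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(r"^-+\\(?:Service|Legacy)_(\w+)$", re.IGNORECASE)

# Assumption (mine, not ComboFix's): these types do not belong directly in these folders.
ODD_EXT = {
    r"c:\windows\system32": {"tmp", "bat", "lib", "scr", "dat"},
    r"c:\windows": {"tmp", "lib", "scr", "sys", "dat"},
    r"c:\program files\common files": {"sys", "lib", "scr", "tmp", "dat"},
}

Entry = namedtuple("Entry", "t1 t2 size attrs path")

# Constructed excerpt of the log in post 7 (section banners kept verbatim).
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\zcaaqdvn.sys
c:\windows\system32\drivers\zvrinrtq.sys
c:\windows\system32\winmm64.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TOBVGBIH
-------\Legacy_ZVRINRTQ
-------\Service_tobvgbih
-------\Service_zvrinrtq

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 15:46 . 2009-01-19 07:18 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 02:44 . 2009-08-04 02:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-17 19:01 . 2004-08-10 20:00 58880 ----a-w- c:\windows\system32\atl.dll
2008-11-18 01:26 . 2008-11-18 01:26 19046 ----a-w- c:\program files\Common Files\izidyja.sys
2008-11-18 01:26 . 2008-11-18 01:26 10440 ----a-w- c:\program files\Common Files\daguh.scr
2009-01-19 00:33 . 2009-01-19 00:33 1354509 --sh--w- c:\windows\system32\afayojel.tmp
2009-01-21 03:16 . 2009-01-21 03:16 4546 --sh--w- c:\windows\system32\ropenoya.dll
"""


def split_sections(text):
    """Map each '((( name )))' banner to the non-empty lines beneath it."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_listing(lines):
    """Parse 'time . time size attrs path' entries; a '--------' size marks a directory."""
    out = []
    for line in lines:
        m = LISTING_RE.match(line)
        if m:
            size = None if m.group("size").startswith("-") else int(m.group("size"))
            out.append(Entry(m.group("t1"), m.group("t2"), size, m.group("attr"), m.group("path")))
    return out


def flags_for(entry):
    """Reasons an entry deserves a look; empty for anything unremarkable."""
    a = entry.attrs
    if a[0] == "d":
        return []  # directories are not judged here (GroupPolicy is legitimately hidden)
    reasons = []
    if a[2] == "s" or a[3] == "h":  # positions read off the log's own entries
        reasons.append("hidden/system attribute on a plain file")
    folder, _, name = entry.path.lower().rpartition("\\")
    ext = name.rpartition(".")[2]
    if ext in ODD_EXT.get(folder, ()):
        reasons.append(f".{ext} dropped directly in {folder}")
    return reasons


def correlate_services(deleted_lines, service_lines):
    """Tie each removed Service_/Legacy_ key to the deleted file with the same name stem."""
    stems = {}
    for line in deleted_lines:
        if re.match(r"^[a-z]:\\", line, re.IGNORECASE):  # skip 'Infected copy of ...' notes
            name = line.rpartition("\\")[2].lower()
            stems[name.rpartition(".")[0]] = line
    matches = {}
    for line in service_lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            key = m.group(1).lower()
            matches.setdefault(key, {"keys": [], "file": stems.get(key)})
            matches[key]["keys"].append(line.strip())
    return matches


def triage(text):
    """Flagged listing entries plus the service/driver correlation, from one log text."""
    sections = split_sections(text)
    listing = [e for name, lines in sections.items()
               if name.startswith(("Files Created", "Find3M Report"))
               for e in parse_listing(lines)]
    flagged = [(e.path, flags_for(e)) for e in listing if flags_for(e)]
    services = correlate_services(sections.get("Other Deletions", []),
                                  sections.get("Drivers/Services", []))
    return {"flagged": flagged, "services": services}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reasons in result["flagged"]:
        print(f"{path}: {'; '.join(reasons)}")
    for key, info in result["services"].items():
        print(f"{key}: {', '.join(info['keys'])} -> file {info['file'] or 'not in deletion list'}")
```

On the excerpt it flags afayojel.tmp (two reasons), ropenoya.dll, izidyja.sys and daguh.scr, leaves atl.dll, avgldx86.sys and the hidden GroupPolicy directory alone, and reports that zvrinrtq's two registry keys match a deleted driver file while tobvgbih's do not, which is the kind of loose end (a service whose binary was already gone or lives somewhere the log did not list) worth chasing in the next round.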
  8. I think it is bug.txt?

     32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg
     32788R22FWJFW\PEV.exe UZIP 32788R22FWJFW\License\pv_5_2_2.zip 32788R22FWJFW\
     MOVE /Y 32788R22FWJFW\PV.exe 32788R22FWJFW\PV.cfxxe
     32788R22FWJFW\PV.cfxxe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe cmd.exe
     Killing '*.pif'
     Killing 'nircmd.*'
     Killing 'ANDRE.EXE'
     Killing 'TOLO.exe'
     Killing 'Merlin.scr'
     Killing 'jalang.exe'
     Killing 'jalangkung.exe'
     Killing 'jantungan.exe'
     Killing 'DOSEN.exe'
     Killing 'C3W3K4MPUS.exe'
     Killing 'cmd.exe'
     pv: No matching processes found
     PUSHD "C:\32788R22FWJFW"
     IF NOT EXIST pev.cfxxe COPY /Y pev.exe pev.cfxxe
             1 file(s) copied.
     IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
             1 file(s) copied.
     SET "Comspec=C:\WINDOWS\system32\cmd.execf"
     IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT
     IF EXIST OsVer EXIT
     VER 1>OsVer
     GREP.cfxxe -F "5.2." OsVer
     IF 1 == 0 GOTO Not_NT
     GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac
     IF 0 == 0 GOTO NT
     GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT
     SED.cfxxe "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00
     PEV.EXE -rtf -s+901 .\OriPath00 && (
     SED.cfxxe -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
     FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
     )
     IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
     SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter"
     Killing 'runonce.exe'
     Killing 'grpconv.exe'
     Killing 'procmon.exe'
     Killing 'ANDRE.EXE'
     Killing 'TOLO.exe'
     Killing 'Merlin.scr'
     Killing 'jalang.exe'
     Killing 'jalangkung.exe'
     Killing 'jantungan.exe'
     Killing 'DOSEN.exe'
     Killing 'C3W3K4MPUS.exe'
     pv: No matching processes found
     PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
     PV -o%f * 1>temp01
     PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
     GREP -Fif temp00 temp02 1>temp03
     SED "/.* /!d; s///" temp03 1>temp04
     SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
     FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
     )
     CALL :MDCheck
     Could Not Find C:\32788R22FWJFW\md5sum00.pif
     PEV -rtf -md5126C7AECC7661C72C07A152473315731 .\md5sum.pif || CALL :MDFaiL ChkSum_Fail .\md5sum.pif
     PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat
     GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat
     GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL
     GOTO :EOF
     =============================================
     ALLUSERSPROFILE=C:\Documents and Settings\All Users
     APPDATA=C:\Documents and Settings\Mark\Application Data
     cfExt=cfxxe
     CFLDR=32788R22FWJFW
     Chksum=126C7AECC7661C72C07A152473315731
     CLASSPATH=.;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
     CLIENTNAME=Console
     CommonProgramFiles=C:\Program Files\Common Files
     COMPUTERNAME=WYATT_SERVER
     ComSpec=C:\WINDOWS\system32\cmd.execf
     FP_NO_HOST_CHECK=NO
     HOMEDRIVE=C:
     HOMEPATH=\Documents and Settings\Mark
     KMD=CF13024.exe
     LOGONSERVER=\\WYATT_SERVER
     NUMBER_OF_PROCESSORS=2
     OS=Windows_NT
     Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
     PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
     PROCESSOR_ARCHITECTURE=x86
     PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 2, GenuineIntel
     PROCESSOR_LEVEL=15
     PROCESSOR_REVISION=0602
     ProgramFiles=C:\Program Files
     PROMPT=$
     Qrntn=C:\Qoobox\Quarantine
     QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
     RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
     RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
     SESSIONNAME=Console
     sfxcmd="C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe"
     sfxname=C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe
     SYSTEM=C:\WINDOWS\system32
     SystemDrive=C:
     SystemRoot=C:\WINDOWS
     TEMP=C:\DOCUME~1\Mark\LOCALS~1\Temp
     TMP=C:\DOCUME~1\Mark\LOCALS~1\Temp
     USERDOMAIN=WYATT_SERVER
     USERNAME=Mark
     USERPROFILE=C:\Documents and Settings\Mark
     windir=C:\WINDOWS
     =============================================
     IF NOT DEFINED sfxname GOTO END
     GREP -F \ temp01 && CALL :Aux
     GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )
         Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
     CALL LANG.bat
     Active code page: 1252
     SET SfxCmd 1>SET00
     SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Documents and Settings\\Mark\\Local Settings\\Temporary Internet Files\\Content.IE5\\SHTIP1GP\\ComboFix[1].exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd
     DEL /A/F SET00
     ATTRIB +R "C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe"
     @SET SfxCmd="C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe"
     CALL sfx.cmd
     CALL AV.cmd
     SET /a AVCount+=1
     CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
     IF NOT EXIST AvBlack00 GREP -Fisf AVBlack resident.txt 1>AvBlack00 && (
     SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
     FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"
     CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
     )
     GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
     SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
     NIRCMD LOOP 2 80 BEEP 3000 200
     IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
     IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
     )
     DEL /A/F/Q AVChk? AvWhite AvBlack AvBlack0?
     SET AVCount=
     IF EXIST vista.mac CALL :Vista
     GREP -Fx "REGEDIT4" Fin.dat || (
     ECHO.1>"C:\DOCUME~1\Mark\LOCALS~1\Temp\tdsstdss"
     PEV -rtf "C:\DOCUME~1\Mark\LOCALS~1\Temp\tdsstdss" || (
     ECHO.1>wtf_tdssserv
     CALL c.bat
     GOTO END
     )
     GOTO AbortD
     )
     REGEDIT4
     IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort
     IF EXIST "C:\DOCUME~1\Mark\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log" DEL /A/F "C:\DOCUME~1\Mark\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log"
     COPY /Y /B "C:\WINDOWS\system32\cmd.execf" "C:\WINDOWS\system32\CF13024.exe"
             1 file(s) copied.
Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:24 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Thanks!
  9. I had a Trojan of some type (Trojan horse PSW.Agent.ABTH, msmtqvswmyk.dll). I think I got rid of it between AVG and malwarebytes. I cannot run CoffeeCup HTML editor. I upgraded from 2007 to 2009, and it will not start. In Task Manager I see it pop up, but after I get the error message (below), it disappears and does not spawn. Now the remnant problem is that when I boot, or even in normal operation, whenever Windows XP loads an application I get the following error (pop-up message window):

<xxx>.exe - Unable To Locate Component (where "xxx" is the name of the application)
<big red X in circle> This application has failed to start because msmqvswmyk.dll was not found. Re-installing the application may fix this problem.

I have searched for the dll in regedit - no luck. (Googling it produces nothing. I am sure this is a trojan dll.) My brother (who does some sys work) had me look in some typical registry locations, but nothing unusual. Thanks!

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/23/2009 6:10:51 PM
mbam-log-2009-08-23 (18-10-51).txt

Scan type: Quick Scan
Objects scanned: 149921
Time elapsed: 17 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:05 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {1A849F91-7AC3-4C01-BA4E-BEC8417506E3} - c:\windows\system32\npziqvd.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [renagiyine] Rundll32.exe "C:\WINDOWS\system32\weruwoge.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')
O4 - Startup: palmOne Registration.lnk.disabled
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: lhhbhc.dll jfrejc.dll avgrsstx.dll c:\windows\system32\kufubabe.dll jbdgjt.dll ,
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: mgkiqfwl - C:\WINDOWS\SYSTEM32\npziqvd.dll
O20 - Winlogon Notify: Winlogon - C:\WINDOWS\SYSTEM32\winmm64.dll
O21 - SSODL: WinCheck - {EAD8F454-EC03-4B47-A5B7-6534DA513FA5} - winmm64.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel
  10. I had a Trojan of some type (Trojan horse PSW.Agent.ABTH, msmtqvswmyk.dll). I think I got rid of it between AVG and malwarebytes. Now the remnant problem is that when I boot, or even in normal operation, whenever Windows XP loads an application I get the following error (pop-up message window):

<xxx>.exe - Unable To Locate Component (where "xxx" is the name of the application)
<big red X in circle> This application has failed to start because msmqvswmyk.dll was not found. Re-installing the application may fix this problem.

I have searched for the dll in regedit - no luck. (Googling it produces nothing. I am sure this is a trojan dll.) My brother (who does some sys work) had me look in some typical registry locations, but nothing unusual. Any tips? Thanks!