
Here we go-

Got a trojan via a WRC torrent DL with IE7. I first noticed that my McAfee had disabled itself. Immediately, I went to system restore, but all the restore points previous to infection were deleted/hidden. I already had Malwarebytes installed, and ran it straight away. It returned several results which were deleted. My comp also had AdAware and SpyBot (newest versions) installed, which I ran as well. Both detected small malware, which was deleted.

After restart, McAfee initialized in a disabled state. Firefox is working, but IE7 returns exponential numbers of popups. After startup, if I run anti-spyware, a trojan is usually detected. If I delete the trojan, there is no significant change for a few minutes, then randomly a prompt: "Generic Host Process for Win32 services has encountered a problem and needs to close..." If I try to initialize an app after that message, the OS sorta crashes, where nothing will load: no task manager will pop up, no shut down window, etc.

I've got my MWB and HJT logs here. I'll post my McAfee log at the end, if it helps. If you need, I can take a screenshot of active processes and post.

Please help!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:57:22 PM, on 2/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: {e50ee11a-c2b8-2708-f7b4-323b11df1dc9} - {9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} - C:\WINDOWS\system32\mvoqas.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O20 - AppInit_DLLs: mvoqas.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--

End of file - 8679 bytes

Malwarebytes' Anti-Malware 1.31

Database version: 1525

Windows 5.1.2600 Service Pack 3

2/20/2009 5:46:28 PM

mbam-log-2009-02-20 (17-46-28).txt

Scan type: Quick Scan

Objects scanned: 55712

Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\Documents and Settings\Marcus\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marcus\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

McAfee:

2/12/2009 2:21:35 AM Statistics:

2/12/2009 2:21:35 AM Files scanned: 19329

2/12/2009 2:21:35 AM Files detected: 1

2/12/2009 2:21:35 AM Files cleaned: 0

2/12/2009 2:21:35 AM Files deleted: 1

2/12/2009 2:21:35 AM Files moved: 0

2/12/2009 12:09:23 PM Engine version = 5.3.00

2/12/2009 12:09:23 PM DAT version = 5514

2/12/2009 12:09:23 PM Number of virus signatures in EXTRA.DAT = None

2/12/2009 12:09:23 PM Names of viruses that EXTRA.DAT can detect = None

2/12/2009 12:09:53 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\RuntimeTypeInfoSet.class (Virus)

2/12/2009 12:21:53 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\TypeInfoImpl.class (Virus)

2/12/2009 8:55:30 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)

2/12/2009 9:03:38 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\WINDOWS\Driver Cache\i386\driver.cab\CTABCEP2.GPD (Virus)

2/12/2009 9:12:28 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Program Files\Activision\Call of Duty 2\main\iw_13.iwd\mtl_metal_chimney (Virus)

2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityFirewallOpenPorts.zip

2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityFirewallOpenPorts1.zip

2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WarezPP.zip

2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip

2/12/2009 9:45:08 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\Marcus\Desktop\Adobe Photoshop CS2 9.0 Final\Photoshop CS2\Adobe® Photoshop® CS2\commonfilesinstaller\Data1.cab\SING.DLL (Virus)

2/12/2009 9:45:23 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\Marcus\Desktop\Adobe Photoshop CS2 9.0 Final\Photoshop CS2\Adobe® Photoshop® CS2\Data1.cab\VERSIONCUEUI.DLL (Virus)

2/12/2009 9:48:57 PM Engine version = 5.3.00

2/12/2009 9:48:57 PM DAT version = 5524

2/12/2009 9:48:57 PM Number of virus signatures in EXTRA.DAT = None

2/12/2009 9:48:57 PM Names of viruses that EXTRA.DAT can detect = None

2/12/2009 9:50:19 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\Init$1.class (Virus)

2/12/2009 10:09:31 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\DTMNodeList.class (Virus)

2/13/2009 1:40:44 AM Engine version = 5.3.00

2/13/2009 1:40:44 AM DAT version = 5524

2/13/2009 1:40:44 AM Number of virus signatures in EXTRA.DAT = None

2/13/2009 1:40:44 AM Names of viruses that EXTRA.DAT can detect = None

2/13/2009 1:41:27 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\SerializerFactory.class (Virus)

2/13/2009 11:43:27 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\RegistrationDocument.class (Virus)

2/14/2009 3:05:56 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\motif_sv.class (Virus)

2/14/2009 7:11:44 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)

2/15/2009 4:54:57 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)

2/15/2009 8:33:53 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)

2/15/2009 9:15:40 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)

2/15/2009 9:24:06 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)

2/17/2009 10:31:28 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\DigestMD5Base.class (Virus)

2/17/2009 4:19:51 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\WindowsIconFactory$CheckBoxIcon.class (Virus)

2/18/2009 10:32:13 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\NamespaceMappings.class (Virus)

2/18/2009 6:00:43 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\FuncHere.class (Virus)

2/18/2009 7:33:44 PM Statistics:

2/18/2009 7:33:44 PM Files scanned: 30376

2/18/2009 7:33:44 PM Files detected: 0

2/18/2009 7:33:44 PM Files cleaned: 0

2/18/2009 7:33:44 PM Files deleted: 0

2/18/2009 7:33:44 PM Files moved: 0

2/18/2009 9:41:44 PM Engine version = 5.3.00

2/18/2009 9:41:44 PM DAT version = 5524

2/18/2009 9:41:44 PM Number of virus signatures in EXTRA.DAT = None

2/18/2009 9:41:44 PM Names of viruses that EXTRA.DAT can detect = None

2/18/2009 9:42:17 PM Not scanned (scan timed out) GENERALLEE\Marcus WgaTray.exe C:\Program Files\Java\jre6\lib\rt.jar\XSSimpleTypeDecl$2.class (Virus)

2/18/2009 9:50:45 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\BootstrapResolver.class (Virus)

2/19/2009 12:17:23 AM Statistics:

2/19/2009 12:17:23 AM Files scanned: 2185

2/19/2009 12:17:23 AM Files detected: 0

2/19/2009 12:17:23 AM Files cleaned: 0

2/19/2009 12:17:23 AM Files deleted: 0

2/19/2009 12:17:23 AM Files moved: 0

2/19/2009 12:25:35 AM Engine version = 5.3.00

2/19/2009 12:25:35 AM DAT version = 5524

2/19/2009 12:25:35 AM Number of virus signatures in EXTRA.DAT = None

2/19/2009 12:25:35 AM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 12:25:50 AM Cleaned C:\WINDOWS\system32\prunnet.exe Generic.dx (Trojan)

2/19/2009 12:29:53 AM Statistics:

2/19/2009 12:29:53 AM Files scanned: 0

2/19/2009 12:29:53 AM Files detected: 1

2/19/2009 12:29:53 AM Files cleaned: 0

2/19/2009 12:29:53 AM Files deleted: 0

2/19/2009 12:29:53 AM Files moved: 0

2/19/2009 12:31:51 AM Engine version = 5.3.00

2/19/2009 12:31:51 AM DAT version = 5524

2/19/2009 12:31:51 AM Number of virus signatures in EXTRA.DAT = None

2/19/2009 12:31:51 AM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 1:51:31 AM Engine version = 5.3.00

2/19/2009 1:51:31 AM DAT version = 5524

2/19/2009 1:51:31 AM Number of virus signatures in EXTRA.DAT = None

2/19/2009 1:51:31 AM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 10:04:24 AM Engine version = 5.3.00

2/19/2009 10:04:24 AM DAT version = 5524

2/19/2009 10:04:24 AM Number of virus signatures in EXTRA.DAT = None

2/19/2009 10:04:24 AM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 10:08:04 AM Statistics:

2/19/2009 10:08:04 AM Files scanned: 0

2/19/2009 10:08:04 AM Files detected: 0

2/19/2009 10:08:04 AM Files cleaned: 0

2/19/2009 10:08:04 AM Files deleted: 0

2/19/2009 10:08:04 AM Files moved: 0

2/19/2009 10:10:32 AM Engine version = 5.3.00

2/19/2009 10:10:32 AM DAT version = 5524

2/19/2009 10:10:32 AM Number of virus signatures in EXTRA.DAT = None

2/19/2009 10:10:32 AM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 4:33:38 PM Engine version = 5.3.00

2/19/2009 4:33:38 PM DAT version = 5524

2/19/2009 4:33:38 PM Number of virus signatures in EXTRA.DAT = None

2/19/2009 4:33:38 PM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 4:49:17 PM Statistics:

2/19/2009 4:49:17 PM Files scanned: 1

2/19/2009 4:49:17 PM Files detected: 0

2/19/2009 4:49:17 PM Files cleaned: 0

2/19/2009 4:49:17 PM Files deleted: 0

2/19/2009 4:49:17 PM Files moved: 0

2/19/2009 4:52:57 PM Engine version = 5.3.00

2/19/2009 4:52:57 PM DAT version = 5524

2/19/2009 4:52:57 PM Number of virus signatures in EXTRA.DAT = None

2/19/2009 4:52:57 PM Names of viruses that EXTRA.DAT can detect = None

2/20/2009 12:45:25 AM Engine version = 5.3.00

2/20/2009 12:45:25 AM DAT version = 5524

2/20/2009 12:45:25 AM Number of virus signatures in EXTRA.DAT = None

2/20/2009 12:45:25 AM Names of viruses that EXTRA.DAT can detect = None

2/20/2009 8:45:35 AM Engine version = 5.3.00

2/20/2009 8:45:35 AM DAT version = 5524

2/20/2009 8:45:35 AM Number of virus signatures in EXTRA.DAT = None

2/20/2009 8:45:35 AM Names of viruses that EXTRA.DAT can detect = None

2/20/2009 5:18:32 PM Engine version = 5.3.00

2/20/2009 5:18:32 PM DAT version = 5524

2/20/2009 5:18:32 PM Number of virus signatures in EXTRA.DAT = None

2/20/2009 5:18:32 PM Names of viruses that EXTRA.DAT can detect = None

2/20/2009 5:41:00 PM Engine version = 5.3.00

2/20/2009 5:41:00 PM DAT version = 5524

2/20/2009 5:41:00 PM Number of virus signatures in EXTRA.DAT = None

2/20/2009 5:41:00 PM Names of viruses that EXTRA.DAT can detect = None

2/20/2009 5:47:08 PM Statistics:

2/20/2009 5:47:08 PM Files scanned: 0

2/20/2009 5:47:08 PM Files detected: 0

2/20/2009 5:47:08 PM Files cleaned: 0

2/20/2009 5:47:08 PM Files deleted: 0

2/20/2009 5:47:08 PM Files moved: 0

2/20/2009 5:49:35 PM Engine version = 5.3.00

2/20/2009 5:49:35 PM DAT version = 5524

2/20/2009 5:49:35 PM Number of virus signatures in EXTRA.DAT = None

2/20/2009 5:49:35 PM Names of viruses that EXTRA.DAT can detect = None

Thanks Again!


Thanks for the Help. I did as you asked. As a heads up: when I ran the updated MWB, spyware SD resident came up with an alert saying "Browser helper object value added" with a long serial number for the process that started (9cd1fd11-b323-4d7f- ......) I don't think it was a MWB process, might be related to the trojan.

Not to sound ungrateful (I'm anything but), but this LOP S&D software is a little sketchy. Small and French? Please don't ask me to DL any additional tools unless absolutely necessary. I already listed my armada of installed tools, and it doesn't seem like I should need any more. Unless that's the only way.

Thanks again!

Updated MWB log:

Malwarebytes' Anti-Malware 1.34

Database version: 1782

Windows 5.1.2600 Service Pack 3

2/20/2009 6:56:59 PM

mbam-log-2009-02-20 (18-56-59).txt

Scan type: Quick Scan

Objects scanned: 68998

Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\mvoqas.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\mvoqas.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ungrdxwa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\senekakxmifuxf.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\senekaobwgwsrn.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\ddcYqOgh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\senekawqdutehb.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\senekabgiteqot.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\senekamliltabd.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\senekaqatxthsm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Here is the LOP SD log

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )

BIOS : Phoenix ROM BIOS PLUS Version 1.10 A01

USER : Marcus ( Administrator )

BOOT : Normal boot

C:\ (Local Disk) - NTFS - Total:144 Go (Free:11 Go)

D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Fri 02/20/2009|19:07 )

--------------------\\ Listing folders in APPLIC~1

[09/10/2005|12:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative

[08/19/2004|01:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities

[09/10/2005|11:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Jasc Software Inc

[09/10/2005|11:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[09/10/2005|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun

[09/10/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[04/23/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[04/23/2006|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems

[09/14/2005|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL

[01/24/2007|07:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[05/26/2007|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software

[03/29/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell

[04/11/2008|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek

[10/02/2005|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP

[09/10/2005|11:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield

[09/10/2005|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit

[12/19/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft

[12/20/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[11/04/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[09/14/2005|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates

[09/10/2005|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime

[08/19/2004|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI

[12/20/2008|05:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[09/14/2005|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec

[05/28/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[09/10/2005|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative

[08/19/2004|01:14] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities

[09/10/2005|11:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc

[08/19/2004|12:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[09/10/2005|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun

[09/10/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[03/10/2006|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[12/04/2008|10:11] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Adobe

[02/25/2006|06:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> AdobeUM

[03/07/2006|09:36] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Apple Computer

[05/03/2008|11:08] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> BitZipper

[03/04/2008|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Creative

[09/25/2005|11:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> CyberLink

[12/09/2005|06:53] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Google

[04/14/2007|02:59] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Gtek

[12/20/2008|12:51] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Help

[06/28/2007|06:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> HP

[08/19/2004|01:14] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Identities

[05/26/2007|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> InstallShield

[09/26/2005|03:41] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Jasc Software Inc

[12/19/2008|01:00] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Lavasoft

[10/11/2005|07:55] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Leadertech

[03/28/2006|08:35] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Macromedia

[12/20/2008|02:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Malwarebytes

[02/06/2008|09:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Microsoft

[12/20/2008|12:30] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Mozilla

[04/25/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Opera

[04/30/2008|10:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Real

[10/11/2005|07:56] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sonic

[09/10/2005|11:42] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sun

[09/10/2005|11:57] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Symantec

[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Talkback

[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Thunderbird

[02/19/2009|12:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> uTorrent

[08/19/2004|12:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/20/2009 07:01 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job

[02/20/2009 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[08/10/2004 02:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/23/2009|08:09] C:\Program Files\<DIR> Activision

[04/23/2006|09:51] C:\Program Files\<DIR> Adobe

[09/10/2005|11:47] C:\Program Files\<DIR> ATI Technologies

[05/26/2007|06:34] C:\Program Files\<DIR> Avanquest update

[05/03/2008|11:25] C:\Program Files\<DIR> BitZipper

[12/28/2005|08:22] C:\Program Files\<DIR> Canon

[09/16/2007|01:33] C:\Program Files\<DIR> CDex_150

[02/19/2009|01:02] C:\Program Files\<DIR> Common Files

[08/19/2004|01:02] C:\Program Files\<DIR> ComPlus Applications

[02/19/2009|04:49] C:\Program Files\<DIR> Creative

[12/22/2007|03:41] C:\Program Files\<DIR> Crystal Player

[03/02/2006|01:50] C:\Program Files\<DIR> CureROM

[09/10/2005|11:49] C:\Program Files\<DIR> CyberLink

[12/10/2005|06:52] C:\Program Files\<DIR> DAEMON Tools

[10/24/2006|08:11] C:\Program Files\<DIR> DC++

[09/10/2005|12:01] C:\Program Files\<DIR> Dell

[09/10/2005|11:52] C:\Program Files\<DIR> Dell Inc

[04/14/2007|02:48] C:\Program Files\<DIR> DellSupport

[10/22/2008|12:23] C:\Program Files\<DIR> DivX

[08/19/2004|01:16] C:\Program Files\<DIR> EnglishOtto

[04/20/2006|05:25] C:\Program Files\<DIR> Fargo

[02/19/2009|04:47] C:\Program Files\<DIR> GemMaster

[12/09/2005|06:53] C:\Program Files\<DIR> Google

[12/30/2008|10:33] C:\Program Files\<DIR> GTR2

[10/02/2005|07:02] C:\Program Files\<DIR> Hewlett-Packard

[10/02/2005|07:03] C:\Program Files\<DIR> HP

[02/19/2009|04:49] C:\Program Files\<DIR> InstallShield Installation Information

[09/10/2005|11:48] C:\Program Files\<DIR> Intel

[11/02/2008|02:18] C:\Program Files\<DIR> Internet Explorer

[09/10/2005|11:54] C:\Program Files\<DIR> Intuit

[01/24/2007|07:07] C:\Program Files\<DIR> iTunes

[09/26/2005|03:41] C:\Program Files\<DIR> Jasc Software Inc

[02/19/2009|01:04] C:\Program Files\<DIR> Java

[10/13/2008|09:25] C:\Program Files\<DIR> K-Lite Codec Pack

[12/19/2008|01:00] C:\Program Files\<DIR> Lavasoft

[09/29/2007|01:04] C:\Program Files\<DIR> LucasArts

[02/20/2009|06:52] C:\Program Files\<DIR> Malwarebytes' Anti-Malware

[11/02/2008|02:24] C:\Program Files\<DIR> Messenger

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft ActiveSync

[08/19/2004|01:07] C:\Program Files\<DIR> microsoft frontpage

[12/20/2007|05:45] C:\Program Files\<DIR> Microsoft Games

[09/14/2005|09:27] C:\Program Files\<DIR> Microsoft IntelliPoint

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Office

[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition

[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Visual Studio

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Works

[09/14/2005|08:53] C:\Program Files\<DIR> Microsoft.NET

[09/10/2005|11:48] C:\Program Files\<DIR> Modem Helper

[09/10/2005|11:48] C:\Program Files\<DIR> Modem On Hold

[05/26/2007|06:43] C:\Program Files\<DIR> Motorola Phone Tools

[11/02/2008|02:18] C:\Program Files\<DIR> Movie Maker

[02/20/2009|07:02] C:\Program Files\<DIR> Mozilla Firefox

[08/19/2004|01:01] C:\Program Files\<DIR> MSN

[08/19/2004|01:01] C:\Program Files\<DIR> MSN Gaming Zone

[11/15/2006|03:01] C:\Program Files\<DIR> MSXML 4.0

[09/10/2005|11:50] C:\Program Files\<DIR> MUSICMATCH

[11/27/2006|09:30] C:\Program Files\<DIR> NETGEAR

[11/02/2008|02:15] C:\Program Files\<DIR> NetMeeting

[09/14/2005|08:22] C:\Program Files\<DIR> Network Associates

[08/19/2004|01:02] C:\Program Files\<DIR> Online Services

[11/02/2008|02:15] C:\Program Files\<DIR> Outlook Express

[05/10/2006|02:55] C:\Program Files\<DIR> PC-Pine

[01/24/2007|07:06] C:\Program Files\<DIR> QuickTime

[09/10/2005|11:53] C:\Program Files\<DIR> Real

[08/19/2004|01:20] C:\Program Files\<DIR> RGB

[12/10/2005|08:47] C:\Program Files\<DIR> Rockstar Games

[04/14/2008|06:08] C:\Program Files\<DIR> SCi Games

[06/26/2007|09:40] C:\Program Files\<DIR> Soldier of Fortune II - Double Helix MP TEST

[09/10/2005|11:56] C:\Program Files\<DIR> Sonic

[12/20/2008|05:58] C:\Program Files\<DIR> Spybot - Search & Destroy

[09/14/2005|08:18] C:\Program Files\<DIR> Symantec

[02/20/2009|05:52] C:\Program Files\<DIR> Trend Micro

[08/19/2004|01:14] C:\Program Files\<DIR> Uninstall Information

[02/19/2009|12:17] C:\Program Files\<DIR> uTorrent

[04/11/2008|10:50] C:\Program Files\<DIR> VideoLAN

[09/10/2005|11:50] C:\Program Files\<DIR> Windows Media Player

[11/02/2008|02:15] C:\Program Files\<DIR> Windows NT

[08/19/2004|01:02] C:\Program Files\<DIR> Windows Plus

[08/19/2004|01:05] C:\Program Files\<DIR> WindowsUpdate

[08/19/2004|01:07] C:\Program Files\<DIR> xerox

[04/14/2006|03:25] C:\Program Files\<DIR> Xilisoft

[09/10/2005|11:52] C:\Program Files\<DIR> Your Company Name

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe Systems Shared

[09/14/2005|08:33] C:\Program Files\Common Files\<DIR> AOL

[09/14/2005|08:22] C:\Program Files\Common Files\<DIR> Cisco Systems

[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> DESIGNER

[02/04/2008|01:44] C:\Program Files\Common Files\<DIR> DirectX

[10/02/2005|07:04] C:\Program Files\Common Files\<DIR> HP

[09/10/2005|12:01] C:\Program Files\Common Files\<DIR> InstallShield

[09/14/2005|08:46] C:\Program Files\Common Files\<DIR> Intuit

[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> L&H

[09/14/2005|08:56] C:\Program Files\Common Files\<DIR> Microsoft Shared

[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> MSSoap

[09/14/2005|08:21] C:\Program Files\Common Files\<DIR> Network Associates

[09/10/2005|11:53] C:\Program Files\Common Files\<DIR> Nullsoft

[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> ODBC

[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> Real

[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> Services

[09/10/2005|11:56] C:\Program Files\Common Files\<DIR> Sonic Shared

[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> SpeechEngines

[09/14/2005|08:24] C:\Program Files\Common Files\<DIR> SWF Studio

[09/14/2005|08:16] C:\Program Files\Common Files\<DIR> Symantec Shared

[11/02/2008|02:14] C:\Program Files\Common Files\<DIR> System

[09/10/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared

[12/19/2008|12:58] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 55 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Marcus\Cookies\marcus@divavillage.advertserve[1].txt

C:\DOCUME~1\Marcus\Cookies\marcus@imagevenue.advertserve[2].txt

C:\DOCUME~1\Marcus\Cookies\marcus@advertising[1].txt

C:\DOCUME~1\Marcus\Cookies\marcus@advertising[2].txt

C:\DOCUME~1\Marcus\Cookies\marcus@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-20 19:08:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSmtvd.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Jay Z\In My Lifetime, Volume 1\12 - Jay-Z - Rap Game Crack Game.mp3

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Kanye West\Late Registration\08-Crack Music featuring Game.mp3

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Notorious BIG\Ten Crack Commandments.mp3

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Age of Empires III crack

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Acid Pro 5.0.exe

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Fix Registration.reg

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Keygen.exe

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\README.txt

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Age of Empires III crack\dev-ae33.rar

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack\swkotor2.exe

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack\swkotor2.ini

[F:97][D:16]-> C:\DOCUME~1\Marcus\LOCALS~1\Temp

[F:479][D:0]-> C:\DOCUME~1\Marcus\Cookies

[F:237][D:8]-> C:\DOCUME~1\Marcus\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 02/20/2009|19:10 - Option : [1]

--------------------\\ Scan completed at 19:10:23


Tigger-

Thanks for what help you were able to provide. I didn't intend to insult your diagnostic tools; I'm just a little apprehensive about installing more software at this point. The French-as-a-primary-language aspect made me think twice.

I'm sorry that you cannot help me any further.

The cracks and keygens in the My Documents folder I am familiar with and pose no threat- I can uninstall/delete them if that would help things.

If you cannot help me any further with direct instructions, can you:

(A) give me some analysis of the nature of my problem/situation from the diagnostic data provided

(B) suggest an attack approach or plan of addressing my situation (such as removing problematic cracks)

(C) refer me to a different reputable security/malware forum

Additionally, if any other moderators are able to help/make suggestions that would be appreciated as well.


Please don't be offended by anything I said; I was simply pointing out a few things about that tool. While it may seem a little odd that the tool starts in French, most of our tools have multiple languages, and we would never have you download anything that is not safe.

While the cracks you have may not pose a threat, cracks are a way of getting infected, and when people have cracks on the computer and we find them, that's usually where they got the infection from. You also must remember cracks are illegal.

I will be able to continue helping you if you remove the cracks. Let me know. :)


Tigger-

Thanks for sticking it out with me. :) I removed the "crack" files that had been on my hard drive. The three files that LOP S&D is still identifying are all actual .mp3s that I uploaded from CD and actively listen to. The files which LOP had previously identified under "cracks and keygens" I had acquired over two ago. Also, they were acquired directly in 1st person from a friend via USB key, not through any p2p service. Therefore, I'd be surprised if they were related to my recent infection. Unless it's a really crafty infection.

Note for MBAM community: Any "crack" files previously displayed in diagnostic results were NOT related to the infringement of copyrighted or trademarked data. Piracy is illegal and should not be practiced by MBAM users. It is an easy way to contract malware. Don't do it!

Here's the new Lop log. Other than deleting the indicated files, I have performed no other actions since my last post.

Thanks, cheers, and hope your weekend is starting off better than mine.

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )

BIOS : Phoenix ROM BIOS PLUS Version 1.10 A01

USER : Marcus ( Administrator )

BOOT : Normal boot

C:\ (Local Disk) - NTFS - Total:144 Go (Free:18 Go)

D:\ (CD or DVD)

I:\ (Local Disk) - NTFS - Total:372 Go (Free:174 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Fri 02/20/2009|21:23 )

--------------------\\ Listing folders in APPLIC~1

[09/10/2005|12:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative

[08/19/2004|01:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities

[09/10/2005|11:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Jasc Software Inc

[09/10/2005|11:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[09/10/2005|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun

[09/10/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[04/23/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[04/23/2006|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems

[09/14/2005|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL

[01/24/2007|07:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[05/26/2007|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software

[03/29/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell

[04/11/2008|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek

[10/02/2005|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP

[09/10/2005|11:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield

[09/10/2005|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit

[12/19/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft

[12/20/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[11/04/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[09/14/2005|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates

[09/10/2005|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime

[08/19/2004|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI

[12/20/2008|05:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[09/14/2005|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec

[05/28/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[09/10/2005|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative

[08/19/2004|01:14] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities

[09/10/2005|11:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc

[08/19/2004|12:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[09/10/2005|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun

[09/10/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[03/10/2006|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[12/04/2008|10:11] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Adobe

[02/25/2006|06:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> AdobeUM

[03/07/2006|09:36] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Apple Computer

[05/03/2008|11:08] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> BitZipper

[03/04/2008|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Creative

[09/25/2005|11:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> CyberLink

[12/09/2005|06:53] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Google

[04/14/2007|02:59] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Gtek

[12/20/2008|12:51] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Help

[06/28/2007|06:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> HP

[08/19/2004|01:14] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Identities

[05/26/2007|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> InstallShield

[09/26/2005|03:41] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Jasc Software Inc

[12/19/2008|01:00] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Lavasoft

[10/11/2005|07:55] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Leadertech

[03/28/2006|08:35] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Macromedia

[12/20/2008|02:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Malwarebytes

[02/06/2008|09:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Microsoft

[12/20/2008|12:30] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Mozilla

[04/25/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Opera

[04/30/2008|10:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Real

[10/11/2005|07:56] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sonic

[09/10/2005|11:42] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sun

[09/10/2005|11:57] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Symantec

[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Talkback

[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Thunderbird

[02/19/2009|12:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> uTorrent

[08/19/2004|12:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/20/2009 08:00 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job

[02/20/2009 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[08/10/2004 02:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/23/2009|08:09] C:\Program Files\<DIR> Activision

[04/23/2006|09:51] C:\Program Files\<DIR> Adobe

[09/10/2005|11:47] C:\Program Files\<DIR> ATI Technologies

[05/26/2007|06:34] C:\Program Files\<DIR> Avanquest update

[05/03/2008|11:25] C:\Program Files\<DIR> BitZipper

[12/28/2005|08:22] C:\Program Files\<DIR> Canon

[09/16/2007|01:33] C:\Program Files\<DIR> CDex_150

[02/19/2009|01:02] C:\Program Files\<DIR> Common Files

[08/19/2004|01:02] C:\Program Files\<DIR> ComPlus Applications

[02/19/2009|04:49] C:\Program Files\<DIR> Creative

[12/22/2007|03:41] C:\Program Files\<DIR> Crystal Player

[03/02/2006|01:50] C:\Program Files\<DIR> CureROM

[09/10/2005|11:49] C:\Program Files\<DIR> CyberLink

[12/10/2005|06:52] C:\Program Files\<DIR> DAEMON Tools

[10/24/2006|08:11] C:\Program Files\<DIR> DC++

[09/10/2005|12:01] C:\Program Files\<DIR> Dell

[09/10/2005|11:52] C:\Program Files\<DIR> Dell Inc

[04/14/2007|02:48] C:\Program Files\<DIR> DellSupport

[10/22/2008|12:23] C:\Program Files\<DIR> DivX

[08/19/2004|01:16] C:\Program Files\<DIR> EnglishOtto

[04/20/2006|05:25] C:\Program Files\<DIR> Fargo

[02/19/2009|04:47] C:\Program Files\<DIR> GemMaster

[12/09/2005|06:53] C:\Program Files\<DIR> Google

[12/30/2008|10:33] C:\Program Files\<DIR> GTR2

[10/02/2005|07:02] C:\Program Files\<DIR> Hewlett-Packard

[10/02/2005|07:03] C:\Program Files\<DIR> HP

[02/20/2009|09:20] C:\Program Files\<DIR> InstallShield Installation Information

[09/10/2005|11:48] C:\Program Files\<DIR> Intel

[11/02/2008|02:18] C:\Program Files\<DIR> Internet Explorer

[09/10/2005|11:54] C:\Program Files\<DIR> Intuit

[01/24/2007|07:07] C:\Program Files\<DIR> iTunes

[09/26/2005|03:41] C:\Program Files\<DIR> Jasc Software Inc

[02/19/2009|01:04] C:\Program Files\<DIR> Java

[10/13/2008|09:25] C:\Program Files\<DIR> K-Lite Codec Pack

[12/19/2008|01:00] C:\Program Files\<DIR> Lavasoft

[02/20/2009|09:20] C:\Program Files\<DIR> LucasArts

[02/20/2009|06:52] C:\Program Files\<DIR> Malwarebytes' Anti-Malware

[11/02/2008|02:24] C:\Program Files\<DIR> Messenger

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft ActiveSync

[08/19/2004|01:07] C:\Program Files\<DIR> microsoft frontpage

[12/20/2007|05:45] C:\Program Files\<DIR> Microsoft Games

[09/14/2005|09:27] C:\Program Files\<DIR> Microsoft IntelliPoint

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Office

[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition

[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Visual Studio

[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Works

[09/14/2005|08:53] C:\Program Files\<DIR> Microsoft.NET

[09/10/2005|11:48] C:\Program Files\<DIR> Modem Helper

[09/10/2005|11:48] C:\Program Files\<DIR> Modem On Hold

[05/26/2007|06:43] C:\Program Files\<DIR> Motorola Phone Tools

[11/02/2008|02:18] C:\Program Files\<DIR> Movie Maker

[02/20/2009|08:50] C:\Program Files\<DIR> Mozilla Firefox

[08/19/2004|01:01] C:\Program Files\<DIR> MSN

[08/19/2004|01:01] C:\Program Files\<DIR> MSN Gaming Zone

[11/15/2006|03:01] C:\Program Files\<DIR> MSXML 4.0

[09/10/2005|11:50] C:\Program Files\<DIR> MUSICMATCH

[11/27/2006|09:30] C:\Program Files\<DIR> NETGEAR

[11/02/2008|02:15] C:\Program Files\<DIR> NetMeeting

[09/14/2005|08:22] C:\Program Files\<DIR> Network Associates

[08/19/2004|01:02] C:\Program Files\<DIR> Online Services

[11/02/2008|02:15] C:\Program Files\<DIR> Outlook Express

[05/10/2006|02:55] C:\Program Files\<DIR> PC-Pine

[01/24/2007|07:06] C:\Program Files\<DIR> QuickTime

[09/10/2005|11:53] C:\Program Files\<DIR> Real

[08/19/2004|01:20] C:\Program Files\<DIR> RGB

[12/10/2005|08:47] C:\Program Files\<DIR> Rockstar Games

[04/14/2008|06:08] C:\Program Files\<DIR> SCi Games

[06/26/2007|09:40] C:\Program Files\<DIR> Soldier of Fortune II - Double Helix MP TEST

[09/10/2005|11:56] C:\Program Files\<DIR> Sonic

[12/20/2008|05:58] C:\Program Files\<DIR> Spybot - Search & Destroy

[09/14/2005|08:18] C:\Program Files\<DIR> Symantec

[02/20/2009|05:52] C:\Program Files\<DIR> Trend Micro

[08/19/2004|01:14] C:\Program Files\<DIR> Uninstall Information

[02/19/2009|12:17] C:\Program Files\<DIR> uTorrent

[04/11/2008|10:50] C:\Program Files\<DIR> VideoLAN

[09/10/2005|11:50] C:\Program Files\<DIR> Windows Media Player

[11/02/2008|02:15] C:\Program Files\<DIR> Windows NT

[08/19/2004|01:02] C:\Program Files\<DIR> Windows Plus

[08/19/2004|01:05] C:\Program Files\<DIR> WindowsUpdate

[08/19/2004|01:07] C:\Program Files\<DIR> xerox

[04/14/2006|03:25] C:\Program Files\<DIR> Xilisoft

[09/10/2005|11:52] C:\Program Files\<DIR> Your Company Name

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe Systems Shared

[09/14/2005|08:33] C:\Program Files\Common Files\<DIR> AOL

[09/14/2005|08:22] C:\Program Files\Common Files\<DIR> Cisco Systems

[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> DESIGNER

[02/04/2008|01:44] C:\Program Files\Common Files\<DIR> DirectX

[10/02/2005|07:04] C:\Program Files\Common Files\<DIR> HP

[09/10/2005|12:01] C:\Program Files\Common Files\<DIR> InstallShield

[09/14/2005|08:46] C:\Program Files\Common Files\<DIR> Intuit

[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> L&H

[09/14/2005|08:56] C:\Program Files\Common Files\<DIR> Microsoft Shared

[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> MSSoap

[09/14/2005|08:21] C:\Program Files\Common Files\<DIR> Network Associates

[09/10/2005|11:53] C:\Program Files\Common Files\<DIR> Nullsoft

[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> ODBC

[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> Real

[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> Services

[09/10/2005|11:56] C:\Program Files\Common Files\<DIR> Sonic Shared

[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> SpeechEngines

[09/14/2005|08:24] C:\Program Files\Common Files\<DIR> SWF Studio

[09/14/2005|08:16] C:\Program Files\Common Files\<DIR> Symantec Shared

[11/02/2008|02:14] C:\Program Files\Common Files\<DIR> System

[09/10/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared

[12/19/2008|12:58] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 56 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Marcus\Cookies\marcus@divavillage.advertserve[1].txt

C:\DOCUME~1\Marcus\Cookies\marcus@imagevenue.advertserve[2].txt

C:\DOCUME~1\Marcus\Cookies\marcus@advertising[1].txt

C:\DOCUME~1\Marcus\Cookies\marcus@advertising[2].txt

C:\DOCUME~1\Marcus\Cookies\marcus@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-20 21:24:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSmtvd.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Jay Z\In My Lifetime, Volume 1\12 - Jay-Z - Rap Game Crack Game.mp3

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Kanye West\Late Registration\08-Crack Music featuring Game.mp3

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Notorious BIG\Ten Crack Commandments.mp3

[F:99][D:16]-> C:\DOCUME~1\Marcus\LOCALS~1\Temp

[F:479][D:0]-> C:\DOCUME~1\Marcus\Cookies

[F:237][D:8]-> C:\DOCUME~1\Marcus\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 02/20/2009|19:10 - Option : [1]

2 - "C:\Lop SD\LopR_2.txt" - Fri 02/20/2009|21:25 - Option : [1]

--------------------\\ Scan completed at 21:25:46


I'll try to keep the tools to a minimum, but we are going to need this tool to replace your infected userinit.exe and to remove the TDSS rootkit.

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

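The two findings named in the reply above, the TDSS rootkit entries and the patched userinit.exe, are exactly the lines a responder wants pulled out of a log automatically rather than read by eye across several hundred lines. The following is an added example that is not part of this thread and not code from Lop S&D, ComboFix or Malwarebytes: a small Python triage script that runs a handful of regexes over a constructed sample assembled from log lines quoted earlier in the thread and reports which indicators are present. The rule names, the verdict labels and the sample itself are my own assumptions; the indicator strings (TDSSserv.sys, LEGACY_TDSSSERV.SYS, TDSSmtvd.dat, userinit.exe) come from the logs posted above. The script only reads text, so it can be run on a copied log on any machine.

```python
"""Triage helper: flag TDSS/Tibs rootkit indicators in a Lop S&D or ComboFix log."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str      # short name of the indicator that matched
    line_no: int   # 1-based line number within the log
    line: str      # the offending log line, stripped


# Indicator patterns drawn from the Lop S&D and ComboFix output in this thread.
# The regexes match on log text only; nothing here touches the registry or
# the file system.
RULES = [
    # Service key for the TDSSserv.sys driver (the rootkit's persistence as a service).
    ("tdss_service_key",
     re.compile(r"\\Services\\TDSSserv\.sys\]", re.IGNORECASE)),
    # LEGACY_* entry under Enum\Root: Windows records every loaded legacy driver there,
    # so the entry survives even after the service key itself is removed.
    ("tdss_legacy_enum",
     re.compile(r"\\Enum\\Root\\LEGACY_TDSSSERV\.SYS\]", re.IGNORECASE)),
    # Dropped TDSS data/driver files in system32 (TDSSmtvd.dat appears in the logs).
    ("tdss_dropped_file",
     re.compile(r"\\system32\\TDSS\w+\.(?:dat|dll|sys)\s*$", re.IGNORECASE)),
    # ComboFix's own verdict that userinit.exe (launched by Winlogon at every
    # logon) had been replaced by an infected copy.
    ("userinit_patched",
     re.compile(r"Infected copy of .*\\userinit\.exe", re.IGNORECASE)),
]

# Constructed sample: a few lines copied from the logs in this thread, used as
# offline test input. Backslashes are kept literal by the raw string.
SAMPLE_LOG = r"""--------------------\\ ROOTKIT !!
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
--------------------\\ Suspect ..
C:\WINDOWS\system32\TDSSmtvd.dat
[02/20/2009 07:01 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Hosts file CLEAN
"""


def triage(log_text: str) -> List[Finding]:
    """Return every line that matches one of the RULES, in log order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, line_no, line))
                break  # first matching rule wins; one finding per line
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. {'tdss_service_key': 1, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def verdict(findings: List[Finding]) -> str:
    """Kernel-mode rootkit indicators outrank a tampered logon chain in triage."""
    rules = {f.rule for f in findings}
    if rules & {"tdss_service_key", "tdss_legacy_enum", "tdss_dropped_file"}:
        return "rootkit-suspected"
    if "userinit_patched" in rules:
        return "logon-chain-tampered"
    return "no-known-indicators"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:18} line {f.line_no}: {f.line}")
    print(summarize(found), verdict(found))
```

Feed it a whole log rather than the sample and the ControlSet001/ControlSet002 duplicates from the first Lop run are counted as well, which is the point of the LEGACY_* rule: a service key that reappears under every control set after a "clean" result is the sign that the removal did not reach the driver, and the reply above reaches for a dedicated tool for exactly that reason.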

Alright! Sorry I've been slow in responding- I had to go into work early this morning and was away from my (home) PC.

I ran ComboFix with no major issues. While it was running, Spybot SD resident (initialized on bootup) alerted me that my homepage and web search settings were being changed... but I don't think Spybot interfered with the scan.

Also, after the scan a Windows security alert popped up in the tray saying that my Windows Firewall was disabled (probably part of ComboFix).

Strangely, during the scan my clock changed to military time, then reverted after the reboot. Weird.

Again- Thanks for your ongoing support.

ComboFix 09-02-19.01 - Marcus 2009-02-21 19:44:45.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1859 [GMT -8:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

.

ADS - explorer.exe: deleted 7454 bytes in 4 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Marcus\Cookies\wolehyf.ban

c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\avezubu.db

c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\dibil.pif

c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\epyfigug.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\998.exe

c:\windows\system32\init32.exe

c:\windows\system32\TDSSmtvd.dat

c:\windows\system32\uniq.tll

c:\windows\system32\win32hlp.cnf

c:\windows\Tasks\mfwpraie.job

c:\windows\wiaserviv.log

c:\windows\wiaservv.log

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_seneka

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))

.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD

2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 05:20 --------- d-----w c:\program files\LucasArts

2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-20 00:49 --------- d-----w c:\program files\Creative

2009-02-20 00:47 --------- d-----w c:\program files\GemMaster

2009-02-19 09:04 --------- d-----w c:\program files\Java

2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent

2009-02-19 08:17 --------- d-----w c:\program files\uTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-24 04:09 --------- d-----w c:\program files\Activision

2008-12-31 06:33 --------- d-----w c:\program files\GTR2

2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com

2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg

2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat

2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl

2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban

2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com

2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin

2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys

2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys

2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]

"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]

NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:53:50 PM, on 2/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O20 - AppInit_DLLs: mvoqas.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--

End of file - 8532 bytes


Oops- thought I grabbed the whole thing last time. Sorry. Must have gotten impatient with my copy-paste. Here ya go. Thanks!

ComboFix 09-02-19.01 - Marcus 2009-02-22 11:49:05.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1915 [GMT -8:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))

.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD

2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 05:20 --------- d-----w c:\program files\LucasArts

2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-20 00:49 --------- d-----w c:\program files\Creative

2009-02-20 00:47 --------- d-----w c:\program files\GemMaster

2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-02-19 09:04 --------- d-----w c:\program files\Java

2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent

2009-02-19 08:17 --------- d-----w c:\program files\uTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe

2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-24 04:09 --------- d-----w c:\program files\Activision

2008-12-31 06:33 --------- d-----w c:\program files\GTR2

2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com

2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg

2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat

2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl

2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban

2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com

2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin

2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys

2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys

2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe

2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-22 19:47:07 54,280 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-22 19:47:07 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-22 19:43:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]

"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]

NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=mvoqas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]

S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]

S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell4me.com/myway

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-22 11:52:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)

c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(920)

c:\windows\system32\EntApi.dll

.

Completion time: 2009-02-22 11:54:08

ComboFix-quarantined-files.txt 2009-02-22 19:54:05

ComboFix2.txt 2009-02-22 03:53:00

Pre-Run: 19,710,701,568 bytes free

Post-Run: 19,695,915,008 bytes free

149 --- E O F --- 2009-02-11 11:02:51


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\program files\Common Files\melo.com

c:\documents and settings\Marcus\Application Data\ycexim.reg

c:\program files\Common Files\mudohoc.bat

c:\program files\Common Files\ahupebykiw.dl

c:\program files\Common Files\efucu.ban

c:\documents and settings\Marcus\Application Data\ubywuxy.com

c:\documents and settings\Marcus\Application Data\axepub.bin

c:\windows\system32\drivers\zkiefzrs.sys

Folder::

c:\windows\ccddawrp

Driver::

skbgfqnd

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[CFScript.gif: animation showing CFScript.txt being dragged onto ComboFix.exe]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
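The ComboFix log above and the CFScript reply are a good illustration of how a malware-removal helper reads one of these reports: a cluster of oddly named files dropped in the same minute under Common Files and Application Data, an AppInit_DLLs value (a DLL loaded into every process that maps user32.dll), a service whose driver file ComboFix could not read (the "--> ... [?]" line), Security Center notifications switched off and the firewall disabled. The script below is an added example written for this page, not part of the thread and not a ComboFix or Malwarebytes tool. It parses a constructed excerpt of the posted report (same paths and values, everything else dropped), applies those triage rules and emits a CFScript in the File:: / Driver:: / Registry:: layout the helper used. The same-minute-cluster rule and the threshold of three files are my heuristics, and the Security Center fixes are my addition; the helper's script did not touch those keys, which is consistent with the follow-up report still showing them.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix report posted in this thread (raw string,
# so the backslashes are literal). Only the lines the triage rules act on are kept.
SAMPLE_LOG = r"""
((((( Find3M Report )))))
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban
2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com
2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
((((( Reg Loading Points )))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
"""

# Find3M line: "<date> <time> <size|---------> <7 attr chars> <path>"
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S{7})\s+(.+)$')
# Service line: "<start type> <name>;<display name>;<image path ...>"
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+)$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Directories a user-level dropper can write to without elevation (assumption).
USER_WRITABLE = ('\\common files\\', '\\application data\\')

def parse_report(text):
    """Split a ComboFix report into file entries, service entries and registry values."""
    files, services, registry, current_key = [], [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            files.append({'stamp': stamp, 'path': path, 'is_dir': attrs.startswith('d')})
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, _display, rest = m.groups()
            # "[?]" at the end means ComboFix could not stat the driver image.
            services.append({'start': start, 'name': name, 'rest': rest, 'missing': '[?]' in rest})
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            registry.setdefault(current_key, {})
            continue
        m = VAL_RE.match(line)
        if m and current_key:
            registry[current_key][m.group(1)] = m.group(2).strip()
    return files, services, registry

def triage(files, services, registry):
    """Apply the triage rules and collect what a CFScript would need to remove or reset."""
    findings = {'files': [], 'drivers': [], 'registry': [], 'notes': []}
    # Rule 1 (heuristic): three or more files written in the same minute under
    # user-writable data directories is how a dropper's payload set usually looks.
    by_minute = defaultdict(list)
    for f in files:
        if not f['is_dir'] and any(d in f['path'].lower() for d in USER_WRITABLE):
            by_minute[f['stamp']].append(f['path'])
    for stamp, paths in by_minute.items():
        if len(paths) >= 3:
            findings['files'].extend(paths)
            findings['notes'].append(f'{len(paths)} files dropped together at {stamp}')
    # Rule 2: a service whose driver ComboFix could not read; remove service, then file.
    for s in services:
        if s['missing']:
            findings['drivers'].append(s['name'])
            findings['files'].append(s['rest'].split(' --> ')[0].strip())
    # Rule 3: registry tampering (DLL injection, Security Center, firewall).
    for key, values in registry.items():
        low = key.lower()
        if low.endswith('currentversion\\windows') and values.get('AppInit_DLLs'):
            findings['registry'].append((key, 'AppInit_DLLs', '""'))
            findings['notes'].append(f"AppInit_DLLs loads {values['AppInit_DLLs']} into every process that maps user32.dll")
        if low.endswith('security center'):
            for name, val in values.items():
                if name.endswith('DisableNotify') and val.lower() in ('dword:00000001', '1 (0x1)'):
                    findings['registry'].append((key, name, 'dword:00000000'))
        if 'firewallpolicy' in low and values.get('EnableFirewall', '').startswith('0'):
            findings['notes'].append(f'Windows Firewall disabled under {key}; the path is abbreviated (~) in the report, so fix it by hand')
    return findings

def build_cfscript(findings):
    """Render findings in the File:: / Driver:: / Registry:: layout ComboFix accepts."""
    out = []
    if findings['files']:
        out += ['File::'] + findings['files'] + ['']
    if findings['drivers']:
        out += ['Driver::'] + findings['drivers'] + ['']
    if findings['registry']:
        out.append('Registry::')
        by_key = defaultdict(list)
        for key, name, value in findings['registry']:
            by_key[key].append(f'"{name}"={value}')
        for key, lines in by_key.items():
            out += [f'[{key}]'] + lines
        out.append('')
    return '\n'.join(out)

if __name__ == '__main__':
    result = triage(*parse_report(SAMPLE_LOG))
    for note in result['notes']:
        print('NOTE:', note)
    print(build_cfscript(result))
```

The notes are the part worth reading before running anything: a removal script only deletes what it is told to, so the firewall and Security Center state, and anything the report abbreviates, still have to be checked after the reboot, which is exactly what the follow-up post in this thread ran into.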

Alright. Ran the combofix script. It asked to reboot. I did, and signs of infection are still present (McAfee disabled on startup.)

What's next? And thanks again.

ComboFix 09-02-19.01 - Marcus 2009-02-22 17:53:44.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2029 [GMT -8:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\documents and settings\Marcus\Application Data\axepub.bin

c:\documents and settings\Marcus\Application Data\ubywuxy.com

c:\documents and settings\Marcus\Application Data\ycexim.reg

c:\program files\Common Files\ahupebykiw.dl

c:\program files\Common Files\efucu.ban

c:\program files\Common Files\melo.com

c:\program files\Common Files\mudohoc.bat

c:\windows\system32\drivers\zkiefzrs.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Marcus\Application Data\axepub.bin

c:\documents and settings\Marcus\Application Data\ubywuxy.com

c:\documents and settings\Marcus\Application Data\ycexim.reg

c:\program files\Common Files\ahupebykiw.dl

c:\program files\Common Files\efucu.ban

c:\program files\Common Files\melo.com

c:\program files\Common Files\mudohoc.bat

c:\windows\ccddawrp\

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_skbgfqnd

((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))

.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD

2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 05:20 --------- d-----w c:\program files\LucasArts

2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-20 00:49 --------- d-----w c:\program files\Creative

2009-02-20 00:47 --------- d-----w c:\program files\GemMaster

2009-02-19 09:04 --------- d-----w c:\program files\Java

2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent

2009-02-19 08:17 --------- d-----w c:\program files\uTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-24 04:09 --------- d-----w c:\program files\Activision

2008-12-31 06:33 --------- d-----w c:\program files\GTR2

2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys

2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys

2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-23 01:52:53 54,280 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-23 01:52:53 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-23 01:58:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_790.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]

"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]

NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]

S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.dell4me.com/myway

mDefault_Page_URL = hxxp://www.dell4me.com/myway

mStart Page = hxxp://www.dell4me.com/myway

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-22 17:59:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\windows\system32\MrvGINA.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\CTSVCCDA.EXE

c:\windows\ehome\ehRecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\dllhost.exe

c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\ehome\ehmsas.exe

c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe

c:\documents and settings\Marcus\Desktop\iPod\bin\iPodService.exe

c:\program files\NETGEAR\WG311v3\wlancfg5.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

.

**************************************************************************

.

Completion time: 2009-02-22 18:02:39 - machine was rebooted [Marcus]

ComboFix-quarantined-files.txt 2009-02-23 02:02:36

ComboFix2.txt 2009-02-22 19:54:11

ComboFix3.txt 2009-02-22 03:53:00

Pre-Run: 19,675,172,864 bytes free

Post-Run: 19,662,004,224 bytes free

187 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:05:53 PM, on 2/22/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE

C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--

End of file - 8499 bytes


Okay-

Things seem to be improved, but not perfect. McAfee antivirus is still disabled on startup initialization, even though the "enable on startup" option is selected.

There are no more IE popups, but seemingly random searches in Firefox redirect to strange sites which instigate popups claiming that my PC is infected and that I need to click, etc.

It doesn't seem that there is any huge "parasitic load" on my PC performance from malware, but you could convince me that my system was compromised and only running at 80%-90%.

I'm running scans with all my malware software. MWBAM returned zero results. Ad-Aware running now, then SpyBot. I'll let you know if they return anything.

Do you know what is causing the antivirus to be disabled and the Firefox redirects?

Cheers- progress has been made. Things are improving.


Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\drivers\TDSSrvdc.sys
    C:\WINDOWS\system32\TDSSwpyd.dat
    C:\WINDOWS\system32\TDSStkdv.log
    C:\WINDOWS\system32\TDSSotxb.dll
    C:\WINDOWS\system32\TDSScrrn.dll
    C:\WINDOWS\system32\TDSSbvqh.dll
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    C:\WINDOWS\SYSTEM32\qoMfefde.dll

    Drivers to delete:
    tdssserv

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the Avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Bummer. It seems that the Avenger process was unsuccessful. I executed the script as asked; there was a confirmation screen (not included in the instructions) asking me if I was sure I wanted to run despite the "delete services" command, I think.

Anyway, nothing appears to have changed upon reboot; infection signs are still present. No second reboot was necessary.

Here's the log. I'll try running the Avenger script again to see if it returns the same result. I'll post if it does.

What's next?

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

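The Avenger script in the helper's instructions above and the log the user posted after it share a simple line-oriented format: a section header ending in a colon, one target per line, and, for every target the tool could not remove, a "Deletion of ... failed!" line followed by an NT status line. The Python below is an added example (my code, not part of The Avenger or of this thread) that parses both and reports, per file target in the script, what the log says happened, so a helper can see at a glance that every target came back STATUS_OBJECT_NAME_NOT_FOUND, as in the log above. The log excerpt in the thread shows only failures, so the parser makes no assumption about what a success line looks like; a target with no log entry is reported as None. The sample script and log are constructed excerpts of the ones on this page.

```python
"""Parse an Avenger removal script and its run log, then cross-check the
outcome of every file target. Added example; not The Avenger's own code."""
import re

# Section headers of The Avenger's script format, as used in the helper's post.
SECTION_HEADERS = ("Files to delete:", "Drivers to delete:", "Registry keys to delete:")

# Line shapes copied from the Avenger log posted in the thread.
FAILED_RE = re.compile(r'^Deletion of (file|driver|registry key) "(?P<name>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<symbol>[A-Z_]+)\)$')

# Constructed excerpt of the script from the helper's post.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\windows\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\drivers\TDSSmact.sys

Drivers to delete:
tdssserv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
HKEY_LOCAL_MACHINE\SOFTWARE\tdss
"""

# Constructed excerpt of the user's Avenger log (only failures are shown there).
SAMPLE_LOG = r"""
Rootkit scan active.
No rootkits found!
Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
"""


def parse_avenger_script(text):
    """Group script lines under their section header, e.g. {"Files to delete": [...]}.

    Blank lines are skipped. A target before any header is rejected, because
    Avenger would have no instruction to apply to it.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line.rstrip(":")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("target listed before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def parse_avenger_log(text):
    """Map each target whose deletion failed to its (status code, status symbol).

    The Status line follows the 'failed!' line, so the last failed target is
    remembered until its status arrives.
    """
    failures = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            pending = m.group("name")
            failures[pending] = (None, None)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            failures[pending] = (m.group("code"), m.group("symbol"))
            pending = None
    return failures


def reconcile(script_text, log_text):
    """{file target as written in the script: status symbol or None}.

    Windows paths are case-insensitive and the script mixes upper- and
    lower-case spellings of the same directories, so matching is done on the
    lower-cased path. None means the log has no entry for that target.
    """
    failures = {k.lower(): v for k, v in parse_avenger_log(log_text).items()}
    verdicts = {}
    for target in parse_avenger_script(script_text).get("Files to delete", []):
        _code, symbol = failures.get(target.lower(), (None, None))
        verdicts[target] = symbol
    return verdicts


def summarize(verdicts):
    """Count targets that were already absent, failed otherwise, or have no log entry."""
    counts = {"not_found": 0, "failed_other": 0, "no_log_entry": 0}
    for symbol in verdicts.values():
        if symbol is None:
            counts["no_log_entry"] += 1
        elif symbol == "STATUS_OBJECT_NAME_NOT_FOUND":
            counts["not_found"] += 1
        else:
            counts["failed_other"] += 1
    return counts


if __name__ == "__main__":
    verdicts = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for target, symbol in verdicts.items():
        print("%-45s %s" % (target, symbol or "(no entry in log)"))
    print(summarize(verdicts))
```

A script whose file targets all come back STATUS_OBJECT_NAME_NOT_FOUND, as here, did not change the machine: the listed files were already gone (or never existed under those names), which is why the user saw no second reboot and no change in symptoms.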

Ran avenger a second time. Here is the "services" prompt that popped up between the "sure you want to execute.." and "reboot.." prompts.

"It is dangerous to edit services registry keys directly, if...." sorry, that's all I jotted down..

It's probably irrelevant, but after the 1st run and reboot, the internal speaker in my tower bleeped at me. It's never done that before.

Strangely, after the second run of Avenger, no .txt log report popped up. Maybe it knew that the log would be redundant and identical to the last one it produced. I don't know.

So I generated another Combofix log... thought it might be more helpful than the avenger log.

What's the next plan of attack?

ComboFix 09-02-19.01 - Marcus 2009-02-23 23:13:13.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2091 [GMT -8:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))

.

2009-02-23 22:59 . 2009-02-23 22:59 135,168 --a------ C:\zip.exe

2009-02-23 22:59 . 2009-02-23 22:59 19,286 --a------ C:\cleanup.exe

2009-02-23 22:59 . 2009-02-23 22:59 574 --a------ C:\cleanup.bat

2009-02-23 22:59 . 2009-02-23 22:59 0 --a------ C:\backup.reg

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD

2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 05:20 --------- d-----w c:\program files\LucasArts

2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-20 00:49 --------- d-----w c:\program files\Creative

2009-02-20 00:47 --------- d-----w c:\program files\GemMaster

2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-02-19 09:04 --------- d-----w c:\program files\Java

2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent

2009-02-19 08:17 --------- d-----w c:\program files\uTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe

2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-24 04:09 --------- d-----w c:\program files\Activision

2008-12-31 06:33 --------- d-----w c:\program files\GTR2

2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys

2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys

2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe

2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-24 07:06:55 54,280 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-24 07:06:55 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-24 07:02:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]

"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]

NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]

S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell4me.com/myway

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-23 23:16:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\MrvGINA.dll

.

Completion time: 2009-02-23 23:17:50

ComboFix-quarantined-files.txt 2009-02-24 07:17:48

ComboFix2.txt 2009-02-23 02:02:40

ComboFix3.txt 2009-02-22 19:54:11

ComboFix4.txt 2009-02-22 03:53:00

Pre-Run: 19,319,517,184 bytes free

Post-Run: 19,302,203,392 bytes free

139 --- E O F --- 2009-02-11 11:02:51

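The ComboFix log above prints the machine's autostart and Security Center registry values in REGEDIT4 form under "Reg Loading Points". The Python below is an added example (my code, not ComboFix's and not from this thread) that parses that section into keys and values, lists the Run-key programs, reads the firewall's globally open ports, and flags the two Security Center values the log shows set to 1, AntiVirusDisableNotify and UpdatesDisableNotify. One caveat a practitioner needs: those values suppress the Windows Security Center "antivirus off / updates off" warnings, but some antivirus products set them legitimately because they ship their own notifier, so a hit means "confirm who set it", not "infection". The sample section is a constructed excerpt of the log above.

```python
"""Parse the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log and
pull out the entries a reviewer checks first. Added example, not ComboFix code."""
import re

# Windows Security Center values that, when set to 1, silence the "antivirus is
# off" / "updates are off" warnings. Both are present and set in this log.
# Key paths are compared lower-cased because registry paths are case-insensitive.
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "UpdatesDisableNotify")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
# Run-key data as ComboFix prints it: "<path>" [<date> <size or full path>]
RUN_DATA_RE = re.compile(r'^"(?P<path>[^"]*)"(?: \[[^\]]*\])?$')

# Constructed excerpt of the "Reg Loading Points" section in the log above.
SAMPLE_SECTION = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++
"""


def parse_reg_section(text):
    """Return {key path (lower-cased): {value name: raw data}} for every [key] block.

    Key paths are kept exactly as ComboFix prints them; it abbreviates the
    CurrentControlSet services path as HKLM followed by a tilde.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def parse_dword(data):
    """Decode a REGEDIT4 'dword:00000001' datum to an int; None for other types."""
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return None


def security_center_findings(keys):
    """Names of the notification-suppression values that are set to 1."""
    sc = keys.get(SECURITY_CENTER_KEY, {})
    return [name for name in NOTIFY_VALUES if parse_dword(sc.get(name, "")) == 1]


def run_entries(keys):
    """{value name: program path} for every HKLM and HKCU Run-key entry."""
    entries = {}
    for key, values in keys.items():
        if not key.endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            m = RUN_DATA_RE.match(data)
            entries[name] = m.group("path") if m else data
    return entries


def open_ports(keys):
    """Firewall GloballyOpenPorts entries, e.g. '12345:UDP:dc++'."""
    ports = []
    for key, values in keys.items():
        if key.endswith(r"\globallyopenports\list"):
            ports.extend(values.values())
    return ports


if __name__ == "__main__":
    keys = parse_reg_section(SAMPLE_SECTION)
    print("Run entries:", run_entries(keys))
    print("Open ports:", open_ports(keys))
    print("Security Center notifications suppressed:", security_center_findings(keys))
```

Reading the Run entries and open ports side by side with the Security Center flags is the quickest way to answer the user's question about why the antivirus shows as disabled: if the notification values are set but the antivirus's own Run entries and services are still listed (as ShStatEXE, McAfeeUpdaterUI and McShield are in this log), the product is installed and the next step is to check its own logs rather than assume the registry values were set by malware.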

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\zip.exe

C:\cleanup.exe

C:\cleanup.bat

C:\backup.reg

c:\windows\ccddawrp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif)

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Okay. ComboFix ran the script without event. No reboot was necessary. I can't tell if any infection signs have left; I will post back after a reboot and further PC use to tell you if any have been dealt with.

ComboFix 09-02-19.01 - Marcus 2009-02-24 12:30:06.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2036 [GMT -8:00]

Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\backup.reg

C:\cleanup.bat

C:\cleanup.exe

c:\windows\ccddawrp

C:\zip.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\backup.reg

C:\cleanup.bat

C:\cleanup.exe

c:\windows\ccddawrp

C:\zip.exe

.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))

.

2009-02-24 12:23 . 2009-02-24 12:23 <DIR> d-------- c:\windows\LastGood

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD

2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-24 07:36 --------- d-----w c:\program files\HP

2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 05:20 --------- d-----w c:\program files\LucasArts

2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-20 00:49 --------- d-----w c:\program files\Creative

2009-02-20 00:47 --------- d-----w c:\program files\GemMaster

2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-02-19 09:04 --------- d-----w c:\program files\Java

2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent

2009-02-19 08:17 --------- d-----w c:\program files\uTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe

2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-24 04:09 --------- d-----w c:\program files\Activision

2008-12-31 06:33 --------- d-----w c:\program files\GTR2

2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys

2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys

2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys

2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe

2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-24 20:25:55 46,924 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-24 20:25:55 367,980 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-24 20:21:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]

"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]

NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]

S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell4me.com/myway

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-24 12:32:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(924)

c:\windows\system32\EntApi.dll

.

Completion time: 2009-02-24 12:34:32

ComboFix-quarantined-files.txt 2009-02-24 20:34:30

ComboFix2.txt 2009-02-24 07:17:52

ComboFix3.txt 2009-02-23 02:02:40

ComboFix4.txt 2009-02-22 19:54:11

ComboFix5.txt 2009-02-24 20:29:31

Pre-Run: 19,575,681,024 bytes free

Post-Run: 19,568,209,920 bytes free

154 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:35:29 PM, on 2/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--

End of file - 7774 bytes


Things are looking good.

I'm still getting some signs of infection. IE is running fine, but Google searches on Firefox result in random (not consistent) redirects.

McAfee is also still disabled on startup, which doesn't seem right.

MWBAM scan still coming up with nothing.

Any ideas what is causing the Firefox bug? Should I try uninstalling/reinstalling it?

Again, thanks for all your help tigger. +1 to your karma stash.


Let's run an online scan and see if it finds anything. Also, any restore points from before this infection would be infected, so they would have just reinfected you.

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
