
Trojan.Vundo.H - MBAM can't remove - Please Help!



Afternoon,

Is there anyone who can help me please? I am having trouble getting rid of Trojan.Vundo.H

The only program that seems to even find it is MBAM, finding it in C:\Windows\System32\yriqdux.dll and three registry entries that refer to it. Unfortunately, even after a restart (whether into Safe Mode or normal) the files are still there. I have tried CCleaner, CyberScrub and MBAM's File Assassin, but all to no avail.

Looking on the Symantec website, they only have a removal tool for Trojan.Vundo and Trojan.Vundo.B, but this finds no trace of the 'H' variant.

Looking through previous posts, I have downloaded the latest versions of Firefox, MBAM, SUPERAntiSpyware, AVG and Ad-Aware, and gotten rid of anything such as uTorrent etc. prior to running MBAM and HijackThis. In anticipation I have also readied

Here are the logs, and BIG BIG thanks in advance for any help and/or advice.

Cheers

Dave

MBAM Log (Quick Scan, but a full scan about an hour earlier showed the same four results)

Malwarebytes' Anti-Malware 1.34

Database version: 1851

Windows 5.1.2600 Service Pack 3

15/03/2009 13:46:56

mbam-log-2009-03-15 (13-46-56).txt

Scan type: Quick Scan

Objects scanned: 66835

Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\yriqdux.dll (Trojan.Vundo.H) -> Delete on reboot.

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:15:19, on 15/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 6829 bytes


Hello Dave and welcome to the Malwarebytes forums. B)

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a new HijackThis log.


Thanks for replying, much appreciated.

Here are the ComboFix and HJT logs as requested.....

COMBO FIX

ComboFix 09-03-18.01 - D&A 2009-03-18 22:46:14.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2919 [GMT 0:00]

Running from: c:\documents and settings\D&A\Desktop\ComboFix.exe

FW: Online Armor Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

I:\AutoRun.inf

.

((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))

.

2009-03-15 14:14 . 2009-03-15 14:14 <DIR> d-------- c:\program files\Trend Micro

2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\program files\Tall Emu

2009-03-15 13:52 . 2009-03-18 22:44 <DIR> d-------- c:\documents and settings\D&A\Application Data\OnlineArmor

2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor

2009-03-15 13:52 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys

2009-03-15 13:52 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys

2009-03-15 13:52 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys

2009-03-15 03:00 . 2009-03-15 03:00 <DIR> d-------- c:\documents and settings\D&A\DoctorWeb

2009-03-15 01:52 . 2009-03-15 01:53 <DIR> d-------- C:\MGtools

2009-03-15 01:52 . 2009-03-15 01:53 51,060 --a------ C:\MGlogs.zip

2009-03-15 01:45 . 2009-03-15 01:45 1,339,834 --a------ C:\MGtools.exe

2009-03-15 01:18 . 2009-03-15 01:18 <DIR> d-------- c:\program files\Java

2009-03-15 01:18 . 2009-03-15 01:18 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-15 01:18 . 2009-03-15 01:18 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\documents and settings\D&A\Application Data\aAvgApi

2009-03-14 08:28 . 2009-03-09 12:49 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-14 07:55 . 2009-03-14 07:55 <DIR> d-------- c:\program files\mp3DirectCut

2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-12 09:52 . 2009-03-12 09:52 <DIR> d-------- c:\documents and settings\D&A\Application Data\Malwarebytes

2009-03-11 11:06 . 2009-03-11 11:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-11 10:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-11 10:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-11 07:53 . 2009-03-11 07:53 <DIR> d-------- c:\documents and settings\D&A\Application Data\dcumwcsi

2009-03-11 07:34 . 2009-03-11 07:34 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\dcumwcsi

2009-03-09 15:23 . 2009-03-09 15:23 22,540 --a------ c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp

2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- c:\program files\CCleaner

2009-03-09 12:49 . 2009-03-09 12:49 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-09 12:46 . 2009-03-09 12:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-03-09 10:11 . 2009-03-09 10:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberScrub

2009-03-09 09:59 . 2009-03-18 22:40 <DIR> d-------- c:\documents and settings\Administrator

2009-03-07 21:40 . 2009-03-07 21:40 2 --a------ C:\-1058818287

2009-03-07 21:40 . 2009-03-09 09:50 0 --a------ c:\windows\system32\drivers\c8485a2.sys

2009-02-27 07:23 . 2009-03-11 11:06 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\D&A\Application Data\SUPERAntiSpyware.com

2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-25 07:05 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-02-21 19:48 . 2009-02-21 19:48 <DIR> d-------- c:\windows\Downloaded Installations

2009-02-21 19:40 . 2008-04-14 00:12 159,232 --a------ c:\windows\system32\ptpusd.dll

2009-02-21 19:40 . 2008-04-13 18:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2009-02-21 19:40 . 2008-04-13 18:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2009-02-21 19:40 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-18 22:39 --------- d-----w c:\documents and settings\D&A\Application Data\HPAppData

2009-03-15 21:27 --------- d-----w c:\program files\Common Files\Adobe

2009-03-15 01:36 --------- d-----w c:\documents and settings\D&A\Application Data\uTorrent

2009-03-09 12:46 --------- d-----w c:\program files\Lavasoft

2009-03-09 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-03-09 08:26 --------- d-----w c:\program files\Trials 2 Second Edition

2009-02-02 16:13 --------- d-----w c:\program files\Bonjour

2009-01-31 22:02 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX

2009-01-23 12:55 --------- d-----w c:\program files\Valve

2009-01-18 15:02 --------- d-----w c:\documents and settings\D&A\Application Data\Ahead

2009-01-18 14:53 --------- d-----w c:\documents and settings\D&A\Application Data\Vso

2009-01-18 14:21 --------- d-----w c:\program files\Common Files\Ahead

2009-01-18 14:21 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead

2009-01-17 17:40 47,360 ----a-w c:\documents and settings\D&A\Application Data\pcouffin.sys

2009-01-06 21:35 26,072 ----a-w c:\documents and settings\D&A\Application Data\GDIPFONTCACHEV1.DAT

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-18 22:07 3,532 ----a-w C:\drmHeader.bin

2006-06-23 14:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe

2008-11-20 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112020081121\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]

2004-08-04 12:00 104448 --a------ c:\windows\system32\yriqdux.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]

2004-08-04 12:00 104448 c:\windows\system32\yriqdux.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D&A^Start Menu^Programs^Startup^Kremlin Sentry.lnk]

path=c:\documents and settings\D&A\Start Menu\Programs\Startup\Kremlin Sentry.lnk

backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

--a------ 2009-03-09 12:48 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2007-04-20 13:57 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2007-04-20 13:57 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2007-04-20 13:57 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Suite RiskMonitor]

--a------ 2007-11-22 10:53 1777296 c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2009-01-23 13:06 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

-ra------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-ra------ 2007-01-30 18:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

-ra------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Oxford University Press\\Twenty First Century Science\\content\\start_t.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]

R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-08-04 23424]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-15 178376]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-15 30920]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-15 28872]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-15 1402568]

R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-01 372480]

S1 c8485a2;c8485a2;c:\windows\system32\drivers\c8485a2.sys [2009-03-07 0]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-15 3321032]

S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ceagovhn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517c1dcf-c9da-11dd-b64c-0016017de508}]

\Shell\AutoRun\command - I:\RavMon.exe

\Shell\explore\Command - I:\RavMon.exe -e

\Shell\open\Command - I:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52885827-db46-11dd-b677-0016017de508}]

\Shell\AutoRun\command - I:\RavMon.exe

\Shell\explore\Command - I:\RavMon.exe -e

\Shell\open\Command - I:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a072178c-b686-11dd-b612-00173fd36e63}]

\Shell\AutoRun\command - I:\RavMon.exe

\Shell\explore\Command - I:\RavMon.exe -e

\Shell\open\Command - I:\RavMon.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:48]

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-14 c:\windows\Tasks\At1.job

- c:\windows\system32\yriqdux.dll [2004-08-04 12:00]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\D&A\Application Data\Mozilla\Firefox\Profiles\phaju8ts.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-18 22:48:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-03-18 22:49:15

ComboFix-quarantined-files.txt 2009-03-18 22:49:10

ComboFix2.txt 2009-03-14 23:24:38

Pre-Run: 48,306,036,736 bytes free

Post-Run: 50,547,736,576 bytes free

226 --- E O F --- 2009-02-25 07:31:55

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:52:32, on 18/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 6190 bytes


In your first log you had AVG, now you don't seem to have any antivirus installed. If you have none installed, I suggest you install one of the free-for-home-use AVs like Avast or AntiVir immediately:

Step 1:

Please go to Virus Total or VirSCAN and upload c:\windows\system32\drivers\lffycjtc.sys for scanning.

For Virus Total

  1. Please copy and paste C:\WINDOWS\system32\inetcomm.dll in the text box next to the Browse button.
  2. Click on Send File.

For VirScan

  1. Copy and paste C:\file.exe into the text box next to the Browse... button.
  2. Click on Upload.
  3. The file will be uploaded and scanned. This will take some time. Please be patient.
  4. When done, the page will be refreshed.
  5. Please copy and paste the scan results of this file in your next reply.

Step 2:

You have a flash infection, please insert any external drive device you have for the next steps:

  1. Please download Flash_Disinfector and save it to your desktop.
  2. Double click to run it.
  3. You will be prompted to plug in your flash drive. Plug it in.
  4. Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  5. When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  6. Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Step 3:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\-1058818287

c:\windows\system32\drivers\c8485a2.sys

c:\windows\system32\yriqdux.dll

c:\windows\Tasks\At1.job

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517c1dcf-c9da-11dd-b64c-0016017de508}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52885827-db46-11dd-b677-0016017de508}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a072178c-b686-11dd-b612-00173fd36e63}]

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

Driver::

c8485a2

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply along with a new HijackThis log and the VirusTotal/VirScan results.

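The Registry:: section of the CFScript above deletes a BHO CLSID and a Winlogon Notify key that both point at the same DLL. That pairing is the thing to look for in a HijackThis log: a Notify package is loaded into winlogon.exe at logon and a BHO into Internet Explorer (and Windows Explorer), so the file is in use for the whole session and an in-session delete fails. The following Python is an added example, not code from this thread, from HijackThis or from ComboFix. It parses O2/O20/O23 lines (the sample lines are copied from the log posted above) and reports modules registered under more than one load point. The "shared-module" and "unnamed-bho" rules are the example's own heuristics.

```python
"""Correlate HijackThis load points that resolve to the same module.

Added example, not part of the original thread and not HijackThis or
ComboFix code. The sample lines are copied from the HijackThis log posted
above. The rules ("shared-module", "unnamed-bho") are this example's own
heuristics for picking out what a CFScript Registry:: section would target.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class Entry(NamedTuple):
    kind: str    # "BHO" (O2), "Notify" (O20) or "Service" (O23)
    name: str    # display name exactly as HijackThis printed it
    clsid: str   # lower-case CLSID for BHO entries, empty otherwise
    path: str    # module path, lower-cased so C:\WINDOWS and c:\windows compare equal


_PATTERNS = {
    "BHO": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9a-f-]+)\} - (?P<path>.*)$", re.I),
    "Notify": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$", re.I),
    "Service": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$", re.I),
}

# Constructed sample: five lines taken verbatim from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def parse(log_text):
    """Turn O2/O20/O23 lines into Entry records; other HijackThis lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(kind, g["name"], g.get("clsid", "").lower(),
                                     g["path"].strip().lower()))
                break
    return entries


def findings(entries):
    """Return (rule, detail) pairs for load points that deserve attention."""
    out = []
    by_path = defaultdict(list)
    for e in entries:
        if e.path:
            by_path[e.path].append(e)
    for path, refs in by_path.items():
        kinds = {e.kind for e in refs}
        if {"BHO", "Notify"} <= kinds:
            # Same DLL loaded by IE/Explorer (BHO key) and by winlogon.exe (Notify key):
            # it is in use for the whole session, so an in-session delete fails. This is
            # exactly the pair of keys the CFScript's Registry:: section removes.
            out.append(("shared-module", path))
    for e in entries:
        if e.kind == "BHO" and e.name.lower() == "(no name)":
            # A BHO with no display name is unusual for commercial software.
            out.append(("unnamed-bho", f"{e.clsid} -> {e.path}"))
    return out


if __name__ == "__main__":
    for rule, detail in findings(parse(SAMPLE_LOG)):
        print(f"{rule:14} {detail}")
```

Run against the sample it reports yriqdux.dll once as a shared module and once as an unnamed BHO; the legitimate SUPERAntiSpyware Notify package and the Adobe BHO are not reported because each sits under a single load point.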

Thanks again for the help. Just to avoid confusion: I was finding that ComboFix kept detecting AVG running even though I thought I had it off, so the only way I had round that was to uninstall it. However, Avast is now on as per your recommendation.

The requested scan reports are listed below, but the quick summary is that VirusTotal found nothing in either file and ComboFix was denied access to yriqdux.dll.

Thanks again and will be keeping an eye out for your reply

Cheers

Dave

COMBO FIX RESULT

Combofix did not leave a result at C:\combofix.txt

All I could find was at C:\combofix\combofix.txt, posted below (properties showed it was created today at 1907 hours, 12 mins ago by my clock).

ComboFix 09-03-18.01 - D&A 2009-03-19 19:06:03.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2876 [GMT 0:00]

Running from: C:\Documents and Settings\D&A\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\D&A\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Updated)

FW: Online Armor Firewall *disabled*

* Created a new restore point

FILE ::

C:\-1058818287

c:\windows\system32\drivers\c8485a2.sys

c:\windows\system32\yriqdux.dll

c:\windows\Tasks\At1.job

.

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:20, on 2009-03-19

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 7348 bytes

VIRUSTOTAL RESULT FOR inetcomm.dll

File inetcomm.dll_ received on 03.19.2009 19:44:18 (CET)


Result: 0/39 (0%)


Antivirus Version Last Update Result

a-squared 4.0.0.101 2009.03.19 -

AhnLab-V3 5.0.0.2 2009.03.19 -

AntiVir 7.9.0.120 2009.03.19 -

Authentium 5.1.2.4 2009.03.19 -

Avast 4.8.1335.0 2009.03.19 -

AVG 8.5.0.283 2009.03.19 -

BitDefender 7.2 2009.03.19 -

CAT-QuickHeal 10.00 2009.03.19 -

ClamAV 0.94.1 2009.03.19 -

Comodo 1066 2009.03.18 -

DrWeb 4.44.0.09170 2009.03.19 -

eSafe 7.0.17.0 2009.03.19 -

eTrust-Vet 31.6.6388 2009.03.09 -

F-Prot 4.4.4.56 2009.03.19 -

F-Secure 8.0.14470.0 2009.03.19 -

Fortinet 3.117.0.0 2009.03.19 -

GData 19 2009.03.19 -

Ikarus T3.1.1.48.0 2009.03.19 -

K7AntiVirus 7.10.676 2009.03.19 -

Kaspersky 7.0.0.125 2009.03.19 -

McAfee 5558 2009.03.19 -

McAfee+Artemis 5558 2009.03.19 -

McAfee-GW-Edition 6.7.6 2009.03.19 -

Microsoft 1.4502 2009.03.19 -

NOD32 3948 2009.03.19 -

Norman 6.00.06 2009.03.19 -

nProtect 2009.1.8.0 2009.03.19 -

Panda 10.0.0.10 2009.03.19 -

PCTools 4.4.2.0 2009.03.19 -

Prevx1 V2 2009.03.19 -

Rising 21.21.32.00 2009.03.19 -

Sophos 4.39.0 2009.03.19 -

Sunbelt 3.2.1858.2 2009.03.19 -

Symantec 1.4.4.12 2009.03.19 -

TheHacker 6.3.3.0.285 2009.03.19 -

TrendMicro 8.700.0.1004 2009.03.19 -

VBA32 3.12.10.1 2009.03.18 -

ViRobot 2009.3.19.1656 2009.03.19 -

VirusBuster 4.6.5.0 2009.03.19 -

Additional information

File size: 691712 bytes

MD5...: 1853ef92e14e84ea982abe9156ce14ef

SHA1..: 9d63827db26c82fc8d52f6a48b255adc2b25dd95

SHA256: d3cfe197a7748cea5fa8f62daa038c7abe6a2cabd891c8d439431cb79fddf941

SHA512: 0566d7f5b9a3b5e4ad5cfc349511c1d6f9e59217f5ff52f6b525a2dc20d6638302d2fca6404ced8927a7eb9e1a398a30a49f5a43d224f0a7fc2cbe946e971855

ssdeep: 12288:cYdboQWdzQiFlkSyEivQX7mQDMbvfCi8pagSx9H++cu:XIdzQGlkSyEEmmQojfCi8pagmHF

PEiD..: -

TrID..: File type identification

DirectShow filter (43.0%)

Windows OCX File (26.3%)

Win64 Executable Generic (18.2%)

Win32 Executable MS Visual C++ (generic) (8.0%)

Win32 Executable Generic (1.8%)

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x23c56

timedatestamp.....: 0x47ffb63a (Fri Apr 11 19:04:26 2008)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x99510 0x99600 6.61 d75dfdbe8f881c3366129cb2e74be468

.data 0x9b000 0x5e58 0x3000 3.72 0c7884d3962d831eb661eec99b9d029f

.rsrc 0xa1000 0x3900 0x3a00 5.62 45344bbc4597ad4bd17a4eb6253f65ab

.reloc 0xa5000 0x8894 0x8a00 6.26 6ee9bc95f470d43fc62e03f266eccd0f

( 9 imports )

> MSOERT2.dll: SetWindowLongPtrAthW, FBuildTempPathW, WriteStreamToFileW, IUnknownList_CreateInstance, IVoidPtrList_CreateInstance, IsPlatformWinNT, CreateLogFile, StrTokEx, StrToUintA, PszScanToWhiteA, HrCreatePhonebookEntry, HrEditPhonebookEntry, HrFillRasCombo, FIsSpaceA, UpdateRebarBandColors, LoadMappedToolbarBitmap, HrCreateTridentMenu, HrCheckTridentMenu, CreateInfoWindow, HrIStreamWToBSTR, FreeTempFileList, FIsHTMLFileW, HrIsStreamUnicode, GetHtmlCharset, HrBSTRToLPSZ, HrGetElementImpl, HrSetDirtyFlagImpl, GetExePath, AppendTempFileList, fGetBrowserUrlEncoding, WriteStreamToFile, HrGetBodyElement, HrGetStyleSheet, CreateDataObject, CenterDialog, ReplaceCharsW, IsValidFileIfFileUrlW, MessageBoxInstW, HrIStreamToBSTR, FInitializeRichEdit, GetRichEdClassStringW, SetFontOnRichEd, RicheditStreamIn, HrLPSZToBSTR, HrStreamToByte, HrLPSZCPToBSTR, RicheditStreamOut, PszFromANSIStreamA, StrToUintW, ChConvertFromHex, PVGetMsgParam, HrGetMsgParam, HrGetCertificateParam, UnlocStrEqNW, UlStripWhitespace, FIsEmptyA, PszSkipWhiteW, HrCopyStreamToByte, PszToUnicode, PszToANSI, CchFileTimeToDateTimeW, CchFileTimeToDateTimeSz, CreateEnumFormatEtc, StripCRLF, HrCopyLockBytesToStream, HrGetStreamPos, OpenFileStreamW, BrowseForFolderW, OpenFileStream, PszSkipWhiteA, HrRewindStream, PszDupW, PszAllocW, FIsEmptyW, PszAllocA, HrCopyStreamCBEndOnCRLF, CreateTempFileStream, HrStreamSeekSet, HrSafeGetStreamSize, IsDigit, HrCopyStream, HrCopyStreamCB, CleanupFileNameInPlaceA, PszDupA, CleanupFileNameInPlaceW, HrDecodeObject, PVDecodeObject, IsUpper, HrStreamSeekCur, HrIndexOfMonth, HrIndexOfWeek, HrFindInetTimeZone, PszDayFromIndex, PszMonthFromIndex, PszScanToCharA, CryptFreeFunc, CryptAllocFunc, SzGetCertificateEmailAddress, PVGetCertificateParam, FMissingCert, HrGetStreamSize, DeleteTempFileOnShutdownEx, CreateTempFile, WriteStreamToFileHandle, ReplaceChars, OpenFileStreamShareW, MessageBoxInst

> KERNEL32.dll: GetWindowsDirectoryA, QueryPerformanceCounter, GetCurrentProcessId, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, ReleaseSemaphore, CreateSemaphoreA, GetEnvironmentVariableA, VirtualProtect, SetStdHandle, LCMapStringW, LCMapStringA, VirtualQuery, InterlockedExchange, RtlUnwind, GetStringTypeW, GetStringTypeA, SetFilePointer, GetCPInfo, GetOEMCP, UnhandledExceptionFilter, HeapReAlloc, WriteFile, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, TlsAlloc, TlsGetValue, TlsFree, ExitProcess, HeapAlloc, HeapFree, GetCommandLineA, TlsSetValue, DeleteFileW, GetFileSize, FormatMessageA, InterlockedDecrement, InterlockedIncrement, InterlockedCompareExchange, lstrcpynA, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, FreeLibrary, EnterCriticalSection, DisableThreadLibraryCalls, MultiByteToWideChar, GetModuleFileNameA, lstrcmpiA, lstrlenA, IsDBCSLeadByteEx, lstrlenW, lstrcmpA, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetSystemTime, GetLastError, GetTimeZoneInformation, GetLocalTime, FileTimeToSystemTime, FileTimeToLocalFileTime, SetLastError, VirtualFree, VirtualAlloc, WideCharToMultiByte, CloseHandle, GetModuleHandleA, GlobalFree, GlobalUnlock, GlobalLock, GlobalSize, GetACP, GetTickCount, LocalFree, LocalAlloc, lstrcmpiW, lstrcmpW, IsDBCSLeadByte, GetCurrentThreadId, IsValidCodePage, GetProcAddress, LoadLibraryA, GetSystemInfo, LoadLibraryExA, ExpandEnvironmentStringsA, GetSystemDefaultLCID, RtlMoveMemory, MulDiv, SizeofResource, LockResource, LoadResource, FindResourceA, GetVersionExA, DeleteFileA, CopyFileA, FlushFileBuffers, FreeResource, GlobalAlloc, GetLocaleInfoA, CreateDirectoryA, GetUserDefaultLangID, GetSystemDefaultLangID, SetErrorMode, Sleep, CompareFileTime, SetEvent, ResetEvent, WaitForSingleObject, CreateThread, CreateEventA, TerminateThread

> ole32.dll: CoUninitialize, ReleaseStgMedium, CoTaskMemFree, IIDFromString, OleDestroyMenuDescriptor, OleRun, CoCreateInstance, CreateBindCtx, CreateStreamOnHGlobal, GetHGlobalFromStream, StringFromGUID2, PropVariantClear, CoCreateGuid, CoTaskMemRealloc, CLSIDFromString, CoGetMalloc, CoInitializeEx

> USER32.dll: WinHelpA, GetAsyncKeyState, InsertMenuItemA, GetMenuItemCount, GetMenuItemInfoA, DrawIconEx, DestroyIcon, LoadIconA, CopyIcon, SystemParametersInfoA, PeekMessageA, GetWindowThreadProcessId, DialogBoxParamA, SetForegroundWindow, CreateWindowExA, CharNextExA, CreateDialogParamA, RegisterWindowMessageA, SetDlgItemTextA, IsCharAlphaNumericA, IsCharAlphaA, CharNextA, GetClassInfoA, RegisterClassA, RemovePropA, MoveWindow, SetPropA, MapWindowPoints, GetMenuStringA, SetWindowTextA, CheckMenuRadioItem, GetWindow, TranslateMessage, DispatchMessageA, GetDlgCtrlID, GetPropA, CallWindowProcA, CreatePopupMenu, MessageBeep, InflateRect, IsChild, AppendMenuA, CheckMenuItem, PostMessageA, GetCapture, SetCursor, GetWindowTextLengthA, GetWindowTextA, KillTimer, SetTimer, LoadAcceleratorsA, BeginPaint, GetSystemMetrics, GetSysColor, DrawEdge, EndPaint, LoadStringW, DrawTextExW, GetSysColorBrush, FillRect, ClientToScreen, InvalidateRect, GetFocus, CopyRect, IsWindowVisible, ShowWindow, GetDlgItem, EnableWindow, IsDlgButtonChecked, EndDialog, CheckRadioButton, EnumChildWindows, GetKeyboardLayoutList, LoadMenuA, GetSubMenu, GetClassInfoExA, LoadCursorA, RegisterClassExA, CreateWindowExW, SetWindowLongA, GetWindowLongA, DefWindowProcA, GetDC, ReleaseDC, GetClientRect, SetFocus, SetWindowPos, RemoveMenu, EnableMenuItem, GetWindowRect, GetParent, TrackPopupMenu, DestroyMenu, GetKeyState, SendMessageW, SendMessageA, DestroyWindow, IsWindow, LoadStringA, SendDlgItemMessageA, CharUpperA, CharLowerA, RegisterClipboardFormatA, CharPrevExA

> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, CryptReleaseContext, CryptGetProvParam, CryptAcquireContextA, CryptSetProvParam, RegEnumKeyExA, RegQueryInfoKeyA, RegEnumValueA, RegSetValueExA, RegCreateKeyExA, CryptGenRandom, RegCloseKey

> GDI32.dll: SelectObject, GetObjectA, GetTextMetricsA, DeleteObject, DeleteDC, ExtTextOutA, RestoreDC, BitBlt, SetTextColor, SetBkColor, SetBkMode, CreateCompatibleBitmap, SaveDC, CreateCompatibleDC, GetStockObject, PatBlt, GetTextExtentPoint32A, CreateDIBitmap, GetDeviceCaps, Ellipse, Rectangle, CreateSolidBrush, EnumFontFamiliesExA, CreateFontIndirectA, TranslateCharsetInfo

> SHELL32.dll: ShellExecuteA

> SHLWAPI.dll: -, -, -, -, AssocQueryKeyW, PathQuoteSpacesW, PathFileExistsW, PathIsDirectoryW, PathRemoveFileSpecW, PathIsContentTypeW, PathRemoveFileSpecA, PathAddBackslashA, StrChrIA, SHQueryValueExA, UrlCombineW, PathFileExistsA, StrPBrkW, PathFindFileNameA, StrCpyW, StrCatW, StrChrA, StrChrW, StrToIntW, StrCmpNW, SHRegGetBoolUSValueA, -, StrStrIA, StrDupA, StrDupW, StrFormatByteSizeW, StrCatBuffW, PathStripPathW, PathCompactPathExW, StrCmpNA, StrCpyNW, StrCmpNIW, -, UrlIsW, UrlUnescapeA, StrCmpW, StrCmpIW, StrStrW, StrStrIW, StrStrA, PathFindFileNameW, PathFindExtensionW, wnsprintfW, PathFindExtensionA, StrCmpNIA, wnsprintfA, StrToIntA, StrCatBuffA, UrlGetPartW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, PathCreateFromUrlA, -, PathAppendW, SHAutoComplete, -

> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 107 exports )

CreateIMAPTransport, CreateIMAPTransport2, CreateNNTPTransport, CreatePOP3Transport, CreateRASTransport, CreateRangeList, CreateSMTPTransport, DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, EssContentHintDecodeEx, EssContentHintEncodeEx, EssKeyExchPreferenceDecodeEx, EssKeyExchPreferenceEncodeEx, EssMLHistoryDecodeEx, EssMLHistoryEncodeEx, EssReceiptDecodeEx, EssReceiptEncodeEx, EssReceiptRequestDecodeEx, EssReceiptRequestEncodeEx, EssSecurityLabelDecodeEx, EssSecurityLabelEncodeEx, EssSignCertificateDecodeEx, EssSignCertificateEncodeEx, GetDllMajorVersion, HrAthGetFileName, HrAthGetFileNameW, HrAttachDataFromBodyPart, HrAttachDataFromFile, HrDoAttachmentVerb, HrFreeAttachData, HrGetAttachIcon, HrGetAttachIconByFile, HrGetDisplayNameWithSizeForFile, HrGetLastOpenFileDirectory, HrGetLastOpenFileDirectoryW, HrSaveAttachToFile, HrSaveAttachmentAs, MimeEditCreateMimeDocument, MimeEditDocumentFromStream, MimeEditGetBackgroundImageUrl, MimeEditIsSafeToRun, MimeEditViewSource, MimeGetAddressFormatW, MimeOleAlgNameFromSMimeCap, MimeOleAlgStrengthFromSMimeCap, MimeOleClearDirtyTree, MimeOleConvertEnrichedToHTML, MimeOleCreateBody, MimeOleCreateByteStream, MimeOleCreateHashTable, MimeOleCreateHeaderTable, MimeOleCreateMessage, MimeOleCreateMessageParts, MimeOleCreatePropertySet, MimeOleCreateSecurity, MimeOleCreateVirtualStream, MimeOleDecodeHeader, MimeOleEncodeHeader, MimeOleFileTimeToInetDate, MimeOleFindCharset, MimeOleGenerateCID, MimeOleGenerateFileName, MimeOleGenerateMID, MimeOleGetAllocator, MimeOleGetBodyPropA, MimeOleGetBodyPropW, MimeOleGetCertsFromThumbprints, MimeOleGetCharsetInfo, MimeOleGetCodePageCharset, MimeOleGetCodePageInfo, MimeOleGetContentTypeExt, MimeOleGetDefaultCharset, MimeOleGetExtContentType, MimeOleGetFileExtension, MimeOleGetFileInfo, MimeOleGetFileInfoW, MimeOleGetInternat, MimeOleGetPropA, MimeOleGetPropW, MimeOleGetPropertySchema, MimeOleGetRelatedSection, MimeOleInetDateToFileTime, MimeOleObjectFromMoniker, MimeOleOpenFileStream, MimeOleParseMhtmlUrl, MimeOleParseRfc822Address, MimeOleParseRfc822AddressW, MimeOleSMimeCapAddCert, MimeOleSMimeCapAddSMimeCap, MimeOleSMimeCapGetEncAlg, MimeOleSMimeCapGetHashAlg, MimeOleSMimeCapInit, MimeOleSMimeCapRelease, MimeOleSMimeCapsFromDlg, MimeOleSMimeCapsFull, MimeOleSMimeCapsToDlg, MimeOleSetBodyPropA, MimeOleSetBodyPropW, MimeOleSetCompatMode, MimeOleSetDefaultCharset, MimeOleSetPropA, MimeOleSetPropW, MimeOleStripHeaders, MimeOleUnEscapeStringInPlace, RichMimeEdit_CreateInstance

VIRUSTOTAL RESULT FOR lffycjtc.sys

File lffycjtc.sys received on 03.19.2009 19:38:59 (CET)


Result: 0/38 (0%)


Antivirus Version Last Update Result

a-squared 4.0.0.101 2009.03.19 -

AhnLab-V3 5.0.0.2 2009.03.19 -

AntiVir 7.9.0.120 2009.03.19 -

Authentium 5.1.2.4 2009.03.19 -

Avast 4.8.1335.0 2009.03.19 -

AVG 8.5.0.283 2009.03.19 -

BitDefender 7.2 2009.03.19 -

CAT-QuickHeal 10.00 2009.03.19 -

ClamAV 0.94.1 2009.03.19 -

Comodo 1066 2009.03.18 -

DrWeb 4.44.0.09170 2009.03.19 -

eSafe 7.0.17.0 2009.03.19 -

eTrust-Vet 31.6.6388 2009.03.09 -

F-Prot 4.4.4.56 2009.03.19 -

F-Secure 8.0.14470.0 2009.03.19 -

Fortinet 3.117.0.0 2009.03.19 -

GData 19 2009.03.19 -

Ikarus T3.1.1.48.0 2009.03.19 -

K7AntiVirus 7.10.676 2009.03.19 -

Kaspersky 7.0.0.125 2009.03.19 -

McAfee 5558 2009.03.19 -

McAfee+Artemis 5558 2009.03.19 -

McAfee-GW-Edition 6.7.6 2009.03.19 -

Microsoft 1.4502 2009.03.19 -

NOD32 3948 2009.03.19 -

Norman 6.00.06 2009.03.19 -

nProtect 2009.1.8.0 2009.03.19 -

Panda 10.0.0.10 2009.03.19 -

Prevx1 V2 2009.03.19 -

Rising 21.21.32.00 2009.03.19 -

Sophos 4.39.0 2009.03.19 -

Sunbelt 3.2.1858.2 2009.03.19 -

Symantec 1.4.4.12 2009.03.19 -

TheHacker 6.3.3.0.285 2009.03.19 -

TrendMicro 8.700.0.1004 2009.03.19 -

VBA32 3.12.10.1 2009.03.18 -

ViRobot 2009.3.19.1656 2009.03.19 -

VirusBuster 4.6.5.0 2009.03.19 -

Additional information

File size: 23424 bytes

MD5...: 5118a24a6af29642c72ae14c58772775

SHA1..: 3221d4a23992bf001fc96e646f419d180c6f1b29

SHA256: 1c841036d2513c789185e3550e1786834c2e5771d497d9f6300e45ee1524b865

SHA512: 8718f4b59741010480552c3aa191168a32f354566070b3ea302f340d601f33d4f5cea0541472d33e8bae943cfac6038cff205b969abb012eec7f4ff4d6c40271

ssdeep: 384:c8Lb5xdIswCKA98X43QtuCZVNbIcP3WJcwWjcAdyEmnmWaODX5rcJ9naUBDv6ILj:5pNSoADTjOelmnmWRDSJ9aUN62aZfKf

PEiD..: -

TrID..: File type identification

Generic Win/DOS Executable (49.9%)

DOS Executable Generic (49.8%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x27c7

timedatestamp.....: 0x48025771 (Sun Apr 13 18:56:49 2008)

machinetype.......: 0x14c (I386)

( 7 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x300 0x2300 0x2300 6.89 b547eafda0719b700355c348c9850988

.rdata 0x2600 0xe1 0x100 3.33 1ce6ee7b8767a76a9725a4d7609b2c12

.data 0x2700 0x20 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc

INIT 0x2780 0x45c 0x480 5.26 9b29b76abd6b8499ea13f475a3b7ceb4

.byfo 0x2c00 0x2980 0x2980 7.74 a7e7f0dbadc4ddc94bc8af9ea0a89d36

.rsrc 0x5580 0x3e8 0x400 3.39 57e24e21fe9a929280d91b3e81c1a23c

.reloc 0x5980 0x1ce 0x200 5.04 709f3b9076f654b5acd6a8e26de7b74e

( 4 imports )

> ntoskrnl.exe: InterlockedDecrement, InterlockedIncrement, ExFreePool, IoFreeMdl, IoAllocateMdl, IoCancelIrp, memmove, ExAllocatePoolWithTag, KeSetEvent, IoAllocateIrp, MmBuildMdlForNonPagedPool, MmMapLockedPages, KeTickCount, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, KeSetTimer, IoQueueWorkItem, IoAllocateWorkItem, IofCallDriver, KeWaitForSingleObject, IoFreeIrp, IoFreeWorkItem, KeInitializeSpinLock

> HAL.dll: KfRaiseIrql, KfAcquireSpinLock, KeGetCurrentIrql, KfReleaseSpinLock, KfLowerIrql

> USBD.SYS: USBD_CreateConfigurationRequestEx, USBD_ParseConfigurationDescriptor

> RNDISMPX.SYS: RndisMInitializeWrapperEx, RndisMSendCompleteEx, RndisMIndicateReceiveEx

( 0 exports )

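A 0/38 VirusTotal result only says that no engine had a signature for the file on that day; it does not vouch for it. The PE section table VirusTotal printed for lffycjtc.sys is worth reading on its own: a section named .byfo, which is not a name a normal WDM driver build produces, with entropy 7.74 out of a possible 8.0, is what compressed or encrypted payload data looks like, whatever the scanners say. The following Python is an added example, not code from this thread or from VirusTotal. It parses the two section tables as posted above and applies three checks (an unexpected section name, entropy above a threshold, and a virtual size far larger than the raw size, which is a typical unpacking target). The threshold, the list of expected names and the "packed fraction" metric are the example's own heuristics; a hit means "look closer", not "malicious".

```python
"""Triage a PE section table as printed in VirusTotal's "PEInfo" block.

Added example, not part of the original thread and not VirusTotal code.
The two tables below are copied from the VirusTotal output posted above
(inetcomm.dll and lffycjtc.sys). The entropy threshold, the set of
"expected" section names and the packed-fraction metric are this example's
own heuristics: a hit means "look closer", not "malicious".
"""
from typing import NamedTuple


class Section(NamedTuple):
    name: str
    virt_addr: int
    virt_size: int
    raw_size: int
    entropy: float
    md5: str


# Section names an MSVC-built user-mode DLL or WDM driver is expected to carry
# (assumed list). Anything else is not proof of packing, but it is the first
# thing to ask about.
EXPECTED_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", "INIT", "PAGE", "PAGELK", "PAGEDATA",
}
# Shannon entropy is at most 8.0; plain x86 code usually lands between about 6 and 6.9.
ENTROPY_THRESHOLD = 7.2

# Rows copied from the VirusTotal results posted in this thread.
INETCOMM_SECTIONS = """\
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x99510 0x99600 6.61 d75dfdbe8f881c3366129cb2e74be468
.data 0x9b000 0x5e58 0x3000 3.72 0c7884d3962d831eb661eec99b9d029f
.rsrc 0xa1000 0x3900 0x3a00 5.62 45344bbc4597ad4bd17a4eb6253f65ab
.reloc 0xa5000 0x8894 0x8a00 6.26 6ee9bc95f470d43fc62e03f266eccd0f
"""

LFFYCJTC_SECTIONS = """\
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x2300 0x2300 6.89 b547eafda0719b700355c348c9850988
.rdata 0x2600 0xe1 0x100 3.33 1ce6ee7b8767a76a9725a4d7609b2c12
.data 0x2700 0x20 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc
INIT 0x2780 0x45c 0x480 5.26 9b29b76abd6b8499ea13f475a3b7ceb4
.byfo 0x2c00 0x2980 0x2980 7.74 a7e7f0dbadc4ddc94bc8af9ea0a89d36
.rsrc 0x5580 0x3e8 0x400 3.39 57e24e21fe9a929280d91b3e81c1a23c
.reloc 0x5980 0x1ce 0x200 5.04 709f3b9076f654b5acd6a8e26de7b74e
"""


def parse_sections(table):
    """Parse 'name viradd virsiz rawdsiz ntrpy md5' rows; the header row is skipped."""
    out = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[1].startswith("0x"):
            continue
        name, va, vs, rs, ent, md5 = parts
        out.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5))
    return out


def triage(sections, threshold=ENTROPY_THRESHOLD):
    """Return (section name, reason) pairs for sections that deserve a look."""
    hits = []
    for s in sections:
        if s.name not in EXPECTED_NAMES:
            hits.append((s.name, "nonstandard-name"))
        if s.raw_size > 0 and s.entropy >= threshold:
            hits.append((s.name, "high-entropy"))
        if s.raw_size > 0 and s.virt_size > 4 * s.raw_size:
            # Far more virtual than on-disk space: room for something to unpack into.
            hits.append((s.name, "virtual-much-larger-than-raw"))
    return hits


def packed_fraction(sections, threshold=ENTROPY_THRESHOLD):
    """Share of on-disk section bytes that sit in high-entropy sections."""
    total = sum(s.raw_size for s in sections)
    if not total:
        return 0.0
    dense = sum(s.raw_size for s in sections if s.entropy >= threshold)
    return dense / total


if __name__ == "__main__":
    for label, table in (("inetcomm.dll", INETCOMM_SECTIONS), ("lffycjtc.sys", LFFYCJTC_SECTIONS)):
        secs = parse_sections(table)
        print(label, triage(secs), f"packed fraction {packed_fraction(secs):.2f}")
```

On the posted tables inetcomm.dll produces no hits, while lffycjtc.sys is flagged twice for .byfo, and almost half of that driver's on-disk bytes (10624 of 22656) sit in the one high-entropy section. That is the kind of finding to carry into the rootkit scan the helper asks for next, not a verdict by itself.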

Hi Dave,

I was in a hurry posting last night and gave you extra files to scan, but you did get the one I wanted to see. Sorry about the extra work; there was no harm done. Anyway, it looks like something is protecting that Vundo file, so we can have a deeper look.

Step 1:

Download at your desktop DDS from one of the links below:

Link 1

Link 2

  • Double click the tool to run it.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finish it will open 2 reports.
  • Copy/paste both reports back here and remove DDS from your desktop.

Step 2:

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

Logs to Post:

Post the following logs, if you need to use multiple replies to post the logs please do so:

The 2 DDS logs

Gmer.txt


Morning

Had a chance to try some of this before work, so here are the 2 DDS logs. The second said to zip it up instead of posting, so I have posted it AND attached it as a rar (couldn't find zip...).

If GMER takes more than 2 mins I will have to wait till later/tomorrow due to work, but I really appreciate the work and help.

Thanks again

Dave

DDS.txt

DDS (Ver_09-03-16.01) - NTFSx86

Run by D&A at 6:55:35.07 on 2009-03-20

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2887 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning enabled* (Updated)

FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Documents and Settings\D&A\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

ATTACH.TXT

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2008-11-17 11:31:50

System Uptime: 2009-03-20 06:31:15 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-VM

Processor: Intel Pentium III Xeon processor | LGA775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 46.912 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\ATK0110\1010110

Manufacturer:

Name:

PNP Device ID: ACPI\ATK0110\1010110

Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}

Description: Photosmart C4380 series

Device ID: ROOT\IMAGE\0000

Manufacturer: HP

Name: HP Photosmart C4380

PNP Device ID: ROOT\IMAGE\0000

Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}

Description: Photosmart C4380 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP


Wow! gmer ran way quicker than expected!

Here is the log...

Thanks again

GMER 1.0.15.14939 - http://www.gmer.net

Rootkit scan 2009-03-20 07:02:43

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xA818EE20]

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xA818EE50]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

---- EOF - GMER 1.0.15 ----


Just re-ran DDS and here are the logs

DDS.TXT

DDS (Ver_09-03-16.01) - NTFSx86

Run by D&A at 22:46:05.31 on 2009-03-20

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2810 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning enabled* (Updated)

FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\D&A\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227040515671

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230643681234

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: hmbdkint - yriqdux.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d&a\applic~1\mozilla\firefox\profiles\phaju8ts.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]

R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-8-4 23424]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-19 114768]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-15 178376]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-15 30920]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-15 28872]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-19 20560]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-19 138680]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951120]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-3-15 1402568]

R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-15 3321032]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-19 254040]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-19 352920]

R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-1 372480]

S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-19 19:05 389,120 a------- c:\windows\system32\CF6364.exe

2009-03-19 19:05 <DIR> --d----- C:\ComboFix

2009-03-19 18:55 <DIR> a-dshr-- C:\autorun.inf

2009-03-19 06:31 1,060,864 a------- c:\windows\system32\MFC71.dll

2009-03-15 14:14 <DIR> --d----- c:\program files\Trend Micro

2009-03-15 13:52 <DIR> --d----- c:\docume~1\d&a\applic~1\OnlineArmor

2009-03-15 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor

2009-03-15 13:52 178,376 a------- c:\windows\system32\drivers\OADriver.sys

2009-03-15 13:52 30,920 a------- c:\windows\system32\drivers\OAmon.sys

2009-03-15 13:52 28,872 a------- c:\windows\system32\drivers\OAnet.sys

2009-03-15 13:52 <DIR> --d----- c:\program files\Tall Emu

2009-03-15 03:00 <DIR> --d----- c:\documents and settings\d&a\DoctorWeb

2009-03-15 01:52 51,060 a------- C:\MGlogs.zip

2009-03-15 01:52 <DIR> --d----- C:\MGtools

2009-03-15 01:45 1,339,834 a------- C:\MGtools.exe

2009-03-15 01:18 410,984 a------- c:\windows\system32\deploytk.dll

2009-03-15 01:18 73,728 a------- c:\windows\system32\javacpl.cpl

2009-03-14 23:32 <DIR> --d----- c:\docume~1\d&a\applic~1\aAvgApi

2009-03-14 23:18 <DIR> a-dshr-- C:\cmdcons

2009-03-14 23:16 161,792 a------- c:\windows\SWREG.exe

2009-03-14 23:16 98,816 a------- c:\windows\sed.exe

2009-03-14 08:28 15,688 a------- c:\windows\system32\lsdelete.exe

2009-03-14 07:55 <DIR> --d----- c:\program files\mp3DirectCut

2009-03-13 11:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-03-13 11:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-03-12 09:52 <DIR> --d----- c:\docume~1\d&a\applic~1\Malwarebytes

2009-03-11 11:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-03-11 10:54 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-11 10:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-11 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-03-11 10:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 07:53 <DIR> --d----- c:\docume~1\d&a\applic~1\dcumwcsi

2009-03-09 15:23 22,540 a------- c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp

2009-03-09 15:19 <DIR> --d----- c:\program files\CCleaner

2009-03-09 12:49 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-03-09 12:46 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-27 07:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-02-27 07:23 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-02-27 07:23 <DIR> --d----- c:\docume~1\d&a\applic~1\SUPERAntiSpyware.com

2009-02-25 07:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-02-21 19:48 <DIR> --d----- c:\windows\Downloaded Installations

2009-02-21 19:40 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys

2009-02-21 19:40 15,104 a------- c:\windows\system32\drivers\usbscan.sys

2009-02-21 19:40 5,632 a------- c:\windows\system32\ptpusb.dll

2009-02-21 19:40 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-01-17 17:40 47,360 a------- c:\docume~1\d&a\applic~1\pcouffin.sys

2009-01-06 21:35 26,072 a------- c:\docume~1\d&a\applic~1\GDIPFONTCACHEV1.DAT

2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll

2006-06-23 14:48 32,768 a------- c:\windows\inf\UpdateUSB.exe

2008-11-20 17:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112020081121\index.dat

============= FINISH: 22:47:54.87 ===============

ATTACH.TXT

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2008-11-17 11:31:50

System Uptime: 2009-03-20 22:11:17 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-VM

Processor: Intel Pentium III Xeon processor | LGA775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 46.909 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\ATK0110\1010110

Manufacturer:

Name:

PNP Device ID: ACPI\ATK0110\1010110

Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}

Description: Photosmart C4380 series

Device ID: ROOT\IMAGE\0000

Manufacturer: HP

Name: HP Photosmart C4380

PNP Device ID: ROOT\IMAGE\0000

Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}

Description: Photosmart C4380 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Photosmart C4380 series

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

==== System Restore Points ===================

RP1: 2009-03-14 22:43:41 - System Checkpoint

RP2: 2009-03-14 22:45:42 - Removed AVG 8.0

RP3: 2009-03-14 22:50:17 - Removed AVG 8.0

RP4: 2009-03-14 23:16:59 - ComboFix created restore point

RP5: 2009-03-14 23:28:41 - Installed AVG Free 8.0

RP6: 2009-03-15 01:18:33 - Installed Java 6 Update 12

RP7: 2009-03-15 11:13:06 - Avg8 Update

RP8: 2009-03-16 18:04:37 - System Checkpoint

RP9: 2009-03-17 20:36:08 - System Checkpoint

RP10: 2009-03-18 21:24:09 - System Checkpoint

RP11: 2009-03-18 22:40:13 - Removed AVG Free 8.5

RP12: 2009-03-18 22:40:53 - Installed AVG Free 8.5

RP13: 2009-03-18 22:45:56 - ComboFix created restore point

RP14: 2009-03-19 19:05:42 - ComboFix created restore point

==== Installed Programs ======================

32 Bit HP CIO Components Installer

Acrobat.com

Ad-Aware

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.1

Apple Mobile Device Support

Apple Software Update

AutoUpdate

avast! Antivirus

Avi2Dvd 0.4.5 beta

AviSynth 2.5

Bonjour

CCleaner (remove only)

ConvertXtoDVD 2.2.3.258h

Counter-Strike: Source

CyberScrub


Hi, sorry for the delay, I was away.

Step 1:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\windows\system32\yriqdux.dll

c:\windows\system32\drivers\lffycjtc.sys

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]

DDS::

TB: {A057A204-BACC-4D26-9990-79A187E2698E} -

Driver::

lffycjtc

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply along with a new HijackThis log.

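The indicators in that CFScript were picked out of the DDS logs above by hand: a BHO registered with no friendly name whose DLL sits in system32 under a random name, a Winlogon Notify entry that loads the same DLL, an orphaned toolbar CLSID ("No File"), and a driver whose service name, display name and file stem are all the same random-looking string. The Python below is an added example, not code from this thread, from ComboFix or from DDS; it automates that correlation over a few DDS lines copied from the logs posted here and drafts the CFScript sections in the layout the helper used, for a human to review before anything is run. The vowel-ratio "random-looking name" heuristic and the finding-kind labels are this example's own assumptions.

```python
import ntpath  # handles backslash paths even when run on a non-Windows host
import re

# Constructed sample: a handful of "Pseudo HJT Report" and "SERVICES / DRIVERS"
# lines copied from the DDS logs posted in this thread; not a complete log.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: hmbdkint - yriqdux.dll
Notify: igfxcui - igfxdev.dll
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-8-4 23424]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-15 30920]
"""

# Line shapes as DDS prints them. The BHO friendly name is optional: that absence is the signal.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9a-f-]+\}) - (?P<path>.+)$", re.I)
TB_RE = re.compile(r"^TB: (?P<clsid>\{[0-9a-f-]+\}) - No File$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>.+)$")
DRIVER_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")


def looks_random(stem):
    """Heuristic (this example's assumption, not a rule from the thread): an
    all-lowercase, letters-only name of 7+ characters with few or no vowels."""
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25


def triage(dds_text):
    """Return a list of findings correlating DDS load points the way the helper did."""
    lines = [ln.strip() for ln in dds_text.splitlines() if ln.strip()]
    findings, unnamed_bho = [], {}
    # Pass 1: BHOs registered without a friendly name (legitimate ones carry one).
    for ln in lines:
        m = BHO_RE.match(ln)
        if m and m["name"] is None:
            dll = ntpath.basename(m["path"]).lower()
            unnamed_bho[dll] = m["clsid"]
            findings.append({"kind": "bho_unnamed", "clsid": m["clsid"], "path": m["path"]})
    # Pass 2: entries that correlate with, or resemble, those indicators.
    for ln in lines:
        if m := TB_RE.match(ln):
            findings.append({"kind": "tb_orphan", "clsid": m["clsid"]})
        elif m := NOTIFY_RE.match(ln):
            dll = ntpath.basename(m["dll"]).lower()
            if dll in unnamed_bho:  # same DLL in a second load point (winlogon)
                findings.append({"kind": "notify_shared_dll", "key": m["key"],
                                 "dll": dll, "clsid": unnamed_bho[dll]})
        elif m := DRIVER_RE.match(ln):
            stem = ntpath.splitext(ntpath.basename(m["path"]))[0]
            if m["svc"] == m["disp"] == stem and looks_random(stem):
                findings.append({"kind": "driver_random_name", "service": m["svc"], "path": m["path"]})
    return findings


def render_cfscript(findings):
    """Draft the File::/Registry::/DDS::/Driver:: sections in the layout used in
    this thread. Output is a draft for a human helper to check, not to run blindly."""
    files, regs, dds, drivers = [], [], [], []
    for f in findings:
        if f["kind"] == "bho_unnamed":
            files.append(f["path"])
            regs.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % f["clsid"])
        elif f["kind"] == "notify_shared_dll":
            regs.append(r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s]" % f["key"])
        elif f["kind"] == "tb_orphan":
            dds.append("TB: %s -" % f["clsid"])
        elif f["kind"] == "driver_random_name":
            files.append(f["path"])
            drivers.append(f["service"])
    out = []
    for header, items in (("File::", files), ("Registry::", regs), ("DDS::", dds), ("Driver::", drivers)):
        if items:
            out.extend([header, *items, ""])
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    found = triage(SAMPLE_DDS)
    for f in found:
        print(f)
    print(render_cfscript(found))
```

Run on the sample, the draft comes out with the same four sections and the same entries as the helper's script above; the point of the two-pass design is that the Notify entry is only flagged because its DLL was already tied to a nameless BHO, so a legitimate Notify handler such as igfxcui is left alone.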

Evening and thanks again, here are the Combofix and HJT logs.

ComboFix 09-03-22.01 - D&A 2009-03-22 21:25:09.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2859 [GMT 0:00]

Running from: c:\documents and settings\D&A\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\D&A\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning disabled* (Updated)

FW: Online Armor Firewall *disabled*

* Created a new restore point

FILE ::

c:\windows\system32\drivers\lffycjtc.sys

c:\windows\system32\yriqdux.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\D&A\Cookies\OFLMC.PEG

c:\documents and settings\D&A\Cookies\OUOIA.IPV

c:\windows\system32\drivers\lffycjtc.sys

c:\windows\system32\yriqdux.dll

.

---- Previous Run -------

.

C:\-1058818287

c:\windows\system32\drivers\c8485a2.sys

c:\windows\Tasks\At1.job

c:\windows\system32\yriqdux.dll . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_c8485a2

-------\Legacy_lffycjtc

-------\Service_lffycjtc

((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))

.

2009-03-19 06:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2009-03-19 06:30 . 2009-03-19 06:30 <DIR> d-------- c:\program files\Alwil Software

2009-03-15 14:14 . 2009-03-15 14:14 <DIR> d-------- c:\program files\Trend Micro

2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\program files\Tall Emu

2009-03-15 13:52 . 2009-03-22 21:34 <DIR> d-------- c:\documents and settings\D&A\Application Data\OnlineArmor

2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor

2009-03-15 13:52 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys

2009-03-15 13:52 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys

2009-03-15 13:52 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys

2009-03-15 03:00 . 2009-03-15 03:00 <DIR> d-------- c:\documents and settings\D&A\DoctorWeb

2009-03-15 01:52 . 2009-03-15 01:53 <DIR> d-------- C:\MGtools

2009-03-15 01:52 . 2009-03-15 01:53 51,060 --a------ C:\MGlogs.zip

2009-03-15 01:45 . 2009-03-15 01:45 1,339,834 --a------ C:\MGtools.exe

2009-03-15 01:18 . 2009-03-15 01:18 <DIR> d-------- c:\program files\Java

2009-03-15 01:18 . 2009-03-15 01:18 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-15 01:18 . 2009-03-15 01:18 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\documents and settings\D&A\Application Data\aAvgApi

2009-03-14 08:28 . 2009-03-09 12:49 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-14 07:55 . 2009-03-14 07:55 <DIR> d-------- c:\program files\mp3DirectCut

2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-12 09:52 . 2009-03-12 09:52 <DIR> d-------- c:\documents and settings\D&A\Application Data\Malwarebytes

2009-03-11 11:06 . 2009-03-11 11:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-11 10:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-11 10:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-11 07:53 . 2009-03-11 07:53 <DIR> d-------- c:\documents and settings\D&A\Application Data\dcumwcsi

2009-03-11 07:34 . 2009-03-11 07:34 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\dcumwcsi

2009-03-09 15:23 . 2009-03-09 15:23 22,540 --a------ c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp

2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- c:\program files\CCleaner

2009-03-09 12:49 . 2009-03-09 12:49 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-09 12:46 . 2009-03-09 12:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-03-09 10:11 . 2009-03-09 10:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberScrub

2009-03-09 09:59 . 2009-03-18 22:40 <DIR> d-------- c:\documents and settings\Administrator

2009-02-27 07:23 . 2009-03-11 11:06 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\D&A\Application Data\SUPERAntiSpyware.com

2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-25 07:05 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-22 21:10 --------- d-----w c:\documents and settings\D&A\Application Data\uTorrent

2009-03-22 14:42 --------- d-----w c:\documents and settings\D&A\Application Data\HPAppData

2009-03-15 21:27 --------- d-----w c:\program files\Common Files\Adobe

2009-03-09 12:46 --------- d-----w c:\program files\Lavasoft

2009-03-09 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-03-09 08:26 --------- d-----w c:\program files\Trials 2 Second Edition

2009-02-02 16:13 --------- d-----w c:\program files\Bonjour

2009-01-31 22:02 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX

2009-01-23 12:55 --------- d-----w c:\program files\Valve

2009-01-17 17:40 47,360 ----a-w c:\documents and settings\D&A\Application Data\pcouffin.sys

2009-01-06 21:35 26,072 ----a-w c:\documents and settings\D&A\Application Data\GDIPFONTCACHEV1.DAT

2008-11-20 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112020081121\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-18_22.48.37.93 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe

+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr

+ 2009-02-05 21:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys

+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys

+ 2009-02-05 21:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys

+ 2009-02-05 21:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys

+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys

+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys

+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys

+ 2009-03-22 21:29:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4e0.dat

+ 2009-03-22 21:29:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D&A^Start Menu^Programs^Startup^Kremlin Sentry.lnk]

path=c:\documents and settings\D&A\Start Menu\Programs\Startup\Kremlin Sentry.lnk

backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

--a------ 2009-03-09 12:48 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2007-04-20 13:57 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2007-04-20 13:57 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2007-04-20 13:57 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Suite RiskMonitor]

--a------ 2007-11-22 10:53 1777296 c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2009-01-23 13:06 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

-ra------ 2007-01-30 18:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

-ra------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Oxford University Press\\Twenty First Century Science\\content\\start_t.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-19 114768]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-15 178376]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-15 30920]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-15 28872]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-19 20560]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-15 1402568]

R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-01 372480]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-15 3321032]

S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ceagovhn

.

Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:48]

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\D&A\Application Data\Mozilla\Firefox\Profiles\phaju8ts.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-22 21:34:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-22 21:37:12 - machine was rebooted [D&A]

ComboFix-quarantined-files.txt 2009-03-22 21:37:10

ComboFix2.txt 2009-03-18 22:49:16

ComboFix3.txt 2009-03-14 23:24:38

Pre-Run: 48,711,852,032 bytes free

Post-Run: 48,712,216,576 bytes free

249 --- E O F --- 2009-02-25 07:31:55

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:40:09, on 22/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 7137 bytes


Excellent, looks like we got it. I would like to see one more scan just to make sure there is nothing leftover. Also let me know how your computer is running.

Run Eset NOD32 Online AntiVirus

http://www.eset.eu/online-scanner

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post along with a new HijackThis log.

Root Admin, 2 weeks later:

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
