
Here's my HT log, with the suspect item in bold. I've run MBAM on it; it finds it and says it will delete it on next boot, but does not. Also tried ComboFix, and it still pops up. No odd behavior per se, but I would still like to get rid of it.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:21:01 PM, on 3/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\MemTurbo30\MemTurbo.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Wolf\Desktop\Apps\RootRepeal.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe

O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [sSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kfobibux] rundll32.exe "C:\WINDOWS\adoresiq.dll",e

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe

O4 - Global Startup: Net Send GUI.lnk = C:\Program Files\Fomine Net Send GUI\NetSendGUI.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: SEAGULL J Walk Java Client 3_3C12 - http://kronos/jwalk/jwalk_ie.cab

O16 - DPF: SEAGULL J Walk Java Client 4_0C10 - http://kronos/jwalk/jwalk_ie.cab

O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} (WSpell ActiveX Spelling Checker V5.15) - http://magic/magic/wspell.cab

O16 - DPF: {25B82430-A083-4C36-9D72-A4868E744CE2} (MGCSpellCheckAM.MDictionaryAM) - http://magic/magic/wspellAM.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

O16 - DPF: {F651630F-2847-4A80-8701-AD96312C9237} (IBTransferCtl Control) - https://imagedirect.dell.com/ImageDirect/Ca.../IBTransfer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{37683A15-7486-45B6-A5BD-8847B5777486}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{37683A15-7486-45B6-A5BD-8847B5777486}: NameServer = 192.168.1.1

O17 - HKLM\System\CS3\Services\Tcpip\..\{37683A15-7486-45B6-A5BD-8847B5777486}: NameServer = 192.168.1.1

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal


Here is my MBAM log.

Malwarebytes' Anti-Malware 1.34

Database version: 1881

Windows 5.1.2600 Service Pack 3

3/21/2009 6:34:51 PM

mbam-log-2009-03-21 (18-34-51).txt

Scan type: Quick Scan

Objects scanned: 69560

Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfobibux (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\adoresiq.dll (Trojan.Agent) -> Delete on reboot.

On reboot, it reappears, sometimes with a different .dll name.


Annnd here's a Combofix log

ComboFix 09-03-19.02 - Wolf 2009-03-21 20:56:48.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]

Running from: c:\documents and settings\Wolf\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))

.

2009-03-21 18:20 . 2009-03-21 18:20 <DIR> d-------- c:\program files\Trend Micro

2009-03-21 10:59 . 2009-03-21 10:59 <DIR> d-------- C:\VundoFix Backups

2009-03-15 14:41 . 2009-03-15 14:41 29,942,840 --a------ c:\windows\Disneyland 0o18.bmp

2009-03-15 14:35 . 2009-03-15 14:35 23,970,872 --a------ c:\windows\Disneyland 018.bmp

2009-03-01 11:41 . 2009-03-02 00:52 <DIR> d-------- c:\documents and settings\Wolf\Application Data\vlc

2009-02-26 18:44 . 2009-02-26 18:46 <DIR> d-------- C:\DS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-21 22:05 --------- d-----w c:\program files\Mozilla Thunderbird

2009-03-21 15:52 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-21 15:02 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-21 14:32 --------- d-----w c:\documents and settings\Wolf\Application Data\uTorrent

2009-03-21 14:25 --------- d-----w c:\program files\uTorrent

2009-03-03 00:19 --------- d-----w c:\program files\Trillian

2009-02-11 14:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 14:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-08 15:48 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-07 23:17 --------- d-----w c:\documents and settings\Wolf\Application Data\Thunderbird

2009-02-03 12:09 --------- d-----w c:\documents and settings\Wolf\Application Data\Vso

2007-05-25 23:57 92,064 ----a-w c:\documents and settings\Wolf\mqdmmdm.sys

2007-05-25 23:57 9,232 ----a-w c:\documents and settings\Wolf\mqdmmdfl.sys

2007-05-25 23:57 79,328 ----a-w c:\documents and settings\Wolf\mqdmserd.sys

2007-05-25 23:57 66,656 ----a-w c:\documents and settings\Wolf\mqdmbus.sys

2007-05-25 23:57 6,208 ----a-w c:\documents and settings\Wolf\mqdmcmnt.sys

2007-05-25 23:57 5,936 ----a-w c:\documents and settings\Wolf\mqdmwhnt.sys

2007-05-25 23:57 4,048 ----a-w c:\documents and settings\Wolf\mqdmcr.sys

2007-05-25 23:57 25,600 ----a-w c:\documents and settings\Wolf\usbsermptxp.sys

2007-05-25 23:57 22,768 ----a-w c:\documents and settings\Wolf\usbsermpt.sys

2007-04-29 23:55 76 ---ha-w c:\program files\Desktop.ini

2006-10-16 23:02 81,920 ----a-w c:\documents and settings\Wolf\Application Data\ezpinst.exe

2006-10-16 23:02 47,360 ----a-w c:\documents and settings\Wolf\Application Data\pcouffin.sys

2006-01-10 00:31 2,539 ----a-w c:\documents and settings\Wolf\settings.dat

2004-09-05 23:31 507 ----a-w c:\program files\WS_FTP.LOG

2008-12-17 21:59 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-17 21:59 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-17 21:59 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-17 21:59 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-17 21:59 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot_2009-03-21_16.33.02.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-04-14 00:12:08 156,160 ----a-w c:\windows\uyacuficawa.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-10-25 35328]

"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-24 266497]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"Kfobibux"="c:\windows\uyacuficawa.dll" [2008-04-13 156160]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

"SoundMan"="SOUNDMAN.EXE" [2004-01-08 c:\windows\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

c:\documents and settings\Wolf\Start Menu\Programs\Startup\

MemTurbo.lnk - c:\program files\MemTurbo30\MemTurbo.exe [2004-12-25 424448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-04-08 221247]

HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 241664]

HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-05-29 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.AP41"= APmpg4v1.dll

"VIDC.MPG4"= APmpg4v1.dll

"VIDC.MP42"= APmpg4v1.dll

"VIDC.DIV3"= APmpg4v1.dll

"VIDC.DIV4"= APmpg4v1.dll

"VIDC.MP43"= APmpg4v1.dll

"vidc.jxvd"= JetMPVx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli kbagkbe.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Net Send GUI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Net Send GUI.lnk

backup=c:\windows\pss\Net Send GUI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kfobibux]

--a------ 2008-04-13 20:12 156160 c:\windows\uyacuficawa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickGammaLoader]

--a------ 2004-09-30 17:12 6144 c:\program files\QuickGamma\QuickGammaLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-10 16:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]

--a------ 2004-09-17 13:32 552960 c:\program files\GigaByte\VGA Utility Manager\G-vga.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2006-10-25 01:37 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\games\\battlefield 2\\BF2.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2007-03-26 13184]

R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2004-07-12 5152]

S3 cusbohcn;cusbohcn;\??\c:\docume~1\Wolf\LOCALS~1\Temp\cusbohcn.sys --> c:\docume~1\Wolf\LOCALS~1\Temp\cusbohcn.sys [?]

S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]

S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6702 v2.20\HwIOctl.sys --> c:\program files\Setup Files\MS-6702 v2.20\HwIOctl.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-05-25 17792]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-05-25 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-05-25 21504]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2004-12-25 11520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{451769a2-1a2a-11dd-a5ee-000c76e49d8a}]

\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae7d85b4-fd2b-11d8-a0a3-806d6172696f}]

\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fafdd1ff-4aad-11dd-a5f5-000c76e49d8a}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-21 c:\windows\Tasks\HP Usg Daily FY04.job

- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 00:53]

.

.

------- Supplementary Scan -------

.

IE: Download ALL with IDA

IE: Download with IDA

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: Documents and Settings

Trusted Zone: ntelos.com\owa

TCP: {37683A15-7486-45B6-A5BD-8847B5777486} = 192.168.1.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: SEAGULL J Walk Java Client 3_3C12 - hxxp://kronos/jwalk/jwalk_ie.cab

DPF: SEAGULL J Walk Java Client 4_0C10 - hxxp://kronos/jwalk/jwalk_ie.cab

DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - hxxp://magic/magic/wspell.cab

DPF: {25B82430-A083-4C36-9D72-A4868E744CE2} - hxxp://magic/magic/wspellAM.cab

DPF: {F651630F-2847-4A80-8701-AD96312C9237} - hxxps://imagedirect.dell.com/ImageDirect/CabFile/IBTransfer.cab

FF - ProfilePath - c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - component: c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\extensions\{0784CD66-62FE-4cef-ABF4-F8ED9B654ACC}\components\tab_effect_xpcom.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - plugin: c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-21 21:04:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-854245398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1957994488-854245398-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:ca,82,0c,83,a6,79,a7,49,dc,f8,1a,e5,f0,8c,b3,a0,eb,6d,35,11,ee,d0,13,

01,dd,8d,00,26,02,07,93,c1,95,a5,b1,77,13,68,48,81,2f,a6,ea,e7,2c,01,59,f1,\

"??"=hex:32,b7,6b,f2,25,26,85,b5,ee,d7,95,5d,ae,b1,f5,ad

[HKEY_LOCAL_MACHINE\software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:4c,19,6f,01,cf,02,c1,41,b2,1f,f4,05,90,c2,cc,88,17,47,be,f8,9b,ba,5a,

8f,43,a3,62,93,a2,1e,6a,a3,64,b5,c4,4b,de,a3,95,2e,eb,4f,3b,c0,5b,46,e9,1e,\

"??"=hex:83,54,c4,b7,46,d2,38,d5,c4,17,6d,70,83,62,31,6f

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(988)

c:\windows\kbagkbe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Executive Software\Diskeeper\DkService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

c:\windows\system32\UAService7.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\digital imaging\bin\hpqgalry.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\program files\Java\jre1.6.0_07\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-03-21 21:12:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-22 01:12:17

ComboFix2.txt 2009-03-21 20:35:30

ComboFix3.txt 2008-12-06 16:13:02

Pre-Run: 17,324,957,696 bytes free

Post-Run: 17,310,318,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

237 --- E O F --- 2009-03-15 07:04:39


I should clarify the reason for the difference in the suspect .dll name in the logs. In between getting those logs I tried deleting the dll in safe mode, as well as manually removing the registry key, so it showed back up with a different name.

Any and all help will be greatly appreciated, thanks.

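The logs above show the pattern the poster describes: a Run value (Kfobibux) that launches rundll32 on a DLL sitting directly in C:\WINDOWS under a random name (adoresiq.dll in the HijackThis log, uyacuficawa.dll in the ComboFix snapshot), and the ComboFix output also lists kbagkbe.dll both in the LSA "Notification Packages" value and loaded inside lsass.exe, which is the kind of entry worth checking when a Run-key DLL keeps coming back under a new name after deletion. The script below is an added triage example for this thread; it is not part of any post and is not code from Malwarebytes, HijackThis or ComboFix. It runs a few defender-side checks over sample lines copied from the logs in this thread (plus two clean entries for contrast): rundll32 loading a DLL from the Windows root or with a one- or two-character export name, a ComboFix Run value pointing at a DLL in the Windows root, an orphaned BHO, and any LSA notification package other than the XP default. The assumption that scecli is the only legitimate package is labelled in the code and holds for a workstation with no third-party password filter installed; the line formats are taken from the logs as posted.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis and ComboFix logs
# posted in this thread, plus two clean Run entries (avgnt, NvCplDaemon) for contrast.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kfobibux] rundll32.exe "C:\WINDOWS\adoresiq.dll",e
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Kfobibux"="c:\windows\uyacuficawa.dll" [2008-04-13 156160]
Notification Packages REG_MULTI_SZ scecli kbagkbe.dll
""".strip().splitlines()


@dataclass
class Finding:
    line: str
    reason: str


# Assumption: on a Windows XP workstation without a third-party password filter,
# the LSA "Notification Packages" list contains only scecli.
DEFAULT_LSA_PACKAGES = {"scecli"}

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command>"
HJT_O4 = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 invocation inside a command: rundll32.exe "<dll>",<export>  (quotes optional)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)', re.IGNORECASE)
# ComboFix "Reg Loading Points" line: "name"="path" [date size]
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[')
# HijackThis O2 line: "O2 - BHO: <description> - {CLSID} - <path>"
HJT_O2 = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')


def in_windows_root(path: str) -> bool:
    """True if the file sits directly in the Windows directory (not system32 or any subfolder)."""
    return re.match(r'^[a-z]:\\windows\\[^\\]+$', path.strip(), re.IGNORECASE) is not None


def triage(lines):
    """Run the heuristic checks over log lines and return a list of Finding objects."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = HJT_O4.match(line)
        if m:
            r = RUNDLL.search(m.group("cmd"))
            if r:
                dll, export = r.group("dll"), r.group("export")
                if dll.lower().endswith(".dll") and in_windows_root(dll):
                    findings.append(Finding(line, f"rundll32 loads a DLL from the Windows root: {dll}"))
                if len(export) <= 2:
                    findings.append(Finding(line, f"rundll32 export name '{export}' is unusually short"))
            continue

        m = CF_RUN.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(".dll") and in_windows_root(path):
                findings.append(Finding(line, f"Run value '{m.group('name')}' points at a DLL in the Windows root: {path}"))
            continue

        m = HJT_O2.match(line)
        if m:
            if m.group("path").strip().lower() in {"(no file)", "(file missing)"}:
                findings.append(Finding(line, "BHO is registered but its file is missing (orphan entry)"))
            continue

        if line.startswith("Notification Packages"):
            # Tokens after "Notification Packages REG_MULTI_SZ" are the package names.
            packages = set(line.split()[3:])
            extra = packages - DEFAULT_LSA_PACKAGES
            if extra:
                findings.append(Finding(line, f"non-default LSA notification package(s): {', '.join(sorted(extra))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[!] {f.reason}\n    {f.line}")
```

On the sample lines the script raises five findings: two for the Kfobibux O4 entry (DLL in the Windows root, one-letter export), one for the orphaned BHO, one for the ComboFix Run value, and one for kbagkbe.dll in the LSA list; the two clean Run entries are left alone. The checks are heuristics for triage, not verdicts, and the LSA check in particular has to be read against what is legitimately installed on the machine.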
