
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:12:09 PM, on 4/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll

O2 - BHO: (no name) - {C089B61A-95BA-4318-9421-8FE4B2883E3E} - c:\windows\system32\gmugksc.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - AppInit_DLLs: karna.dat

O20 - Winlogon Notify: abedhrmn - C:\WINDOWS\SYSTEM32\gmugksc.dll

O20 - Winlogon Notify: sstqq - C:\WINDOWS\

O20 - Winlogon Notify: wvutrss - wvutrss.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel


Hi. :lol:

Download ComboFix from one of the locations below, and save it to your Desktop.

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I was able to download Combo Fix, but unable to run it. Here is my most recent run of HJT.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:49:20 PM, on 4/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Corey\Desktop\ComboFix.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll

O2 - BHO: (no name) - {C089B61A-95BA-4318-9421-8FE4B2883E3E} - c:\windows\system32\gmugksc.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - AppInit_DLLs: karna.dat

O20 - Winlogon Notify: abedhrmn - C:\WINDOWS\SYSTEM32\gmugksc.dll

O20 - Winlogon Notify: sstqq - C:\WINDOWS\

O20 - Winlogon Notify: wvutrss - wvutrss.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel


That worked for Combofix. Here is my log.

ComboFix 09-04-04.01 - Corey 2009-04-04 15:41:54.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1772 [GMT -5:00]

Running from: c:\documents and settings\Corey\Desktop\something.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common\_helper.dll

c:\program files\Common\helper.dll

c:\program files\Common\helper.sig

c:\windows\system32\drivers\TDSSmqlt.sys

c:\windows\system32\drivers\UACxpsiysua.sys

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\lowsec\user.ds.lll

c:\windows\system32\Memman.vxd

c:\windows\system32\qqtss.bak1

c:\windows\system32\qqtss.bak2

c:\windows\system32\qqtss.ini

c:\windows\system32\sdra64.exe

c:\windows\system32\skinboxer43.dll

c:\windows\system32\TDSSbrsr.dll

c:\windows\system32\TDSSbubx.log

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSnmxh.log

c:\windows\system32\TDSSosvd.dat

c:\windows\system32\TDSSotuh.dll

c:\windows\system32\TDSSrhym.dll

c:\windows\system32\TDSSriqp.dll

c:\windows\system32\TDSSsihc.dll

c:\windows\system32\TDSStkdu.log

c:\windows\system32\TDSSxfum.dll

c:\windows\system32\UACeppfmlwo.log

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkjyojppc.dll

c:\windows\system32\UACklvrilex.dll

c:\windows\system32\UACoeckjttu.dat

c:\windows\system32\UACstjertky.log

c:\windows\system32\UACvbepcpqj.dll

c:\windows\system32\UACxnkfrfld.dll

c:\windows\system32\UACxucybwiw.log

c:\windows\system32\UACyymbvdot.dll

c:\windows\system32\wini10451631.exe

c:\windows\wiaservv.log

c:\windows\system32\gmugksc.dll . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Service_TDSSSERV.SYS

-------\Legacy_TDSSSERV.SYS

-------\Legacy_DOMAINSERVICE

-------\Legacy_XKXJJXJJ

-------\Service_xkxjjxjj

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-04 07:36 . 2009-04-04 07:36 <DIR> d-------- c:\documents and settings\Corey\Application Data\ncvicnzw

2009-04-03 19:28 . 2009-04-03 19:28 <DIR> d-------- c:\program files\Trend Micro

2009-04-03 19:25 . 2009-04-03 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-03 19:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-03 19:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-02 16:53 . 2009-04-02 17:00 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-04-01 15:53 . 2009-04-01 15:53 <DIR> d-------- C:\078f00b6a8e46993cc501383defae9fe

2009-04-01 14:24 . 2009-04-03 18:50 <DIR> d-------- C:\pebuilder3110a

2009-04-01 13:47 . 2009-04-01 13:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ncvicnzw

2009-03-16 18:22 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-03-16 18:22 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll

2009-03-16 18:22 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-03-15 09:26 . 2009-03-17 17:08 <DIR> d-------- c:\program files\Microsoft Silverlight

2009-03-15 09:26 . 2009-04-03 20:42 <DIR> d-------- c:\documents and settings\Corey\Tracing

2009-03-15 09:24 . 2009-03-15 09:24 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition

2009-03-15 09:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Microsoft

2009-03-15 09:20 . 2009-03-15 09:25 <DIR> d-------- c:\program files\Windows Live

2009-03-15 09:14 . 2009-03-15 09:14 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-03-09 17:13 . 2009-03-10 20:21 <DIR> d-------- c:\program files\Cheney Media, Inc

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-04 20:45 --------- d-----w c:\program files\Common

2009-04-04 16:30 --------- d-----w c:\documents and settings\Corey\Application Data\BitTorrent

2009-03-15 14:20 21,370 ----a-w c:\documents and settings\Corey\Application Data\wklnhst.dat

2009-02-27 05:24 --------- d-----w c:\program files\EphPod

2009-02-24 03:06 --------- d-----w c:\program files\iTunes

2009-02-24 03:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-02-24 03:05 --------- d-----w c:\program files\iPod

2009-02-24 03:05 --------- d-----w c:\program files\Common Files\Apple

2009-02-24 03:04 --------- d-----w c:\program files\QuickTime

2009-02-24 02:55 --------- d-----w c:\program files\Bonjour

2009-02-19 23:08 --------- d-----w c:\documents and settings\PT\Application Data\BitTorrent

2009-02-15 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-14 23:41 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 22:06 --------- d-----w c:\program files\Common Files\supportsoft

2009-02-14 22:03 --------- d-----w c:\program files\Common Files\Intuit

2009-02-14 21:53 --------- d-----w c:\program files\Intuit

2009-02-14 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\COMMON FILES

2009-02-14 19:07 --------- d-----w c:\documents and settings\Corey\Application Data\Intuit

2009-02-14 16:46 --------- d-----w c:\program files\Common Files\Adobe

2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR

2008-10-12 03:22 306 -c--a-w c:\documents and settings\PT\Application Data\wklnhst.dat

2005-11-11 02:46 65,680 ----a-w c:\documents and settings\Corey\Application Data\GDIPFONTCACHEV1.DAT

2008-10-12 13:27 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C089B61A-95BA-4318-9421-8FE4B2883E3E}]

2009-04-04 15:45 105984 --a------ c:\windows\system32\gmugksc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2004-10-08 49152]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-04 24576]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-18 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI1"= diomidi.dll

"wave1"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Namo\\WebCanvas\\bin\\WebCanvas.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-11-01 20480]

R0 nhvklfue;nhvklfue;c:\windows\system32\drivers\nhvklfue.sys [2004-08-10 23424]

S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-11-01 74240]

S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-09-27 27328]

.

Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (APELIS-Corey).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Common\_helper.dll

Notify-sstqq - (no file)

Notify-wvutrss - wvutrss.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 15:50:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC5EC8EA-F03A-7E76-6FCF50BA2694CCE9}\{13CB29A0-AAF4-495B-CD9D16CF8052283A}\{B6B6C4AE-9CB1-C034-3E7F909216A0BA21}*]

"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,

fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\gmugksc.dll

c:\windows\system32\drivers\nhvklfue.sys

Folder::

C:\078f00b6a8e46993cc501383defae9fe

c:\documents and settings\Administrator\Application Data\ncvicnzw

Driver::

nhvklfue

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C089B61A-95BA-4318-9421-8FE4B2883E3E}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.

ComboFix 09-04-04.01 - Corey 2009-04-04 16:17:04.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1700 [GMT -5:00]

Running from: c:\documents and settings\Corey\Desktop\something.exe

Command switches used :: c:\documents and settings\Corey\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\system32\drivers\nhvklfue.sys

c:\windows\system32\gmugksc.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\078f00b6a8e46993cc501383defae9fe

c:\078f00b6a8e46993cc501383defae9fe\$shtdwn$.req

c:\078f00b6a8e46993cc501383defae9fe\mrt.exe

c:\078f00b6a8e46993cc501383defae9fe\mrtstub.exe

c:\documents and settings\Administrator\Application Data\ncvicnzw

c:\documents and settings\Administrator\Application Data\ncvicnzw\profiles.ini

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\cert8.db

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\compatibility.ini

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\compreg.dat

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\cookies.sqlite

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\formhistory.sqlite

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\key3.db

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\localstore.rdf

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\permissions.sqlite

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\places.sqlite-journal

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\places.sqlite

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\pluginreg.dat

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\prefs.js

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\secmod.db

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\webappsstore.sqlite

c:\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\xpti.dat

c:\windows\system32\drivers\nhvklfue.sys

c:\windows\system32\gmugksc.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NHVKLFUE

-------\Service_nhvklfue

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-04 07:36 . 2009-04-04 07:36 <DIR> d-------- c:\documents and settings\Corey\Application Data\ncvicnzw

2009-04-03 19:28 . 2009-04-03 19:28 <DIR> d-------- c:\program files\Trend Micro

2009-04-03 19:25 . 2009-04-03 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-03 19:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-03 19:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-02 16:53 . 2009-04-02 17:00 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-04-01 14:24 . 2009-04-03 18:50 <DIR> d-------- C:\pebuilder3110a

2009-03-16 18:22 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-03-16 18:22 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll

2009-03-16 18:22 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-03-15 09:26 . 2009-03-17 17:08 <DIR> d-------- c:\program files\Microsoft Silverlight

2009-03-15 09:26 . 2009-04-03 20:42 <DIR> d-------- c:\documents and settings\Corey\Tracing

2009-03-15 09:24 . 2009-03-15 09:24 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition

2009-03-15 09:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Microsoft

2009-03-15 09:20 . 2009-03-15 09:25 <DIR> d-------- c:\program files\Windows Live

2009-03-15 09:14 . 2009-03-15 09:14 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-03-09 17:13 . 2009-03-10 20:21 <DIR> d-------- c:\program files\Cheney Media, Inc

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-04 21:17 23,424 ----a-w c:\windows\system32\drivers\fxgiwoyl.sys

2009-04-04 20:45 --------- d-----w c:\program files\Common

2009-04-04 16:30 --------- d-----w c:\documents and settings\Corey\Application Data\BitTorrent

2009-03-15 14:20 21,370 ----a-w c:\documents and settings\Corey\Application Data\wklnhst.dat

2009-02-27 05:24 --------- d-----w c:\program files\EphPod

2009-02-24 03:06 --------- d-----w c:\program files\iTunes

2009-02-24 03:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-02-24 03:05 --------- d-----w c:\program files\iPod

2009-02-24 03:05 --------- d-----w c:\program files\Common Files\Apple

2009-02-24 03:04 --------- d-----w c:\program files\QuickTime

2009-02-24 02:55 --------- d-----w c:\program files\Bonjour

2009-02-19 23:08 --------- d-----w c:\documents and settings\PT\Application Data\BitTorrent

2009-02-15 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-14 23:41 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 22:06 --------- d-----w c:\program files\Common Files\supportsoft

2009-02-14 22:03 --------- d-----w c:\program files\Common Files\Intuit

2009-02-14 21:53 --------- d-----w c:\program files\Intuit

2009-02-14 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\COMMON FILES

2009-02-14 19:07 --------- d-----w c:\documents and settings\Corey\Application Data\Intuit

2009-02-14 16:46 --------- d-----w c:\program files\Common Files\Adobe

2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR

2008-10-12 03:22 306 -c--a-w c:\documents and settings\PT\Application Data\wklnhst.dat

2005-11-11 02:46 65,680 ----a-w c:\documents and settings\Corey\Application Data\GDIPFONTCACHEV1.DAT

2008-10-12 13:27 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2004-10-08 49152]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-04 24576]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-18 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI1"= diomidi.dll

"wave1"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Namo\\WebCanvas\\bin\\WebCanvas.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-11-01 20480]

S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-11-01 74240]

S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-09-27 27328]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NHVKLFUE

.

Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (APELIS-Corey).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 16:21:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC5EC8EA-F03A-7E76-6FCF50BA2694CCE9}\{13CB29A0-AAF4-495B-CD9D16CF8052283A}\{B6B6C4AE-9CB1-C034-3E7F909216A0BA21}*]

"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,

fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


Looking better.

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DeQuarantine::

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\profiles.ini

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\cert8.db

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\compatibility.ini

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\compreg.dat

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\cookies.sqlite

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\formhistory.sqlite

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\key3.db

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\localstore.rdf

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\permissions.sqlite

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\places.sqlite-journal

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\places.sqlite

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\pluginreg.dat

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\prefs.js

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\secmod.db

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\webappsstore.sqlite

C:\Qoobox\Quarantine\c\documents and settings\Administrator\Application Data\ncvicnzw\Profiles\zup52jwz.default\xpti.dat

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.

ComboFix 09-04-04.01 - Corey 2009-04-04 17:01:47.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1678 [GMT -5:00]

Running from: c:\documents and settings\Corey\Desktop\something.exe

Command switches used :: c:\documents and settings\Corey\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-04 07:36 . 2009-04-04 07:36 <DIR> d-------- c:\documents and settings\Corey\Application Data\ncvicnzw

2009-04-03 19:28 . 2009-04-03 19:28 <DIR> d-------- c:\program files\Trend Micro

2009-04-03 19:25 . 2009-04-03 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-03 19:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-03 19:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-02 16:53 . 2009-04-02 17:00 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-04-01 14:24 . 2009-04-03 18:50 <DIR> d-------- C:\pebuilder3110a

2009-03-16 18:22 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-03-16 18:22 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll

2009-03-16 18:22 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-03-15 09:26 . 2009-03-17 17:08 <DIR> d-------- c:\program files\Microsoft Silverlight

2009-03-15 09:26 . 2009-04-03 20:42 <DIR> d-------- c:\documents and settings\Corey\Tracing

2009-03-15 09:24 . 2009-03-15 09:24 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition

2009-03-15 09:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Microsoft

2009-03-15 09:20 . 2009-03-15 09:25 <DIR> d-------- c:\program files\Windows Live

2009-03-15 09:14 . 2009-03-15 09:14 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-03-09 17:13 . 2009-03-10 20:21 <DIR> d-------- c:\program files\Cheney Media, Inc

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-04 21:17 23,424 ----a-w c:\windows\system32\drivers\fxgiwoyl.sys

2009-04-04 20:45 105,984 ----a-w c:\windows\system32\qlbwqkh.dll

2009-04-04 20:45 --------- d-----w c:\program files\Common

2009-04-04 16:30 --------- d-----w c:\documents and settings\Corey\Application Data\BitTorrent

2009-03-15 14:20 21,370 ----a-w c:\documents and settings\Corey\Application Data\wklnhst.dat

2009-02-27 05:24 --------- d-----w c:\program files\EphPod

2009-02-24 03:06 --------- d-----w c:\program files\iTunes

2009-02-24 03:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-02-24 03:05 --------- d-----w c:\program files\iPod

2009-02-24 03:05 --------- d-----w c:\program files\Common Files\Apple

2009-02-24 03:04 --------- d-----w c:\program files\QuickTime

2009-02-24 02:55 --------- d-----w c:\program files\Bonjour

2009-02-19 23:08 --------- d-----w c:\documents and settings\PT\Application Data\BitTorrent

2009-02-15 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-14 23:41 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 22:06 --------- d-----w c:\program files\Common Files\supportsoft

2009-02-14 22:03 --------- d-----w c:\program files\Common Files\Intuit

2009-02-14 21:53 --------- d-----w c:\program files\Intuit

2009-02-14 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\COMMON FILES

2009-02-14 19:07 --------- d-----w c:\documents and settings\Corey\Application Data\Intuit

2009-02-14 16:46 --------- d-----w c:\program files\Common Files\Adobe

2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys

2009-02-09 10:19 1,846,272 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR

2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll

2009-01-17 03:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll

2008-10-12 03:22 306 -c--a-w c:\documents and settings\PT\Application Data\wklnhst.dat

2005-11-11 02:46 65,680 ----a-w c:\documents and settings\Corey\Application Data\GDIPFONTCACHEV1.DAT

2008-10-12 13:27 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2004-10-08 49152]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-04 24576]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-18 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI1"= diomidi.dll

"wave1"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Namo\\WebCanvas\\bin\\WebCanvas.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-11-01 20480]

S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-11-01 74240]

S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-09-27 27328]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NHVKLFUE

.

Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (APELIS-Corey).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 17:03:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC5EC8EA-F03A-7E76-6FCF50BA2694CCE9}\{13CB29A0-AAF4-495B-CD9D16CF8052283A}\{B6B6C4AE-9CB1-C034-3E7F909216A0BA21}*]

"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,

fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


Darn, two came back.

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Collect::

c:\windows\system32\drivers\fxgiwoyl.sys

c:\windows\system32\qlbwqkh.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.

ComboFix 09-04-04.01 - Corey 2009-04-04 18:54:58.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1669 [GMT -5:00]

Running from: c:\documents and settings\Corey\Desktop\something.exe

Command switches used :: c:\documents and settings\Corey\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\fxgiwoyl.sys

c:\windows\system32\qlbwqkh.dll

.

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-04 07:36 . 2009-04-04 07:36 <DIR> d-------- c:\documents and settings\Corey\Application Data\ncvicnzw

2009-04-03 19:28 . 2009-04-03 19:28 <DIR> d-------- c:\program files\Trend Micro

2009-04-03 19:25 . 2009-04-03 19:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-03 19:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-03 19:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-02 16:53 . 2009-04-02 17:00 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-04-01 14:24 . 2009-04-03 18:50 <DIR> d-------- C:\pebuilder3110a

2009-03-16 18:22 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-03-16 18:22 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll

2009-03-16 18:22 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-03-15 09:26 . 2009-03-17 17:08 <DIR> d-------- c:\program files\Microsoft Silverlight

2009-03-15 09:26 . 2009-04-04 18:15 <DIR> d-------- c:\documents and settings\Corey\Tracing

2009-03-15 09:24 . 2009-03-15 09:24 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition

2009-03-15 09:24 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-03-15 09:21 . 2009-03-15 09:21 <DIR> d-------- c:\program files\Microsoft

2009-03-15 09:20 . 2009-03-15 09:25 <DIR> d-------- c:\program files\Windows Live

2009-03-15 09:14 . 2009-03-15 09:14 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-03-09 17:13 . 2009-03-10 20:21 <DIR> d-------- c:\program files\Cheney Media, Inc

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-04 20:45 --------- d-----w c:\program files\Common

2009-04-04 16:30 --------- d-----w c:\documents and settings\Corey\Application Data\BitTorrent

2009-03-15 14:20 21,370 ----a-w c:\documents and settings\Corey\Application Data\wklnhst.dat

2009-02-27 05:24 --------- d-----w c:\program files\EphPod

2009-02-24 03:06 --------- d-----w c:\program files\iTunes

2009-02-24 03:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-02-24 03:05 --------- d-----w c:\program files\iPod

2009-02-24 03:05 --------- d-----w c:\program files\Common Files\Apple

2009-02-24 03:04 --------- d-----w c:\program files\QuickTime

2009-02-24 02:55 --------- d-----w c:\program files\Bonjour

2009-02-19 23:08 --------- d-----w c:\documents and settings\PT\Application Data\BitTorrent

2009-02-15 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-14 23:41 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 22:06 --------- d-----w c:\program files\Common Files\supportsoft

2009-02-14 22:03 --------- d-----w c:\program files\Common Files\Intuit

2009-02-14 21:53 --------- d-----w c:\program files\Intuit

2009-02-14 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\COMMON FILES

2009-02-14 19:07 --------- d-----w c:\documents and settings\Corey\Application Data\Intuit

2009-02-14 16:46 --------- d-----w c:\program files\Common Files\Adobe

2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys

2009-02-09 10:19 1,846,272 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-07 00:03 307,576 ----a-w c:\windows\WLXPGSS.SCR

2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll

2009-01-17 03:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll

2008-10-12 03:22 306 -c--a-w c:\documents and settings\PT\Application Data\wklnhst.dat

2005-11-11 02:46 65,680 ----a-w c:\documents and settings\Corey\Application Data\GDIPFONTCACHEV1.DAT

2008-10-12 13:27 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2004-10-08 49152]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-04 24576]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-18 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI1"= diomidi.dll

"wave1"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Namo\\WebCanvas\\bin\\WebCanvas.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-11-01 20480]

S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-11-01 74240]

S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-09-27 27328]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NHVKLFUE

.

Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (APELIS-Corey).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 18:55:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC5EC8EA-F03A-7E76-6FCF50BA2694CCE9}\{13CB29A0-AAF4-495B-CD9D16CF8052283A}\{B6B6C4AE-9CB1-C034-3E7F909216A0BA21}*]

"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,

fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ
