
ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/30 10:13

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: ABP480N5.SYS

Image Path: ABP480N5.SYS

Address: 0xF774F000 Size: 23552 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: adpu160m.sys

Image Path: adpu160m.sys

Address: 0xBAF47000 Size: 101888 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: aic78xx.sys

Image Path: aic78xx.sys

Address: 0xF7647000 Size: 56960 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: amsint.sys

Image Path: amsint.sys

Address: 0xF78B7000 Size: 12032 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: asc.sys

Image Path: asc.sys

Address: 0xF771F000 Size: 26496 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF7464000 Size: 96512 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: cbidf2k.sys

Image Path: cbidf2k.sys

Address: 0xF78C3000 Size: 13952 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: dac2w2k.sys

Image Path: dac2w2k.sys

Address: 0xBAF1B000 Size: 179584 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: dac960nt.sys

Image Path: dac960nt.sys

Address: 0xF78B3000 Size: 14720 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: dpti2o.sys

Image Path: dpti2o.sys

Address: 0xF775F000 Size: 20192 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xBA5C7000 Size: 786432 File Visible: No Signed: -

Status: -

Name: ini910u.sys

Image Path: ini910u.sys

Address: 0xF78BF000 Size: 16000 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: mraid35x.sys

Image Path: mraid35x.sys

Address: 0xF7727000 Size: 17280 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: ql1080.sys

Image Path: ql1080.sys

Address: 0xF7697000 Size: 40320 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: ql12160.sys

Image Path: ql12160.sys

Address: 0xF76B7000 Size: 45312 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xBA8E2000 Size: 49152 File Visible: No Signed: -

Status: -

Name: sparrow.sys

Image Path: sparrow.sys

Address: 0xF7717000 Size: 19072 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: sym_hi.sys

Image Path: sym_hi.sys

Address: 0xF773F000 Size: 28384 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: ultra.sys

Image Path: ultra.sys

Address: 0xF7687000 Size: 36736 File Visible: - Signed: -

Status: Hidden from the Windows API!

==EOF==


This is an issue I am experiencing with a remote computer. I have been able to finally get into it to get an MBAM log as well as an HJT log.

MBAM

Malwarebytes' Anti-Malware 1.39

Database version: 2530

Windows 5.1.2600 Service Pack 3

7/30/2009 1:49:17 PM

mbam-log-2009-07-30 (13-49-10).txt

Scan type: Quick Scan

Objects scanned: 97081

Time elapsed: 23 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.

-----------------------------------------------------------

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:17:23 PM, on 7/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

C:\Program Files\CA\eTrustITM\InoRpc.exe

C:\Program Files\CA\eTrustITM\InoRT.exe

C:\Program Files\CA\eTrustITM\InoTask.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kaseya\Agent\AgentMon.exe

C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe

C:\Program Files\MSN\Toolbar\3.0.0983.0\mstbsvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\UPS\WSTD\UPSNA1Msgr.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Kaseya\Agent\KaUsrTsk.exe

C:\WINDOWS\system32\ctfmon.exe

C:\UPS\WSTD\WSTDMessaging.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\ktemp\KRlyCLis.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmur.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config

O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')

O4 - HKUS\S-1-5-20\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')

O4 - HKUS\S-1-5-21-1606980848-839522115-725345543-1130\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe

O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20CE7BA6-1131-433A-8751-4BC7A1A41845} (MyPhotoAlbum Upload Tool Combo Control) - http://kcarmichael1.myphotoalbum.com/MyPho...asyUploader.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab

O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://sc.secureworkplace.net/inc/kaxRemote.dll

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jcn.com

O17 - HKLM\Software\..\Telephony: DomainName = jcn.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jcn.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jcn.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jcn.com

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe

O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SecureWorkplace (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe

--

End of file - 11957 bytes


Hi True North and welcome to the MBAM forums,

Excuse the delay in attention, but we have a massive workload (over 4 days' backlog at the mo) and can only deal with topics when we get to them, on a first come, first served basis.

If someone bumps their own post, it is easy for it to be overlooked, as at a casual glance at the HJT forums it appears that your session was already being attended to, judging by the number of replies to your topic.

Your Rootrepeal log is only for the Drivers scan and I will need a more complete report to identify the underlying rootkit that is present.

Download the most recent Rootrepeal >>>

http://rootrepeal.googlepages.com/

Extract the file and run rootrepeal.exe.

Click on the Report tab on the bottom right of the software, then press Scan.

Put a check (tick) in all boxes except the 2 SSDT options, then press OK.

Place a check (tick) in the drive to be scanned (usually you will only have to select C).

Please save the logfile generated and copy and paste the contents of that log into your next reply.

Thanks in advance :)


Thanks Fatdcuk,

Here is the Rootrepeal scan with everything checked except SSDT.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/05 17:13

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: 0000087F

Image Path: 0000087F

Address: 0x896F7000 Size: 41214 File Visible: No Signed: -

Status: -

Name: 0000087F

Image Path: 0000087F

Address: 0xA37A9000 Size: 73216 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xA592C000 Size: 786432 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA274B000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys

Status: Invisible to the Windows API!

Hidden Services

-------------------

Service Name: lywnfsqgwgl

Image Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys

==EOF==


Out pops the culprit :)

Please rerun Rootrepeal, file scan only.

Highlight the following line, then right click on it and select *wipe* file, then immediately reboot.

Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys

Status: Invisible to the Windows API!

Please update and run an MBAM quick scan and allow it to delete what it finds, then reboot once again.

Rerun MBAM to confirm, but the file should no longer be detected as the rootkit has been killed.

HJT is showing clear of infections, but I would like 1 more log just to check all is well.

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please copy and paste the contents of C:\ComboFix.txt in your next reply.

Thanks in advance :)

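The second Rootrepeal report in this thread is the one that exposed the rootkit, and the helper's reasoning is simple to mechanise: the image path of the hidden service is the same file that the Hidden/Locked Files section reports as invisible to the Windows API, while entries such as the locked hiberfil.sys or RootRepeal's own driver are expected. The Python script below is an added example, not code from the thread or from RootRepeal's authors. It parses a report in the layout quoted above and correlates the three sections into ranked findings. The embedded sample report is constructed from the log in the thread (same file and service names); the section names, record keys and the high/medium/low labels are assumptions based on that layout.

```python
"""Parse a RootRepeal report and correlate its sections to rank findings."""
import re
from collections import defaultdict

# Constructed sample, modelled on the RootRepeal 1.3.3.0 report layout quoted
# in the thread; the file and service names are the ones that appear there.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/05 17:13
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 0000087F
Image Path: 0000087F
Address: 0xA37A9000 Size: 73216 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA274B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: lywnfsqgwgl
Image Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys
==EOF==
"""

RULE_RE = re.compile(r"-{5,}")
# The driver "Address:" line packs four fields into one line.
ADDRESS_RE = re.compile(
    r"Address: (?P<address>\S+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)"
)


def parse_report(text):
    """Return {section: [record, ...]}.

    A section is a heading line followed by a dashed rule; a record is one
    blank-line separated group of 'Key: Value' lines inside that section.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    sections = defaultdict(list)
    current, record = None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_RE.fullmatch(lines[i + 1]):
            if record and current:
                sections[current].append(record)
            current, record = line, {}  # new section heading
            continue
        if current is None or RULE_RE.fullmatch(line):
            continue  # banner lines before the first section, or the rule itself
        if not line or line == "==EOF==":
            if record:
                sections[current].append(record)
                record = {}
            continue
        m = ADDRESS_RE.match(line)
        if m:
            record.update(m.groupdict())
        elif ": " in line:
            key, value = line.split(": ", 1)
            record[key] = value
    if record and current:
        sections[current].append(record)
    return dict(sections)


def triage(sections):
    """Rank findings as (severity, detail) tuples, highest severity first."""
    findings = []
    # "Locked" files (e.g. hiberfil.sys) are normal; only "Invisible" ones count.
    invisible = {r.get("Path", "").lower()
                 for r in sections.get("Hidden/Locked Files", [])
                 if r.get("Status", "").startswith("Invisible")}
    services = {r.get("Image Path", "").lower(): r.get("Service Name", "?")
                for r in sections.get("Hidden Services", [])}
    for path, svc in services.items():
        if path in invisible:  # the strongest signal: service + invisible file agree
            findings.append(("high", f"hidden service {svc} loads invisible file {path}"))
        else:
            findings.append(("medium", f"hidden service {svc} -> {path}"))
    for path in sorted(invisible - set(services)):
        findings.append(("medium", f"file invisible to the Windows API: {path}"))
    for r in sections.get("Drivers", []):
        if "Hidden" in r.get("Status", ""):
            ip = r.get("Image Path", "")
            # A bare name gives no on-disk path to verify, so rank it lower.
            sev = "medium" if "\\" in ip else "low"
            findings.append((sev, f"driver {r.get('Name')} hidden (image path {ip})"))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for severity, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{severity}] {detail}")
```

Run against the sample, the high finding is the lywnfsqgwgl service whose image path is the invisible doitjnthfqy.sys, str.sys comes out as medium, and the hidden 0000087F driver entry with no path is ranked low, which matches the order in which the helper dealt with them: wipe the driver file behind the hidden service first, then let MBAM clean up what remains.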

Here are the logs of everything I ran, in order.

First MBAM Scan After Wipe/Restart Action With Root Repeal

Malwarebytes' Anti-Malware 1.40

Database version: 2568

Windows 5.1.2600 Service Pack 3

8/6/2009 9:21:04 AM

mbam-log-2009-08-06 (09-21-04).txt

Scan type: Quick Scan

Objects scanned: 115606

Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\doitjnthfqy.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.

================================================================================

======================

Second MBAM Scan After Removal of str.sys and doitjnthfqy.sys

Malwarebytes' Anti-Malware 1.40

Database version: 2568

Windows 5.1.2600 Service Pack 3

8/6/2009 9:31:06 AM

mbam-log-2009-08-06 (09-31-06).txt

Scan type: Quick Scan

Objects scanned: 115650

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

================================================================================

===========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:31:50 AM, on 8/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

C:\Program Files\CA\eTrustITM\InoRpc.exe

C:\Program Files\CA\eTrustITM\InoRT.exe

C:\Program Files\CA\eTrustITM\InoTask.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kaseya\Agent\AgentMon.exe

C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe

C:\Program Files\MSN\Toolbar\3.0.0983.0\mstbsvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\UPS\WSTD\UPSNA1Msgr.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Kaseya\Agent\KaUsrTsk.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\UPS\WSTD\WSTDMessaging.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

c:\ktemp\KRlyCLis.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmur.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config

O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')

O4 - HKUS\S-1-5-20\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')

O4 - HKUS\S-1-5-21-1606980848-839522115-725345543-1130\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe

O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20CE7BA6-1131-433A-8751-4BC7A1A41845} (MyPhotoAlbum Upload Tool Combo Control) - http://kcarmichael1.myphotoalbum.com/MyPho...asyUploader.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab

O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://sc.secureworkplace.net/inc/kaxRemote.dll

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jcn.com

O17 - HKLM\Software\..\Telephony: DomainName = jcn.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jcn.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jcn.com

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe

O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SecureWorkplace (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe

--

End of file - 11889 bytes

================================================================================

====================================

And finally, the ComboFix log:

ComboFix 09-08-04.04 - kbennett 08/06/2009 9:39.1.2 - NTFSx86

Running from: c:\documents and settings\Kbennett\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\msimg32.dll

c:\recycler\S-1-5-21-1268040478-1514594852-1095485430-500

c:\windows\system32\Drivers\xjydiu.sys

D:\Autorun.inf

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))

.

2009-08-06 13:41 . 2008-04-14 09:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-08-06 13:41 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe

2009-07-30 17:17 . 2009-07-30 17:17 -------- d-----w- c:\program files\Trend Micro

2009-07-30 14:12 . 2009-07-30 14:12 0 ----a-w- c:\documents and settings\Kbennett\settings.dat

2009-07-20 19:54 . 2009-07-20 19:54 -------- d-----w- c:\documents and settings\Kbennett\Local Settings\Application Data\PCHealth

2009-07-15 17:46 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2009-07-15 17:46 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2009-07-15 12:39 . 2009-08-05 19:48 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-14 16:54 . 2009-07-14 16:54 19613 ----a-w- c:\program files\Common Files\imite.reg

2009-07-14 16:54 . 2009-07-14 16:54 18747 ----a-w- c:\windows\system32\ysuza.exe

2009-07-14 16:54 . 2009-07-14 16:54 17237 ----a-w- c:\windows\system32\zomib.sys

2009-07-14 16:54 . 2009-07-14 16:54 16110 ----a-w- c:\program files\Common Files\yzawez.bat

2009-07-14 16:54 . 2009-07-14 16:54 12177 ----a-w- c:\windows\system32\numuheluk.dat

2009-07-14 16:54 . 2009-07-14 16:54 12116 ----a-w- c:\documents and settings\All Users\Application Data\xybexemeki.exe

2009-07-14 16:54 . 2009-07-14 16:54 11907 ----a-w- c:\windows\oxotedife.bat

2009-07-14 16:54 . 2009-07-14 16:54 11230 ----a-w- c:\documents and settings\Kbennett\Local Settings\Application Data\unaxihok.bin

2009-07-14 16:54 . 2009-07-14 16:54 11009 ----a-w- c:\documents and settings\Kbennett\Application Data\cacin.com

2009-07-07 19:51 . 2009-07-07 19:51 -------- d-----w- C:\c1993d69b2257706bc42

2009-07-07 19:51 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

2009-07-07 15:45 . 2008-04-11 00:08 212992 ----a-w- c:\windows\system32\stacsv.exe

2009-07-07 15:23 . 2009-07-07 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-07-07 15:20 . 2009-07-07 15:20 -------- d-sh--w- c:\documents and settings\Kbennett\IECompatCache

2009-07-07 15:18 . 2009-07-07 15:18 -------- d-sh--w- c:\documents and settings\Kbennett\PrivacIE

2009-07-07 15:17 . 2009-07-07 15:18 -------- d-----w- C:\20f903efbc480001cc

2009-07-07 15:16 . 2009-07-07 15:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-07 15:07 . 2009-07-07 15:07 -------- d-----w- C:\6892e8b48eb6eb6b09

2009-07-07 15:07 . 2009-07-07 15:13 -------- d-----w- C:\21f913dc4e1d3e76d194

2009-07-07 14:58 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-07-07 14:58 . 2009-07-07 14:58 -------- d-----w- c:\windows\ie8updates

2009-07-07 14:57 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-07-07 14:57 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-07 14:55 . 2009-07-07 14:57 -------- dc-h--w- c:\windows\ie8

2009-07-07 14:07 . 2009-04-29 04:55 78336 -c----w- c:\windows\system32\dllcache\ieencode.dll

2009-07-07 14:07 . 2009-04-29 04:55 78336 ------w- c:\windows\system32\ieencode.dll

2009-07-07 14:00 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

2009-07-07 13:59 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-06 12:47 . 2007-01-24 14:45 -------- d-----w- c:\program files\Peachtree

2009-08-05 19:48 . 2009-04-20 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-03 17:36 . 2009-04-20 19:58 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2009-04-20 19:58 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-31 14:46 . 2007-01-24 13:37 -------- d-----w- c:\program files\DesignPro

2009-07-30 13:02 . 2009-07-30 13:02 184 ----a-w- c:\program files\evovx.txt

2009-07-27 19:33 . 2007-04-19 14:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared

2009-07-27 19:33 . 2007-04-19 14:47 -------- d-----w- c:\program files\AutoCAD LT 2002

2009-07-27 12:18 . 2009-05-21 14:25 256 ----a-w- c:\windows\system32\pool.bin

2009-07-24 19:57 . 2007-01-24 14:45 -------- d-----w- c:\program files\Common Files\Peach

2009-07-15 20:01 . 2007-11-29 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-07 19:51 . 2009-07-07 19:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-07 19:51 . 2009-07-07 19:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-07 15:15 . 2007-02-08 17:02 158448 ----a-w- c:\documents and settings\Kbennett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-07 15:12 . 2009-07-07 15:12 -------- d-----w- c:\program files\MSBuild

2009-07-07 15:12 . 2009-07-07 15:12 -------- d-----w- c:\program files\Reference Assemblies

2009-07-07 15:04 . 2007-11-29 18:20 -------- d-----w- c:\program files\Microsoft Works

2009-07-03 17:09 . 2006-06-01 03:17 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2006-06-01 03:17 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2006-06-01 03:16 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:09 . 2006-06-01 03:16 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-22 17:09 . 2009-05-22 17:09 10134 ----a-r- c:\documents and settings\Kbennett\Application Data\Microsoft\Installer\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}\ARPPRODUCTICON.exe

2009-05-22 15:29 . 2008-09-24 19:05 826 ----a-w- c:\windows\PSODBCEI.reg

2009-05-22 15:29 . 2008-09-24 19:05 826 ----a-w- c:\windows\PSODBCCI.reg

2009-05-22 15:29 . 2008-09-24 19:05 610 ----a-w- c:\windows\PSOA.reg

2009-05-22 15:29 . 2008-09-24 19:05 18232 ----a-w- c:\windows\PriorPervasive.reg

2009-05-21 16:08 . 2009-05-21 16:08 10134 ----a-r- c:\documents and settings\Kbennett\Application Data\Microsoft\Installer\{2877881B-0736-42AB-B312-D4457D57E56D}\ARPPRODUCTICON.exe

2009-05-09 05:14 . 2009-05-09 05:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-05-09 05:14 . 2009-05-09 05:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"PeachtreePrefetcher.exe"="c:\progra~1\PEACHT~1\PeachtreePrefetcher.exe" [2009-04-06 23040]

"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2007-12-13 20480]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2007-12-13 65536]

UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2007-12-12 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk

backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 ASICIO;ASIC Driver;c:\windows\system32\Drivers\ASICIO.SYS [x]

R2 lywnfsqgwgl;lywnfsqgwgl;c:\windows\system32\drivers\doitjnthfqy.sys [x]

S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

S2 KaseyaAgent;SecureWorkplace;c:\program files\Kaseya\Agent\AgentMon.exe [2008-09-04 610304]

S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [2008-12-18 9158656]

S2 mstbsvc;MSN Toolbar Setup;c:\program files\MSN\Toolbar\3.0.0983.0\mstbsvc.exe [2008-11-08 100184]

S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [2009-04-07 435496]

S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXP.sys [2005-11-29 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-01-19 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 09:42]

2007-01-19 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 09:42]

2007-01-19 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-01-11 01:32]

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.wmur.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Search

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

DPF: {20CE7BA6-1131-433A-8751-4BC7A1A41845} - hxxp://kcarmichael1.myphotoalbum.com/MyPhotoAlbumEasyUploader.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-06 09:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(812)

c:\program files\Bonjour\mdnsNSP.dll

.

Completion time: 2009-08-06 9:43

ComboFix-quarantined-files.txt 2009-08-06 13:43

Pre-Run: 50,191,876,096 bytes free

Post-Run: 50,197,454,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

222 --- E O F --- 2009-07-30 12:11


OK, that's great. I will close this topic as finished now :)

Here's some handy reading though: the Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

We hope our application has helped you eradicate this malware.

If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.

Safe surfing :)
