
Help remove uacinit.dll and UAC in registry



Here's my Malwarebytes' Anti-Malware log file :

Malwarebytes' Anti-Malware 1.40

Database version: 2656

Windows 5.1.2600 Service Pack 2

8/19/2009 11:14:45 AM

mbam-log-2009-08-19 (11-14-31).txt

Scan type: Full Scan (C:\|)

Objects scanned: 413921

Time elapsed: 32 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

------------------------------------------------------------------------------------------------------

Here's my Hijack this log file...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:46 AM, on 8/19/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

c:\oracle\ora92\bin\omtsreco.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\DNA\btdna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

C:\Scott\Malwarebytes' Anti-Malware\xxxx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dotnet/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dotnet

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dotnet/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: WinShade.lnk = C:\Program Files\BlueCarpet\WinShade\Program\WinShade.exe

O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Scott\Bulk Image Downloader\iemenu\iebidqueue.htm

O8 - Extra context menu item: Enqueue link target with Bulk Image Downloader - file://C:\Scott\Bulk Image Downloader\iemenu\iebidlinkqueue.htm

O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Scott\Bulk Image Downloader\iemenu\iebidlink.htm

O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Scott\Bulk Image Downloader\iemenu\iebid.htm

O8 - Extra context menu item: Post Image to Blog - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5003

O8 - Extra context menu item: Tag This Image - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5002

O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5004

O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5000

O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5001

O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Scott\FlashFetcher\FlashFetcher.dll (file missing)

O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Scott\FlashFetcher\FlashFetcher.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://dotnet

O15 - Trusted Zone: http://toolbar.imageshack.us

O15 - Trusted Zone: http://iowaamsvault02.iowa.gov.state.ia.us

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coolsavings.coupons.smartsource.com...oad/cscmv5X.cab

O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab

O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab

O16 - DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} (Wild Pockets Loader Plugin Control Class) - http://www.wildpockets.com/common/WildPock...oader-11994.cab

O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (TIClientControl Object) - https://techinline.net/Client/TIClient.cab

O16 - DPF: {CAD4ADEB-C52B-4E83-A7D1-9C75E022ECCC} (Unyte Conferencing Plugin) - https://ash-cs13.conferenceservers.com/comp...ts/WDPLUGIN.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dot.int.lan

O17 - HKLM\Software\..\Telephony: DomainName = dot.int.lan

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dot.int.lan

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dot.int.lan

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dot.int.lan

O20 - AppInit_DLLs: karina.dat nxpksa.dll c:\windows\ c:\windows\ ,ivhzwt.dll frmdsb.dll udgtuh.dll dqrvlo.dll htbkvg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: ssqPjkhi - ssqPjkhi.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterPlot IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe

O23 - Service: Oracleoracle_forms6iClientCache80 - Unknown owner - c:\oracle\forms6i\BIN\ONRSD80.EXE

O23 - Service: Oracleoracle_home92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE

O23 - Service: OracleORACLE_HOME_F6iClientCache80 - Unknown owner - C:\oracle\forms6i\BIN\ONRSD80.EXE

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--

End of file - 11285 bytes

------------------------------------------------------------------------------------------------------------------------------

Thank you very much for your help!!

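The HijackThis log above is the kind of thing a forum helper reads by eye, looking first for a proxy that points back at the local machine, anything at all in AppInit_DLLs, Winlogon Notify hooks whose DLL no longer exists, and sites or ActiveX controls the user has let in. The following is an added example written for this page, not code from Malwarebytes, Trend Micro or the poster: it pulls exactly those indicators out of a HijackThis log. The sample lines are copied from the log above (plus one benign O4 line the parser should ignore); the severity labels and the `triage` and `appinit_dlls` names are the example's own choices.

```python
"""Triage a HijackThis log for the indicators a malware-removal helper reads first.

Added example, not part of the original post.  Input: raw HijackThis log text.
Output: a list of (severity, section, detail) tuples.
"""
import re

# Constructed sample: lines copied from the HijackThis log in the thread, plus
# one ordinary O4 run entry that the checks below are expected to leave alone.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O20 - AppInit_DLLs: karina.dat nxpksa.dll c:\\windows\\ c:\\windows\\ ,ivhzwt.dll frmdsb.dll udgtuh.dll dqrvlo.dll htbkvg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: ssqPjkhi - ssqPjkhi.dll (file missing)
"""

# Every HijackThis entry is "<section> - <body>"; anything else is header text.
LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def parse_lines(text):
    """Yield (section, body) for every entry line; skip headers and blanks."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def appinit_dlls(body):
    """Split an 'AppInit_DLLs: ...' body into the module names it would load.

    The value is space- or comma-separated.  Bare directory fragments such as
    'c:\\windows\\' are dropped: only tokens ending in a file extension are
    modules the loader could actually map.
    """
    tokens = [t for t in re.split(r"[ ,]+", body.split(":", 1)[1]) if t]
    return [t for t in tokens if re.search(r"\.[A-Za-z0-9]{2,4}$", t)]


def triage(text):
    """Return the findings for one log, in log order."""
    findings = []
    for sec, body in parse_lines(text):
        if sec == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            if any(h in proxy for h in LOCAL_HOSTS):
                # A proxy on the local machine means some process on this host
                # sits between the browser and the network and sees every request.
                findings.append(("high", sec, "browser proxied through local host: " + proxy))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            mods = appinit_dlls(body)
            if mods:
                # AppInit_DLLs are injected into every process that maps user32.dll;
                # a clean XP workstation almost never has this value populated.
                findings.append(("high", sec,
                                 "AppInit_DLLs loads %d module(s): %s" % (len(mods), ", ".join(mods))))
        elif sec == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            # A Notify package whose DLL is gone is usually a leftover of a removal
            # and should be cleaned so winlogon stops trying to load it.
            findings.append(("medium", sec, "orphaned Winlogon Notify hook: " + body))
        elif sec == "O15":
            findings.append(("low", sec, "site added to Trusted Zone: " + body.split(":", 1)[1].strip()))
        elif sec == "O16":
            findings.append(("low", sec, "ActiveX control installed from the web: " + body))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print("%-6s %-4s %s" % (severity, section, detail))
```

Run against the sample it reports five items: the localhost proxy and the populated AppInit_DLLs value as high, the orphaned `ssqPjkhi` Notify entry as medium, and the Trusted Zone and DPF entries as low for review. The O4 entries are deliberately not scored here; deciding whether a Run key is legitimate needs the file on disk, not just the log line.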

Hi bigstar21, Welcome to Malwarebytes :(

Looking at the MBAM Scan log, you did not remove those threats. Please run Malwarebytes again, and whatever is detected choose to Quarantine them.

Then:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  • It is important you rename Combofix during the download, but not after.

  • Please do not rename Combofix to other names, but only to the one indicated.

  • Close any open browsers.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.

  • Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Here is my combofix log:

------------------------------------

ComboFix 09-08-18.04 - sweiler 08/19/2009 11:34.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2811 [GMT -5:00]

Running from: c:\scott\Software\Combo-Fix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\-1937472217

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\sweiler\Application Data\EurekaLog

c:\documents and settings\sweiler\Application Data\EurekaLog\EurekaLog.ini

c:\recycler\S-1-5-21-3657561249-3588590466-2419647484-500

C:\S41.exe

c:\windows\DelSelf.bat

c:\windows\Fonts\ERS_v2_Damage.ttf

c:\windows\Installer\322debc.msp

c:\windows\Installer\5bc4fc1.msi

c:\windows\system32\Cache

c:\windows\system32\drivers\UACyqknawfotk.sys

c:\windows\system32\Drivers\uukugw.sys

c:\windows\system32\eLUwDJlm.ini

c:\windows\system32\eLUwDJlm.ini2

c:\windows\system32\KQYGNqss.ini

c:\windows\system32\KQYGNqss.ini2

c:\windows\system32\MnUDNXbc.ini

c:\windows\system32\MnUDNXbc.ini2

c:\windows\system32\nTuwFeLm.ini

c:\windows\system32\nTuwFeLm.ini2

c:\windows\system32\OqXwDJlm.ini

c:\windows\system32\OqXwDJlm.ini2

c:\windows\system32\oVuuCLUt.ini

c:\windows\system32\oVuuCLUt.ini2

c:\windows\system32\Qqrtvyxx.ini

c:\windows\system32\Qqrtvyxx.ini2

c:\windows\system32\ssDLUvut.ini

c:\windows\system32\ssDLUvut.ini2

c:\windows\system32\UACkxvyetbwxp.db

c:\windows\system32\UACmjlwgrpjxj.dll

c:\windows\system32\UACthtwxukpvg.dll

c:\windows\system32\UACupugwryple.dat

c:\windows\system32\UACvatkveblxk.dll

c:\windows\system32\wxHQtvut.ini

c:\windows\system32\wxHQtvut.ini2

c:\windows\system32\XwGPonmp.ini

c:\windows\system32\XwGPonmp.ini2

----- BITS: Possible infected sites -----

hxxp://Ntdt5.dot.int.lan:80

hxxp://NTDT4.DOT.INT.LAN:80

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_FCI

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 16:41 . 2004-08-04 06:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-19 16:41 . 2004-08-04 06:56 39424 ----a-w- c:\windows\system32\grpconv.exe

2009-08-19 16:12 . 2009-08-19 16:12 -------- d-----w- c:\program files\Trend Micro

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\documents and settings\sweiler\Application Data\SUPERAntiSpyware.com

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-17 17:48 . 2009-08-03 18:36 1295632 ----a-w- C:\xxxx.exe

2009-08-12 19:02 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

2009-08-03 18:37 . 2009-08-03 18:37 -------- d-----w- c:\documents and settings\sweiler\.assistant

2009-07-30 01:29 . 2009-07-30 01:29 -------- d-----w- c:\windows\ms

2009-07-30 01:28 . 2009-07-30 01:28 -------- d-----w- c:\program files\Windows Imaging

2009-07-30 01:28 . 2009-07-30 01:28 -------- dc-h--w- c:\windows\$UninstallRDC$

2009-07-30 01:27 . 2009-07-30 01:27 -------- d-----w- c:\windows\system32\bits

2009-07-30 01:27 . 2007-05-24 13:20 8192 -c----w- c:\windows\system32\dllcache\bitsprx2.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 -c----w- c:\windows\system32\dllcache\bitsprx4.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 ------w- c:\windows\system32\bitsprx4.dll

2009-07-30 01:27 . 2007-05-24 13:20 408064 -c----w- c:\windows\system32\dllcache\qmgr.dll

2009-07-30 01:27 . 2007-05-24 13:20 18944 -c----w- c:\windows\system32\dllcache\qmgrprxy.dll

2009-07-22 02:47 . 2008-12-16 12:47 351232 -c----w- c:\windows\system32\dllcache\winhttp.dll

2009-07-22 02:46 . 2009-02-03 20:08 55808 -c----w- c:\windows\system32\dllcache\secur32.dll

2009-07-22 02:45 . 2009-05-07 15:44 344064 -c----w- c:\windows\system32\dllcache\localspl.dll

2009-07-22 02:44 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-07-22 02:44 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-07-22 02:44 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-07-22 02:44 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-07-22 02:44 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-07-22 02:44 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-07-22 02:44 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-07-22 02:44 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-07-22 02:40 . 2008-06-12 13:47 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll

2009-07-22 02:40 . 2008-06-12 13:47 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll

2009-07-22 02:40 . 2008-06-12 13:47 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll

2009-07-22 02:40 . 2008-06-12 13:47 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll

2009-07-22 02:40 . 2008-06-12 13:47 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll

2009-07-22 02:40 . 2008-06-12 13:47 428032 -c----w- c:\windows\system32\dllcache\msdtcprx.dll

2009-07-22 02:39 . 2009-06-26 15:59 81920 -c----w- c:\windows\system32\dllcache\ieencode.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 16:42 . 2008-08-05 17:30 -------- d-----w- c:\program files\DNA

2009-08-19 16:42 . 2008-08-05 17:30 -------- d-----w- c:\documents and settings\sweiler\Application Data\DNA

2009-08-18 13:57 . 2008-05-20 12:56 -------- d-----w- c:\program files\Coupons

2009-08-17 19:11 . 2007-03-13 13:19 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-17 13:09 . 2008-08-05 17:31 -------- d-----w- c:\documents and settings\sweiler\Application Data\BitTorrent

2009-08-13 18:57 . 2009-04-30 15:31 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-08-13 18:57 . 2009-04-30 15:31 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-08-13 18:57 . 2009-04-30 15:31 -------- d-----w- c:\program files\Replay Media Catcher

2009-08-13 18:57 . 2009-04-30 15:31 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-08-03 18:36 . 2008-08-07 19:11 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 18:36 . 2008-08-07 19:11 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-31 13:44 . 2007-03-13 13:13 -------- d-----w- c:\program files\OpFinApps

2009-07-22 02:42 . 2007-04-03 19:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-07-16 13:14 . 2009-07-16 13:14 -------- d-----w- c:\documents and settings\sweiler\Application Data\Safe Software

2009-07-15 17:41 . 2009-07-15 17:40 -------- d-----w- c:\documents and settings\sweiler\Application Data\U3

2009-07-15 12:50 . 2008-07-01 14:22 -------- d-----w- c:\program files\Winamp

2009-07-10 13:53 . 2009-07-10 13:53 -------- d-----w- c:\program files\Image Navigator

2009-07-10 13:53 . 2009-07-10 13:53 -------- d-----w- c:\program files\Common Files\VIMAS Technologies

2009-07-10 13:42 . 2009-07-10 13:41 -------- d-----w- c:\documents and settings\sweiler\Application Data\Easy Thumbnails

2009-07-06 13:14 . 2008-11-05 17:30 -------- d-----w- c:\documents and settings\sweiler\Application Data\ESRI

2009-07-06 13:13 . 2009-07-06 13:13 -------- d-----w- c:\program files\ArcGIS Explorer

2009-07-01 20:48 . 2008-07-08 21:04 -------- d-----w- c:\documents and settings\sweiler\Application Data\dvdcss

2009-06-26 15:59 . 2001-08-23 12:00 668160 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 15:59 . 2007-03-09 20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-17 01:25 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:27 . 2001-08-23 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2008-08-04 13:36 . 2008-08-04 13:36 11661 ----a-w- c:\program files\Common Files\ygewowije.ban

2008-08-04 13:36 . 2008-08-04 13:36 10784 ----a-w- c:\program files\Common Files\ygujir.com

2008-08-04 13:17 . 2008-08-04 13:17 17087 ----a-w- c:\program files\Common Files\xoqohoqyh.com

2008-08-04 13:17 . 2008-08-04 13:17 16895 ----a-w- c:\program files\Common Files\ynyvafa.exe

2008-08-04 13:17 . 2008-08-04 13:17 16635 ----a-w- c:\program files\Common Files\ejaloze.lib

2008-08-04 13:17 . 2008-08-04 13:17 16042 ----a-w- c:\program files\Common Files\jipanuhuwo.exe

2008-08-04 13:17 . 2008-08-04 13:17 13052 ----a-w- c:\program files\Common Files\himevem.bin

2008-07-29 20:42 . 2008-07-29 20:42 15398 ----a-w- c:\program files\Common Files\awequzu.bat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-02-11 19:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-02-11 365960]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-02-11 365960]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-16 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-04-04 136512]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]

c:\documents and settings\sweiler\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [3/19/2003 10:10 AM 35302]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [12/29/2008 10:12 AM 126984]

S0 zuekfeku;zuekfeku;c:\windows\system32\drivers\cbvnhuow.sys --> c:\windows\system32\drivers\cbvnhuow.sys [?]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [4/30/2009 11:52 AM 234888]

S2 YKRLTOUV;YKRLTOUV;\??\c:\windows\system32\drivers\YKRLTOUV.sys --> c:\windows\system32\drivers\YKRLTOUV.sys [?]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/30/2008 2:09 PM 16512]

S3 Oracleoracle_forms6iClientCache80;Oracleoracle_forms6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 OracleORACLE_HOME_F6iClientCache80;OracleORACLE_HOME_F6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 Oracleoracle_home92ClientCache;Oracleoracle_home92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

.

- - - - ORPHANS REMOVED - - - -

Notify-ssqPjkhi - ssqPjkhi.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dotnet/

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://dotnet/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=localhost:7171

IE: Download &Flash Movies - c:\program files\Flash2X\Flash Hunter\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: En&queue current page with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidqueue.htm

IE: Enqueue link target with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlinkqueue.htm

IE: Open &link target with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlink.htm

IE: Open current page with Bulk I&mage Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebid.htm

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: imageshack.us\toolbar

Trusted Zone: imageshack.us\www

Trusted Zone: state.ia.us\iowaamsvault02.iowa.gov

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-11994.cab

DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab

DPF: {CAD4ADEB-C52B-4E83-A7D1-9C75E022ECCC} - hxxps://ash-cs13.conferenceservers.com/components/WDPLUGIN.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 11:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(864)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3812)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WS_FTP Pro\nsftpch.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\oracle\ora92\bin\omtsreco.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\rundll32.exe

c:\program files\Network Associates\Common Framework\Mctray.exe

.

**************************************************************************

.

Completion time: 2009-08-19 11:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 16:47

Pre-Run: 88,735,784,960 bytes free

Post-Run: 90,153,545,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /3GB


------------------------

Thanks again!!


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\program files\Common Files\ygewowije.ban

c:\program files\Common Files\ygujir.com

c:\program files\Common Files\xoqohoqyh.com

c:\program files\Common Files\ynyvafa.exe

c:\program files\Common Files\ejaloze.lib

c:\program files\Common Files\jipanuhuwo.exe

c:\program files\Common Files\himevem.bin

c:\program files\Common Files\awequzu.bat

Folder::

c:\program files\AskBarDis

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

Driver::

zuekfeku

ASKUpgrade

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


ComboFix 09-08-18.04 - sweiler 08/19/2009 12:14.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2767 [GMT -5:00]

Running from: c:\scott\Software\Combo-Fix.exe

Command switches used :: C:\CFScript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::

"c:\program files\Common Files\awequzu.bat"

"c:\program files\Common Files\ejaloze.lib"

"c:\program files\Common Files\himevem.bin"

"c:\program files\Common Files\jipanuhuwo.exe"

"c:\program files\Common Files\xoqohoqyh.com"

"c:\program files\Common Files\ygewowije.ban"

"c:\program files\Common Files\ygujir.com"

"c:\program files\Common Files\ynyvafa.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\AskBarDis

c:\program files\AskBarDis\bar\bin\askBar.dll

c:\program files\AskBarDis\bar\bin\askPopStp.dll

c:\program files\AskBarDis\bar\bin\AskSplash.exe

c:\program files\AskBarDis\bar\bin\AskTBApp.exe

c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe

c:\program files\AskBarDis\bar\bin\psvince.dll

c:\program files\AskBarDis\bar\Cache\00127920

c:\program files\AskBarDis\bar\Cache\00127BDF

c:\program files\AskBarDis\bar\Cache\00127D56.bin

c:\program files\AskBarDis\bar\Cache\00127FE6.bin

c:\program files\AskBarDis\bar\Cache\0012817C.bin

c:\program files\AskBarDis\bar\Cache\00128257.bin

c:\program files\AskBarDis\bar\Cache\0012839F.bin

c:\program files\AskBarDis\bar\Cache\001284C8.bin

c:\program files\AskBarDis\bar\Cache\001285C2.bin

c:\program files\AskBarDis\bar\Cache\files.ini

c:\program files\AskBarDis\bar\History\search

c:\program files\AskBarDis\bar\Settings\AskLogo.ico

c:\program files\AskBarDis\bar\Settings\config.dat

c:\program files\AskBarDis\bar\Settings\config.dat.bak

c:\program files\AskBarDis\bar\Settings\prevcfg.htm

c:\program files\AskBarDis\unins00.exe

c:\program files\AskBarDis\unins000.dat

c:\program files\AskBarDis\unins000.exe

c:\program files\Common Files\awequzu.bat

c:\program files\Common Files\ejaloze.lib

c:\program files\Common Files\himevem.bin

c:\program files\Common Files\jipanuhuwo.exe

c:\program files\Common Files\xoqohoqyh.com

c:\program files\Common Files\ygewowije.ban

c:\program files\Common Files\ygujir.com

c:\program files\Common Files\ynyvafa.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASKUPGRADE

-------\Service_ASKUpgrade

-------\Service_zuekfeku

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 16:41 . 2004-08-04 06:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-19 16:41 . 2004-08-04 06:56 39424 ----a-w- c:\windows\system32\grpconv.exe

2009-08-19 16:12 . 2009-08-19 16:12 -------- d-----w- c:\program files\Trend Micro

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\documents and settings\sweiler\Application Data\SUPERAntiSpyware.com

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-17 17:48 . 2009-08-03 18:36 1295632 ----a-w- C:\xxxx.exe

2009-08-12 19:02 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

2009-08-03 18:37 . 2009-08-03 18:37 -------- d-----w- c:\documents and settings\sweiler\.assistant

2009-07-30 01:29 . 2009-07-30 01:29 -------- d-----w- c:\windows\ms

2009-07-30 01:28 . 2009-07-30 01:28 -------- d-----w- c:\program files\Windows Imaging

2009-07-30 01:28 . 2009-07-30 01:28 -------- dc-h--w- c:\windows\$UninstallRDC$

2009-07-30 01:27 . 2009-07-30 01:27 -------- d-----w- c:\windows\system32\bits

2009-07-30 01:27 . 2007-05-24 13:20 8192 -c----w- c:\windows\system32\dllcache\bitsprx2.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 -c----w- c:\windows\system32\dllcache\bitsprx4.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 ------w- c:\windows\system32\bitsprx4.dll

2009-07-30 01:27 . 2007-05-24 13:20 408064 -c----w- c:\windows\system32\dllcache\qmgr.dll

2009-07-30 01:27 . 2007-05-24 13:20 18944 -c----w- c:\windows\system32\dllcache\qmgrprxy.dll

2009-07-22 02:47 . 2008-12-16 12:47 351232 -c----w- c:\windows\system32\dllcache\winhttp.dll

2009-07-22 02:46 . 2009-02-03 20:08 55808 -c----w- c:\windows\system32\dllcache\secur32.dll

2009-07-22 02:45 . 2009-05-07 15:44 344064 -c----w- c:\windows\system32\dllcache\localspl.dll

2009-07-22 02:44 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-07-22 02:44 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-07-22 02:44 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-07-22 02:44 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-07-22 02:44 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-07-22 02:44 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-07-22 02:44 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-07-22 02:44 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-07-22 02:40 . 2008-06-12 13:47 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll

2009-07-22 02:40 . 2008-06-12 13:47 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll

2009-07-22 02:40 . 2008-06-12 13:47 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll

2009-07-22 02:40 . 2008-06-12 13:47 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll

2009-07-22 02:40 . 2008-06-12 13:47 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll

2009-07-22 02:40 . 2008-06-12 13:47 428032 -c----w- c:\windows\system32\dllcache\msdtcprx.dll

2009-07-22 02:39 . 2009-06-26 15:59 81920 -c----w- c:\windows\system32\dllcache\ieencode.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 17:17 . 2008-08-05 17:30 -------- d-----w- c:\program files\DNA

2009-08-19 17:17 . 2008-08-05 17:30 -------- d-----w- c:\documents and settings\sweiler\Application Data\DNA

2009-08-18 13:57 . 2008-05-20 12:56 -------- d-----w- c:\program files\Coupons

2009-08-17 19:11 . 2007-03-13 13:19 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-17 13:09 . 2008-08-05 17:31 -------- d-----w- c:\documents and settings\sweiler\Application Data\BitTorrent

2009-08-13 18:57 . 2009-04-30 15:31 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-08-13 18:57 . 2009-04-30 15:31 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-08-13 18:57 . 2009-04-30 15:31 -------- d-----w- c:\program files\Replay Media Catcher

2009-08-13 18:57 . 2009-04-30 15:31 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-08-03 18:36 . 2008-08-07 19:11 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 18:36 . 2008-08-07 19:11 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-31 13:44 . 2007-03-13 13:13 -------- d-----w- c:\program files\OpFinApps

2009-07-22 02:42 . 2007-04-03 19:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-07-16 13:14 . 2009-07-16 13:14 -------- d-----w- c:\documents and settings\sweiler\Application Data\Safe Software

2009-07-15 17:41 . 2009-07-15 17:40 -------- d-----w- c:\documents and settings\sweiler\Application Data\U3

2009-07-15 12:50 . 2008-07-01 14:22 -------- d-----w- c:\program files\Winamp

2009-07-10 13:53 . 2009-07-10 13:53 -------- d-----w- c:\program files\Image Navigator

2009-07-10 13:53 . 2009-07-10 13:53 -------- d-----w- c:\program files\Common Files\VIMAS Technologies

2009-07-10 13:42 . 2009-07-10 13:41 -------- d-----w- c:\documents and settings\sweiler\Application Data\Easy Thumbnails

2009-07-06 13:14 . 2008-11-05 17:30 -------- d-----w- c:\documents and settings\sweiler\Application Data\ESRI

2009-07-06 13:13 . 2009-07-06 13:13 -------- d-----w- c:\program files\ArcGIS Explorer

2009-07-01 20:48 . 2008-07-08 21:04 -------- d-----w- c:\documents and settings\sweiler\Application Data\dvdcss

2009-06-26 15:59 . 2001-08-23 12:00 668160 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 15:59 . 2007-03-09 20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-17 01:25 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:27 . 2001-08-23 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_16.42.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-19 17:16 . 2009-08-19 17:16 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat

+ 2007-09-07 14:52 . 2009-08-19 17:17 227692 c:\windows\system32\inetsrv\MetaBase.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-16 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-04-04 136512]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]

c:\documents and settings\sweiler\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [3/19/2003 10:10 AM 35302]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [12/29/2008 10:12 AM 126984]

S2 YKRLTOUV;YKRLTOUV;\??\c:\windows\system32\drivers\YKRLTOUV.sys --> c:\windows\system32\drivers\YKRLTOUV.sys [?]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/30/2008 2:09 PM 16512]

S3 Oracleoracle_forms6iClientCache80;Oracleoracle_forms6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 OracleORACLE_HOME_F6iClientCache80;OracleORACLE_HOME_F6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 Oracleoracle_home92ClientCache;Oracleoracle_home92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dotnet/

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://dotnet/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=localhost:7171

IE: Download &Flash Movies - c:\program files\Flash2X\Flash Hunter\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: En&queue current page with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidqueue.htm

IE: Enqueue link target with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlinkqueue.htm

IE: Open &link target with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlink.htm

IE: Open current page with Bulk I&mage Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebid.htm

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: imageshack.us\toolbar

Trusted Zone: imageshack.us\www

Trusted Zone: state.ia.us\iowaamsvault02.iowa.gov

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-11994.cab

DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab

DPF: {CAD4ADEB-C52B-4E83-A7D1-9C75E022ECCC} - hxxps://ash-cs13.conferenceservers.com/components/WDPLUGIN.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 12:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(864)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(4072)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WS_FTP Pro\nsftpch.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\oracle\ora92\bin\omtsreco.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\rundll32.exe

c:\program files\Network Associates\Common Framework\Mctray.exe

.

**************************************************************************

.

Completion time: 2009-08-19 12:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 17:22

ComboFix2.txt 2009-08-19 16:47

Pre-Run: 90,206,474,240 bytes free

Post-Run: 90,108,899,328 bytes free



1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off
rem Create a folder on the desktop to receive a copy of ComboFix's quarantine
MD "%USERPROFILE%"\desktop\malware.zip
rem Copy the QooBox quarantine into it: /c continue on errors, /q quiet, /r overwrite read-only, /h include hidden/system, /y no overwrite prompt
xcopy C:\QooBox "%USERPROFILE%"\desktop\malware.zip /c /q /r /h /y
rem Clear the system, read-only and hidden attributes on the copied files (same folder the copy was written to)
Attrib -s -r -h "%USERPROFILE%"\desktop\malware.zip\*.*
Exit

3. Save the file as "Upload.bat". Make sure to save it with the quotation marks.

4. Double click Upload.bat.

Then go to http://uploads.malwarebytes.org/

Under File 1 Choose Browse and select Malware.zip that is on your desktop to upload.

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.40

Database version: 2657

Windows 5.1.2600 Service Pack 2

8/19/2009 12:44:10 PM

mbam-log-2009-08-19 (12-44-10).txt

Scan type: Quick Scan

Objects scanned: 155383

Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)



((((((((((((((((((((((((((((( SnapShot@2009-08-19_16.42.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-19 17:16 . 2009-08-19 17:16 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat

+ 2007-09-07 14:52 . 2009-08-19 17:17 227692 c:\windows\system32\inetsrv\MetaBase.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-16 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-04-04 136512]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]

c:\documents and settings\sweiler\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [3/19/2003 10:10 AM 35302]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [12/29/2008 10:12 AM 126984]

S2 YKRLTOUV;YKRLTOUV;\??\c:\windows\system32\drivers\YKRLTOUV.sys --> c:\windows\system32\drivers\YKRLTOUV.sys [?]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/30/2008 2:09 PM 16512]

S3 Oracleoracle_forms6iClientCache80;Oracleoracle_forms6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 OracleORACLE_HOME_F6iClientCache80;OracleORACLE_HOME_F6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 Oracleoracle_home92ClientCache;Oracleoracle_home92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dotnet/

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://dotnet/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=localhost:7171

IE: Download &Flash Movies - c:\program files\Flash2X\Flash Hunter\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: En&queue current page with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidqueue.htm

IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlinkqueue.htm

IE: Open &link target with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlink.htm

IE: Open current page with Bulk I&mage Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebid.htm

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: imageshack.us\toolbar

Trusted Zone: imageshack.us\www

Trusted Zone: state.ia.us\iowaamsvault02.iowa.gov

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-11994.cab

DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab

DPF: {CAD4ADEB-C52B-4E83-A7D1-9C75E022ECCC} - hxxps://ash-cs13.conferenceservers.com/components/WDPLUGIN.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 12:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(864)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(4072)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WS_FTP Pro\nsftpch.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\oracle\ora92\bin\omtsreco.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\rundll32.exe

c:\program files\Network Associates\Common Framework\Mctray.exe

.

**************************************************************************

.

Completion time: 2009-08-19 12:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 17:22

ComboFix2.txt 2009-08-19 16:47

Pre-Run: 90,206,474,240 bytes free

Post-Run: 90,108,899,328 bytes free


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

File::

C:\xxxx.exe

Driver::

YKRLTOUV

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


ComboFix 09-08-20.07 - sweiler 08/21/2009 8:41.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2731 [GMT -5:00]

Running from: c:\scott\Software\ComboFix.exe

Command switches used :: c:\scott\Software\CFScript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::

"C:\xxxx.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\sweiler\Application Data\EurekaLog

c:\windows\Downloaded Program Files\CpnMgr.dll

C:\xxxx.exe

----- BITS: Possible infected sites -----

hxxp://Ntdt5.dot.int.lan:80

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_YKRLTOUV

-------\Service_YKRLTOUV

((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))

.

2009-08-19 20:11 . 2009-08-19 20:11 -------- d-s---w- C:\Combo-Fix

2009-08-19 17:34 . 2009-08-19 17:34 182 ----a-w- C:\upload.bat

2009-08-19 16:41 . 2004-08-04 06:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-19 16:41 . 2004-08-04 06:56 39424 ----a-w- c:\windows\system32\grpconv.exe

2009-08-19 16:12 . 2009-08-19 16:12 -------- d-----w- c:\program files\Trend Micro

2009-08-19 14:15 . 2009-08-19 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-19 14:15 . 2009-08-19 17:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-19 14:15 . 2009-08-19 17:26 -------- d-----w- c:\documents and settings\sweiler\Application Data\SUPERAntiSpyware.com

2009-08-12 19:02 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

2009-08-03 18:37 . 2009-08-03 18:37 -------- d-----w- c:\documents and settings\sweiler\.assistant

2009-07-30 01:29 . 2009-07-30 01:29 -------- d-----w- c:\windows\ms

2009-07-30 01:28 . 2009-07-30 01:28 -------- d-----w- c:\program files\Windows Imaging

2009-07-30 01:28 . 2009-07-30 01:28 -------- dc-h--w- c:\windows\$UninstallRDC$

2009-07-30 01:27 . 2009-07-30 01:27 -------- d-----w- c:\windows\system32\bits

2009-07-30 01:27 . 2007-05-24 13:20 8192 -c----w- c:\windows\system32\dllcache\bitsprx2.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 -c----w- c:\windows\system32\dllcache\bitsprx4.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll

2009-07-30 01:27 . 2007-05-24 13:20 7168 ------w- c:\windows\system32\bitsprx4.dll

2009-07-30 01:27 . 2007-05-24 13:20 408064 -c----w- c:\windows\system32\dllcache\qmgr.dll

2009-07-30 01:27 . 2007-05-24 13:20 18944 -c----w- c:\windows\system32\dllcache\qmgrprxy.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-21 13:45 . 2008-08-05 17:30 -------- d-----w- c:\program files\DNA

2009-08-21 13:45 . 2008-08-05 17:30 -------- d-----w- c:\documents and settings\sweiler\Application Data\DNA

2009-08-18 13:57 . 2008-05-20 12:56 -------- d-----w- c:\program files\Coupons

2009-08-17 19:11 . 2007-03-13 13:19 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-17 13:09 . 2008-08-05 17:31 -------- d-----w- c:\documents and settings\sweiler\Application Data\BitTorrent

2009-08-13 18:57 . 2009-04-30 15:31 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-08-13 18:57 . 2009-04-30 15:31 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-08-13 18:57 . 2009-04-30 15:31 -------- d-----w- c:\program files\Replay Media Catcher

2009-08-13 18:57 . 2009-04-30 15:31 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-08-04 12:46 . 2008-10-23 13:59 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 18:36 . 2008-08-07 19:11 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 18:36 . 2008-08-07 19:11 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-31 13:44 . 2007-03-13 13:13 -------- d-----w- c:\program files\OpFinApps

2009-07-22 02:42 . 2007-04-03 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-16 13:14 . 2009-07-16 13:14 -------- d-----w- c:\documents and settings\sweiler\Application Data\Safe Software

2009-07-15 17:41 . 2009-07-15 17:40 -------- d-----w- c:\documents and settings\sweiler\Application Data\U3

2009-07-15 12:50 . 2008-07-01 14:22 -------- d-----w- c:\program files\Winamp

2009-07-10 13:53 . 2009-07-10 13:53 -------- d-----w- c:\program files\Image Navigator

2009-07-10 13:53 . 2009-07-10 13:53 -------- d-----w- c:\program files\Common Files\VIMAS Technologies

2009-07-10 13:42 . 2009-07-10 13:41 -------- d-----w- c:\documents and settings\sweiler\Application Data\Easy Thumbnails

2009-07-06 13:14 . 2008-11-05 17:30 -------- d-----w- c:\documents and settings\sweiler\Application Data\ESRI

2009-07-06 13:13 . 2009-07-06 13:13 -------- d-----w- c:\program files\ArcGIS Explorer

2009-07-01 20:48 . 2008-07-08 21:04 -------- d-----w- c:\documents and settings\sweiler\Application Data\dvdcss

2009-06-26 15:59 . 2001-08-23 12:00 668160 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 15:59 . 2007-03-09 20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-17 01:25 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:27 . 2001-08-23 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-29 13:28 . 2009-05-29 13:28 152576 ----a-w- c:\documents and settings\sweiler\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-29 13:20 . 2009-05-29 13:09 152576 ----a-w- c:\documents and settings\sweiler\Application Data\Sun\Java\jre1.6.0_12\lzma.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-16 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-04-04 136512]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]

c:\documents and settings\sweiler\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=DrvTrNTm.dll

"wave"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [3/19/2003 10:10 AM 35302]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]

R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [12/29/2008 10:12 AM 126984]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/30/2008 2:09 PM 16512]

S3 Oracleoracle_forms6iClientCache80;Oracleoracle_forms6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 OracleORACLE_HOME_F6iClientCache80;OracleORACLE_HOME_F6iClientCache80;c:\oracle\forms6i\BIN\ONRSD80.EXE [10/27/2000 1:45 PM 101136]

S3 Oracleoracle_home92ClientCache;Oracleoracle_home92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dotnet/

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://dotnet/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=localhost:7171

IE: Download &Flash Movies - c:\program files\Flash2X\Flash Hunter\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: En&queue current page with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidqueue.htm

IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlinkqueue.htm

IE: Open &link target with Bulk Image Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebidlink.htm

IE: Open current page with Bulk I&mage Downloader - file://c:\scott\Bulk Image Downloader\iemenu\iebid.htm

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: imageshack.us\toolbar

Trusted Zone: imageshack.us\www

Trusted Zone: state.ia.us\iowaamsvault02.iowa.gov

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-11994.cab

DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab

DPF: {CAD4ADEB-C52B-4E83-A7D1-9C75E022ECCC} - hxxps://ash-cs13.conferenceservers.com/components/WDPLUGIN.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-21 08:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(4052)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WS_FTP Pro\nsftpch.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\oracle\ora92\bin\omtsreco.exe

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\rundll32.exe

c:\program files\Network Associates\Common Framework\Mctray.exe

.

**************************************************************************

.

Completion time: 2009-08-21 8:50 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-21 13:50

ComboFix2.txt 2009-08-19 17:22

Pre-Run: 90,407,219,200 bytes free

Post-Run: 90,731,089,920 bytes free


Hi bigstar21,

Right click this file, and click Open With Notepad:

C:\upload.bat

Post the contents here.

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
