
Can't solve



I had a Trojan of some type (Trojan horse PSW.Agent.ABTH, msmtqvswmyk.dll). I think I got rid of it between AVG and Malwarebytes. I cannot run CoffeeCup HTML editor. I upgraded from 2007 to 2009, and it will not start. In Task Manager I see it pop up, but after I get the error message (below) it disappears and does not spawn.

Now the remnant problem is that when I boot, or even in normal operation, whenever Windows XP loads an application I get the following error (pop up message window):

<xxx>.exe - Unable To Locate Component (where "xxx" is the name of the application)

<big red X in circle> This application has failed to start because msmqvswmyk.dll was not found. Re-installing the application may fix this problem.

I have searched for the dll in regedit, no luck. (Googling it produces nothing. I am sure this is a trojan dll.) My brother (who does some sys work) had me look in some typical registry locations, but nothing unusual.

Thanks!

Malware Bytes Log:

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 3

8/23/2009 6:10:51 PM

mbam-log-2009-08-23 (18-10-51).txt

Scan type: Quick Scan

Objects scanned: 149921

Time elapsed: 17 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:12:05 PM, on 8/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Kodak\printer\center\KodakSvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {1A849F91-7AC3-4C01-BA4E-BEC8417506E3} - c:\windows\system32\npziqvd.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-20\..\Run: [renagiyine] Rundll32.exe "C:\WINDOWS\system32\weruwoge.dll",s (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')

O4 - Startup: palmOne Registration.lnk.disabled

O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: lhhbhc.dll jfrejc.dll avgrsstx.dll c:\windows\system32\kufubabe.dll jbdgjt.dll ,

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: mgkiqfwl - C:\WINDOWS\SYSTEM32\npziqvd.dll

O20 - Winlogon Notify: Winlogon - C:\WINDOWS\SYSTEM32\winmm64.dll

O21 - SSODL: WinCheck - {EAD8F454-EC03-4B47-A5B7-6534DA513FA5} - winmm64.dll (file missing)

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Intel


  • Staff

Hi JohnQPublic and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


I think it is bug.txt?

32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg

32788R22FWJFW\PEV.exe UZIP 32788R22FWJFW\License\pv_5_2_2.zip 32788R22FWJFW\

MOVE /Y 32788R22FWJFW\PV.exe 32788R22FWJFW\PV.cfxxe

32788R22FWJFW\PV.cfxxe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe cmd.exe

Killing '*.pif'

Killing 'nircmd.*'

Killing 'ANDRE.EXE'

Killing 'TOLO.exe'

Killing 'Merlin.scr'

Killing 'jalang.exe'

Killing 'jalangkung.exe'

Killing 'jantungan.exe'

Killing 'DOSEN.exe'

Killing 'C3W3K4MPUS.exe'

Killing 'cmd.exe'

pv: No matching processes found

PUSHD "C:\32788R22FWJFW"

IF NOT EXIST pev.cfxxe COPY /Y pev.exe pev.cfxxe

1 file(s) copied.

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe

1 file(s) copied.

SET "Comspec=C:\WINDOWS\system32\cmd.execf"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

IF EXIST OsVer EXIT

VER 1>OsVer

GREP.cfxxe -F "5.2." OsVer

IF 1 == 0 GOTO Not_NT

GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

IF 0 == 0 GOTO NT

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SED.cfxxe "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV.EXE -rtf -s+901 .\OriPath00 && (

SED.cfxxe -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01

FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter"

Killing 'runonce.exe'

Killing 'grpconv.exe'

Killing 'procmon.exe'

Killing 'ANDRE.EXE'

Killing 'TOLO.exe'

Killing 'Merlin.scr'

Killing 'jalang.exe'

Killing 'jalangkung.exe'

Killing 'jantungan.exe'

Killing 'DOSEN.exe'

Killing 'C3W3K4MPUS.exe'

pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (

PV -o%f * 1>temp01

PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02

GREP -Fif temp00 temp02 1>temp03

SED "/.* /!d; s///" temp03 1>temp04

SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05

FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G

)

CALL :MDCheck

Could Not Find C:\32788R22FWJFW\md5sum00.pif

PEV -rtf -md5126C7AECC7661C72C07A152473315731 .\md5sum.pif || CALL :MDFaiL ChkSum_Fail

.\md5sum.pif

PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL

GOTO :EOF

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Mark\Application Data

cfExt=cfxxe

CFLDR=32788R22FWJFW

Chksum=126C7AECC7661C72C07A152473315731

CLASSPATH=.;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=WYATT_SERVER

ComSpec=C:\WINDOWS\system32\cmd.execf

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Mark

KMD=CF13024.exe

LOGONSERVER=\\WYATT_SERVER

NUMBER_OF_PROCESSORS=2

OS=Windows_NT

Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter

PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 2, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0602

ProgramFiles=C:\Program Files

PROMPT=$

Qrntn=C:\Qoobox\Quarantine

QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip

RKEY_=hklm\software\microsoft\windows nt\currentversion\windows

RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog

SESSIONNAME=Console

sfxcmd="C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe"

sfxname=C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe

SYSTEM=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Mark\LOCALS~1\Temp

TMP=C:\DOCUME~1\Mark\LOCALS~1\Temp

USERDOMAIN=WYATT_SERVER

USERNAME=Mark

USERPROFILE=C:\Documents and Settings\Mark

windir=C:\WINDOWS

=============================================

IF NOT DEFINED sfxname GOTO END

GREP -F \ temp01 && CALL :Aux

GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

CALL LANG.bat

Active code page: 1252

SET SfxCmd 1>SET00

SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Documents and Settings\\Mark\\Local Settings\\Temporary Internet Files\\Content.IE5\\SHTIP1GP\\ComboFix[1].exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd

DEL /A/F SET00

ATTRIB +R "C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe"

@SET SfxCmd="C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe"

CALL sfx.cmd

CALL AV.cmd

SET /a AVCount+=1

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

IF NOT EXIST AvBlack00 GREP -Fisf AVBlack resident.txt 1>AvBlack00 && (

SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01

FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

)

GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (

SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB

NIRCMD LOOP 2 80 BEEP 3000 200

IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check

IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""

)

DEL /A/F/Q AVChk? AvWhite AvBlack AvBlack0?

SET AVCount=

IF EXIST vista.mac CALL :Vista

GREP -Fx "REGEDIT4" Fin.dat || (

ECHO.1>"C:\DOCUME~1\Mark\LOCALS~1\Temp\tdsstdss"

PEV -rtf "C:\DOCUME~1\Mark\LOCALS~1\Temp\tdsstdss" || (

ECHO.1>wtf_tdssserv

CALL c.bat

GOTO END

)

GOTO AbortD

)

REGEDIT4

IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort

IF EXIST "C:\DOCUME~1\Mark\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log" DEL /A/F "C:\DOCUME~1\Mark\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log"

COPY /Y /B "C:\WINDOWS\system32\cmd.execf" "C:\WINDOWS\system32\CF13024.exe"

1 file(s) copied.

SET "COMSPEC=C:\WINDOWS\system32\CF13024.exe"

FOR /F "TOKENS=*" %G IN ("C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\ComboFix[1].exe") DO (

SET "FileName=%~NG"

SET "FilePath=%~DPG"

)

(

SET "FileName=ComboFix[1]"

SET "FilePath=C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\SHTIP1GP\"

)

SET FileName 1>FileName

GREP -ix "FileName=[-[:alnum:]@.]*" FileName || GOTO AbortB

DEL /A/F/Q DirName0?

Could Not Find C:\32788R22FWJFW\DirName0?

CALL NircmdB.exe INFOBOX "You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""

GOTO END

IF EXIST "C:\WINDOWS\system32\cmd.execf" MOVE /Y "C:\WINDOWS\system32\cmd.execf" "C:\DOCUME~1\Mark\LOCALS~1\Temp"

CD ..

IF DEFINED cfldr RD /S/Q "32788R22FWJFW"

The system cannot find the path specified.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:43:24 PM, on 8/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Kodak\printer\center\KodakSvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Thanks!


Ok. Last time I ran from the link. I guess it never completed. This time I downloaded the software and ran it. It took 20-30 minutes because every time ComboFix ran a new process, the error message with the phantom dll popped up. Apparently it found something in one of the Windows temp. internet files (I thought I had deleted them, but guess not). Here is the logfile:

ComboFix 09-08-22.06 - Mark 08/23/2009 20:18.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1321 [GMT -7:00]

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Melva\Local Settings\Temporary Internet Files\tywisy.lib

c:\documents and settings\Melva\Local Settings\Temporary Internet Files\ubepepi.dat

c:\documents and settings\Melva\Local Settings\Temporary Internet Files\vizapil.bat

c:\windows\kb913800.exe

c:\windows\system32\drivers\zcaaqdvn.sys

c:\windows\system32\drivers\zvrinrtq.sys

c:\windows\system32\kinvgnp.dll

c:\windows\system32\npziqvd.dll

c:\windows\system32\winmm64.dll

c:\windows\Tasks\At1.job

c:\windows\Tasks\obbzhigi.job

Infected copy of c:\windows\system32\imm32.dll was found and disinfected

Restored copy from - c:\system volume information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP204\A0020273.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TOBVGBIH

-------\Legacy_ZVRINRTQ

-------\Service_tobvgbih

-------\Service_zvrinrtq

((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))

.

2009-08-22 15:46 . 2009-08-02 16:36 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

2009-08-22 15:46 . 2009-08-02 16:36 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

2009-08-22 03:52 . 2009-08-22 03:52 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-16 14:40 . 2009-08-16 14:40 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-16 14:40 . 2009-08-16 14:40 -------- d-----w- c:\program files\MSBuild

2009-08-16 14:40 . 2009-08-16 14:40 -------- d-----w- c:\program files\Reference Assemblies

2009-08-16 14:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-16 14:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-16 14:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-16 14:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-16 14:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-16 14:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-16 14:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-16 02:59 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-04 02:44 . 2009-08-04 02:44 -------- d--h--w- c:\windows\system32\GroupPolicy

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-24 01:11 . 2006-10-31 04:17 -------- d-----w- c:\program files\Trend Micro

2009-08-23 23:40 . 2008-02-07 04:51 -------- d-----w- c:\program files\CoffeeCup Software

2009-08-22 15:46 . 2009-01-19 07:18 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-22 15:46 . 2009-01-19 07:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-22 15:46 . 2009-01-19 07:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-22 05:35 . 2009-01-20 03:58 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-22 05:31 . 2009-01-20 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-22 03:52 . 2009-01-21 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-18 04:43 . 2006-10-30 05:40 107184 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 04:07 . 2006-12-01 05:05 -------- d-----w- c:\documents and settings\Mark\Application Data\ZoomBrowser EX

2009-08-06 04:03 . 2007-12-28 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-08-05 09:01 . 2004-08-10 20:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 20:36 . 2009-01-21 03:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2009-01-21 03:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-31 04:26 . 2007-12-27 04:00 -------- d-----w- c:\documents and settings\Mark\Application Data\gtk-2.0

2009-07-17 19:01 . 2004-08-10 20:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 17:08 . 2004-08-10 20:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 03:01 . 2009-07-11 02:59 -------- d-----w- c:\documents and settings\Melva\Application Data\gtk-2.0

2009-06-29 16:12 . 2005-10-21 03:39 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-10 20:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-10 20:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-26 02:48 . 2009-06-26 02:48 -------- d-----w- c:\documents and settings\Melva\Application Data\HotSync

2009-06-26 02:36 . 2007-02-18 22:22 -------- d-----w- c:\documents and settings\Mark\Application Data\Arcsoft

2009-06-26 02:34 . 2009-06-26 02:21 -------- d-----w- c:\program files\palmOne

2009-06-26 02:28 . 2009-06-26 02:28 -------- d-----w- c:\documents and settings\Mark\Application Data\Leadertech

2009-06-26 02:22 . 2009-06-26 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HotSync

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\PalmDesktopShortcut.exe

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut6.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut5.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut4.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut2.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut1.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe

2009-06-26 02:22 . 2009-06-26 02:22 65536 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\ARPPRODUCTICON.exe

2009-06-26 02:22 . 2009-06-26 02:22 49152 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{E434580A-2D4A-4433-A81E-4BCAE86AD148}\NewShortcut3.4DA64122_6F1D_4317_BC6A_2B3299881D1B.exe

2009-06-26 02:20 . 2009-06-26 02:20 -------- d-----w- c:\documents and settings\Mark\Application Data\HotSync

2009-06-26 02:20 . 2009-06-26 02:22 53248 ----a-w- c:\windows\PalmDevC.dll

2009-06-26 02:20 . 2004-06-09 20:37 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys

2009-06-26 01:41 . 2009-06-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-06-25 08:25 . 2005-06-15 17:49 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2004-10-28 01:21 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 20:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 20:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 20:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 20:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2004-08-10 20:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-10 20:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-10 20:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-14 23:07 . 2009-06-22 19:23 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll

2009-06-12 12:31 . 2004-08-10 20:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2005-05-10 23:45 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2004-08-10 20:00 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-10 20:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-10 20:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2005-08-30 04:13 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-02 14:03 . 2009-06-02 14:03 390664 ----a-w- c:\documents and settings\Mark\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

2008-11-18 01:26 . 2008-11-18 01:26 19046 ----a-w- c:\program files\Common Files\izidyja.sys

2008-11-18 01:26 . 2008-11-18 01:26 15208 ----a-w- c:\program files\Common Files\orud.lib

2008-11-18 01:26 . 2008-11-18 01:26 10440 ----a-w- c:\program files\Common Files\daguh.scr

2006-11-13 02:41 . 2006-11-13 02:41 251 ----a-w- c:\program files\wt3d.ini

2006-10-11 08:04 . 2008-02-10 04:57 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2006-10-11 08:04 . 2008-02-10 04:57 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2006-10-11 08:05 . 2008-02-10 04:57 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2006-10-11 08:05 . 2008-02-10 04:57 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2006-10-11 08:04 . 2008-02-10 04:57 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-01-19 00:33 . 2009-01-19 00:33 1354509 --sh--w- c:\windows\system32\afayojel.tmp

2009-01-21 03:16 . 2009-01-21 03:16 4546 --sh--w- c:\windows\system32\ropenoya.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-17 397312]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-18 282624]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-14 1052672]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 185896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]

"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-31 16269312]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-11-21 218496]

c:\documents and settings\Mark\Start Menu\Programs\Startup\

palmOne Registration.lnk.disabled [2009-8-19 755]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

Wireless 802.11g USB Adapter.lnk - c:\program files\Wireless 802.11g USB Adapter\ZDWlan.exe [2004-11-19 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 15:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 12:18 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 12:18 AM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2009 12:18 AM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 12:18 AM 297752]

R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [3/22/2007 7:04 PM 9728]

S3 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [9/22/2007 10:49 PM 24576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ZVRINRTQ

*Deregistered* - zvrinrtq

.

Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job

- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2007-03-23 02:04]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)

SSODL-WinCheck-{EAD8F454-EC03-4B47-A5B7-6534DA513FA5} - winmm64.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\a3j2hjjg.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-23 20:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,9f,82,be,4b,99,

69,0a,cc,e2,63,26,f1,3f,c8,ff,68,a1,2e,d3,5f,c9,b6,4f,3b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,b5,cc,f8,84,25,

46,a2,21,6a,9c,d6,61,af,45,84,18,a3,2c,cb,70,2f,70,db,82,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,44,83,89,9d,8a,

db,d2,74,ff,7c,85,e0,43,d4,0e,fe,54,f3,ab,5a,a8,b9,c2,7b,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,17,bf,dd,ef,9d,

db,b5,af,86,8c,21,01,be,91,eb,e7,63,68,f1,a3,47,ec,e4,10,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,2e,4e,a5,0c,17,

b9,ba,75,f5,1d,4d,73,a8,13,5c,05,a9,7b,e2,bc,fd,8e,b9,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,b8,85,9c,50,03,

6f,36,af,df,20,58,62,78,6b,cf,c8,98,bd,1d,71,2f,a6,dd,e8,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,19,14,28,0d,13,

27,b7,7c,fb,a7,78,e6,12,2f,9a,ea,72,a6,c3,51,a6,7e,c7,0d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,72,8b,be,65,88,

44,55,92,01,3a,48,fc,e8,04,4a,f1,11,7d,73,c9,8c,c4,36,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,1b,3f,52,79,7a,

64,9b,bb,f6,0f,4e,58,98,5b,89,c9,d6,c8,11,12,0b,f3,eb,1f,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,21,10,a6,2b,49,

d2,0a,9f,3d,ce,ea,26,2d,45,aa,78,40,3b,26,ef,24,04,60,3e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,34,b5,2b,96,e7,

fd,e0,e3,2a,b7,cc,b5,b9,7f,41,e7,e5,17,53,83,5a,0f,c4,8a,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,ce,e6,ed,e3,3a,

3b,2d,18,6c,43,2d,1e,aa,22,2f,9c,2d,6a,52,a6,02,98,1b,13,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1564)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\progra~1\SPYBOT~1\SDHelper.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\dllhost.exe

c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe

c:\program files\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2009-08-24 20:45 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-24 03:45

Pre-Run: 50,300,743,680 bytes free

Post-Run: 51,007,373,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

325 --- E O F --- 2009-08-17 13:26


  • Staff

Hi,

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

After that, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


F-Secure output (I'll do Security Check separately):

Scanning Report

Sunday, August 23, 2009 21:33:38 - 22:31:30

Computer name: WYATT_SERVER

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

16 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

Trojan:INI/Vundo.gen!F (spyware)

System (Disinfected)

Trojan.Boaxxe.P (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Specificclick (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 72438

System: 4890

Not scanned: 9

Actions:

Disinfected: 16

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\HIBERFIL.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2164232128_12779520_10995

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AVG SECURITY TOOLBAR\IETOOLBAR.DLL

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics


Security Check:

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 8.5

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 3

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

AVG avgemc.exe

Mark LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe

Mark LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe

Mark LOCALS~1 Temp fsonlinescanner.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Got it all.

Another Trojan showed up (AVG caught it):

Resident Shield detection

Infection;"Object";"Result";"Detection time";"Object Type";"Process"

Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 8:06:25 PM";"file";"C:\WINDOWS\system32\svchost.exe"

Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 5:04:58 PM";"file";"C:\WINDOWS\system32\svchost.exe"

Trojan horse SHeur2.AYQL;"C:\System Volume Information\_restore{8BCC4B01-D0FC-49E1-B6BB-E313623C63D2}\RP220\A0025359.dll";"Infected";"8/24/2009, 4:21:12 PM";"file";"C:\WINDOWS\system32\svchost.exe"

Other than that, everything is running pretty good.

I did a quick scan with malwarebytes and it did not catch anything.


  • Staff

JohnQPublic,

Those infections are only in System Restore's cache and aren't dangerous unless you do a System Restore.

Let's clear your infected Restore Points, and create a fresh, clean one.

To clear existing restore points:

  • Right-click My Computer and select the System Restore tab.
  • Click to add a check mark next to Turn off System Restore, and click OK.
  • You will be warned that all existing Restore Points will be deleted, select Yes to continue.

All system restore points are deleted. Now please create a new restore point by doing the following:

  • Right-click My Computer and select the System Restore tab.
  • Click to remove the check mark next to Turn off System Restore, and click OK.

Restart your computer and let me know what issues remain.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
