Jump to content

Spyware alerts MWB and HJT logs enclosed


Ray2020

Recommended Posts

This may be a bit lenghthy, but I have tried to do as much of the legwork as possible.

For several days I have noticed that when clicking on the results of a google or yahoo search by browser has been getting redirected to a random site. This morning when I started my computer, I ran MWB as I usually do. It found two issues. Here is the log.

Malwarebytes' Anti-Malware 1.40

Database version: 2729

Windows 5.1.2600 Service Pack 2

09/02/2009 8:02:20 AM

mbam-log-2009-09-02 (08-02-20).txt

Scan type: Quick Scan

Objects scanned: 118244

Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

I rebooted and ran MWB again with the same two problems found. tried clearing them and rebooted with the same results. I then deided to run HJT, and while trying to start it I got numerous "Infected with spyware" messages. HJT would not complete a scan. I tried MWB, and it would not start. I renamed MBAM to iexplore, and it ran almost to completion, found many issues, then the computer shut down. I restarted and ran MWB again successfully, then ran HJT.

Here are the logs:

MWB Log

Malwarebytes' Anti-Malware 1.40

Database version: 2729

Windows 5.1.2600 Service Pack 2

09/02/2009 9:59:30 AM

mbam-log-2009-09-02 (09-59-30).txt

Scan type: Quick Scan

Objects scanned: 118107

Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 2

Registry Keys Infected: 3

Registry Values Infected: 6

Registry Data Items Infected: 12

Folders Infected: 1

Files Infected: 16

Memory Processes Infected:

C:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> Unloaded process successfully.

C:\WINDOWS\system32\winupdate.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.

Memory Modules Infected:

\\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\drivers\smss.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\drivers\smss.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.

\\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winupdate.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\cpv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\ppc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\sp.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ray\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ray\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ray\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ray\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Delete on reboot.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:03:54 AM, on 09/02/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\arservice.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\DOCUME~1\Ray\LOCALS~1\Temp\winlogon.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\DOCUME~1\Ray\LOCALS~1\Temp\debug.exe

C:\DOCUME~1\Ray\LOCALS~1\Temp\winamp.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Malwarebytes' Anti-Malware\iexplore.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"

O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Ray\LOCALS~1\Temp\winamp.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\cty1da.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.filesymphony.com

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

O16 - DPF: FirstViewer - http://63.68.31.196/alchemyoutside/Components/FirstVwr.CAB

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ryHC_02_03.html

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154053888554

O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c3/v15.269/qboax8.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9256 bytes

After restarting, I appear to be back where I started this morning. here are those logs:

Malwarebytes' Anti-Malware 1.40

Database version: 2729

Windows 5.1.2600 Service Pack 2

09/02/2009 10:22:04 AM

mbam-log-2009-09-02 (10-22-04).txt

Scan type: Quick Scan

Objects scanned: 117934

Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:25:02 AM, on 09/02/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Malwarebytes' Anti-Malware\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"

O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\cty1da.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.filesymphony.com

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

O16 - DPF: FirstViewer - http://63.68.31.196/alchemyoutside/Components/FirstVwr.CAB

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ryHC_02_03.html

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154053888554

O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c3/v15.269/qboax8.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8753 bytes

What should I do now?????

Link to post
Share on other sites

Hello Ray2020

Welcome to Malwarebytes. :D

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

===========

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Link to post
Share on other sites

Here are the requested logs:

OTL logfile created on: 09/03/2009 8:21:16 AM - Run 1

OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Ray\Desktop

Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

958.48 Mb Total Physical Memory | 432.57 Mb Available Physical Memory | 45.13% Memory free

2.26 Gb Paging File | 1.68 Gb Available in Paging File | 74.41% Paging File free

Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 177.51 Gb Total Space | 153.86 Gb Free Space | 86.68% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 0.09 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive K: | 232.88 Gb Total Space | 207.76 Gb Free Space | 89.21% Space Free | Partition Type: NTFS

Drive T: | 232.88 Gb Total Space | 207.76 Gb Free Space | 89.21% Space Free | Partition Type: NTFS

Computer Name: ADV03

Current User Name: RayA

Logged in as Administrator.

OTL Extras logfile created on: 09/03/2009 8:21:16 AM - Run 1

OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Ray\Desktop

Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

958.48 Mb Total Physical Memory | 432.57 Mb Available Physical Memory | 45.13% Memory free

2.26 Gb Paging File | 1.68 Gb Available in Paging File | 74.41% Paging File free

Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 177.51 Gb Total Space | 153.86 Gb Free Space | 86.68% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 0.09 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive K: | 232.88 Gb Total Space | 207.76 Gb Free Space | 89.21% Space Free | Partition Type: NTFS

Drive T: | 232.88 Gb Total Space | 207.76 Gb Free Space | 89.21% Space Free | Partition Type: NTFS

Computer Name: ADV03

Current User Name: RayA

Logged in as Administrator.

GMER 1.0.15.15077 [ykh51okh.exe] - http://www.gmer.net

Rootkit scan 2009-09-03 08:53:37

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

Code 8546BE98 ZwEnumerateKey

Code 8546C128 ZwFlushInstructionCache

Code 8546B17E ZwSaveKey

Code 8546B906 ZwSaveKeyEx

Code 8546A306 IofCallDriver

Code 8546A0BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 8546A30B

.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 8546A0C3

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 8546C12C

PAGE ntkrnlpa.exe!ZwSaveKey 806173DA 5 Bytes JMP 8546B182

PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061746A 5 Bytes JMP 8546B90A

PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 8546BE9C

? system32\drivers\mnex.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2992] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2992] USER32.dll!MessageBoxA 7E45058A 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2992] USER32.dll!MessageBoxW 7E46630A 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1100] 0x10000000

Library \\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [1536] 0x10000000

Library \\?\globalroot\systemroot\system32\vsfocejoxysjwl.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2384] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfocekndetkkj.sys (*** hidden *** ) [sYSTEM] vsfoceonptouam <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam@imagepath \systemroot\system32\drivers\vsfocekndetkkj.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main@aid 10002

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main@sid 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main@cmddelay 14400

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main\injector@* vsfocewsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocekndetkkj.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\modules@vsfocecmd.dll \systemroot\system32\vsfoceauotmeyd.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\modules@vsfocelog.dat \systemroot\system32\vsfocedvtquegv.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\modules@vsfocewsp.dll \systemroot\system32\vsfocejoxysjwl.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceonptouam\modules@vsfoce.dat \systemroot\system32\vsfoceuejwmrqp.dat

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam@imagepath \systemroot\system32\drivers\vsfocekndetkkj.sys

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main@aid 10002

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main@sid 1

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main\injector@* vsfocewsp.dll

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocekndetkkj.sys

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\modules@vsfocecmd.dll \systemroot\system32\vsfoceauotmeyd.dll

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\modules@vsfocelog.dat \systemroot\system32\vsfocedvtquegv.dat

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\modules@vsfocewsp.dll \systemroot\system32\vsfocejoxysjwl.dll

Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceonptouam\modules@vsfoce.dat \systemroot\system32\vsfoceuejwmrqp.dat

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Link to post
Share on other sites

Here is the ComboFix log:

ComboFix 09-09-03.02 - RayA 09/03/2009 14:47.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.529 [GMT -4:00]

Running from: \\Advserver01\shares\Documents\Ray\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-527237240-179605362-725345543-500

c:\windows\Installer\4478203.msp

c:\windows\Installer\4478204.msp

c:\windows\Installer\4478205.msp

c:\windows\Installer\4478206.msp

c:\windows\Installer\4478207.msp

c:\windows\Installer\4478208.msp

c:\windows\Installer\4478209.msp

c:\windows\Installer\96d79ca.msp

c:\windows\Installer\96d79cb.msp

c:\windows\Installer\96d79cc.msp

c:\windows\Installer\96d79cd.msp

c:\windows\Installer\96d79ce.msp

c:\windows\Installer\96d79cf.msp

c:\windows\Installer\96d79d0.msp

c:\windows\kb913800.exe

c:\windows\system32\bszip.dll

c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk

c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\drivers\vsfocekndetkkj.sys

c:\windows\system32\vsfoceauotmeyd.dll

c:\windows\system32\vsfocedvtquegv.dat

c:\windows\system32\vsfocejoxysjwl.dll

c:\windows\system32\vsfoceuejwmrqp.dat

c:\windows\wpd99.drv

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_vsfoceonptouam

-------\Legacy_vsfoceonptouam

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))

.

2009-09-02 12:32 . 2009-09-02 12:32 -------- d-----w- c:\program files\Trend Micro

2009-08-25 13:47 . 2009-08-25 13:47 -------- d-----w- c:\windows\TEM

2009-08-13 07:01 . 2009-08-13 07:01 -------- d-----w- c:\windows\ServicePackFiles

2009-08-06 11:59 . 2009-08-06 11:59 59120 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\MSBuild

2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\Reference Assemblies

2009-08-06 07:06 . 2009-08-06 07:06 -------- d-----w- C:\0ae592e350803052cbcf9b

2009-08-06 07:06 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-06 07:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-06 07:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-06 07:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-06 07:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-06 07:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-06 07:06 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-06 07:06 . 2009-08-06 07:22 -------- d-----w- c:\windows\SxsCaPendDel

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-03 13:37 . 2006-10-03 16:25 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-09-02 13:31 . 2009-08-03 12:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-01 19:23 . 2006-07-31 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2009-08-28 12:51 . 2008-07-03 18:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-28 12:51 . 2008-07-03 18:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 12:51 . 2008-07-03 18:16 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-06 11:59 . 2006-07-31 15:03 59120 ----a-w- c:\documents and settings\Ray\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 09:11 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-08-03 17:36 . 2009-08-03 12:41 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2009-08-03 12:41 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-03 12:41 . 2009-08-03 12:41 -------- d-----w- c:\documents and settings\Ray\Application Data\Malwarebytes

2009-08-03 12:41 . 2009-08-03 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-17 18:55 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 11:59 . 2009-01-16 12:41 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-13 14:08 . 2004-08-09 21:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-26 15:59 . 2004-08-09 21:00 668160 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 15:59 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll

2009-06-25 18:36 . 2004-08-09 21:00 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-09 21:00 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-09 21:00 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-09 21:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-09 21:00 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2004-08-09 21:00 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2004-08-09 21:00 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2004-08-09 21:00 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2004-08-09 21:00 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2004-08-09 21:00 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2004-08-09 21:00 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 18:36 . 2004-08-09 21:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-22 11:49 . 2004-08-09 21:00 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2004-08-09 21:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2004-08-09 21:00 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2004-08-09 21:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-16 14:55 . 2004-08-09 21:00 82432 ------w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-09 21:00 119808 ------w- c:\windows\system32\t2embed.dll

2009-06-12 11:50 . 2004-08-09 21:00 80896 ------w- c:\windows\system32\tlntsess.exe

2009-06-12 11:50 . 2004-08-10 04:00 76288 ------w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2004-08-09 21:00 84992 ------w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-09 21:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2006-10-03 16:25 . 2006-10-03 16:25 88 --sh--r- c:\windows\system32\05AE9FCA52.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]

"Act.Outlook.Service"="c:\program files\ACT\ACT for Windows\Act.Outlook.Service.exe" [2007-03-28 9728]

"Act! Preloader"="c:\program files\ACT\ACT for Windows\ActSage.exe" [2007-03-28 1015808]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-10-06 866584]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-09 29744]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-6 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-9 972064]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 12:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"<NO NAME>"=

"AlwaysReady Power Message APP"=ARPWRMSG.EXE

"DISCover"=c:\program files\DISC\DISCover.exe

"DiscUpdateManager"=c:\program files\DISC\DiscUpdMgr.exe

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe"

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

"HPHUPD08"=c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"PCDrProfiler"=

"RTHDCPL"=RTHDCPL.EXE

"ehTray"=c:\windows\ehome\ehtray.exe

"nwiz"=nwiz.exe /install

"Reminder"="c:\windows\Creator\Remind_XP.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\WINDOWS\\system32\\javaws.exe"=

"c:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaws.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"7803:TCP"= 7803:TCP:Remote Desktop-Alternate Port

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/03/2008 2:16 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/03/2008 2:16 PM 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/05/2008 9:06 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/05/2008 9:06 AM 297752]

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [01/11/2007 10:00 AM 24652]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [10/05/2006 11:11 PM 13592]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/09/2008 9:00 AM 29744]

.

Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-10-06 03:11]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: filesymphony.com\www

Trusted Zone: trymedia.com

DPF: FirstViewer - hxxp://63.68.31.196/alchemyoutside/Components/FirstVwr.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-03 14:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\arservice.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\rundll32.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2009-09-03 15:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-03 19:00

Pre-Run: 165,105,688,576 bytes free

Post-Run: 165,636,161,536 bytes free

242 --- E O F --- 2009-09-03 17:15

Link to post
Share on other sites

First: Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

Second: Online Scanner

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.