MBAM & HJT will only run in safe mode


I'm not able to run any .exe files or even Task Manager. When I run MBAM in safe mode it detects 10-14 issues, but is unable to clean even after reboot. The computer is running McAfee Security Suite. Here are my MBAM & HJT logs...

Malwarebytes' Anti-Malware 1.41

Database version: 2867

Windows 5.1.2600 Service Pack 3

9/30/2009 9:47:23 PM

mbam-log-2009-09-30 (21-47-23).txt

Scan type: Quick Scan

Objects scanned: 99346

Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\gasfkybfamdxnx.dll (Rootkit.TDSS) -> Delete on reboot.

c:\WINDOWS\system32\mivojova.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\tiwurufe.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{662ceb19-21c4-4a90-a629-89de2b0ab1a5} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wutovevuw (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{662ceb19-21c4-4a90-a629-89de2b0ab1a5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mugulakey (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mivojova.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mivojova.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\mivojova.dll (Trojan.Vundo.H) -> Delete on reboot.

\\?\globalroot\systemroot\system32\gasfkybfamdxnx.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tiwurufe.dll (Trojan.Vundo) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:18:20 PM, on 9/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

G:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [uVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [wutovevuw] Rundll32.exe "c:\windows\system32\mivojova.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\429700261.dll"" (User 'NETWORK SERVICE')

O4 - Global Startup: Shortcut to MBAM_Auto.bat.lnk = C:\Documents and Settings\All Users\MBAM_Auto.bat

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Addiction by pogo - http://game3.pogo.com/v/9.0.3.12/applet/ad...ction-en_US.cab

O16 - DPF: Bingo Luau by pogo - http://game3.pogo.com/v/9.0.1.7/applet/fre...bingo-en_US.cab

O16 - DPF: Dice City Roller by pogo - http://game3.pogo.com/v/9.0.6.14/applet/ytz/ytz-en_US.cab

O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/v/8.1.6.3/applet/che...dflag-en_US.cab

O16 - DPF: Dominoes v2 by pogo - http://game3.pogo.com/v/9.1.1.22/applet/do...mino2-en_US.cab

O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/v/8.1.7.44/applet/fi...lass2-en_US.cab

O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.com/v/9.0.1.7/applet/sup...bingo-en_US.cab

O16 - DPF: Lottso by pogo - http://game3.pogo.com/v/9.0.5.4/applet/lot...ottso-en_US.cab

O16 - DPF: Mah Jong Garden by pogo - http://game3.pogo.com/v/9.0.1.17/applet/ma...jong2-en_US.cab

O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.com/v/9.0.6.14/applet/sa...afari-en_US.cab

O16 - DPF: Makeover Madness by pogo - http://game3.pogo.com/v/9.1.1.1/applet/shoes/shoes-en_US.cab

O16 - DPF: Pinochle by pogo - http://game1.pogo.com/v/8.1.7.44/applet/pi...ochle-en_US.cab

O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/v/8.1.7.44/applet/ho...treak-en_US.cab

O16 - DPF: Spades 2 by pogo - http://game3.pogo.com/v/9.0.2.13/applet/sp...ades2-en_US.cab

O16 - DPF: Spider Solitaire by pogo - http://game3.pogo.com/v/9.0.1.7/applet/spi...pider-en_US.cab

O16 - DPF: Stax by pogo - http://game3.pogo.com/v/8.1.9.1/applet/stax/stax-en_US.cab

O16 - DPF: Super Dominoes by pogo - http://game3.pogo.com/v/8.1.6.3/applet/sup...omino-en_US.cab

O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/v/8.1.9.7/applet/tur...rbo22-en_US.cab

O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/v/8.1.6.21/applet/wo...class-en_US.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199222294296

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199222288656

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.35.16/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{51B64D82-475C-4F2E-82DF-DAD1B82E3999}: NameServer = 192.168.1.1

O20 - AppInit_DLLs: tiwurufe.dll c:\windows\system32\mivojova.dll

O21 - SSODL: mugulakey - {662ceb19-21c4-4a90-a629-89de2b0ab1a5} - c:\windows\system32\mivojova.dll

O22 - SharedTaskScheduler: kupuhivus - {662ceb19-21c4-4a90-a629-89de2b0ab1a5} - c:\windows\system32\mivojova.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 8680 bytes


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


OK, here are the ComboFix & HJT logs. Looks like we're getting somewhere! Thanks!!!

ComboFix 09-10-01.05 - Administrator 10/04/2009 9:01.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.504.212 [GMT -4:00]

Running from: G:\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\inst.exe

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\41.exe

c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common

c:\windows\system32\drivers\gasfkyavmyxktf.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\gasfkybfamdxnx.dll

c:\windows\system32\gasfkygivisfdt.dll

c:\windows\system32\gasfkyjniiduus.dll

c:\windows\system32\gasfkykxymhxvb.dat

c:\windows\system32\gasfkyomaivxpf.dat

c:\windows\system32\kebikagu.dll

c:\windows\system32\mivojova.dll

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\tiwurufe.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\wezisuve.dll

c:\windows\system32\wpcap.dll

F:\resycled

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gasfkyvlmfxwbv

-------\Legacy_gasfkyvlmfxwbv

-------\Legacy_NPF

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))

.

2009-10-04 13:13 . 2009-10-04 13:13 -------- d-----w- C:\found.000

2009-10-04 13:09 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-04 13:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-28 15:49 . 2009-09-28 17:55 -------- d-----w- c:\program files\Unlocker

2009-09-28 15:18 . 2009-09-28 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-27 21:40 . 2009-09-27 21:40 -------- d-----w- c:\windows\srchasst

2009-09-27 17:44 . 2009-09-27 17:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-27 17:19 . 2007-07-02 19:02 996648 ----a-w- c:\windows\system32\ShellManager10E2D762.dll

2009-09-11 12:49 . 2009-09-11 12:49 -------- d-----w- c:\program files\IrfanView

2009-09-10 22:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 22:20 . 2009-09-28 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 22:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 21:32 . 2009-09-10 21:32 -------- d-----w- c:\windows\mui

2009-09-10 21:32 . 2009-09-10 21:32 -------- d-----w- c:\windows\ime

2009-09-10 01:22 . 2009-09-10 01:22 -------- d-----w- c:\documents and settings\DesktopPC\Application Data\Malwarebytes

2009-09-09 23:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-05 15:31 . 2009-09-05 15:31 -------- d-----w- c:\program files\TightVNC

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-28 17:39 . 2009-05-10 21:12 189 ----a-w- c:\documents and settings\All Users\MBAM_Auto.bat

2009-09-13 23:03 . 2009-08-04 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Unity

2009-09-10 23:57 . 2008-01-01 22:48 29792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-10 01:21 . 2009-04-19 12:39 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 01:18 . 2009-02-26 19:18 -------- d-----w- c:\program files\Lexmark X1100 Series

2009-08-28 12:58 . 2009-08-24 12:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\id Software

2009-08-24 12:07 . 2009-08-24 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software

2009-08-21 21:00 . 2009-08-21 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\MoveFab

2009-08-21 16:37 . 2009-08-21 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\RootsMagic

2009-08-21 16:36 . 2009-08-21 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\RootsMagic

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-09-02 1682744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Shortcut to MBAM_Auto.bat.lnk - c:\documents and settings\All Users\MBAM_Auto.bat [2009-5-10 189]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\TightVNC\\WinVNC.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 lcaqymeqrcjyoic;lcaqymeqrcjyoic;\??\c:\windows\system32\drivers\uleskqqvha.sys --> c:\windows\system32\drivers\uleskqqvha.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-09-27 c:\windows\Tasks\Malwarebytes' Anti-Malware.job

- c:\progra~1\MALWAR~1\mbam.exe [2009-09-10 18:53]

2009-09-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-01 17:32]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-01 17:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

TCP: {51B64D82-475C-4F2E-82DF-DAD1B82E3999} = 192.168.1.1

DPF: Addiction by pogo - hxxp://game3.pogo.com/v/9.0.3.12/applet/addiction/addiction-en_US.cab

DPF: Bingo Luau by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/freebingo/freebingo-en_US.cab

DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/ytz/ytz-en_US.cab

DPF: Dice Derby by pogo - hxxp://game1.pogo.com/v/8.1.6.3/applet/checkeredflag/checkeredflag-en_US.cab

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Dominoes v2 by pogo - hxxp://game3.pogo.com/v/9.1.1.22/applet/domino2/domino2-en_US.cab

DPF: First Class Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/firstclass2/firstclass2-en_US.cab

DPF: Fortune Bingo by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/superbingo/superbingo-en_US.cab

DPF: Lottso by pogo - hxxp://game3.pogo.com/v/9.0.5.4/applet/lottso/lottso-en_US.cab

DPF: Mah Jong Garden by pogo - hxxp://game3.pogo.com/v/9.0.1.17/applet/mahjong2/mahjong2-en_US.cab

DPF: Mahjong Safari by Pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/safari/safari-en_US.cab

DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/9.1.1.1/applet/shoes/shoes-en_US.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Pinochle by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/pinochle/pinochle-en_US.cab

DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab

DPF: Spades 2 by pogo - hxxp://game3.pogo.com/v/9.0.2.13/applet/spades2/spades2-en_US.cab

DPF: Spider Solitaire by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/spider/spider-en_US.cab

DPF: Stax by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/stax/stax-en_US.cab

DPF: Super Dominoes by pogo - hxxp://game3.pogo.com/v/8.1.6.3/applet/superdomino/superdomino-en_US.cab

DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab

DPF: World Class Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.6.21/applet/worldclass/worldclass-en_US.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{18953b73-6d05-4021-a249-7dd77c6509c8} - kebikagu.dll

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-wutovevuw - c:\windows\system32\mivojova.dll

HKLM-Run-sawizujufi - wezisuve.dll

SharedTaskScheduler-{662ceb19-21c4-4a90-a629-89de2b0ab1a5} - c:\windows\system32\mivojova.dll

SSODL-mugulakey-{662ceb19-21c4-4a90-a629-89de2b0ab1a5} - c:\windows\system32\mivojova.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-04 09:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,e1,8b,6c,f4,1f,9c,4d,a1,c6,cd,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,e1,8b,6c,f4,1f,9c,4d,a1,c6,cd,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2868)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\StkASv2K.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\Lexmark X1100 Series\lxbkbmon.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\progra~1\McAfee\VIRUSS~1\mcods.exe

c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe

.

**************************************************************************

.

Completion time: 2009-10-04 9:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-04 13:22

Pre-Run: 52,102,242,304 bytes free

Post-Run: 52,169,072,640 bytes free

247 --- E O F --- 2009-09-10 00:15

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:26:13 AM, on 10/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\StkASv2K.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\WINDOWS\explorer.exe

G:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [uVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - Global Startup: Shortcut to MBAM_Auto.bat.lnk = C:\Documents and Settings\All Users\MBAM_Auto.bat

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Addiction by pogo - http://game3.pogo.com/v/9.0.3.12/applet/ad...ction-en_US.cab

O16 - DPF: Bingo Luau by pogo - http://game3.pogo.com/v/9.0.1.7/applet/fre...bingo-en_US.cab

O16 - DPF: Dice City Roller by pogo - http://game3.pogo.com/v/9.0.6.14/applet/ytz/ytz-en_US.cab

O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/v/8.1.6.3/applet/che...dflag-en_US.cab

O16 - DPF: Dominoes v2 by pogo - http://game3.pogo.com/v/9.1.1.22/applet/do...mino2-en_US.cab

O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/v/8.1.7.44/applet/fi...lass2-en_US.cab

O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.com/v/9.0.1.7/applet/sup...bingo-en_US.cab

O16 - DPF: Lottso by pogo - http://game3.pogo.com/v/9.0.5.4/applet/lot...ottso-en_US.cab

O16 - DPF: Mah Jong Garden by pogo - http://game3.pogo.com/v/9.0.1.17/applet/ma...jong2-en_US.cab

O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.com/v/9.0.6.14/applet/sa...afari-en_US.cab

O16 - DPF: Makeover Madness by pogo - http://game3.pogo.com/v/9.1.1.1/applet/shoes/shoes-en_US.cab

O16 - DPF: Pinochle by pogo - http://game1.pogo.com/v/8.1.7.44/applet/pi...ochle-en_US.cab

O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/v/8.1.7.44/applet/ho...treak-en_US.cab

O16 - DPF: Spades 2 by pogo - http://game3.pogo.com/v/9.0.2.13/applet/sp...ades2-en_US.cab

O16 - DPF: Spider Solitaire by pogo - http://game3.pogo.com/v/9.0.1.7/applet/spi...pider-en_US.cab

O16 - DPF: Stax by pogo - http://game3.pogo.com/v/8.1.9.1/applet/stax/stax-en_US.cab

O16 - DPF: Super Dominoes by pogo - http://game3.pogo.com/v/8.1.6.3/applet/sup...omino-en_US.cab

O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/v/8.1.9.7/applet/tur...rbo22-en_US.cab

O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/v/8.1.6.21/applet/wo...class-en_US.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199222294296

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199222288656

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.35.16/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{51B64D82-475C-4F2E-82DF-DAD1B82E3999}: NameServer = 192.168.1.1

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 8821 bytes

  • Staff

Hi,

Please download this file and save it as it's originally named, next to ComboFix.exe.

RC1-4.gif

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.

-screen317

Here's the new ComboFix log...

ComboFix 09-10-01.05 - Administrator 10/04/2009 21:03.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.504.221 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))

.

2009-10-04 15:33 . 2009-10-04 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-10-04 13:13 . 2009-10-04 13:13 -------- d-----w- C:\found.000

2009-10-04 13:09 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-04 13:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-28 15:49 . 2009-09-28 17:55 -------- d-----w- c:\program files\Unlocker

2009-09-28 15:18 . 2009-09-28 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-27 21:40 . 2009-09-27 21:40 -------- d-----w- c:\windows\srchasst

2009-09-27 17:44 . 2009-09-27 17:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-27 17:19 . 2007-07-02 19:02 996648 ----a-w- c:\windows\system32\ShellManager10E2D762.dll

2009-09-11 12:49 . 2009-09-11 12:49 -------- d-----w- c:\program files\IrfanView

2009-09-10 22:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 22:20 . 2009-09-28 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 22:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 21:32 . 2009-09-10 21:32 -------- d-----w- c:\windows\mui

2009-09-10 21:32 . 2009-09-10 21:32 -------- d-----w- c:\windows\ime

2009-09-10 01:22 . 2009-09-10 01:22 -------- d-----w- c:\documents and settings\DesktopPC\Application Data\Malwarebytes

2009-09-09 23:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-05 15:31 . 2009-09-05 15:31 -------- d-----w- c:\program files\TightVNC

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-04 15:36 . 2009-05-10 21:12 185 ----a-w- c:\documents and settings\All Users\MBAM_Auto.bat

2009-09-13 23:03 . 2009-08-04 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Unity

2009-09-10 23:57 . 2008-01-01 22:48 29792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-10 01:21 . 2009-04-19 12:39 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 01:18 . 2009-02-26 19:18 -------- d-----w- c:\program files\Lexmark X1100 Series

2009-08-28 12:58 . 2009-08-24 12:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\id Software

2009-08-24 12:07 . 2009-08-24 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software

2009-08-21 21:00 . 2009-08-21 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\MoveFab

2009-08-21 16:37 . 2009-08-21 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\RootsMagic

2009-08-21 16:36 . 2009-08-21 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\RootsMagic

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_13.15.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-01 20:35 . 2009-10-04 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-01 20:35 . 2009-10-04 12:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-04 18:38 . 2009-10-04 23:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-01-01 20:35 . 2009-10-04 12:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-09-24 1685816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Shortcut to MBAM_Auto.bat.lnk - c:\documents and settings\All Users\MBAM_Auto.bat [2009-5-10 185]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\TightVNC\\WinVNC.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 lcaqymeqrcjyoic;lcaqymeqrcjyoic;\??\c:\windows\system32\drivers\uleskqqvha.sys --> c:\windows\system32\drivers\uleskqqvha.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-09-27 c:\windows\Tasks\Malwarebytes' Anti-Malware.job

- c:\progra~1\MALWAR~1\mbam.exe [2009-09-10 18:53]

2009-09-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-01 17:32]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-01 17:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

TCP: {51B64D82-475C-4F2E-82DF-DAD1B82E3999} = 192.168.1.1

DPF: Addiction by pogo - hxxp://game3.pogo.com/v/9.0.3.12/applet/addiction/addiction-en_US.cab

DPF: Bingo Luau by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/freebingo/freebingo-en_US.cab

DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/ytz/ytz-en_US.cab

DPF: Dice Derby by pogo - hxxp://game1.pogo.com/v/8.1.6.3/applet/checkeredflag/checkeredflag-en_US.cab

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Dominoes v2 by pogo - hxxp://game3.pogo.com/v/9.1.1.22/applet/domino2/domino2-en_US.cab

DPF: First Class Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/firstclass2/firstclass2-en_US.cab

DPF: Fortune Bingo by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/superbingo/superbingo-en_US.cab

DPF: Lottso by pogo - hxxp://game3.pogo.com/v/9.0.5.4/applet/lottso/lottso-en_US.cab

DPF: Mah Jong Garden by pogo - hxxp://game3.pogo.com/v/9.0.1.17/applet/mahjong2/mahjong2-en_US.cab

DPF: Mahjong Safari by Pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/safari/safari-en_US.cab

DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/9.1.1.1/applet/shoes/shoes-en_US.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Pinochle by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/pinochle/pinochle-en_US.cab

DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab

DPF: Spades 2 by pogo - hxxp://game3.pogo.com/v/9.0.2.13/applet/spades2/spades2-en_US.cab

DPF: Spider Solitaire by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/spider/spider-en_US.cab

DPF: Stax by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/stax/stax-en_US.cab

DPF: Super Dominoes by pogo - hxxp://game3.pogo.com/v/8.1.6.3/applet/superdomino/superdomino-en_US.cab

DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab

DPF: World Class Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.6.21/applet/worldclass/worldclass-en_US.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-04 21:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,e1,8b,6c,f4,1f,9c,4d,a1,c6,cd,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,e1,8b,6c,f4,1f,9c,4d,a1,c6,cd,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3272)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-10-05 21:14

ComboFix-quarantined-files.txt 2009-10-05 01:13

ComboFix2.txt 2009-10-04 13:22

Pre-Run: 52,025,040,896 bytes free

Post-Run: 52,086,194,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

202 --- E O F --- 2009-09-10 00:15

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

lcaqymeqrcjyoic

File::

c:\windows\system32\drivers\uleskqqvha.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Ok, here are the ComboFix & HJT logs...

ComboFix 09-10-05.01 - Administrator 10/06/2009 8:18.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.504.206 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

FILE ::

"c:\windows\system32\drivers\uleskqqvha.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LCAQYMEQRCJYOIC

-------\Service_lcaqymeqrcjyoic

((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))

.

2009-10-04 15:33 . 2009-10-04 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-10-04 13:13 . 2009-10-04 13:13 -------- d-----w- C:\found.000

2009-10-04 13:09 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-04 13:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-28 15:49 . 2009-09-28 17:55 -------- d-----w- c:\program files\Unlocker

2009-09-28 15:18 . 2009-09-28 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-27 21:40 . 2009-09-27 21:40 -------- d-----w- c:\windows\srchasst

2009-09-27 17:44 . 2009-09-27 17:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-27 17:19 . 2007-07-02 19:02 996648 ----a-w- c:\windows\system32\ShellManager10E2D762.dll

2009-09-11 12:49 . 2009-09-11 12:49 -------- d-----w- c:\program files\IrfanView

2009-09-10 22:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 22:20 . 2009-09-28 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 22:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 21:32 . 2009-09-10 21:32 -------- d-----w- c:\windows\mui

2009-09-10 21:32 . 2009-09-10 21:32 -------- d-----w- c:\windows\ime

2009-09-10 01:22 . 2009-09-10 01:22 -------- d-----w- c:\documents and settings\DesktopPC\Application Data\Malwarebytes

2009-09-09 23:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-06 12:11 . 2008-01-01 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-06 12:03 . 2008-01-01 22:57 -------- d-----w- c:\program files\McAfee

2009-10-04 15:36 . 2009-05-10 21:12 185 ----a-w- c:\documents and settings\All Users\MBAM_Auto.bat

2009-09-13 23:03 . 2009-08-04 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Unity

2009-09-10 23:57 . 2008-01-01 22:48 29792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-10 01:21 . 2009-04-19 12:39 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 01:18 . 2009-02-26 19:18 -------- d-----w- c:\program files\Lexmark X1100 Series

2009-09-05 15:31 . 2009-09-05 15:31 -------- d-----w- c:\program files\TightVNC

2009-08-28 12:58 . 2009-08-24 12:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\id Software

2009-08-24 12:07 . 2009-08-24 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software

2009-08-21 21:00 . 2009-08-21 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\MoveFab

2009-08-21 16:37 . 2009-08-21 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\RootsMagic

2009-08-21 16:36 . 2009-08-21 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\RootsMagic

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 16:32 . 2008-01-01 22:58 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-08 17:44 . 2008-01-01 22:58 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-07-08 17:44 . 2008-01-01 22:58 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-07-08 17:44 . 2008-01-01 22:58 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-08 17:44 . 2008-01-01 22:58 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-07-08 17:43 . 2008-01-01 22:58 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_13.15.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-06 12:28 . 2009-10-06 12:28 40960 c:\windows\Temp\rtdrvmon.exe

- 2009-10-04 13:15 . 2009-10-04 13:15 40960 c:\windows\Temp\rtdrvmon.exe

+ 2009-10-05 12:51 . 2009-10-06 12:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-01 20:35 . 2009-10-06 12:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-01 20:35 . 2009-10-04 12:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-05 12:51 . 2009-10-06 12:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-01-01 20:35 . 2009-10-04 12:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-09-24 1685816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Shortcut to MBAM_Auto.bat.lnk - c:\documents and settings\All Users\MBAM_Auto.bat [2009-5-10 185]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\TightVNC\\WinVNC.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 0122211254830646mcinstcleanup;McAfee Application Installer Cleanup (0122211254830646);c:\windows\TEMP\012221~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012221~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Malwarebytes' Anti-Malware.job

- c:\progra~1\MALWAR~1\mbam.exe [2009-09-10 18:53]

2009-09-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-01 01:26]

2008-12-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-01 01:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

TCP: {51B64D82-475C-4F2E-82DF-DAD1B82E3999} = 192.168.1.1

DPF: Addiction by pogo - hxxp://game3.pogo.com/v/9.0.3.12/applet/addiction/addiction-en_US.cab

DPF: Bingo Luau by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/freebingo/freebingo-en_US.cab

DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/ytz/ytz-en_US.cab

DPF: Dice Derby by pogo - hxxp://game1.pogo.com/v/8.1.6.3/applet/checkeredflag/checkeredflag-en_US.cab

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Dominoes v2 by pogo - hxxp://game3.pogo.com/v/9.1.1.22/applet/domino2/domino2-en_US.cab

DPF: First Class Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/firstclass2/firstclass2-en_US.cab

DPF: Fortune Bingo by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/superbingo/superbingo-en_US.cab

DPF: Lottso by pogo - hxxp://game3.pogo.com/v/9.0.5.4/applet/lottso/lottso-en_US.cab

DPF: Mah Jong Garden by pogo - hxxp://game3.pogo.com/v/9.0.1.17/applet/mahjong2/mahjong2-en_US.cab

DPF: Mahjong Safari by Pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/safari/safari-en_US.cab

DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/9.1.1.1/applet/shoes/shoes-en_US.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Pinochle by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/pinochle/pinochle-en_US.cab

DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab

DPF: Spades 2 by pogo - hxxp://game3.pogo.com/v/9.0.2.13/applet/spades2/spades2-en_US.cab

DPF: Spider Solitaire by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/spider/spider-en_US.cab

DPF: Stax by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/stax/stax-en_US.cab

DPF: Super Dominoes by pogo - hxxp://game3.pogo.com/v/8.1.6.3/applet/superdomino/superdomino-en_US.cab

DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab

DPF: World Class Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.6.21/applet/worldclass/worldclass-en_US.cab

.

- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - G:\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-06 08:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\ADMINI~1\LOCALS~1\Temp\~DF6B7.tmp 16384 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,e1,8b,6c,f4,1f,9c,4d,a1,c6,cd,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,e1,8b,6c,f4,1f,9c,4d,a1,c6,cd,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3924)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Lexmark X1100 Series\lxbkbmon.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\StkASv2K.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

.

**************************************************************************

.

Completion time: 2009-10-06 8:33 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-06 12:33

ComboFix2.txt 2009-10-05 01:14

ComboFix3.txt 2009-10-04 13:22

Pre-Run: 51,838,480,384 bytes free

Post-Run: 51,808,006,144 bytes free

232 --- E O F --- 2009-09-10 00:15

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:35:14 AM, on 10/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\StkASv2K.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [uVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Shortcut to MBAM_Auto.bat.lnk = C:\Documents and Settings\All Users\MBAM_Auto.bat

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Addiction by pogo - http://game3.pogo.com/v/9.0.3.12/applet/ad...ction-en_US.cab

O16 - DPF: Bingo Luau by pogo - http://game3.pogo.com/v/9.0.1.7/applet/fre...bingo-en_US.cab

O16 - DPF: Dice City Roller by pogo - http://game3.pogo.com/v/9.0.6.14/applet/ytz/ytz-en_US.cab

O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/v/8.1.6.3/applet/che...dflag-en_US.cab

O16 - DPF: Dominoes v2 by pogo - http://game3.pogo.com/v/9.1.1.22/applet/do...mino2-en_US.cab

O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/v/8.1.7.44/applet/fi...lass2-en_US.cab

O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.com/v/9.0.1.7/applet/sup...bingo-en_US.cab

O16 - DPF: Lottso by pogo - http://game3.pogo.com/v/9.0.5.4/applet/lot...ottso-en_US.cab

O16 - DPF: Mah Jong Garden by pogo - http://game3.pogo.com/v/9.0.1.17/applet/ma...jong2-en_US.cab

O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.com/v/9.0.6.14/applet/sa...afari-en_US.cab

O16 - DPF: Makeover Madness by pogo - http://game3.pogo.com/v/9.1.1.1/applet/shoes/shoes-en_US.cab

O16 - DPF: Pinochle by pogo - http://game1.pogo.com/v/8.1.7.44/applet/pi...ochle-en_US.cab

O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/v/8.1.7.44/applet/ho...treak-en_US.cab

O16 - DPF: Spades 2 by pogo - http://game3.pogo.com/v/9.0.2.13/applet/sp...ades2-en_US.cab

O16 - DPF: Spider Solitaire by pogo - http://game3.pogo.com/v/9.0.1.7/applet/spi...pider-en_US.cab

O16 - DPF: Stax by pogo - http://game3.pogo.com/v/8.1.9.1/applet/stax/stax-en_US.cab

O16 - DPF: Super Dominoes by pogo - http://game3.pogo.com/v/8.1.6.3/applet/sup...omino-en_US.cab

O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/v/8.1.9.7/applet/tur...rbo22-en_US.cab

O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/v/8.1.6.21/applet/wo...class-en_US.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199222294296

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199222288656

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.35.16/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{51B64D82-475C-4F2E-82DF-DAD1B82E3999}: NameServer = 192.168.1.1

O23 - Service: McAfee Application Installer Cleanup (0122211254830646) (0122211254830646mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\012221~1.EXE (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 9210 bytes


F-Secure & SecurityCheck logs below. Looks like there's still an issue with ARIYUFOMORABULEZ.DLL

Scanning Report

Tuesday, October 6, 2009 08:59:24 - 10:12:19

Computer name: COMPAQ

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ F:\

--------------------------------------------------------------------------------

2 malware found

Trojan.Packed.Hiloti (spyware)

System (Disinfected)

Trojan.Packed.Hiloti.Gen.1 (virus)

C:\WINDOWS\ARIYUFOMORABULEZ.DLL (Not cleaned)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 39613

System: 3282

Not scanned: 6

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

Not cleaned: 1

Submitted: 0

Files not scanned:

C:\WINDOWS\TEMP\MCMSC_RTXSIDJPTBVML1B

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

McAfee SecurityCenter

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 11

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee VIRUSS~1 mcsysmon.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


  • Staff

Does the following file still exist?

C:\WINDOWS\ARIYUFOMORABULEZ.DLL

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java


The ARIYUFOMORABULEZ.DLL file is gone. After the F-Secure scan I got a warning that my AV was disabled. I re-enabled and McAfee did a scan and found several trojans (vundo & artemis). On the third scan it finally didn't find anything. MBAM quick scan was clean also.

Java has been updated.

Think it's cleaned up now?


  • Staff

Yes, looks like we're good to go; the things McAfee found were probably in quarantine or System Restore. Can you post its log?

If there are no more issues, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

