Jump to content

Infected with malware, Malwarebytes isn't removing it

Steve133

By Steve133
in Resolved Malware Removal Logs

 Share

Recommended Posts

Steve133

Steve133

Posted
Posted

I was recently infected with a 'security tool'. Following some instructions from these forums, I was able to get malwarebytes up and running long enough to remove it. However, I'm now encountering random pop up ads whenever I use the internet. In addition, the 'security tool' will sometimes show up again once I reboot my computer. I've scanned with malwarebytes countless times, and each time it finds 20 or so infected files. Each time I delete them, they re-emerge once I reboot my computer. Any advice? (Hijackthis logs posted below)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:45:44 PM, on 10/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mbamtest\Malwarebytes' Anti-Malware\mbam2.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mbamtest\Malwarebytes' Anti-Malware\mbam2.exe" /runcleanupscript

O4 - HKLM\..\Run: [mokotepad] Rundll32.exe "c:\windows\system32\halukozo.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Startup: MRI_DISABLED

O4 - Global Startup: MRI_DISABLED

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: lwuklu.dll c:\windows\system32\kuwokilo.dll rojawati.dll c:\windows\system32\nezusena.dll c:\windows\system32\halukozo.dll

O20 - Winlogon Notify: awtrRLCR - awtrRLCR.dll (file missing)

O20 - Winlogon Notify: byXPFwxY - byXPFwxY.dll (file missing)

O21 - SSODL: yodivolod - {e1e95d45-d192-4cce-a1c2-9210c06211b3} - c:\windows\system32\kuwokilo.dll (file missing)

O21 - SSODL: vuyaridak - {a022ebc4-fe5f-4d0f-b15a-a6b2eff088e5} - c:\windows\system32\nezusena.dll (file missing)

O21 - SSODL: gamesoziy - {f11b9f05-9620-4a40-9c32-fbcb8388d3e4} - c:\windows\system32\halukozo.dll

O22 - SharedTaskScheduler: jugezatag - {e1e95d45-d192-4cce-a1c2-9210c06211b3} - c:\windows\system32\kuwokilo.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {a022ebc4-fe5f-4d0f-b15a-a6b2eff088e5} - c:\windows\system32\nezusena.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {f11b9f05-9620-4a40-9c32-fbcb8388d3e4} - c:\windows\system32\halukozo.dll

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe

O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 12665 bytes

Link to post
Share on other sites
Steve133

Steve133

Posted
  • Author
Posted

ComboFix 09-10-16.02 - Owner 10/16/2009 15:45.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1202 [GMT -5:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\07387833

c:\documents and settings\All Users\Application Data\07387833\07387833.exe

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\kb913800.exe

c:\windows\system32\bugubado.dll

c:\windows\system32\damozibu.dll

c:\windows\system32\dimepevo.dll

c:\windows\system32\jihozutu.exe

c:\windows\system32\jokiwutu.dll

c:\windows\system32\kapidapu.dll

c:\windows\system32\mazihihe.dll

c:\windows\system32\nibaheya.dll

c:\windows\system32\piyuzuju.dll

c:\windows\system32\rojawati.dll

c:\windows\system32\senobefi.dll

c:\windows\system32\sozukayo.dll

c:\windows\system32\tevajeke.dll

c:\windows\system32\varareto.dll

c:\windows\system32\wokibezo.dll

c:\windows\system32\xGMUttwa.ini

c:\windows\system32\xGMUttwa.ini2

c:\windows\system32\zakupila.dll

c:\windows\Tasks\ajukpwht.job

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://ccp.vo.llnwd.net

.

((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))

.

2009-10-16 06:10 . 2009-10-16 21:00 46640 ----a-w- c:\windows\system32\msln.exe

2009-10-16 02:49 . 2009-10-16 04:30 -------- d-----w- c:\program files\ncymhe

2009-10-11 00:47 . 2009-10-11 00:47 -------- d-----w- c:\program files\GameSpy Arcade

2009-10-10 01:13 . 2009-10-10 01:13 -------- d-----w- c:\program files\CCP

2009-10-10 01:13 . 2009-10-10 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP

2009-10-09 07:14 . 2009-10-09 07:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\Temporary Internet Files

2009-10-09 07:14 . 2009-10-09 07:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\History

2009-10-09 03:51 . 2009-10-09 03:53 -------- d-----w- c:\program files\Mbamtest

2009-10-09 03:41 . 2009-10-09 03:41 0 ----a-w- c:\documents and settings\Owner\settings.dat

2009-10-09 02:57 . 2009-10-09 02:57 -------- d-----w- c:\program files\Trend Micro

2009-10-09 02:48 . 2009-10-09 02:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-10-09 02:44 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-09 02:44 . 2009-10-09 03:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-09 02:44 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-09 02:35 . 2009-10-09 02:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-10-09 02:26 . 2009-10-09 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-08 17:12 . 2009-10-08 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2009-10-08 17:07 . 2009-10-08 17:07 -------- d-----w- c:\program files\Common Files\iS3

2009-10-08 17:07 . 2009-10-09 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-10-08 16:47 . 2009-10-08 16:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!

2009-10-03 02:24 . 2009-10-03 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield

2009-10-02 00:36 . 2009-10-02 00:37 -------- d-----w- c:\documents and settings\Owner\Application Data\MSNInstaller

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-16 20:59 . 2008-01-20 22:53 -------- d-----w- c:\program files\Symantec AntiVirus

2009-10-16 20:14 . 2009-05-08 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2009-10-16 13:04 . 2009-05-08 00:50 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2009-10-11 00:38 . 2006-09-12 05:33 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-03 02:25 . 2007-04-27 00:51 -------- d-----w- c:\program files\LucasArts

2009-10-03 02:13 . 2009-03-05 02:29 -------- d-----w- c:\program files\Turbine

2009-10-03 00:26 . 2009-08-25 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-09-28 19:24 . 2008-08-27 00:44 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-28 19:21 . 2008-08-27 00:11 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab

2009-09-16 17:23 . 2006-09-12 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-09-09 04:07 . 2007-04-27 01:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Petroglyph

2009-08-29 02:28 . 2006-12-26 06:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-25 16:37 . 2009-08-25 16:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Turbine

2009-08-25 16:09 . 2006-12-26 06:27 -------- d-----w- c:\program files\World of Warcraft

2009-08-25 16:06 . 2009-05-20 01:18 -------- d-----w- c:\program files\Telltale Games

2009-08-25 02:51 . 2009-08-25 02:51 -------- d-----w- c:\program files\Pando Networks

2009-07-22 11:37 . 2006-12-26 15:33 109321 ----a-w- c:\windows\War3Unin.dat

2009-07-15 18:53 . 2009-07-15 18:53 1080354 --sha-w- c:\windows\system32\halifegu.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-08-22 472568]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Mbamtest\Malwarebytes' Anti-Malware\mbam2.exe" [2009-09-10 1312080]

"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-28 532480]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^StartUp^Vongo Tray.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\StartUp\Vongo Tray.lnk

backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\NeverwinterNights\\NWN\\nwmain.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds\\Game\\battlegrounds_x1.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"58621:TCP"= 58621:TCP:Pando Media Booster

"58621:UDP"= 58621:UDP:Pando Media Booster

"57161:TCP"= 57161:TCP:Pando Media Booster

"57161:UDP"= 57161:UDP:Pando Media Booster

R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [12/8/2006 9:34 AM 78336]

R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [3/4/2009 9:29 PM 267760]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/14/2008 1:10 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 8:03 PM 102448]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 3:39 PM 61952]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [8/21/2009 10:17 PM 218608]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

.

Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-10-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fpsi4t17.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{62427bde-7bae-4cf3-9734-a0a680198167} - yetuheke.dll

Toolbar-SITEguard - (no file)

HKCU-Run-Steam - c:\program files\Steam\Steam.exe

HKLM-Run-07387833 - c:\docume~1\ALLUSE~1\APPLIC~1\07387833\07387833.exe

HKLM-Run-yugefikila - mazihihe.dll

HKU-Default-Run-msiexec.exe - msiconf.exe

SharedTaskScheduler-{e1e95d45-d192-4cce-a1c2-9210c06211b3} - c:\windows\system32\kuwokilo.dll

SharedTaskScheduler-{a022ebc4-fe5f-4d0f-b15a-a6b2eff088e5} - c:\windows\system32\nezusena.dll

SharedTaskScheduler-{697db619-3817-4a2a-9cb7-22dfa180d62b} - c:\windows\system32\jokiwutu.dll

SSODL-yodivolod-{e1e95d45-d192-4cce-a1c2-9210c06211b3} - c:\windows\system32\kuwokilo.dll

SSODL-vuyaridak-{a022ebc4-fe5f-4d0f-b15a-a6b2eff088e5} - c:\windows\system32\nezusena.dll

SSODL-huwogavov-{697db619-3817-4a2a-9cb7-22dfa180d62b} - c:\windows\system32\jokiwutu.dll

Notify-awtrRLCR - awtrRLCR.dll

Notify-byXPFwxY - byXPFwxY.dll

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-16 16:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3905493575-3718811003-140673782-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3905493575-3718811003-140673782-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:24,b9,ab,b1,13,76,9c,c7,f2,fa,fd,f5,00,26,30,63,ed,c3,03,ec,67,45,f8,

24,88,80,1a,9c,cd,38,24,be,e7,03,b8,41,2b,64,34,27,51,26,ba,a1,94,63,6c,10,\

"??"=hex:38,ac,69,90,f2,79,52,2f,4d,01,2e,76,21,cb,41,32

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)

c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(2116)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\dllhost.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-10-16 16:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-16 21:15

Pre-Run: 9,851,875,328 bytes free

Post-Run: 11,751,112,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

283 --- E O F --- 2009-03-16 01:42

Link to post
Share on other sites
sUBs

sUBs

Posted
Posted

Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=27949&st=0entry144229
COLLECT::
c:\windows\system32\halifegu.exe
FOLDER::
c:\Program Files\ncymhe
c:\windows\system32\config\systemprofile\Temporary Internet Files
c:\windows\system32\config\systemprofile\History

Save this as "CFScript"

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip

Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

---------------

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------

In your next post, please include fresh logs from:

  1. Online scan
  2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Link to post
Share on other sites
Steve133

Steve133

Posted
  • Author
Posted

ComboFix Log:

ComboFix 09-10-16.03 - Owner 10/16/2009 17:26.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1264 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\system32\halifegu.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\ncymhe

c:\windows\system32\config\systemprofile\History

c:\windows\system32\config\systemprofile\History\desktop.ini

c:\windows\system32\config\systemprofile\History\History.IE5\desktop.ini

c:\windows\system32\config\systemprofile\Temporary Internet Files

c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\97YAEQ10\desktop.ini

c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\desktop.ini

c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\DR8C9KTC\desktop.ini

c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\I4IDDS9Z\desktop.ini

c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\index.dat

c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\NP74Z442\desktop.ini

c:\windows\system32\config\systemprofile\Temporary Internet Files\desktop.ini

c:\windows\system32\halifegu.exe

.

((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))

.

2009-10-16 21:23 . 2009-10-16 21:23 -------- d-----w- c:\windows\LastGood

2009-10-11 00:47 . 2009-10-11 00:47 -------- d-----w- c:\program files\GameSpy Arcade

2009-10-10 01:13 . 2009-10-10 01:13 -------- d-----w- c:\program files\CCP

2009-10-10 01:13 . 2009-10-10 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP

2009-10-09 03:51 . 2009-10-09 03:53 -------- d-----w- c:\program files\Mbamtest

2009-10-09 03:41 . 2009-10-09 03:41 0 ----a-w- c:\documents and settings\Owner\settings.dat

2009-10-09 02:57 . 2009-10-09 02:57 -------- d-----w- c:\program files\Trend Micro

2009-10-09 02:48 . 2009-10-09 02:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-10-09 02:44 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-09 02:44 . 2009-10-09 03:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-09 02:44 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-09 02:35 . 2009-10-09 02:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-10-09 02:26 . 2009-10-09 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-08 17:12 . 2009-10-08 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2009-10-08 17:07 . 2009-10-08 17:07 -------- d-----w- c:\program files\Common Files\iS3

2009-10-08 17:07 . 2009-10-09 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-10-08 16:47 . 2009-10-08 16:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!

2009-10-03 02:24 . 2009-10-03 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield

2009-10-02 00:36 . 2009-10-02 00:37 -------- d-----w- c:\documents and settings\Owner\Application Data\MSNInstaller

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-16 22:36 . 2009-05-08 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2009-10-16 22:14 . 2008-01-20 22:53 -------- d-----w- c:\program files\Symantec AntiVirus

2009-10-16 21:05 . 2009-05-08 00:50 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2009-10-11 00:38 . 2006-09-12 05:33 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-03 02:25 . 2007-04-27 00:51 -------- d-----w- c:\program files\LucasArts

2009-10-03 02:13 . 2009-03-05 02:29 -------- d-----w- c:\program files\Turbine

2009-10-03 00:26 . 2009-08-25 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-09-28 19:24 . 2008-08-27 00:44 -------- d-----w- c:\program files\SystemRequirementsLab

2009-09-28 19:21 . 2008-08-27 00:11 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab

2009-09-16 17:23 . 2006-09-12 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-09-09 04:07 . 2007-04-27 01:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Petroglyph

2009-08-29 02:28 . 2006-12-26 06:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-25 16:37 . 2009-08-25 16:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Turbine

2009-08-25 16:09 . 2006-12-26 06:27 -------- d-----w- c:\program files\World of Warcraft

2009-08-25 16:06 . 2009-05-20 01:18 -------- d-----w- c:\program files\Telltale Games

2009-08-25 02:51 . 2009-08-25 02:51 -------- d-----w- c:\program files\Pando Networks

2009-07-22 11:37 . 2006-12-26 15:33 109321 ----a-w- c:\windows\War3Unin.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-10-16_21.02.30 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2009-08-22 472568]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Mbamtest\Malwarebytes' Anti-Malware\mbam2.exe" [2009-09-10 1312080]

"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-28 532480]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^StartUp^Vongo Tray.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\StartUp\Vongo Tray.lnk

backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\NeverwinterNights\\NWN\\nwmain.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds\\Game\\battlegrounds_x1.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"58621:TCP"= 58621:TCP:Pando Media Booster

"58621:UDP"= 58621:UDP:Pando Media Booster

"57161:TCP"= 57161:TCP:Pando Media Booster

"57161:UDP"= 57161:UDP:Pando Media Booster

R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [12/8/2006 9:34 AM 78336]

R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [3/4/2009 9:29 PM 267760]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/14/2008 1:10 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 8:03 PM 102448]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 3:39 PM 61952]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [8/21/2009 10:17 PM 218608]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

.

Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-10-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fpsi4t17.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-16 17:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3905493575-3718811003-140673782-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3905493575-3718811003-140673782-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:24,b9,ab,b1,13,76,9c,c7,f2,fa,fd,f5,00,26,30,63,ed,c3,03,ec,67,45,f8,

24,88,80,1a,9c,cd,38,24,be,e7,03,b8,41,2b,64,34,27,51,26,ba,a1,94,63,6c,10,\

"??"=hex:38,ac,69,90,f2,79,52,2f,4d,01,2e,76,21,cb,41,32

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)

c:\windows\system32\WRLogonNTF.dll

.

Completion time: 2009-10-16 17:45

ComboFix-quarantined-files.txt 2009-10-16 22:45

ComboFix2.txt 2009-10-16 21:16

Pre-Run: 11,375,427,584 bytes free

Post-Run: 11,348,586,496 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

217 --- E O F --- 2009-03-16 01:42

Upload was successful

Kap Log:

Friday, October 16, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, October 17, 2009 00:20:34

Records in database: 3011544

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

E:\

Scan statistics

Objects scanned 119055

Threats found 11

Infected objects found 16

Suspicious objects found 2

Scan duration 03:07:21

File name Threat Threats count

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EC80000\4ECEBC8D.VBN Infected: Trojan.Win32.Plapon.vd 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EC80001\4ECEBD15.VBN Infected: Trojan.Win32.Plapon.ux 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EC80009\4ECEC0AF.VBN Infected: Trojan.Win32.Monderb.beon 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680001.VBN Infected: Trojan.Win32.Plapon.ux 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10140000\5ADEEED6.VBN Infected: Trojan.Win32.Monderb.beon 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10F40000\5AF6D244.VBN Infected: Trojan.Win32.Monderb.bfah 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13880000\5BDF3CED.VBN Infected: Trojan.Win32.Monderb.beuz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13880001\5BDF5C8A.VBN Infected: Trojan.Win32.Monderb.beuz 1

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\07387833\07387833.exe.vir Infected: Trojan.Win32.FraudPack.wso 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\damozibu.dll.vir Infected: Trojan.Win32.Monderb.betp 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nibaheya.dll.vir Infected: Trojan.Win32.Monderb.beza 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\sozukayo.dll.vir Infected: Trojan.Win32.Monderb.bfoq 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\wokibezo.dll.vir Infected: Trojan.Win32.Monderb.bewz 1

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP261\A0180775.exe Infected: Trojan.Win32.FraudPack.wso 1

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP261\A0180778.dll Infected: Trojan.Win32.Monderb.betp 1

C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP261\A0180784.dll Infected: Trojan.Win32.Monderb.beza 1

Selected area has been scanned.

As for a performance update, I haven't encountered any more pop-ups, or a repeat of the Security Tool.

Link to post
Share on other sites
sUBs

sUBs

Posted
Posted
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

This is the database file for Outlook. You probably have some junk mail in there that hasn't been deleted. Launch Outlook and do that.

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EC80000\

This is Symantec's quarantine cache. You should empty the cache by having Symantec delete the files.

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while

----------------------

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to to Start > Run & typing in ComboFix /U
  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  4. http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  5. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  6. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywareinfoforum.com/index.php?showtopic=60955

After doing all these, your system will be optimised against future threats.

.

Have a safe & happy computing day. wave.gif

Kindly respond to this thread once more so we can mark this thread as resolved.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept