
Request for Admin assistance with final portion of cleanup



I had the "MBAM.exe missing and would not install" problem. I've worked through most of it, but MBAM will not fully clean after reboot, and I need some direction on how to make this final clean so it will not keep reappearing as it is now. My last thread had some other member entries and was never addressed by an admin, so the pertinent information from that thread follows, including the current status of the MBAM log, which shows the remaining issues.

Thanks for any help or directions you can give!

Chris

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:48:36 PM, on 10/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com

O1 - Hosts: 91.212.65.122 spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 knocker

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {61AB07E2-53B5-48BE-8414-85C7E020B733} - c:\windows\system32\taurbtc.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java


  • Staff

Hi,

I see you are running Ad-Watch.

I suggest you disable it because it can interfere with the fixes.

To disable Ad-Watch: right click on the Ad-Watch icon in the system tray and select Disable Ad-Watch Live.

First of all, please update Malwarebytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I followed your instructions as follows:

1) Disabled Ad-Watch Live.

2) Uploaded new version of malwarebytes

3) Did quick scan

4) Did Remove Selected and most things were removed, but about 4 were not. Rebooted as instructed.

5) Ran HijackThis again.

Here are the 2 logs from the runs above, as you requested:

Malwarebytes' Anti-Malware 1.41

Database version: 3055

Windows 5.1.2600 Service Pack 3

10/29/2009 4:55:13 PM

mbam-log-2009-10-29 (16-55-13).txt

Scan type: Quick Scan

Objects scanned: 171132

Time elapsed: 19 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61ab07e2-53b5-48be-8414-85c7e020b733} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pzfytnob (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{61ab07e2-53b5-48be-8414-85c7e020b733} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\taurbtc.dll (Trojan.Vundo.H) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:58:08 PM, on 10/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com

O1 - Hosts: 91.212.65.122 spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 knocker

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {61AB07E2-53B5-48BE-8414-85C7E020B733} - c:\windows\system32\taurbtc.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\fix.exe" /runcleanupscript

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

O4 - Global Startup: Event Reminder.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://games.bellsouth.net/Gh/FeedingFrenz...outLauncher.cab

O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\nelesoye.dll vepineto.dll c:\windows\system32\jijuwajo.dll

O20 - Winlogon Notify: pzfytnob - C:\WINDOWS\SYSTEM32\taurbtc.dll

O21 - SSODL: Macelvoc - {F0CCB8DC-5E99-4C4C-812F-62CDF38DF3BF} - C:\WINDOWS\system32\3dovdos.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 9532 bytes

Will wait for further instructions. Thanks for your help!

Chris

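As an added triage example (not code from the thread, from HijackThis or from Malwarebytes): the Python script below parses HijackThis entry lines and flags the load points the logs above show being abused, namely O1 hosts-file entries that pin a name to a non-loopback address, O2 BHOs registered with no name, every DLL listed under O20 AppInit_DLLs, O20 Winlogon Notify handlers and O21 SSODL objects, and then lists any DLL that is registered at more than one of those load points. The sample log embedded in the script is a constructed excerpt of the HJT log posted above; the category names and the "multi-hook" heuristic are this example's own, not HijackThis output.

```python
"""Triage HijackThis (HJT) log entries for the load points abused in this thread.

Added example; not code from the thread or from HijackThis itself.
"""
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the HJT log posted above, plus
# one ordinary O4 entry, so the script runs offline without a real log file.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 knocker
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61AB07E2-53B5-48BE-8414-85C7E020B733} - c:\windows\system32\taurbtc.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\nelesoye.dll vepineto.dll c:\windows\system32\jijuwajo.dll
O20 - Winlogon Notify: pzfytnob - C:\WINDOWS\SYSTEM32\taurbtc.dll
O21 - SSODL: Macelvoc - {F0CCB8DC-5E99-4C4C-812F-62CDF38DF3BF} - C:\WINDOWS\system32\3dovdos.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
LOOPBACK_PREFIXES = ("127.", "::1", "0.0.0.0")


def parse_entries(text):
    """Return (section, body) pairs for HJT entry lines; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def basename(path):
    """Lower-cased file name of a Windows path (bare names pass through unchanged)."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Group the suspicious load points by kind and cross-reference DLLs across them."""
    findings = defaultdict(list)
    load_points = defaultdict(set)  # dll basename -> load points it is registered at

    for sec, body in parse_entries(text):
        if sec == "O1" and body.startswith("Hosts: "):
            ip, _, host = body[len("Hosts: "):].strip().partition(" ")
            # Any name other than localhost pinned to a non-loopback address is a redirect.
            if host.lower() != "localhost" and not ip.startswith(LOOPBACK_PREFIXES):
                findings["hosts_redirect"].append((host, ip))
        elif sec == "O2" and body.startswith("BHO: "):
            name, _, rest = body[len("BHO: "):].partition(" - ")
            clsid, _, path = rest.partition(" - ")
            load_points[basename(path)].add("O2 BHO")
            if name.strip() == "(no name)":
                findings["unnamed_bho"].append((clsid, path))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL here is loaded into each process that loads user32.dll,
            # so all of them are listed for review, legitimate vendors included.
            for dll in body[len("AppInit_DLLs:"):].split():
                load_points[basename(dll)].add("O20 AppInit_DLLs")
                findings["appinit_dll"].append(dll)
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].strip().partition(" - ")
            load_points[basename(path)].add("O20 Winlogon Notify")
            findings["winlogon_notify"].append((name, path))
        elif sec == "O21" and body.startswith("SSODL:"):
            name, _, rest = body[len("SSODL:"):].strip().partition(" - ")
            clsid, _, path = rest.partition(" - ")
            load_points[basename(path)].add("O21 SSODL")
            findings["ssodl"].append((name, clsid, path))

    # A DLL hooked in at more than one load point is the strongest single lead:
    # in the sample, taurbtc.dll is both a BHO and a Winlogon Notify handler.
    findings["multi_hook_dlls"] = sorted(
        (dll, sorted(points)) for dll, points in load_points.items() if len(points) > 1
    )
    return dict(findings)


def report(findings):
    """Flatten the findings into printable lines, one per item."""
    lines = []
    for kind, items in findings.items():
        for item in items:
            lines.append(f"{kind}: {item}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

AppInit_DLLs is reported in full rather than judged, because the same value in this log also carries entries with ordinary vendor paths (the Google Desktop DLL under C:\PROGRA~1\Google sits beside the bare names in system32), so that list is for a person to check against installed software, not for automatic deletion. The hosts check deliberately flags every non-loopback mapping, including the bare name "knocker", since a clean XP hosts file contains nothing but localhost.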

  • Staff

Hi,

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Downloaded and ran ComboFix. It rebooted once and then came back and finished and showed me the log, but now the machine is totally locked up (I've been waiting about 20 minutes since the log popped up). I guess I'm going to have to do a hard boot to get back in... is that OK?

Let me know and then I'll do it and post the log results.

Thanks!

Chris


Mieke,

Thanks again... here's the log:

ComboFix 09-10-28.08 - Chris 10/29/2009 17:43.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.602 [GMT -4:00]

Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\drivers\afzaafll.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\drivers\ydjpidme.sys

c:\windows\system32\mizuyoha.dll

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\taurbtc.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\system32\ywcycrx.dll

c:\windows\Tasks\uyzieouy.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_YDJPIDME

-------\Service_npf

-------\Service_ydjpidme

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))

.

2009-10-31 04:18 . 2009-10-15 11:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Temp

2009-10-29 04:14 . 2009-10-29 04:14 -------- d-sh--w- c:\documents and settings\Teresa\PrivacIE

2009-10-29 04:14 . 2009-10-29 04:14 -------- d-sh--w- c:\documents and settings\Teresa\IETldCache

2009-10-29 03:47 . 2009-10-29 03:47 -------- d-sh--w- c:\documents and settings\Chris\IECompatCache

2009-10-28 22:13 . 2009-10-28 22:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-10-28 17:37 . 2009-10-28 17:37 -------- d-sh--w- c:\documents and settings\Amber\PrivacIE

2009-10-28 17:36 . 2009-10-28 17:36 -------- d-sh--w- c:\documents and settings\Amber\IETldCache

2009-10-28 17:24 . 2009-10-28 17:24 -------- d-sh--w- c:\documents and settings\Chris\PrivacIE

2009-10-28 17:24 . 2009-10-28 17:24 -------- d-sh--w- c:\documents and settings\Chris\IETldCache

2009-10-28 17:21 . 2009-10-28 17:21 -------- d-----w- c:\windows\ie8updates

2009-10-28 17:17 . 2009-10-28 17:19 -------- dc-h--w- c:\windows\ie8

2009-10-28 17:15 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-10-28 17:15 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-10-28 17:15 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-10-25 14:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-25 14:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-25 14:32 . 2009-10-26 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-25 05:09 . 2009-10-25 05:09 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-28 14:03 . 2008-02-17 17:14 -------- d-----w- c:\documents and settings\Chris\Application Data\Wave Systems Corp

2009-09-28 11:22 . 2006-06-29 23:02 -------- d-----w- c:\program files\Google

2009-09-21 15:15 . 2009-01-31 16:39 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-20 22:12 . 2007-12-17 23:05 39048 ----a-w- c:\documents and settings\Amber\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2004-08-11 22:12 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2004-08-11 22:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-29 169984]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\fix.exe" [2009-09-10 1312080]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-11-21 218496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-29 24576]

EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]

Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2008-1-21 331776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"Macelvoc"= {F0CCB8DC-5E99-4C4C-812F-62CDF38DF3BF} - c:\windows\system32\3dovdos.dll [2007-04-16 831488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/31/2009 12:15 PM 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1028432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2

*NewlyCreated* - MBR

*NewlyCreated* - PCIIDEX_2

*NewlyCreated* - YDJPIDME

*Deregistered* - CLASSPNP_2

*Deregistered* - mbr

*Deregistered* - PCIIDEX_2

*Deregistered* - ydjpidme

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

eodwnqrx

.

Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 15:15]

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2057386381-2381177109-2527008568-1005Core.job

- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-31 04:18]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2057386381-2381177109-2527008568-1005UA.job

- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-31 04:18]

2009-10-29 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.my.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-29 17:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(816)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3476)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\3dovdos.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\diresans.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2009-10-29 18:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-29 22:00

Pre-Run: 42,018,791,424 bytes free

Post-Run: 44,275,765,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 85B19BA48455D1370AE4EE67669307C3

Let me know what's next!

Chris


  • Staff

Hi,

I see you are running Ad-Watch.

I suggest you disable it because it can interfere with the fixes.

To disable Ad-Watch: right click on the Ad-Watch icon in the system tray and select Disable Ad-Watch Live.

In case it won't disable, it may be better to uninstall Ad-Aware for now, because Ad-Watch interferes with a lot during malware removal and can undo the changes that were made.

You can reinstall Ad-Aware afterwards, once we are done here.

Reboot after uninstalling.

Then, open Notepad (don't use any other text editor than Notepad or the script will fail).

Copy/paste the text in the quote box below into Notepad:

Collect::[8]

c:\windows\system32\3dovdos.dll

Suspect::[8]

c:\windows\system32\diresans.dll

NetSvc::

eodwnqrx

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"Macelvoc"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WildTangent CDA"=-

"Malwarebytes Anti-Malware (reboot)"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

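A dry-run reader for the CFScript format used in the instructions above, added here as an example (it is not ComboFix's own code) so a removal script can be reviewed before it is dropped onto ComboFix.exe. The directive effects are inferred from the log later in this thread (the Collect:: file is zipped and deleted, the Suspect:: file is zipped only); the NetSvc:: effect is an assumption, and the sample input is the script from the post.

```python
# Added example, not ComboFix's own code: a dry-run reader for the CFScript format
# used above, run on the script from the post. Directive effects are inferred from
# this thread's log (Collect:: zipped and deleted, Suspect:: zipped only); NetSvc:: assumed.
import re

ACTIONS = {  # file/service directives: one target per line
    "Collect": "zip to Qoobox\\Quarantine and delete",
    "Suspect": "zip to Qoobox\\Quarantine, leave on disk",
    "NetSvc": "remove from svchost netsvcs group (assumption)"}
SECTION_RE = re.compile(r"^(Collect|Suspect|NetSvc|Registry)::(?:\[\d+\])?$")
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_cfscript(text):
    plan, section, key = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section is None:
            raise ValueError(f"line before any section header: {line!r}")
        if section in ACTIONS:
            plan.append((ACTIONS[section], line))
            continue
        m = KEY_RE.match(line)          # Registry:: body is REGEDIT4 syntax
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            raise ValueError(f"malformed Registry:: line: {line!r}")
        name, data = m.groups()         # "name"=- deletes the value
        action = "delete registry value" if data == "-" else "set registry value"
        plan.append((action, f"{key}\\{name}" + ("" if data == "-" else f"={data}")))
    return plan

SAMPLE = r"""Collect::[8]
c:\windows\system32\3dovdos.dll
Suspect::[8]
c:\windows\system32\diresans.dll
NetSvc::
eodwnqrx
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Macelvoc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WildTangent CDA"=-
"Malwarebytes Anti-Malware (reboot)"=-
"""
```

Calling parse_cfscript(SAMPLE) returns six (action, target) pairs: two quarantine actions, one service removal and three registry value deletions.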

OK,

I removed ad-aware.

I created the script file and dropped on the combofix and it ran.

I went to the bleepingcomputer site and submitted the file as you instructed.

Below is the latest ComboFix log. I've got to leave for about 30 minutes to take my daughter to ballet practice. Don't know how long you're in today, but I'll check for an update when I return.

Thanks again for all of your help!

Chris

ComboFix 09-10-28.08 - Chris 10/29/2009 18:55.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.628 [GMT -4:00]

Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt

file zipped: c:\windows\system32\3dovdos.dll

file zipped: c:\windows\system32\diresans.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\3dovdos.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))

.

2009-10-31 04:18 . 2009-10-15 11:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Temp

2009-10-29 04:14 . 2009-10-29 04:14 -------- d-sh--w- c:\documents and settings\Teresa\PrivacIE

2009-10-29 04:14 . 2009-10-29 04:14 -------- d-sh--w- c:\documents and settings\Teresa\IETldCache

2009-10-29 03:47 . 2009-10-29 03:47 -------- d-sh--w- c:\documents and settings\Chris\IECompatCache

2009-10-28 22:13 . 2009-10-28 22:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-10-28 17:37 . 2009-10-28 17:37 -------- d-sh--w- c:\documents and settings\Amber\PrivacIE

2009-10-28 17:36 . 2009-10-28 17:36 -------- d-sh--w- c:\documents and settings\Amber\IETldCache

2009-10-28 17:24 . 2009-10-28 17:24 -------- d-sh--w- c:\documents and settings\Chris\PrivacIE

2009-10-28 17:24 . 2009-10-28 17:24 -------- d-sh--w- c:\documents and settings\Chris\IETldCache

2009-10-28 17:21 . 2009-10-28 17:21 -------- d-----w- c:\windows\ie8updates

2009-10-28 17:17 . 2009-10-28 17:19 -------- dc-h--w- c:\windows\ie8

2009-10-28 17:15 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-10-28 17:15 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-10-28 17:15 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-10-25 14:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-25 14:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-25 14:32 . 2009-10-26 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-25 05:09 . 2009-10-25 05:09 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-29 22:47 . 2009-01-31 15:58 -------- d-----w- c:\program files\Lavasoft

2009-10-28 14:03 . 2008-02-17 17:14 -------- d-----w- c:\documents and settings\Chris\Application Data\Wave Systems Corp

2009-09-28 11:22 . 2006-06-29 23:02 -------- d-----w- c:\program files\Google

2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-20 22:12 . 2007-12-17 23:05 39048 ----a-w- c:\documents and settings\Amber\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 23:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2004-08-11 22:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-10-29_21.57.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2004-08-11 22:00 . 2009-10-29 22:52 53838 c:\windows\system32\perfc009.dat

- 2004-08-11 22:00 . 2009-10-29 21:00 53838 c:\windows\system32\perfc009.dat

+ 2004-08-11 22:00 . 2009-10-29 22:52 382260 c:\windows\system32\perfh009.dat

- 2004-08-11 22:00 . 2009-10-29 21:00 382260 c:\windows\system32\perfh009.dat

+ 2004-08-11 22:00 . 2009-03-21 14:06 170397 c:\windows\system32\dxipman32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-29 169984]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-11-21 218496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-29 24576]

EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]

Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2008-1-21 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2057386381-2381177109-2527008568-1005Core.job

- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-31 04:18]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2057386381-2381177109-2527008568-1005UA.job

- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-31 04:18]

2009-10-29 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.my.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-29 18:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)

c:\windows\system32\wxvault.dll

c:\windows\system32\detoured.dll

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(804)

c:\windows\system32\wxvault.dll

c:\windows\system32\detoured.dll

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

Completion time: 2009-10-29 19:01

ComboFix-quarantined-files.txt 2009-10-29 23:00

ComboFix2.txt 2009-10-29 22:01

Pre-Run: 44,541,714,432 bytes free

Post-Run: 44,497,379,328 bytes free

- - End Of File - - C160731CFD77B0544308E231B90D0B0F

Upload was successful


  • Staff

Hi,

The files you submitted appear to have keylogging and screen-capture capabilities, similar to Spectorsoft or Eblaster.

Are you aware of this? Some people do install it (although I'm against such programs), but it may also be installed by malware. If you're not aware of this, then please delete the file c:\windows\system32\diresans.dll, since it's also a part of it.

Also change your passwords since they are logged.

Then, go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


I was not aware... deleted the .dll and changed passwords. Ran combofix /uninstall successfully. I'll play with the machine later tonight and let you know how things are tomorrow.

One more question: My original problem was that mbam.exe was missing and would not reinstall. From a different machine, I got the mbam.exe, moved it to a flash drive and changed the name to fix.exe. That is what I have been running. Should I be able to reinstall now and mbam.exe be there? I'm thinking I should go ahead and try but let me know.

Thanks again!!!! <_<

Chris


  • Staff
Should I be able to reinstall now and mbam.exe be there? I'm thinking I should go ahead and try but let me know.
Yes, you should be able to reinstall it properly again now <_<

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!


Mieke,

Reinstalled mbam.exe with no issues and ran both quick and full scans through to completion with no errors!!!! I'll look at the other suggestions you gave for helping my machine this weekend.

THANKS SO MUCH for all of your help! Machine is running great and it appears all problems are resolved! <_<:):)

Chris


This topic is now closed to further replies.