
Can't get rid of nsrbgxod.bak, no internet connection


Kdog


Hi,

Thank you for your great work here.

My kid's computer got infected and screeched to a halt. I ran the Malwarebytes Anti-Malware program and it seems to have gotten rid of everything but nsrbgxod.bak. It said it would delete nsrbgxod.bak on reboot but after several attempts it is clearly not deleting it. In addition, I cannot connect to the internet on that computer so I have had to download Malwarebytes Anti-Malware and Trend Micro HijackThis to a flash drive and transfer them to the infected computer. After running the Malwarebytes program I ran a virus scan using the CA Antivirus program and it did not find anything bad. Any help would be greatly appreciated.

Thanks.

Here are the log files:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

11/11/2009 11:44:51 AM

mbam-log-2009-11-11 (11-44-51).txt

Scan type: Quick Scan

Objects scanned: 107917

Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

********************************************************************************

************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:15:40 PM, on 11/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clubpenguin.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GEST] =

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" (User '?')

O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User '?')

O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {d5978a5c-4586-4452-a389-d5098e9b5f52} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: vufosesa.dll

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--

End of file - 12297 bytes

Thanks !!!!!


Hello Kdog and welcome to the forums here at MalwareBytes.

The PC still appears to be infected with Vundo. We'll use a bigger hammer on this.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif, the ComboFix Recovery Console prompt]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png, the ComboFix "what next" message]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

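The "still infected with Vundo" call above rests on a handful of HijackThis entry types. As an added example (not code from this thread or from Trend Micro), the Python script below applies triage rules to HijackThis v2.0.2 lines: a non-empty O20 AppInit_DLLs, an O18 text/html filter hijack, and O4 rundll32 entries that call a decorated export or load a DLL from the registry hive directory. The sample lines are copied from the logs posted in the thread; the severity rules are heuristics written for this walkthrough, not a vendor signature set.

```python
"""Triage of HijackThis v2.0.2 log lines.  Added example, not code from the thread
or from Trend Micro; the severity rules are illustrative heuristics."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the HijackThis logs posted in this thread, trimmed to the
# entries the rules need plus two benign ones (NvCplDaemon, iTunesHelper) as controls.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clubpenguin.com/
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [GEST] =
O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User '?')
O18 - Filter hijack: text/html - {d5978a5c-4586-4452-a389-d5098e9b5f52} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: vufosesa.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag (O4, O18, O20, ...)
    severity: str  # "high" or "low"
    reason: str
    line: str


# Every HijackThis entry starts with a tag such as "R0 - " or "O23 - ".
ENTRY = re.compile(r"^(?P<tag>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: <hive>\..\Run: [<value name>] <command>
O4_BODY = re.compile(r"^(?P<key>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")
# rundll32 called with a stdcall-decorated export (",_Name@N"); vendor Run entries
# pass plain names such as NvStartup, so a raw decorated name deserves a look.
DECORATED_EXPORT = re.compile(r",\s*_\w+@\d+\s*$")
# A DLL living in the registry hive directory is out of place as a Run target.
HIVE_DIR = re.compile(r"\\system32\\config\\", re.IGNORECASE)


def check_o4(body: str, line: str):
    """Return a Finding for a suspicious O4 (Run key) entry, else None."""
    m = O4_BODY.match(body)
    if not m:
        return None
    cmd = USER_SUFFIX.sub("", m.group("cmd").strip())
    if cmd in ("", "="):
        return Finding("O4", "low", f"orphaned Run value [{m.group('name')}] with no command", line)
    if "rundll32" not in cmd.lower():
        return None  # plain executables are left alone by these rules
    if DECORATED_EXPORT.search(cmd):
        return Finding("O4", "high", "rundll32 calls a decorated export (_Name@N) in a DLL", line)
    if HIVE_DIR.search(cmd):
        return Finding("O4", "high", "rundll32 loads a DLL from the registry hive directory", line)
    return None


def triage(log_text: str):
    """Walk a HijackThis log and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers and the running-process list carry no entry tag
        tag, body = m.group("tag"), m.group("body")
        if tag == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # an empty AppInit_DLLs value is the normal state
                findings.append(Finding(tag, "high",
                                        f"AppInit_DLLs injects {dlls} into every process that loads user32.dll", line))
        elif tag == "O18" and body.startswith("Filter hijack:"):
            mime = body.split(" - ")[0].split(":", 1)[1].strip()
            findings.append(Finding(tag, "high", f"a {mime} MIME filter sits in the path of every page IE renders", line))
        elif tag == "O4":
            f = check_o4(body, line)
            if f:
                findings.append(f)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>4}] {f.section}: {f.reason}\n       {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```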

Thank you for your reply!!!

I did as you instructed and it now appears that Windows boots up quite a bit faster and perhaps Vundo is gone. Unfortunately, I still can't connect to the internet. When I "diagnose" the problem it states in the "Network Adapter identification" box as follows:

"error - failed with error 0x8007043B: The executable program that this service is configured to run in does not implement the service."

I poked around the internet (on a different computer) to see if I could fix that error. The Microsoft website posted these troubleshooting tips:

Error 1083: The executable program that this service is configured to run in does not implement the service. (0x8007043B)

If you receive this error message, follow these steps:

Click Start, click Run, type Regsvr32 %windir%\system32\qmgr.dll, and then click OK.

Click Start, click Run, type regsvr32 %windir%\system32\qmgrprxy.dll, and then click OK.

Click Start, click Run, type services.msc, and then click OK.

Double-click Background Intelligent Transfer Service.

In the General tab, click Start.

I did as they instructed and it seemed that nothing changed other than "BITS" is now "started". I even restarted the computer and BITS remained "started" but there was still no internet connection. By the way, I am running Windows XP Pro and using a cable modem.

Here are the logfiles:

ComboFix 09-11-13.04 - Owner 11/12/2009 16:10.1.2 - NTFSx86

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\ntuser.dll

c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll

c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk

C:\dtacmawh.exe

C:\ldvx.exe

c:\program files\Shared

C:\qsdhs.exe

c:\recycler\S-1-5-21-1123561945-1637723038-682003330-1003

c:\windows\batmeter16.dll

c:\windows\system32\biyebafi.exe

c:\windows\system32\calc.dll

c:\windows\system32\config\systemprofile\ntuser.dll

c:\windows\system32\dojudemu.exe

c:\windows\system32\drivers\gasfkymvdedrma.sys

c:\windows\system32\gasfkybbttrhkq.dll

c:\windows\system32\gasfkyjuwyqhhp.dat

c:\windows\system32\gasfkynkorlsdq.dll

c:\windows\system32\gasfkyrijqanna.dat

c:\windows\system32\isapeep.sys

c:\windows\system32\lipemeye.dll

c:\windows\system32\pufidihu.exe

c:\windows\system32\wl.exe

c:\windows\system32\wonupago.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkylwxpsktw

-------\Service_gasfkylwxpsktw

-------\Legacy_isapeep

-------\Service_isapeep

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))

.

2009-11-11 20:15 . 2009-11-11 20:15 -------- d-----w- c:\program files\Trend Micro

2009-11-11 00:26 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-11 00:26 . 2009-11-11 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-11 00:26 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-11 00:11 . 2009-11-11 00:11 -------- d-----w- C:\Linksys Driver

2009-11-07 22:23 . 2009-11-07 22:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-10-14 01:02 . 2009-10-14 01:02 739752 ----a-w- c:\windows\system32\drivers\vetefile.sys

2009-10-14 01:02 . 2009-10-14 01:02 133576 ----a-w- c:\windows\system32\drivers\veteboot.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2

2009-11-13 00:15 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1

2009-11-13 00:15 . 2009-04-26 17:40 59678 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0

2009-11-11 18:40 . 2008-12-26 16:05 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor

2009-10-21 03:12 . 2008-12-26 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2009-10-21 02:07 . 2008-12-26 20:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2009-10-14 01:02 . 2009-08-22 19:12 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll

2009-10-02 02:20 . 2009-09-29 02:11 -------- d-----w- c:\program files\TS

2009-10-02 00:43 . 2009-10-02 00:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-10-02 00:42 . 2009-10-02 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-18 17:35 . 2009-09-17 02:30 -------- d-----w- c:\program files\Google

2009-09-17 02:30 . 2009-09-17 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 04:54 . 2008-12-19 04:15 73992 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-29 08:08 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-03-21 14:06 . 2008-04-14 12:00 23552 --sha-w- c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll

.

------- Sigcheck -------

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GEST"="=" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]

"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-14 177392]

"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-04-26 14088]

"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-10-15 230664]

"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2009-04-26 1193200]

"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-04-26 173296]

"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-04-26 259312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

2007-05-18 20:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S0 KmxStart;KmxStart;c:\windows\System32\DRIVERS\kmxstart.sys [2008-06-25 93712]

S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]

S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]

S1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-25 115216]

S2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 134648]

S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]

S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]

S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]

S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-25 281104]

S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]

S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-17 189704]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

NETSVCS REQUIRES REPAIRS - current entries shown

AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-17 02:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.clubpenguin.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\VetRedir.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-12 16:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,d5,6f,3f,ec,0d,a3,41,a0,75,f4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,d5,6f,3f,ec,0d,a3,41,a0,75,f4,\

[HKEY_USERS\S-1-5-21-2948811530-3269059372-3255304491-1003\Software\SecuROM\License information*]

"datasecu"=hex:85,8c,09,4a,dd,45,24,c3,e5,04,e8,c0,24,e0,d0,ab,bc,ce,96,c4,fa,

0b,b7,d0,c4,c6,f7,38,3b,2a,9e,41,9d,11,c5,8f,1d,1e,43,45,7d,95,02,c0,4f,74,\

"rkeysecu"=hex:de,b6,88,f1,4a,ef,9e,a7,7b,a7,e0,ef,c4,ac,6c,b4

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)

c:\windows\system32\UmxWnp.Dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(836)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2488)

c:\windows\system32\WININET.dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

c:\program files\CA\CA Internet Security Suite\ccprovsp.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2009-11-12 16:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-13 00:22

Pre-Run: 83,823,943,680 bytes free

Post-Run: 85,449,625,600 bytes free

- - End Of File - - 083F72303118272C2ACB2CA1C80F7503

***************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:25:08 PM, on 11/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clubpenguin.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GEST] =

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" (User '?')

O4 - HKUS\S-1-5-21-2948811530-3269059372-3255304491-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--

End of file - 11434 bytes

Thanks again!!!!!!!


Thanks!!!

ComboFix 09-11-13.04 - Owner 11/13/2009 11:30.2.2 - NTFSx86

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))

.

2009-11-11 20:15 . 2009-11-11 20:15 -------- d-----w- c:\program files\Trend Micro

2009-11-11 00:26 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-11 00:26 . 2009-11-11 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-11 00:26 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-11 00:11 . 2009-11-11 00:11 -------- d-----w- C:\Linksys Driver

2009-11-07 22:23 . 2009-11-07 22:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2

2009-11-13 04:59 . 2009-04-26 17:40 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1

2009-11-13 04:59 . 2009-04-26 17:40 59678 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0

2009-11-11 18:40 . 2008-12-26 16:05 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor

2009-10-21 03:12 . 2008-12-26 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2009-10-21 02:07 . 2008-12-26 20:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2009-10-14 01:02 . 2009-10-14 01:02 739752 ----a-w- c:\windows\system32\drivers\vetefile.sys

2009-10-14 01:02 . 2009-10-14 01:02 133576 ----a-w- c:\windows\system32\drivers\veteboot.sys

2009-10-14 01:02 . 2009-08-22 19:12 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll

2009-10-02 02:20 . 2009-09-29 02:11 -------- d-----w- c:\program files\TS

2009-10-02 00:43 . 2009-10-02 00:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-10-02 00:42 . 2009-10-02 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-18 17:35 . 2009-09-17 02:30 -------- d-----w- c:\program files\Google

2009-09-17 02:30 . 2009-09-17 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 04:54 . 2008-12-19 04:15 73992 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-29 08:08 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-03-21 14:06 . 2008-04-14 12:00 23552 --sha-w- c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-13_00.18.28 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-14 12:00 . 2009-10-16 04:47 68360 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2009-11-13 19:31 68360 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2009-11-13 19:31 435590 c:\windows\system32\perfh009.dat

- 2008-04-14 12:00 . 2009-10-16 04:47 435590 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GEST"="=" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]

"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-14 177392]

"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-04-26 14088]

"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-10-15 230664]

"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2009-04-26 1193200]

"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-04-26 173296]

"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-04-26 259312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

2007-05-18 20:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"JavaQuickStarterService"=2 (0x2)

"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 6:08 PM 93712]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 6:08 PM 63504]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 6:08 PM 45584]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 6:08 PM 115216]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 6:08 PM 134648]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 6:08 PM 66576]

R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 9:24 AM 1010192]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 9:24 AM 801296]

R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 6:10 PM 281104]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 6:08 PM 88816]

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 8:10 PM 189704]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-17 02:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.clubpenguin.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\VetRedir.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-13 11:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,d5,6f,3f,ec,0d,a3,41,a0,75,f4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,d5,6f,3f,ec,0d,a3,41,a0,75,f4,\

[HKEY_USERS\S-1-5-21-2948811530-3269059372-3255304491-1003\Software\SecuROM\License information*]

"datasecu"=hex:85,8c,09,4a,dd,45,24,c3,e5,04,e8,c0,24,e0,d0,ab,bc,ce,96,c4,fa,

0b,b7,d0,c4,c6,f7,38,3b,2a,9e,41,9d,11,c5,8f,1d,1e,43,45,7d,95,02,c0,4f,74,\

"rkeysecu"=hex:de,b6,88,f1,4a,ef,9e,a7,7b,a7,e0,ef,c4,ac,6c,b4

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)

c:\windows\system32\UmxWnp.Dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(832)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3956)

c:\windows\system32\WININET.dll

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-11-13 11:35

ComboFix-quarantined-files.txt 2009-11-13 19:34

ComboFix2.txt 2009-11-13 00:22

Pre-Run: 85,458,939,904 bytes free

Post-Run: 85,420,445,696 bytes free

- - End Of File - - 27F2F3BAE8A586E13C8C342FC66203A6


Great, glad we got it back. They should all be this easy... :)

I would suggest a scan with an updated MalwareBytes. If anything is found post the log.

I would also suggest an online virus scan.

I would like you to run the following scan: Eset Online Scanner

Run with Internet Explorer

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button, or click the notification bar at the top of the window and choose to install.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.


Rats. I ran Malwarebytes and it found 19 infected files: see log below. Then I ran it two more times and each time it came up clean: see the latest log below. Then I ran the scanner and it came up with three threats. I couldn't find a details tab or log so I copied and pasted the threats it found: see below.

Malwarebytes' Anti-Malware 1.41

Database version: 3164

Windows 5.1.2600 Service Pack 3

11/13/2009 2:03:48 PM

mbam-log-2009-11-13 (14-03-48).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 284905

Time elapsed: 19 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 19

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\dtacmawh.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\ldvx.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\qsdhs.exe.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\isapeep.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lipemeye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\ntuser.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055408.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055492.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055657.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055489.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055490.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055493.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055494.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055497.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055498.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055503.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055504.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{201F11F7-9D80-4330-B310-1B1F3CBA1645}\RP189\A0055552.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.41

Database version: 3164

Windows 5.1.2600 Service Pack 3

11/13/2009 3:17:27 PM

mbam-log-2009-11-13 (15-17-27).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 285037

Time elapsed: 19 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Files found with the ESET online scanner:

C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybbttrhkq.dll.vir probably a variant of Win32/Agent trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynkorlsdq.dll.vir probably a variant of Win32/Obfuscated trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkymvdedrma.sys.vir a variant of Win32/Olmarik.NU trojan


I found the log...doh!

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=d6ce545eb02bb145b075b64c65e55185

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-11-13 11:42:32

# local_time=2009-11-13 03:42:32 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 101435 101435 0 0

# compatibility_mode=1026 16777214 0 2 23171212 23171212 0 0

# compatibility_mode=4865 16777189 100 100 0 70426708 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=163449

# found=3

# cleaned=0

# scan_time=997

C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybbttrhkq.dll.vir probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynkorlsdq.dll.vir probably a variant of Win32/Obfuscated trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkymvdedrma.sys.vir a variant of Win32/Olmarik.NU trojan 00000000000000000000000000000000 I

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=d6ce545eb02bb145b075b64c65e55185

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-11-14 12:10:27

# local_time=2009-11-13 04:10:27 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 103103 103103 0 0

# compatibility_mode=1026 16777214 0 2 23172880 23172880 0 0

# compatibility_mode=4865 16777189 100 100 0 70428376 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=163525

# found=3

# cleaned=0

# scan_time=1005

C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybbttrhkq.dll.vir probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynkorlsdq.dll.vir probably a variant of Win32/Obfuscated trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkymvdedrma.sys.vir a variant of Win32/Olmarik.NU trojan 00000000000000000000000000000000 I
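The ESET log above has a simple shape: `# key=value` header lines followed by one line per detection (path, threat description, a 32-hex digest, a flag). The helper's next reply hinges on where those paths sit: hits inside ComboFix's quarantine (Qoobox) or inside System Restore points are inert copies, not running malware. The following parser is an added example written for this thread, not a tool from ESET, ComboFix or the forum; it separates live detections from inert ones and reports any line it could not parse (such as the `esets_scanner_update` error line). The sample log is constructed: the header and the three Qoobox hits mirror the thread, while the restore-point entry and the Temp-folder entry are invented, with a placeholder GUID.

```python
"""Triage an ESET Online Scanner log: split detections into live files and
copies that are already inert (ComboFix quarantine, System Restore points).
Added example for this thread; not a tool from ESET, ComboFix or the forum."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Locations holding copies of malware that can no longer execute. Assumption
# made for this example: anything beneath these markers is treated as inert.
INERT_MARKERS = (
    "\\qoobox\\quarantine\\",                 # ComboFix quarantine (Qoobox)
    "\\system volume information\\_restore",  # System Restore snapshots
)

# One detection line: <path> <threat description> <32-hex digest> <flag>.
# ESET writes the fields tab-separated; the regex also copes with logs whose
# tabs were flattened to spaces, as happens when a log is pasted into a forum.
DETECTION_RE = re.compile(
    r"^(?P<path>[a-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?\S+/.*?)\s+"
    r"(?P<digest>[0-9a-f]{32})\s+(?P<flag>\S)$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    threat: str
    digest: str
    flag: str

    @property
    def inert(self) -> bool:
        """True when the file sits in quarantine or a restore point."""
        low = self.path.lower()
        return any(marker in low for marker in INERT_MARKERS)


def parse_eset_log(text: str):
    """Return (header, detections, unparsed). Header values are lists because
    some keys (compatibility_mode) repeat within one log."""
    header = defaultdict(list)
    detections, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key].append(value)
            continue
        match = DETECTION_RE.match(line)
        if match:
            detections.append(Detection(**match.groupdict()))
        else:
            unparsed.append(line)
    return dict(header), detections, unparsed


def triage(text: str) -> dict:
    """Summarise a log: counts, live vs inert paths, and leftover lines."""
    header, detections, unparsed = parse_eset_log(text)
    live = [(d.path, d.threat) for d in detections if not d.inert]
    inert = [(d.path, d.threat) for d in detections if d.inert]
    return {
        "scanned": int(header.get("scanned", ["0"])[0]),
        "reported_found": int(header.get("found", ["0"])[0]),
        "parsed": len(detections),
        "cleaned": int(header.get("cleaned", ["0"])[0]),
        "live": live,
        "inert": inert,
        "unparsed": unparsed,
    }


ZERO_DIGEST = "0" * 32
# Constructed sample: header and the three Qoobox hits mirror the thread's
# log; the restore-point entry and the Temp entry are invented for the example.
SAMPLE_LOG = "\n".join([
    "# version=7",
    "# end=finished",
    "# scanned=163449",
    "# found=5",
    "# cleaned=0",
    "\t".join([r"C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybbttrhkq.dll.vir",
               "probably a variant of Win32/Agent trojan", ZERO_DIGEST, "I"]),
    "\t".join([r"C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynkorlsdq.dll.vir",
               "probably a variant of Win32/Obfuscated trojan", ZERO_DIGEST, "I"]),
    "\t".join([r"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkymvdedrma.sys.vir",
               "a variant of Win32/Olmarik.NU trojan", ZERO_DIGEST, "I"]),
    "\t".join([r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe",
               "a variant of Win32/Agent trojan", ZERO_DIGEST, "I"]),
    "\t".join([r"C:\Documents and Settings\Owner\Local Settings\Temp\example_live.dll",
               "Win32/Agent trojan", ZERO_DIGEST, "I"]),
    "esets_scanner_update returned -1 esets_gle=53251",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the thread's own log every hit is under `C:\Qoobox\Quarantine\`, so `live` would be empty and the only follow-up is clearing the quarantine and restore points, which is exactly what the reply below prescribes; a non-empty `live` list is the case that would need further cleaning.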


No problems...

Most everything that was found was either in combofix quarantine (Qoobox folder) or in your restore points. We'll clear both of those out now.

Uninstall Combofix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

The above procedure will:

  • Delete the following: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

If all is running well then just some final advice.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

In addition to updating and using what you currently have you may want to consider the following:

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Install Winpatrol -

Use Winpatrol to take control of your PC and provide another layer of security.

Help file and tutorial can be found Here

Block unwanted parasites with a custom hosts file -

http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -

Use Secunia Personal Software Inspector to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,

Dave
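A custom hosts file, as recommended above, blocks unwanted hosts by mapping them to a sinkhole address (0.0.0.0 or 127.0.0.1). The same mechanism is one malware abuses in the other direction: pointing update or security-vendor domains at loopback or at a rogue address so the machine can no longer fetch updates, which is why a hosts file is worth auditing on a machine that has just been cleaned. The following checker is an added example written for this thread, not the MVPS hosts file or any tool from mvps.org. The protected-domain list and the sample hosts file are constructed for the example; `192.0.2.10` is a documentation address, not a real endpoint.

```python
"""Audit a Windows hosts file: count legitimate blocking entries and flag
entries that override update/security domains, the hijack pattern a blocking
hosts file must not contain. Added example for this thread; it is not the
MVPS hosts file or a tool from that site."""
import ipaddress
from collections import Counter

# Addresses a blocking hosts file maps unwanted hosts to (nothing answers there).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains that must never be overridden by hosts entries, because malware uses
# exactly that trick to cut a machine off from updates. Assumption: this list
# is chosen for the example; extend it with your own vendors' domains.
PROTECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com")


def _is_protected(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str):
    """Yield (lineno, address_or_None, hostnames) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            yield lineno, None, fields        # address without a hostname
            continue
        yield lineno, fields[0], fields[1:]


def classify(address, hostnames) -> str:
    """Label one hosts entry: invalid, hijack, local, blocking or custom."""
    if address is None:
        return "invalid"
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    names = [h.lower() for h in hostnames]
    if any(_is_protected(h) for h in names):
        return "hijack"          # a protected domain overridden at all is suspect
    if all(h == "localhost" for h in names):
        return "local"
    if address in SINKHOLES:
        return "blocking"        # the entry type a blocking hosts file is made of
    return "custom"              # a real mapping: review by hand


def audit_hosts(text: str) -> dict:
    """Return per-category counts plus the hijack entries with line numbers."""
    counts, hijacks = Counter(), []
    for lineno, address, hosts in parse_hosts(text):
        kind = classify(address, hosts)
        counts[kind] += 1
        if kind == "hijack":
            hijacks.append((lineno, address, hosts))
    return {"counts": dict(counts), "hijacks": hijacks}


# Constructed sample hosts file (not anyone's real hosts file).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example.net        # blocked advertising host
0.0.0.0         tracker.example.org
127.0.0.1       www.windowsupdate.com  # hijack: update site sent to loopback
192.0.2.10      download.windowsupdate.com
10.0.0.5        intranet.example.com   # legitimate custom mapping
not-an-address  broken.example
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(result["counts"])
    for lineno, address, hosts in result["hijacks"]:
        print(f"line {lineno}: {address} -> {hosts}")
```

On Windows XP the file lives at `C:\WINDOWS\system32\drivers\etc\hosts`; feeding its contents to `audit_hosts` after installing a blocking list should show only `local`, `blocking` and deliberate `custom` entries, and any `hijack` line is a leftover worth removing.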
