Ok, so I am following the instructions found here: "I'm infected, what do I do now?"

Contents of DDS.txt file:

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL

Run by kevin at 20:34:17.18 on Wed 12/30/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1737 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\winupdate86.exe

C:\Documents and Settings\kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mWinlogon: Userinit=c:\windows\system32\winlogon86.exe

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0819.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [shockmachineReminder] c:\program files\shockwave\shockmachine\SmReminder.exe

uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"

uRun: [<NO NAME>]

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AIM] c:\program files\my installed programs\aol im\aim.exe -cnetwait.odl

uRun: [Aim6]

mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [QuickTime Task] "c:\program files\my installed programs\quicktime\QTTask.exe" -atboottime

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [vptray] c:\progra~1\myinst~1\symantec\vptray.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [iMONTRAY] c:\program files\intel\intel® active monitor\imontray.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\my installed programs\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\my installed programs\aol im\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL

IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0819.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: tvguide.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab

DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37618.6689930556

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

TCP: {D11DB6FB-4AB5-447B-B589-9AD3A90B566E} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: vuhusihu.dll c:\windows\system32\rujudagu.dll,walikahe.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: godanudaw - {be8fcfb7-9f31-49c4-ba52-28f2577ca64b} - c:\windows\system32\rujudagu.dll

STS: jugezatag: {be8fcfb7-9f31-49c4-ba52-28f2577ca64b} - c:\windows\system32\rujudagu.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli rowimps.dll dinivosa.dll yivozizi.dll

Hosts: 192.168.0.5 atlas

Hosts: 192.168.0.141 hestia

Hosts: 192.168.0.128 controller

============= SERVICES / DRIVERS ===============

S2 NAVAPEL;NAVAPEL;c:\program files\my installed programs\symantec\Navapel.sys [2003-5-2 30208]

S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\myinst~1\symantec\Rtvscan.exe [2003-5-21 610304]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-20 24652]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-15 38224]

S3 NAVAP;NAVAP;c:\progra~1\myinst~1\symantec\NAVAP.sys [2003-5-2 224256]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091227.004\NAVENG.sys [2009-12-27 84912]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091227.004\NAVEX15.sys [2009-12-27 1323568]

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

=============== Created Last 30 ================

2009-12-31 00:08:09 0 ----a-w- c:\documents and settings\kevin\defogger_reenable

2009-12-30 08:04:04 3848 ----a-w- c:\windows\system32\tmp.reg

2009-12-30 07:26:28 0 ----a-w- c:\windows\system32\AVR10.exe

2009-12-30 07:26:27 0 ----a-w- c:\windows\system32\winhelper86.dll

2009-12-30 07:25:07 2854 ----a-w- c:\windows\system32\critical_warning.html

2009-12-30 07:25:05 24576 ----a-w- c:\windows\system32\winupdate86.exe

2009-12-30 07:25:05 24576 ----a-w- c:\windows\system32\winlogon86.exe

2009-12-30 07:25:02 24576 ----a-w- C:\waxfhosk.exe

2009-12-30 06:40:14 0 d-----w- c:\windows\system32\AGEIA

2009-12-30 06:40:04 0 d-----w- c:\program files\common files\Wise Installation Wizard

2009-12-30 06:40:03 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys

2009-12-30 06:40:02 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys

2009-12-29 02:17:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan

2009-12-29 02:15:34 0 d-----w- c:\program files\Symantec AntiVirus

2009-12-28 20:28:44 707072 ----a-w- c:\windows\system32\drivers\mxgsow.sys

2009-12-28 20:28:24 153088 ----a-w- C:\uwlwfa.exe

2009-12-28 20:28:23 47104 ----a-w- C:\haypsixd.exe

==================== Find3M ====================

2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-31 05:11:30 16384 ----a-w- c:\windows\~DFD262.tmp

2009-10-31 05:11:29 16384 ----a-w- c:\windows\~DFCE54.tmp

2009-10-31 04:57:59 23680 ----a-w- c:\windows\system32\emptyregdb.dat

2009-10-31 04:53:00 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2009-10-31 04:51:59 990208 ----a-w- c:\windows\system32\syssetup.dll

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2001-11-23 12:08:20 712704 ----a-w- c:\windows\inf\other\audio3d.dll

2003-02-28 21:53:01 66936 --sha-w- c:\windows\dlinfo_0.drv

2009-09-30 07:25:13 45568 --sha-w- c:\windows\system32\fohuvefa.dll

2009-09-30 07:25:08 153088 --sha-w- c:\windows\system32\giwohide.dll

2009-09-30 07:25:08 153088 --sha-w- c:\windows\system32\yivozizi.dll

2009-09-30 07:25:13 39424 --sha-w- c:\windows\system32\zugezevu.dll

2008-09-16 17:45:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 20:36:41.09 ===============

The contents of my last Malwarebytes scan (Note that this scan yielded nothing malicious, and was the last successful scan before Malwarebytes began giving me the 'run-time error 9' message).

Malwarebytes' Anti-Malware 1.42

Database version: 3442

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/29/2009 1:33:09 AM

mbam-log-2009-12-29 (01-33-09).txt

Scan type: Full Scan (C:\|D:\|T:\|)

Objects scanned: 149100

Time elapsed: 41 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I also ran the requisite GMER and attached its ark.txt and the other DDS 'attach.txt' files. See "Ark.zip"


When I went to install the new version, the .exe was not installed. I was forced to install the program on another computer, copy it to a flash drive, and run the program from there. I just finished scanning and will be rebooting to finish clean-up.

Malwarebytes' Anti-Malware 1.43

Database version: 3458

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/2/2010 1:06:13 AM

mbam-log-2010-01-02 (01-06-13).txt

Scan type: Full Scan (C:\|D:\|T:\|)

Objects scanned: 240906

Time elapsed: 44 minute(s), 5 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 12

Folders Infected: 0

Files Infected: 38

Memory Processes Infected:

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\yivozizi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: yivozizi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d11db6fb-4ab5-447b-b589-9ad3a90b566e}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\fohuvefa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\giwohide.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yivozizi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zugezevu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\haypsixd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\uwlwfa.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\waxfhosk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP46\A0007622.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP46\A0007623.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP46\A0007624.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP46\A0007630.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP46\A0007639.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0011685.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0011688.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0011689.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0011690.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013687.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013704.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013708.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013718.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013725.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013748.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0014747.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0014754.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0014806.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0014930.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0014940.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0015940.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0016941.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP50\A0017941.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP50\A0018942.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP51\A0018968.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4TWLYTSL\hnkppz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


New DDS log. Thanks in advance,

DDS (Ver_09-12-01.01) - NTFSx86

Run by kevin at 11:11:46.28 on Sat 01/02/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1306 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\MYINST~1\Symantec\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\MYINST~1\Symantec\Rtvscan.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\MYINST~1\Symantec\vptray.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Documents and Settings\kevin\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0819.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [shockmachineReminder] c:\program files\shockwave\shockmachine\SmReminder.exe

uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"

uRun: [<NO NAME>]

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AIM] c:\program files\my installed programs\aol im\aim.exe -cnetwait.odl

uRun: [Aim6]

mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [QuickTime Task] "c:\program files\my installed programs\quicktime\QTTask.exe" -atboottime

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [vptray] c:\progra~1\myinst~1\symantec\vptray.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [iMONTRAY] c:\program files\intel\intel® active monitor\imontray.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\my installed programs\aol im\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL

IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0819.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: tvguide.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab

DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37618.6689930556

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: vuhusihu.dll c:\windows\system32\rujudagu.dll,walikahe.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: godanudaw - {be8fcfb7-9f31-49c4-ba52-28f2577ca64b} - c:\windows\system32\rujudagu.dll

STS: jugezatag: {be8fcfb7-9f31-49c4-ba52-28f2577ca64b} - c:\windows\system32\rujudagu.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli rowimps.dll dinivosa.dll

Hosts: 192.168.0.5 atlas

Hosts: 192.168.0.141 hestia

Hosts: 192.168.0.128 controller

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\my installed programs\symantec\Navapel.sys [2003-5-2 30208]

R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\myinst~1\symantec\Rtvscan.exe [2003-5-21 610304]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-20 24652]

R3 NAVAP;NAVAP;c:\progra~1\myinst~1\symantec\NAVAP.sys [2003-5-2 224256]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091227.004\NAVENG.sys [2009-12-27 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091227.004\NAVEX15.sys [2009-12-27 1323568]

S0 jtvlck;jtvlck;c:\windows\system32\drivers\akjetlgb.sys [2010-1-2 0]

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

=============== Created Last 30 ================

2010-01-02 07:17:11 0 ----a-w- c:\windows\system32\drivers\akjetlgb.sys

2009-12-31 00:08:09 0 ----a-w- c:\documents and settings\kevin\defogger_reenable

2009-12-30 08:04:04 3848 ----a-w- c:\windows\system32\tmp.reg

2009-12-30 06:40:14 0 d-----w- c:\windows\system32\AGEIA

2009-12-30 06:40:04 0 d-----w- c:\program files\common files\Wise Installation Wizard

2009-12-30 06:40:03 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys

2009-12-30 06:40:02 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys

2009-12-29 02:17:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan

2009-12-29 02:15:34 0 d-----w- c:\program files\Symantec AntiVirus

2009-12-28 20:28:44 707072 ----a-w- c:\windows\system32\drivers\mxgsow.sys

==================== Find3M ====================

2009-12-30 20:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-31 05:11:30 16384 ----a-w- c:\windows\~DFD262.tmp

2009-10-31 05:11:29 16384 ----a-w- c:\windows\~DFCE54.tmp

2009-10-31 04:57:59 23680 ----a-w- c:\windows\system32\emptyregdb.dat

2009-10-31 04:53:00 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2009-10-31 04:51:59 990208 ----a-w- c:\windows\system32\syssetup.dll

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2001-11-23 12:08:20 712704 ----a-w- c:\windows\inf\other\audio3d.dll

2003-02-28 21:53:01 66936 --sha-w- c:\windows\dlinfo_0.drv

2008-09-16 17:45:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 11:13:44.84 ===============


Malwarebytes' Anti-Malware 1.43

Database version: 3482

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/2/2010 6:23:17 PM

mbam-log-2010-01-02 (18-23-17).txt

Scan type: Full Scan (C:\|D:\|T:\|)

Objects scanned: 241462

Time elapsed: 27 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\kevin\Local Settings\Temporary Internet Files\Content.IE5\V2QI6SZ0\book[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013722.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP49\A0013723.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP51\A0019002.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{DB8352DE-5949-41D1-BBB1-2F321A0D0159}\RP51\A0019004.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Okay, updated, rescanned, and uploaded. Thanks in advance.


Still need to fix a few things. Before we do that, please upload a few files for the MBAM researchers:

c:\windows\system32\drivers\akjetlgb.sys

c:\windows\system32\drivers\mxgsow.sys

Add them to a zip file and name it submission.zip. Here is a free zip utility:

http://download.cnet.com/WinRAR-32-bit/300...4-10007677.html

Please upload that file here --> http://www.bleepingcomputer.com/submit-mal....php?channel=70

Afterwards,

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Okay, to start off, I was able to add the first file, "akjetlgb.sys", but not the second file "mxgsow.sys" to a zip/rar file that I just submitted.

Second, here is the ComboFix log file:

ComboFix 10-01-02.01 - kevin 01/03/2010 1:02.1.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1746 [GMT -6:00]

Running from: c:\documents and settings\kevin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\EventSystem.log

c:\windows\Install.txt

c:\windows\msddr.dat

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\ctbv2.dll

c:\windows\system32\drivers\akjetlgb.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\KVI_111.dll

c:\windows\system32\o4Patch.exe

c:\windows\system32\OMsetup.exe

c:\windows\system32\Process.exe

c:\windows\system32\SHAgent.dll

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

c:\windows\system32\Xcite.dll

c:\windows\system32\Xcite.exe

c:\windows\unins000.dat

c:\windows\unins000.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IAS

-------\Legacy_WINSTS

-------\Service_jtvlck

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))

.

2010-01-03 00:23 . 2010-01-03 00:23 54016 ----a-w- c:\windows\system32\drivers\asgi.sys

2009-12-30 15:49 . 2009-12-30 15:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C31BA4B7C5A15CB4BA6A67F2188944C4.dll

2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A9814017295C65A4CAE9C7C01A53ADC3.dll

2009-12-30 06:40 . 2009-12-30 06:40 -------- d--h--r- c:\documents and settings\kevin\Application Data\SecuROM

2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\program files\AGEIA Technologies

2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\windows\system32\AGEIA

2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-30 06:40 . 2009-12-30 06:40 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys

2009-12-30 06:40 . 2009-12-30 06:40 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys

2009-12-29 02:15 . 2009-12-29 02:15 -------- d-----w- c:\program files\Symantec AntiVirus

2009-12-28 20:28 . 2010-01-03 07:22 767488 ----a-w- c:\windows\system32\drivers\mxgsow.sys

2009-12-28 12:23 . 2009-12-28 12:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-15 05:51 . 2009-12-15 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-12-09 17:20 . 2009-12-09 17:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-03 06:39 . 2007-07-01 14:56 -------- d-----w- c:\program files\My Installed Programs

2009-12-30 20:55 . 2009-03-15 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54 . 2009-03-15 18:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-30 12:02 . 2009-12-29 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2009-12-30 06:37 . 2002-12-29 02:03 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-28 12:28 . 2009-11-22 16:37 -------- d-----w- c:\documents and settings\kevin\Application Data\vlc

2009-12-15 17:29 . 2002-12-30 22:25 -------- d-----w- c:\program files\Eudora - Home

2009-12-08 22:22 . 2009-03-27 08:06 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-03 08:54 . 2008-08-03 23:47 -------- d-----w- c:\documents and settings\kevin\Application Data\dvdcss

2009-11-24 04:17 . 2004-02-01 04:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-21 15:51 . 2008-04-14 11:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-01 00:42 . 2004-10-24 07:13 53176 ----a-w- c:\documents and settings\kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-31 05:11 . 2009-10-31 05:11 512 ----atw- c:\windows\~DFD26C.tmp

2009-10-31 05:11 . 2009-10-31 05:11 16384 ----a-w- c:\windows\~DFD262.tmp

2009-10-31 05:11 . 2009-10-31 05:11 512 ----atw- c:\windows\~DFCE5E.tmp

2009-10-31 05:11 . 2009-10-31 05:11 16384 ----a-w- c:\windows\~DFCE54.tmp

2009-10-31 04:57 . 2002-12-28 18:50 23680 ----a-w- c:\windows\system32\emptyregdb.dat

2009-10-31 04:53 . 2009-10-31 04:53 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2009-10-31 04:51 . 2009-10-31 04:52 990208 ----a-w- c:\windows\system32\syssetup.dll

2009-10-29 07:45 . 2008-04-14 11:42 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2008-04-14 11:42 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2008-04-14 11:41 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2008-04-14 06:23 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2008-04-14 11:42 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2008-04-14 11:42 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2008-04-14 11:42 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-08 19:57 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 19:57 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 19:56 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2003-02-28 21:53 . 2003-02-28 21:53 66936 --sha-w- c:\windows\dlinfo_0.drv

.

------- Sigcheck -------

[-] 2009-10-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShockmachineReminder"="c:\program files\Shockwave\Shockmachine\SmReminder.exe" [2001-05-04 98304]

"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2003-09-02 106574]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]

"AIM"="c:\program files\My Installed Programs\AOL IM\aim.exe" [2005-08-05 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"QuickTime Task"="c:\program files\My Installed Programs\Quicktime\QTTask.exe" [2009-05-26 413696]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-20 335872]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-29 684032]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-04-01 69632]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]

"vptray"="c:\progra~1\MYINST~1\Symantec\vptray.exe" [2003-05-21 90112]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2005-05-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-19 82026]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-7-13 221295]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Canon\\CSCLIB\\CDPROCMN.exe"=

"c:\\Program Files\\Canon\\CSCLIB\\CDPROC.exe"=

"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\My Installed Programs\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\My Installed Programs\\AOL IM\\aim.exe"=

"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\My Installed Programs\\Shareaza\\Shareaza.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/20/2009 10:58 PM 24652]

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mxgsow

.

Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = 127.0.0.1

IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: tvguide.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

SharedTaskScheduler-{be8fcfb7-9f31-49c4-ba52-28f2577ca64b} - c:\windows\system32\rujudagu.dll

SSODL-godanudaw-{be8fcfb7-9f31-49c4-ba52-28f2577ca64b} - c:\windows\system32\rujudagu.dll

Notify-NavLogon - (no file)

AddRemove-AST - c:\windows\unast.exe

AddRemove-mini-player - c:\program files\ebkrdr\ebook.exe

AddRemove-Mozilla Firefox (2.0.0.12) - c:\program files\My Installed Programs\uninstall\helper.exe

AddRemove-PCI Audio Applications - c:\program files\PCI Audio Applications\Bin\Uninstall.exe

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe

AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-03 01:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mxgsow]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\

[HKEY_USERS\S-1-5-21-299502267-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\


Please make sure you install the recovery console when prompted.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=35100&st=0entry179013

Collect::[70]
c:\windows\system32\drivers\mxgsow.sys
c:\windows\system32\ndisdrv.sys
SRPeek::
c:\windows\system32\sfcfiles.dll
Driver::
ndisdrv
mxgsow

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Followed all instructions, and here's the new ComboFix.txt file.

ComboFix 10-01-02.01 - kevin 01/04/2010 13:26:41.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1281 [GMT -6:00]

Running from: c:\documents and settings\kevin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\kevin\Desktop\CFScript.txt

file zipped: c:\windows\system32\drivers\mxgsow.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\mxgsow.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MXGSOW

-------\Legacy_NDISDRV

-------\Service_mxgsow

-------\Service_ndisdrv

((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))

.

2010-01-03 07:37 . 2010-01-03 07:37 388096 ----a-r- c:\documents and settings\kevin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2009-12-30 15:49 . 2009-12-30 15:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C31BA4B7C5A15CB4BA6A67F2188944C4.dll

2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A9814017295C65A4CAE9C7C01A53ADC3.dll

2009-12-30 06:40 . 2009-12-30 06:40 -------- d--h--r- c:\documents and settings\kevin\Application Data\SecuROM

2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\program files\AGEIA Technologies

2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\windows\system32\AGEIA

2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-30 06:40 . 2009-12-30 06:40 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys

2009-12-30 06:40 . 2009-12-30 06:40 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys

2009-12-29 02:15 . 2009-12-29 02:15 -------- d-----w- c:\program files\Symantec AntiVirus

2009-12-28 12:23 . 2009-12-28 12:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-15 05:51 . 2009-12-15 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-12-09 17:20 . 2009-12-09 17:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-03 11:10 . 2008-04-14 06:10 96512 ------w- c:\windows\system32\drivers\atapi.sys

2010-01-03 09:03 . 2008-04-14 06:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp

2010-01-03 07:37 . 2007-07-01 14:56 -------- d-----w- c:\program files\My Installed Programs

2009-12-30 20:55 . 2009-03-15 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 20:54 . 2009-03-15 18:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-30 12:02 . 2009-12-29 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2009-12-30 06:37 . 2002-12-29 02:03 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-28 12:28 . 2009-11-22 16:37 -------- d-----w- c:\documents and settings\kevin\Application Data\vlc

2009-12-15 17:29 . 2002-12-30 22:25 -------- d-----w- c:\program files\Eudora - Home

2009-12-08 22:22 . 2009-03-27 08:06 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-03 08:54 . 2008-08-03 23:47 -------- d-----w- c:\documents and settings\kevin\Application Data\dvdcss

2009-11-24 04:17 . 2004-02-01 04:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-21 15:51 . 2008-04-14 11:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-01 00:42 . 2004-10-24 07:13 53176 ----a-w- c:\documents and settings\kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-31 05:11 . 2009-10-31 05:11 512 ----atw- c:\windows\~DFD26C.tmp

2009-10-31 05:11 . 2009-10-31 05:11 16384 ----a-w- c:\windows\~DFD262.tmp

2009-10-31 05:11 . 2009-10-31 05:11 512 ----atw- c:\windows\~DFCE5E.tmp

2009-10-31 05:11 . 2009-10-31 05:11 16384 ----a-w- c:\windows\~DFCE54.tmp

2009-10-31 04:57 . 2002-12-28 18:50 23680 ----a-w- c:\windows\system32\emptyregdb.dat

2009-10-31 04:53 . 2009-10-31 04:53 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2009-10-31 04:51 . 2009-10-31 04:52 990208 ----a-w- c:\windows\system32\syssetup.dll

2009-10-29 07:45 . 2008-04-14 11:42 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2008-04-14 11:42 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2008-04-14 11:41 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2008-04-14 06:23 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2008-04-14 11:42 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2008-04-14 11:42 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2008-04-14 11:42 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-08 19:57 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 19:57 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 19:56 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2003-02-28 21:53 . 2003-02-28 21:53 66936 --sha-w- c:\windows\dlinfo_0.drv

.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

------- Sigcheck -------

[-] 2009-10-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-01-03_07.21.26 )))))))))))))))))))))))))))))))))))))))))

.

- 2002-12-28 18:55 . 2010-01-03 06:42 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2002-12-28 18:55 . 2010-01-03 19:41 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2002-12-28 18:55 . 2010-01-03 06:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2002-12-28 18:55 . 2010-01-03 19:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-12-28 12:23 . 2010-01-03 06:52 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-12-28 12:23 . 2010-01-03 20:02 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2002-12-28 18:55 . 2010-01-03 19:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2002-12-28 18:55 . 2010-01-03 06:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-01-03 07:37 . 2010-01-03 07:37 1093632 c:\windows\Installer\105cbb.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShockmachineReminder"="c:\program files\Shockwave\Shockmachine\SmReminder.exe" [2001-05-04 98304]

"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2003-09-02 106574]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]

"AIM"="c:\program files\My Installed Programs\AOL IM\aim.exe" [2005-08-05 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"QuickTime Task"="c:\program files\My Installed Programs\Quicktime\QTTask.exe" [2009-05-26 413696]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-20 335872]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-29 684032]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-04-01 69632]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]

"vptray"="c:\progra~1\MYINST~1\Symantec\vptray.exe" [2003-05-21 90112]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2005-05-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-19 82026]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-7-13 221295]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Canon\\CSCLIB\\CDPROCMN.exe"=

"c:\\Program Files\\Canon\\CSCLIB\\CDPROC.exe"=

"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\My Installed Programs\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\My Installed Programs\\AOL IM\\aim.exe"=

"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\My Installed Programs\\Shareaza\\Shareaza.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/20/2009 10:58 PM 24652]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/15/2009 12:03 PM 38224]

.

Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = 127.0.0.1

IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: tvguide.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-04 13:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\

[HKEY_USERS\S-1-5-21-299502267-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\


So far so good, I just sent the file off to bleepingcomputers.com, though the only file I could find was

[70]-Submit_2010-01-04_13.24.27.zip

and not

[70]submit-2010 4-1.13:26.zip

As for afterwards, I've run a check and found one virus, and it was quarantined, though I also have a free version of Symantec Antivirus that detected something that it was unable to quarantine or affect in any way.

File Symantec found is here: "C:\WINDOWS\System32\Drivers\atapi.sys.tmp" and was identified as "Backdoor.Tidserv!inf"

My computer is disconnected from the internet until I know for certain whether there is any concern (so I'm sending this from my laptop).

Your thoughts,

Thanks in advance for all the help so far.

Kevin

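The ComboFix output above lists loaded services and drivers one per line (for example the `R2 Viewpoint Manager Service;...` and `S3 MBAMSwissArmy;...` entries), and the file Symantec flagged, `atapi.sys.tmp`, is a driver image with an extra extension tacked on. The following is an added example, not code from the original post or from ComboFix or Symantec: a small Python parser for that service-line format with a few triage heuristics of the kind a helper on this thread applies by eye. Assumptions: the leading `R`/`S` means running/stopped and the digit is the Windows service Start value (0 boot, 1 system, 2 auto, 3 demand, 4 disabled); a kernel driver is expected under `c:\windows\system32\drivers`; the third sample line, shaped like the `atapi.sys.tmp` file, is constructed here (its date, size and start type are invented for the example).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Matches ComboFix-style service/driver lines such as
#   R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\...\ViewpointService.exe [3/20/2009 10:58 PM 24652]
# Fields: R/S = running/stopped, digit = Start value, then name;display;path [date size]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<date>.*?)\s+(?P<size>\d+)\]\s*$"
)

# Assumed mapping of the leading digit to the Windows service Start value
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Heuristic: where a legitimate kernel driver image is expected to live (lower-case)
DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    date: str
    size: int


def parse_service_line(line: str):
    """Return a ServiceEntry for a ComboFix service line, or None if the line is not one."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=START_TYPES.get(m.group("start"), "unknown"),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=m.group("path").strip(),
        date=m.group("date").strip(),
        size=int(m.group("size")),
    )


def suspicious_reasons(entry: ServiceEntry):
    """Heuristic checks on one entry; each hit is a short human-readable reason."""
    reasons = []
    p = PureWindowsPath(entry.path.lower())
    suffixes = p.suffixes
    is_driver = ".sys" in suffixes
    # atapi.sys.tmp style: a driver image carrying an extra trailing extension
    if is_driver and suffixes[-1] != ".sys":
        reasons.append(f"driver image with extra extension {suffixes[-1]}")
    # kernel drivers normally live under system32\drivers
    if is_driver and str(p.parent) != DRIVER_DIR:
        reasons.append(f"driver loaded from unusual directory {p.parent}")
    # a boot/system-start driver that is already odd loads before any AV service does
    if is_driver and entry.start_type in ("boot", "system") and reasons:
        reasons.append(f"starts at {entry.start_type} time")
    return reasons


def triage(log_text: str):
    """Parse every service line in a log and return (name, path, reasons) for flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry.name, entry.path, reasons))
    return flagged


# Sample log: the two service lines from the ComboFix output in this thread, plus one
# CONSTRUCTED line (start type, date and size invented) shaped like the atapi.sys.tmp
# file that Symantec reported.
SAMPLE_LOG = r"""
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/20/2009 10:58 PM 24652]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/15/2009 12:03 PM 38224]
R0 atapi;atapi;c:\windows\system32\drivers\atapi.sys.tmp [1/4/2010 1:20 PM 96512]
"""

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {path}")
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the constructed `atapi` line is flagged (extra `.tmp` extension on a boot-start driver); the two real entries from the log pass both checks. The heuristics are deliberately narrow: a clean-looking path says nothing about the file's contents, which is why the final word on a driver like this comes from hashing it or checking its signature, not from the log line.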

Update: I was unable to remove this file via any anti-virus program I have installed.

I went to this website Backdoor.Tidserv!inf | Symantec and did most of the steps, but even in safe mode, the virus continued to show up.

When I went into Windows Recovery Console, I was able to "delete" the problematic file. Then I let my computer finish booting and let it run its virus scans, and the file wasn't found this time. I'm rebooting and running one final scan before I turn the system restore point back on and hook it up to the internet once more.

Thank you so much for all your help, as of right now my computer is free and clear of viruses (pending the final scan). I can't tell you how grateful I am for all your assistance.

If there is anything further you would like me to do to check my computer, do let me know.

Thank you

Kevin

=-=-=-=-=-=-=-=-=-=
