Jump to content

Need help removing Anti-malware Pro

jen_drinjak
 Share

Recommended Posts

jen_drinjak

jen_drinjak

Posted
Posted

Hi,

This is my second post regarding a household infection of antimalware pro. Unlike my laptop, this netbook is unable to run malwarebytes' anti-malware. It installs, but i think the infection is preventing it from running. I cannot even open the program, even after reinstalling. Please see my previous post for more details.

I following the "I'm infected, what do I do now?" instructions and have the following logs for anyone who is kind enough to help me.

Thanks again for the help,

Jennifer

DDS (Ver_10-11-27.01) - NTFSx86

Run by Jennifer Drinjak at 15:30:40.84 on Thu 12/02/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.624 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\OA012Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\WSED\WSED.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Jennifer Drinjak\Local Settings\Temporary Internet Files\Content.IE5\FQTJU70A\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [rqpommaudio] rundll32.exe "vttqpm.dll",s

uRun: [nnopqpaudio] rundll32.exe "wvtstq.dll",s

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [OA012Mon] c:\windows\OA012Mon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [WSED] c:\program files\wsed\WSED.exe

mRun: [<NO NAME>]

mRun: [bTMeter] c:\program files\battery meter\BTMeter.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [khiihfaudio] rundll32.exe "wvtstq.dll",s

mRun: [qoppqnsys] rundll32.exe "iiighi.dll",s

dRun: [yabbyvaudio] rundll32.exe "wvtstq.dll",s

dRun: [xxvsposys] rundll32.exe "iiighi.dll",s

StartupFolder: c:\docume~1\jennif~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 iiighi.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-12-1 14248]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-12-1 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-12-1 134144]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-12-1 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-12-1 272256]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-12-1 162816]

S1 xqkjxypi;xqkjxypi;\??\c:\windows\system32\drivers\xqkjxypi.sys --> c:\windows\system32\drivers\xqkjxypi.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-1 1684736]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]

=============== Created Last 30 ================

2010-12-02 19:32:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-02 19:32:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-02 19:32:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-02 18:19:35 -------- d-----w- c:\docume~1\jennif~1\applic~1\AVP 2009

2010-11-23 19:50:18 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2010-11-23 19:37:10 -------- d-----w- c:\program files\MyWebSearch

2010-11-23 19:36:56 -------- d-----w- c:\program files\FunWebProducts

2010-11-14 20:31:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-14 19:42:03 30 ----a-w- c:\windows\system32\VolumeMSPrLam.dll

==================== Find3M ====================

2010-10-27 01:25:08 98304 ---ha-w- c:\windows\system32\wvtstq.dll

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 1:51:16 PM, on 12/2/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17091)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\OA012Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\WSED\WSED.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Documents and Settings\Jennifer Drinjak\Local Settings\Temporary Internet Files\Content.IE5\HW8U5I08\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1

O1 - Hosts:

ark.zip

Attach.zip

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hello there, that looks like a bubnix rootkit.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Log.txt in your next reply.

Link to post
Share on other sites
jen_drinjak

jen_drinjak

Posted
  • Author
Posted

Ok, here's the log:

This machine is also giving error messages when booting up. "Error loading vttqpm.dll not found" and another dll file that i wasn't able to write down. I can get it if you need the name.

ComboFix 10-12-03.01 - Jennifer Drinjak 12/03/2010 16:58:01.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.656 [GMT -6:00]

Running from: c:\computer fixes\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\wvtstq.dll

.

---- Previous Run -------

.

c:\documents and settings\Jennifer Drinjak\Application Data\Install.dat

c:\documents and settings\Kat Drinjak\Application Data\FunWebProducts

c:\documents and settings\Kat Drinjak\Application Data\FunWebProducts\Data\Kat Drinjak\avatar.dat

c:\documents and settings\Kat Drinjak\Application Data\Install.dat

c:\program files\FunWebProducts

c:\program files\MyWebSearch

c:\program files\MyWebSearch\bar\History\search3

c:\program files\MyWebSearch\bar\Settings\s_pid.dat

c:\program files\MyWebSearch\bar\Settings\setting2.htm

c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak

c:\program files\MyWebSearch\bar\Settings\settings.dat

c:\program files\MyWebSearch\bar\Settings\settings.dat.bak

c:\windows\system32\config\system~1\applic~1\install.dat

c:\windows\system32\VolumeMSPrLam.dll

c:\windows\system32\wvtstq.dll

.

((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))

.

2010-12-03 22:24 . 2010-12-03 22:26 -------- d-----w- C:\Computer Fixes

2010-12-02 19:32 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-02 19:32 . 2010-12-02 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-02 19:32 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-02 18:19 . 2010-12-02 18:19 -------- d-----w- c:\documents and settings\Jennifer Drinjak\Application Data\AVP 2009

2010-11-24 04:55 . 2010-11-24 04:55 -------- d-----w- c:\documents and settings\Kat Drinjak\Local Settings\Application Data\Temp

2010-11-23 19:50 . 2010-11-23 19:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2010-11-14 20:33 . 2010-11-14 20:33 -------- d-----w- c:\program files\Common Files\Java

2010-11-14 20:31 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-14 19:42 . 2010-11-16 22:32 -------- d-----w- c:\documents and settings\Kat Drinjak\Application Data\AVP 2009

2010-11-14 03:38 . 2010-11-14 05:33 -------- d-----w- c:\program files\Windows Live Safety Center

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-03 23:07 . 2010-10-27 01:25 98304 ---ha-w- c:\windows\system32\wvtstq.dll

2010-09-18 17:23 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-25 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-25 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:29 . 2009-12-01 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-09 13:38 . 2008-04-25 20:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38 . 2008-04-25 20:33 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38 . 2008-04-25 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-09-09 13:38 . 2008-04-25 20:33 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57 . 2008-04-25 20:33 389120 ----a-w- c:\windows\system32\html.iec

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"nnopqpaudio"="wvtstq.dll" [2010-12-03 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]

"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]

"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]

"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"khiihfaudio"="wvtstq.dll" [2010-12-03 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"yabbyvaudio"="wvtstq.dll" [2010-12-03 98304]

c:\documents and settings\Jennifer Drinjak\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/1/2009 6:30 AM 14248]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/1/2009 6:35 AM 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/1/2009 8:00 AM 134144]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/1/2009 8:00 AM 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/1/2009 8:00 AM 272256]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/1/2009 7:59 AM 162816]

S1 xqkjxypi;xqkjxypi;\??\c:\windows\system32\drivers\xqkjxypi.sys --> c:\windows\system32\drivers\xqkjxypi.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/1/2009 7:59 AM 1684736]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]

.

Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-rqpommaudio - vttqpm.dll

HKLM-Run-qoppqnsys - iiighi.dll

HKU-Default-Run-xxvsposys - iiighi.dll

SafeBoot-mcmscsvc

SafeBoot-MCODS

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-03 17:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\windows\System32\BCMLogon.dll

c:\windows\system32\wvtstq.dll

- - - - - - - > 'explorer.exe'(860)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\wvtstq.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2010-12-03 17:09:25 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-03 23:09

Pre-Run: 138,775,158,784 bytes free

Post-Run: 138,673,516,544 bytes free

- - End Of File - - 790F839D9C96B6AE35FE2F3A51048B23

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hi again, no need to note them down, I see the entries in your log. :( Let me know how things are after the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

File::
c:\windows\system32\wvtstq.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nnopqpaudio"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"khiihfaudio"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"yabbyvaudio"=- 

Driver::
xqkjxypi

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites
jen_drinjak

jen_drinjak

Posted
  • Author
Posted

ComboFix 10-12-03.03 - Jennifer Drinjak 12/04/2010 11:20:15.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.574 [GMT -6:00]

Running from: c:\computer fixes\ComboFix.exe

Command switches used :: c:\computer fixes\CFScript.txt

FILE ::

"c:\windows\system32\wvtstq.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\wvtstq.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_xqkjxypi

((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))

.

2010-12-03 22:24 . 2010-12-04 17:20 -------- d-----w- C:\Computer Fixes

2010-12-02 19:32 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-02 19:32 . 2010-12-02 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-02 19:32 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-02 18:19 . 2010-12-02 18:19 -------- d-----w- c:\documents and settings\Jennifer Drinjak\Application Data\AVP 2009

2010-11-24 04:55 . 2010-11-24 04:55 -------- d-----w- c:\documents and settings\Kat Drinjak\Local Settings\Application Data\Temp

2010-11-23 19:50 . 2010-11-23 19:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2010-11-14 20:33 . 2010-11-14 20:33 -------- d-----w- c:\program files\Common Files\Java

2010-11-14 20:31 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-14 19:42 . 2010-11-16 22:32 -------- d-----w- c:\documents and settings\Kat Drinjak\Application Data\AVP 2009

2010-11-14 03:38 . 2010-11-14 05:33 -------- d-----w- c:\program files\Windows Live Safety Center

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 17:23 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-25 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-25 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:29 . 2009-12-01 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-09 13:38 . 2008-04-25 20:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38 . 2008-04-25 20:33 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38 . 2008-04-25 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-09-09 13:38 . 2008-04-25 20:33 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57 . 2008-04-25 20:33 389120 ----a-w- c:\windows\system32\html.iec

.

((((((((((((((((((((((((((((( SnapShot@2010-12-03_23.06.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-12-04 17:27 . 2010-12-04 17:27 16384 c:\windows\Temp\Perflib_Perfdata_2ac.dat

+ 2010-12-04 17:10 . 2010-12-04 17:10 188416 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000002\UsrClass.dat

+ 2010-12-04 17:10 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\12-4-2010\ERDNT.EXE

+ 2010-12-04 17:10 . 2010-12-04 17:10 3002368 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000001\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ursqopaudio"="wvtstq.dll" [2010-12-04 0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]

"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]

"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]

"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"pmkhgfaudio"="wvtstq.dll" [2010-12-04 0]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"awwwuuaudio"="wvtstq.dll" [2010-12-04 0]

c:\documents and settings\Jennifer Drinjak\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/1/2009 6:30 AM 14248]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/1/2009 6:35 AM 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/1/2009 8:00 AM 134144]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/1/2009 8:00 AM 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/1/2009 8:00 AM 272256]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/1/2009 7:59 AM 162816]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/1/2009 7:59 AM 1684736]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]

.

Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-04 11:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\JENNIF~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2676)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2010-12-04 11:31:15 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-04 17:31

ComboFix2.txt 2010-12-03 23:09

Pre-Run: 138,640,867,328 bytes free

Post-Run: 138,631,012,352 bytes free

- - End Of File - - E32EFC2D0C80F613E7FBE0301A4F1F3E

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hi again, that still didn't do the trick. Lets see if this works.

Run the following as a CFscript, just like last time and post me the log.

KillAll::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ursqopaudio"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmkhgfaudio"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"awwwuuaudio"=-

Rootkit::
c:\windows\system32\wvtstq.dll

Link to post
Share on other sites
jen_drinjak

jen_drinjak

Posted
  • Author
Posted

Hi here's the latest log. After running the combofix, I noticed that when it rebooted, I did not see any dll errors. So, hopefully, that is a good sign. :( Thanks again for working through this with me.

ComboFix 10-12-04.01 - Jennifer Drinjak 12/05/2010 8:57.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.613 [GMT -6:00]

Running from: c:\computer fixes\ComboFix.exe

Command switches used :: c:\computer fixes\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\wvtstq.dll

.

((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))

.

2010-12-03 22:24 . 2010-12-05 14:57 -------- d-----w- C:\Computer Fixes

2010-12-02 19:32 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-02 19:32 . 2010-12-02 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-02 19:32 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-02 18:19 . 2010-12-02 18:19 -------- d-----w- c:\documents and settings\Jennifer Drinjak\Application Data\AVP 2009

2010-11-24 04:55 . 2010-11-24 04:55 -------- d-----w- c:\documents and settings\Kat Drinjak\Local Settings\Application Data\Temp

2010-11-23 19:50 . 2010-11-23 19:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2010-11-14 20:33 . 2010-11-14 20:33 -------- d-----w- c:\program files\Common Files\Java

2010-11-14 20:31 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-14 19:42 . 2010-11-16 22:32 -------- d-----w- c:\documents and settings\Kat Drinjak\Application Data\AVP 2009

2010-11-14 03:38 . 2010-11-14 05:33 -------- d-----w- c:\program files\Windows Live Safety Center

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 17:23 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-25 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-25 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:29 . 2009-12-01 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-09 13:38 . 2008-04-25 20:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38 . 2008-04-25 20:33 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38 . 2008-04-25 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-09-09 13:38 . 2008-04-25 20:33 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57 . 2008-04-25 20:33 389120 ----a-w- c:\windows\system32\html.iec

.

((((((((((((((((((((((((((((( SnapShot@2010-12-03_23.06.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-12-05 15:02 . 2010-12-05 15:02 16384 c:\windows\temp\Perflib_Perfdata_29c.dat

+ 2010-12-05 15:03 . 2010-12-05 15:03 188416 c:\windows\ERDNT\AutoBackup\12-5-2010\Users\00000002\UsrClass.dat

+ 2010-12-05 15:03 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\12-5-2010\ERDNT.EXE

+ 2010-12-04 17:10 . 2010-12-04 17:10 188416 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000002\UsrClass.dat

+ 2010-12-04 17:10 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\12-4-2010\ERDNT.EXE

+ 2010-12-05 15:03 . 2010-12-05 15:03 3002368 c:\windows\ERDNT\AutoBackup\12-5-2010\Users\00000001\NTUSER.DAT

+ 2010-12-04 17:10 . 2010-12-04 17:10 3002368 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000001\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]

"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]

"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]

"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Jennifer Drinjak\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/1/2009 6:30 AM 14248]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/1/2009 6:35 AM 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/1/2009 8:00 AM 134144]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/1/2009 8:00 AM 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/1/2009 8:00 AM 272256]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/1/2009 7:59 AM 162816]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/1/2009 7:59 AM 1684736]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]

.

Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-05 09:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2492)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2010-12-05 09:06:26 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-05 15:06

ComboFix2.txt 2010-12-04 17:31

ComboFix3.txt 2010-12-03 23:09

Pre-Run: 138,611,494,912 bytes free

Post-Run: 138,569,445,376 bytes free

- - End Of File - - 62010F887228B6C70738BB1A8DEAF2F1

Link to post
Share on other sites
jen_drinjak

jen_drinjak

Posted
  • Author
Posted

Here's the MBAM log; it was able to remove several viruses & trojans.

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5249

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

12/5/2010 1:44:24 PM

mbam-log-2010-12-05 (13-44-24).txt

Scan type: Full scan (C:\|)

Objects scanned: 173173

Time elapsed: 14 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\Java\jre6\bin\java.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0000018.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0001105.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0001119.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0001306.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\java.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hi again, those were mostly leftovers. Do you have any problems left?

INSTALL ANTIVIRUS

---------------------------

I don't see an Anti Virus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated

New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Please scan your computer with the AV you just installed and let me know if anything was found.

Link to post
Share on other sites
  • 4 weeks later...
LDTate

LDTate

Posted
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.