
MBAM won't remove MS Juan and MS Track System



Malwarebytes' Anti-Malware 1.30

Database version: 1337

Windows 5.1.2600 Service Pack 3

10/29/2008 12:29:04 PM

mbam-log-2008-10-29 (12-29-04).txt

Scan type: Quick Scan

Objects scanned: 55305

Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:37:21 PM, on 10/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\hasplms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: Yahoo!


This is what the Free ESET scan gave me at the end.

Win32/Adware.SuperJuan application (unable to clean - deleted)

C:\WINDOWS\system32\xkxovseh.dll

Win32/Adware.SuperJuan application (unable to clean - deleted)

C:\WINDOWS\system32\wxpjyqyq.dll

Win32/Adware.SuperJuan application (unable to clean - deleted (after the next restart))

C:\WINDOWS\system32\rzcatw.dll

Win32/Adware.SuperJuan application (unable to clean - deleted (after the next restart))

C:\WINDOWS\system32\fmoquy.dll


Check the following entries, then click on the Fix Checked button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

O2 - BHO: {001c5cde-f32a-4deb-6844-ea64b419d72c} - {c27d914b-46ae-4486-bed4-a23fedc5c100} - C:\WINDOWS\system32\rzcatw.dll (file missing)

O20 - AppInit_DLLs: fmoquy.dll rzcatw.dll

Also download and run ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Open the program, and press Y when asked to answer Yes or No.

Your system may look frozen while it is running. Please do not click the window or do anything while it's running. When it finishes, post the contents of C:\ComboFix.txt.


ComboFix 08-10-29.07 - user 2008-10-29 14:00:36.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.470 [GMT -5:00]

Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\user\Application Data\Adobe\Player.exe.bak

.

((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))

.

2008-10-29 13:36 . 2008-10-29 13:36 <DIR> d-------- C:\Program Files\Trend Micro

2008-10-29 13:30 . 2008-10-13 18:16 109,568 --a------ C:\WINDOWS\system32\rzcatw.Vdll

2008-10-29 13:30 . 2008-10-13 13:24 109,568 --a------ C:\WINDOWS\system32\fmoquy.Vdll

2008-10-29 12:31 . 2008-10-29 13:31 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-10-29 12:07 . 2008-10-29 12:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-10-29 00:47 . 2008-10-29 02:54 <DIR> d-------- C:\Documents and Settings\user\Application Data\BitTorrent

2008-10-27 20:34 . 2008-10-27 20:34 <DIR> d-------- C:\VundoFix Backups

2008-10-24 16:37 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll

2008-10-15 06:49 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-15 06:48 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-15 06:48 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-15 06:48 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-15 06:48 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-15 06:48 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

2008-10-14 23:29 . 2008-10-14 23:29 <DIR> d-------- C:\Program Files\DivXCodec

2008-10-13 19:08 . 2005-01-13 21:41 11,254 --a------ C:\WINDOWS\system32\locate.com

2008-10-13 19:06 . 2008-10-13 19:09 <DIR> d-------- C:\MGtools

2008-10-13 19:06 . 2008-10-13 19:09 51,556 --a------ C:\MGlogs.zip

2008-10-13 17:32 . 2008-10-13 17:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes

2008-10-13 17:31 . 2008-10-24 16:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-10-13 17:31 . 2008-10-13 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-10-13 17:31 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-13 17:31 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-13 15:59 . 2008-10-13 15:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-10-13 15:59 . 2008-10-13 15:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com

2008-10-13 15:59 . 2008-10-13 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-10-13 15:58 . 2008-10-13 15:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-10-13 15:56 . 2008-10-13 15:56 1,312,462 --a------ C:\MGtools.exe

2008-10-13 13:26 . 2008-10-13 13:26 <DIR> d-------- C:\Program Files\CCleaner

2008-10-13 00:57 . 2008-10-13 00:57 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll

2008-10-13 00:57 . 2008-10-13 00:57 63,488 --a------ C:\WINDOWS\system32\tfdsx.xl

2008-10-13 00:57 . 2008-10-13 00:57 32,768 --a------ C:\WINDOWS\system32\fe.sp

2008-10-13 00:57 . 2008-10-13 00:57 32,768 --a------ C:\WINDOWS\system32\3fcv.ra

2008-10-03 17:53 . 2008-10-03 17:53 <DIR> d-------- C:\Program Files\MSECache

2008-10-03 14:34 . 2008-10-03 14:34 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll

2008-10-03 14:34 . 2008-10-03 14:34 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

2008-10-03 14:14 . 2008-10-03 14:14 187,952 --a------ C:\WINDOWS\system32\drivers\symtdi.sys

2008-10-03 14:14 . 2008-10-03 14:14 146,096 --a------ C:\WINDOWS\system32\drivers\symfw.sys

2008-10-03 14:14 . 2008-10-03 14:14 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys

2008-10-03 14:14 . 2008-10-03 14:14 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys

2008-10-03 14:14 . 2008-10-03 14:14 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys

2008-10-03 14:14 . 2008-10-03 14:14 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys

2008-10-03 14:14 . 2008-10-03 14:14 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

2008-10-03 14:14 . 2008-10-03 14:14 10,804 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat

2008-10-03 14:14 . 2008-10-03 14:14 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-29 19:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-10-29 18:59 --------- d-----w C:\Documents and Settings\user\Application Data\DNA

2008-10-29 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-10-26 05:22 --------- d-----w C:\Documents and Settings\user\Application Data\Apple Computer

2008-10-23 03:00 --------- d-----w C:\Program Files\TVUPlayer

2008-10-15 04:46 --------- d-----w C:\Program Files\DivX

2008-10-13 05:57 578,560 ----a-w C:\WINDOWS\system32\user32.DLL

2008-10-12 23:39 --------- d-----w C:\Program Files\DNA

2008-10-07 14:15 --------- d-----w C:\Documents and Settings\user\Application Data\U3

2008-09-16 00:14 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-09-16 00:12 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-09-16 00:12 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-09-16 00:12 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-09-16 00:12 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-09-16 00:12 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-09-16 00:12 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-09-16 00:12 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-09-16 00:11 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll

2008-09-16 00:11 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\DivX.dll

2008-09-16 00:11 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-09-16 00:11 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-31 22:15 --------- d-----w C:\Program Files\Apple Software Update

2008-08-31 22:10 --------- d-----w C:\Program Files\iTunes

2008-08-31 22:10 --------- d-----w C:\Program Files\iPod

2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-21 04:30 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-07-08 16:23 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070820080709\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="1" [X]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-10-12 289088]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-03-14 54832]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]

"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 771704]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-03-04 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]

2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=fmoquy.dll rzcatw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\DNA\\btdna.exe"=

"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-09-19 22:37 41456]

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 351744]

R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff34103d-2d15-11dc-b5b4-000ea6d19f37}]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff34103f-2d15-11dc-b5b4-000ea6d19f37}]

\Shell\Auto\command - system16.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system16.exe

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-10-21 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - user.job

- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 04:09]

.

- - - - ORPHANS REMOVED - - - -

BHO-{c27d914b-46ae-4486-bed4-a23fedc5c100} - C:\WINDOWS\system32\rzcatw.dll

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\upi8qxqt.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com

FF -: plugin - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\upi8qxqt.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-29 14:02:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\fmoquy.dll

-> C:\WINDOWS\system32\rzcatw.dll

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\WINDOWS\system32\fmoquy.dll

-> C:\WINDOWS\system32\rzcatw.dll

.

Completion time: 2008-10-29 14:05:04

ComboFix-quarantined-files.txt 2008-10-29 19:04:26

ComboFix2.txt 2008-10-14 00:02:01

Pre-Run: 142,135,050,240 bytes free

Post-Run: 142,198,579,200 bytes free

216 --- E O F --- 2008-10-25 03:14:47


First of all, restart your computer.

Then look if the following files are present:

C:\WINDOWS\system32\xkxovseh.dll

C:\WINDOWS\system32\wxpjyqyq.dll

C:\WINDOWS\system32\rzcatw.dll

C:\WINDOWS\system32\fmoquy.dll

(the files that ESET detected)

and, if so, attach them in a zipped folder here in a new topic you start; please link back to your thread in the HJT forum.

If they aren't, run another scan with MBAM and see if it still detects the registry entries.

The ComboFix log was not complete. It creates an HJT log. Update MBAM, run a quick scan, and post that log and a new HJT log.

Edited by JeanInMontana
This log work is being monitored for safety of the user
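The two helper instructions above (fix the `O20 - AppInit_DLLs` entry in HijackThis, then check whether the ESET-detected DLLs still exist on disk) both hinge on the same mechanism: anything named in the `AppInit_DLLs` value under `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows` is loaded by user32.dll into every process that links it, which is why the ComboFix log shows `fmoquy.dll` and `rzcatw.dll` inside winlogon.exe and lsass.exe, and why a plain file deletion fails while those processes hold the DLLs open. The script below is an added triage example, not a tool from this thread or from Malwarebytes or ComboFix: it parses a ComboFix-style log, pulls out the `AppInit_DLLs` names, the processes each one was observed loaded into, and any recently created file with the same stem (ComboFix renames a DLL it has scheduled for removal to `.Vdll`, as the posted log shows). The log excerpt embedded in it is constructed to mirror the layout of the log posted in this thread; the section markers it keys on are taken from that layout and are an assumption about the format, not a documented one.

```python
"""Triage helper for ComboFix-style logs: cross-reference the AppInit_DLLs
value with the processes those DLLs were seen loaded into and with recently
created files.  Added example; the section markers ('Files Created from',
'Reg Loading Points', 'DLLs Loaded Under Running Processes', a lone '.' as
section terminator) are assumed from the log layout seen in the thread.
"""
import re
from typing import Dict, List

# Constructed excerpt mirroring the posted log (names taken from it).
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.
2008-10-29 13:30 . 2008-10-13 18:16 109,568 --a------ C:\\WINDOWS\\system32\\rzcatw.Vdll
2008-10-29 13:30 . 2008-10-13 13:24 109,568 --a------ C:\\WINDOWS\\system32\\fmoquy.Vdll
2008-10-13 17:31 . 2008-10-22 16:10 15,504 --a------ C:\\WINDOWS\\system32\\drivers\\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=fmoquy.dll rzcatw.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\\WINDOWS\\system32\\winlogon.exe
-> C:\\WINDOWS\\system32\\fmoquy.dll
-> C:\\WINDOWS\\system32\\rzcatw.dll
PROCESS: C:\\WINDOWS\\system32\\lsass.exe
-> C:\\WINDOWS\\system32\\fmoquy.dll
.
Completion time: 2008-10-29 14:05:04
"""

APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.MULTILINE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def appinit_dlls(log: str) -> List[str]:
    """DLL names listed in the AppInit_DLLs value (space or comma separated)."""
    m = APPINIT_RE.search(log)
    if not m:
        return []
    return [d.lower() for d in re.split(r"[ ,]+", m.group(1).strip()) if d]


def loaded_dlls_by_process(log: str) -> Dict[str, List[str]]:
    """Parse 'DLLs Loaded Under Running Processes' into {process: [dll, ...]}."""
    result: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for line in log.splitlines():
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("PROCESS: "):
            current = line[len("PROCESS: "):].strip()
            result[current] = []
        elif line.startswith("-> ") and current is not None:
            result[current].append(line[3:].strip())
        elif line.strip() == ".":
            break  # lone '.' ends the section in this layout
    return result


def recently_created(log: str) -> List[str]:
    """File paths listed in the 'Files Created' section."""
    paths: List[str] = []
    in_section = False
    for line in log.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("(((("):  # next banner section
                break
            m = re.search(r"\s([A-Za-z]:\\.*)$", line)
            if m:
                paths.append(m.group(1).strip())
    return paths


def triage(log: str) -> Dict[str, dict]:
    """For each AppInit DLL: processes it was loaded into, and recently
    created files sharing its stem (catches the .Vdll rename)."""
    created = recently_created(log)
    loaded = loaded_dlls_by_process(log)
    report: Dict[str, dict] = {}
    for dll in appinit_dlls(log):
        stem = dll.rsplit(".", 1)[0]
        procs = sorted(basename(p) for p, dlls in loaded.items()
                       if any(basename(d) == dll for d in dlls))
        files = [c for c in created if basename(c).startswith(stem + ".")]
        report[dll] = {"loaded_in": procs, "recent_files": files}
    return report


if __name__ == "__main__":
    for dll, info in triage(SAMPLE_LOG).items():
        print(f"{dll}: loaded in {info['loaded_in']}; "
              f"recent files {info['recent_files']}")
```

The report makes the helper's reasoning explicit: a DLL that is both named in `AppInit_DLLs` and loaded into winlogon.exe or lsass.exe will not be removable until the value is cleared and the machine rebooted, which is why the post asks for a restart before checking whether the files are still there.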

Malwarebytes' Anti-Malware 1.30

Database version: 1337

Windows 5.1.2600 Service Pack 3

10/29/2008 2:36:10 PM

mbam-log-2008-10-29 (14-36-10).txt

Scan type: Quick Scan

Objects scanned: 52359

Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


ComboFix 08-10-29.07 - user 2008-10-29 14:37:51.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.524 [GMT -5:00]

Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))

.

2008-10-29 13:36 . 2008-10-29 13:36 <DIR> d-------- C:\Program Files\Trend Micro

2008-10-29 12:31 . 2008-10-29 13:31 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-10-29 12:07 . 2008-10-29 12:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-10-29 00:47 . 2008-10-29 02:54 <DIR> d-------- C:\Documents and Settings\user\Application Data\BitTorrent

2008-10-27 20:34 . 2008-10-27 20:34 <DIR> d-------- C:\VundoFix Backups

2008-10-24 16:37 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll

2008-10-15 06:49 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-15 06:48 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-15 06:48 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-15 06:48 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-15 06:48 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-15 06:48 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

2008-10-14 23:29 . 2008-10-14 23:29 <DIR> d-------- C:\Program Files\DivXCodec

2008-10-13 19:08 . 2005-01-13 21:41 11,254 --a------ C:\WINDOWS\system32\locate.com

2008-10-13 19:06 . 2008-10-13 19:09 <DIR> d-------- C:\MGtools

2008-10-13 19:06 . 2008-10-13 19:09 51,556 --a------ C:\MGlogs.zip

2008-10-13 17:32 . 2008-10-13 17:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes

2008-10-13 17:31 . 2008-10-24 16:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-10-13 17:31 . 2008-10-13 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-10-13 17:31 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-13 17:31 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-13 15:59 . 2008-10-13 15:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-10-13 15:59 . 2008-10-13 15:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com

2008-10-13 15:59 . 2008-10-13 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-10-13 15:58 . 2008-10-13 15:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-10-13 15:56 . 2008-10-13 15:56 1,312,462 --a------ C:\MGtools.exe

2008-10-13 13:26 . 2008-10-13 13:26 <DIR> d-------- C:\Program Files\CCleaner

2008-10-13 00:57 . 2008-10-13 00:57 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll

2008-10-13 00:57 . 2008-10-13 00:57 63,488 --a------ C:\WINDOWS\system32\tfdsx.xl

2008-10-13 00:57 . 2008-10-13 00:57 32,768 --a------ C:\WINDOWS\system32\fe.sp

2008-10-13 00:57 . 2008-10-13 00:57 32,768 --a------ C:\WINDOWS\system32\3fcv.ra

2008-10-03 17:53 . 2008-10-03 17:53 <DIR> d-------- C:\Program Files\MSECache

2008-10-03 14:34 . 2008-10-03 14:34 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll

2008-10-03 14:34 . 2008-10-03 14:34 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

2008-10-03 14:14 . 2008-10-03 14:14 187,952 --a------ C:\WINDOWS\system32\drivers\symtdi.sys

2008-10-03 14:14 . 2008-10-03 14:14 146,096 --a------ C:\WINDOWS\system32\drivers\symfw.sys

2008-10-03 14:14 . 2008-10-03 14:14 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys

2008-10-03 14:14 . 2008-10-03 14:14 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys

2008-10-03 14:14 . 2008-10-03 14:14 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys

2008-10-03 14:14 . 2008-10-03 14:14 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys

2008-10-03 14:14 . 2008-10-03 14:14 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

2008-10-03 14:14 . 2008-10-03 14:14 10,804 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat

2008-10-03 14:14 . 2008-10-03 14:14 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-29 19:32 --------- d-----w C:\Documents and Settings\user\Application Data\DNA

2008-10-29 19:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-10-29 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-10-26 05:22 --------- d-----w C:\Documents and Settings\user\Application Data\Apple Computer

2008-10-23 03:00 --------- d-----w C:\Program Files\TVUPlayer

2008-10-15 04:46 --------- d-----w C:\Program Files\DivX

2008-10-13 05:57 578,560 ----a-w C:\WINDOWS\system32\user32.DLL

2008-10-12 23:39 --------- d-----w C:\Program Files\DNA

2008-10-07 14:15 --------- d-----w C:\Documents and Settings\user\Application Data\U3

2008-09-16 00:14 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-09-16 00:12 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-09-16 00:12 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-09-16 00:12 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-09-16 00:12 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-09-16 00:12 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-09-16 00:12 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-09-16 00:12 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-09-16 00:11 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll

2008-09-16 00:11 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\DivX.dll

2008-09-16 00:11 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-09-16 00:11 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-31 22:15 --------- d-----w C:\Program Files\Apple Software Update

2008-08-31 22:10 --------- d-----w C:\Program Files\iTunes

2008-08-31 22:10 --------- d-----w C:\Program Files\iPod

2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-21 04:30 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-07-08 16:23 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070820080709\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="1" [X]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-10-12 289088]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-03-14 54832]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]

"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 771704]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-03-04 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]

2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=fmoquy.dll rzcatw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\DNA\\btdna.exe"=

"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-09-19 22:37 41456]

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 351744]

R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff34103d-2d15-11dc-b5b4-000ea6d19f37}]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff34103f-2d15-11dc-b5b4-000ea6d19f37}]

\Shell\Auto\command - system16.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system16.exe

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-10-21 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - user.job

- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 04:09]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\upi8qxqt.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com

FF -: plugin - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\upi8qxqt.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-29 14:39:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-10-29 14:42:12

ComboFix-quarantined-files.txt 2008-10-29 19:41:32

ComboFix2.txt 2008-10-29 19:05:06

ComboFix3.txt 2008-10-14 00:02:01

Pre-Run: 142,208,958,464 bytes free

Post-Run: 142,199,005,184 bytes free

200 --- E O F --- 2008-10-25 03:14:47


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:03:33 PM, on 10/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\hasplms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: Yahoo!


OK, please run HJT again in scan-only mode, place a check next to the following items and then click Fix.

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O20 - AppInit_DLLs: fmoquy.dll rzcatw.dll

You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove Programs and delete the program folder also. Then go here: Java Update, and install the correct version for your system. Choose the offline installation.

Now please reboot your machine. Update MBAM, run a quick scan, and post that log and a new HJT log.

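As an added illustration, not code from this thread or from any of the tools named in it: a small triage script that reads ComboFix-style registry lines like the ones in the log above and flags the entries the helpers acted on, namely a populated AppInit_DLLs value, Security Center monitoring switched off, the Windows Firewall disabled, and autorun handlers under mountpoints2. The sample log embedded in the script is constructed from those entries; the rule wording and the Finding structure are my own choices and are not anything ComboFix or HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    key: str      # registry key the entry sits under
    entry: str    # value name, or the Shell verb for mountpoints2 entries
    detail: str   # raw data as it appears in the log
    reason: str   # why a reviewer should look at it


# Constructed sample mirroring the layout of the ComboFix log quoted above.
# One benign drivers32 line is included to show that it is not flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=fmoquy.dll rzcatw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff34103f-2d15-11dc-b5b4-000ea6d19f37}]

\Shell\Auto\command - system16.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system16.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')           # "Name"=data
SHELL_RE = re.compile(r'^\\Shell\\(\w+)\\command - (.*)$')  # \Shell\Verb\command - cmd


def parse_number(raw: str) -> Optional[int]:
    """Turn 'dword:00000001' or ' 0 (0x0)' into an int; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk the dump line by line, remembering the current key, and apply the rules."""
    findings: List[Finding] = []
    key = ''
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        lkey = key.lower()

        # Autorun handlers recorded for removable drives (mountpoints2).
        sm = SHELL_RE.match(line)
        if sm and 'mountpoints2' in lkey:
            verb, cmd = sm.groups()
            findings.append(Finding(key, verb, cmd,
                'autorun handler for a removable drive; verify the command target'))
            continue

        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, data = vm.groups()
        lname = name.lower()
        if lname == 'appinit_dlls' and lkey.endswith(r'currentversion\windows') and data.strip():
            findings.append(Finding(key, name, data.strip(),
                'AppInit_DLLs is loaded into every user-mode process; it is normally empty'))
        elif lname == 'disablemonitoring' and 'security center' in lkey and parse_number(data) == 1:
            findings.append(Finding(key, name, data.strip(),
                'Security Center monitoring is off; legitimate only if a third-party suite owns it'))
        elif lname == 'enablefirewall' and 'firewallpolicy' in lkey and parse_number(data) == 0:
            findings.append(Finding(key, name, data.strip(),
                'Windows Firewall is disabled for this profile'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.entry:18} {f.detail}\n    {f.reason}')
```

Each finding carries the key it was found under so the reader can match it back to the log, and the DisableMonitoring rule deliberately says "verify" rather than "malicious", because a third-party suite such as the Symantec product in this log commonly sets that value itself.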

@Xtreme15

The entry that Emperor Darius had you remove here:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

...is not malicious. It is related to your Yahoo companion. It is expected to reappear (as it has in your latest log) the next time you open Yahoo and use the companion...so no need to be alarmed in that regard.

It also appears from the cf log, that you have had some AWF issues as evidenced by the entry "Player.exe.bak"...

It may be best for you, too, if you were able to remove the YOP, since it would indeed be causing you some conflict with your on-board antivirus software from Symantec.

I would hazard a rather well educated guess that most of your current issues are directly related to your use of the BitTorrent software. If you were to have read the sticky posts at the top of the hjt forum you would have known that your original assistant was not approved. You can read more on that Here.

Carry on with your expert assistant JeanInMontana...at least now, you're in good hands!


Malwarebytes' Anti-Malware 1.30

Database version: 1337

Windows 5.1.2600 Service Pack 3

10/29/2008 6:36:22 PM

mbam-log-2008-10-29 (18-36-22).txt

Scan type: Quick Scan

Objects scanned: 53283

Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:36:42 PM, on 10/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\hasplms.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: Yahoo!


Y.O.P.=Yahoo Online Protection

To remove it:

Go to Add/Remove Programs and find either AT&T Yahoo Applications or SBC Yahoo Applications. Click Remove and a window will open. Here you can select the entire Online Protection Package or individual programs for removal. Check the box(es) and then click the Uninstall button.


BitTorrent is usually used to download illegal music or videos. It is most likely how you got infected also.

Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy, and always immunize with SBS&D when you update. You will also need at least one other scanning program; a-squared or SUPERAntiSpyware are good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP and Vista is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

The Windows firewall is not sufficient to protect you. It doesn't monitor outgoing traffic, and this is a must. I use and recommend Online Armor Free.

Also the full protection of MBAM is offered at a very low price, from the link in my signature.
