Jump to content

Recommended Posts

While surfing with Firefox my browser restarted. It was then that I started to get notices from WinPatrol that programs were wanting to start. I answered "no" to the alerts and ran my anti-virus software (Microsoft Security Essentials). There were no viruses detected. So I rant Malwarebytes Anti Malware and found 3 infections. One of them was IPH.Trojan.Hiloti.B. I quarantined and deleted this and I am still getting a message from WinPatrol asking me if I want to approve the addition of a program startup setting. WinPatrol is wanting to allow the startup of igfxtray.exe which I realize is just an Intel Graphics Accelerator but I am afraid that there might be something more to this. I have looked at the Startup Processes in WinPatrol and igfxtray.exe is there but there is no company associated with this file. I have tried to disable and remove but it won't go away. I keep getting a popup from WinPatrol asking me if I want to allow the program to continue.

Here is my log file from Malwarebytes.

Before deletion:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6172

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/26/2011 12:29:39 AM

mbam-log-2011-03-26 (00-29-39).txt

Scan type: Quick scan

Objects scanned: 44513

Time elapsed: 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\uxosadiyurega.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ukagojikeh (IPH.Trojan.Hiloti.B) -> Value: Ukagojikeh -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\uxosadiyurega.dll (IPH.Trojan.Hiloti.B) -> Quarantined and deleted successfully.

After deletion:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6172

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/26/2011 10:53:10 AM

mbam-log-2011-03-26 (10-53-10).txt

Scan type: Quick scan

Objects scanned: 231333

Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thanks!

Link to post
Share on other sites

Hello bellio! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 2

Download DDS and save it to your desktop from here, here or here

Double click dds to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. DDS log with Attach.txt

Link to post
Share on other sites

Hello bellio! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 2

Download DDS and save it to your desktop from here, here or here

Double click dds to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. DDS log with Attach.txt

Thank you for helping me.

Here the logs.

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6186

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/27/2011 4:36:29 PM

mbam-log-2011-03-27 (16-36-29).txt

Scan type: Quick scan

Objects scanned: 231796

Time elapsed: 15 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Brian at 16:37:44.59 on Sun 03/27/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.338 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Tanagra\Memeo\MemeoService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

-k netsvcs

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Brian\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://kansas.scout.com/index.html

uInternet Connection Wizard,ShellNext = iexplore

BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn0\ycomp5_5_7_0.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll

TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn0\ycomp5_5_7_0.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\ypager.exe" -quiet

uRun: [Java Platform SE binary] c:\documents and settings\brian\desktop\jre-6u15-windows-i586-s.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg

mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE

mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.0\SetHook.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\documents and settings\brian\start menu\programs\startup\igfxtray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://messenger.zone.msn.com/binary/ZAxRcMgr.cab

DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam.thesandbar.com/activex/AMC.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab

TCP: {82D3E1E5-1B3D-495B-BD0A-CCEAC1E03835} = 24.225.5.2 24.225.0.1

Notify: igfxcui - igfxsrvc.dll

Notify: WRNotifier - WRLogonNTF.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\c45zpzdo.brian\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.kusports.com/|http://forums.scout.com/mb.aspx?S=172&FIX=1#S=172|http://kansas.rivals.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - plugin: c:\documents and settings\brian\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\brian\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\brian\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\progra~1\meadco~1\npmeadax.dll

FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}

FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Media Converter: {6e764c17-863a-450f-bdd0-6772bd5aaa18} - %profile%\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}

FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: XULRunner: {751B6529-B611-4E20-A952-4D62F12B6F9A} - c:\documents and settings\brian\local settings\application data\{751B6529-B611-4E20-A952-4D62F12B6F9A}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\brian\application data\Move Networks

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]

R1 MpKslf3ccb5e8;MpKslf3ccb5e8;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90ccc171-05fd-4038-a8f8-2d5662a5ea7b}\MpKslf3ccb5e8.sys [2011-3-27 28752]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-4-26 70016]

S2 DVC150;DVC 150B;c:\windows\system32\drivers\DVC150B.sys [2005-2-28 31924]

S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-3-4 152576]

S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

S4 Qlnte0erpwpa;Qlnte0erpwpa; [x]

.

=============== Created Last 30 ================

.

2011-03-27 20:16:21 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{90ccc171-05fd-4038-a8f8-2d5662a5ea7b}\MpKslf3ccb5e8.sys

2011-03-26 05:02:12 0 ----a-w- c:\windows\Hyupiv.bin

2011-03-26 05:02:10 -------- d-----w- c:\docume~1\brian\locals~1\applic~1\{751B6529-B611-4E20-A952-4D62F12B6F9A}

2011-03-25 02:37:56 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{90ccc171-05fd-4038-a8f8-2d5662a5ea7b}\mpengine.dll

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

.

============= FINISH: 16:39:12.92 ===============

DDS Log w/ attachment is included

Attach.txt.zip

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

Driver::
Qlnte0erpwpa

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

Driver::
Qlnte0erpwpa

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Borislav,

Per your instructions here is the log from ComboFix:

ComboFix 11-03-28.02 - Brian 03/29/2011 18:16:19.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.555 [GMT -5:00]

Running from: c:\documents and settings\Brian\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Qlnte0erpwpa

.

.

((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))

.

.

2011-03-28 21:14 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CFE90EA-790D-4B1F-855C-1CB4A223689F}\mpengine.dll

2011-03-26 05:02 . 2011-03-26 05:02 0 ----a-w- c:\windows\Hyupiv.bin

2011-03-13 03:28 . 2011-03-15 22:49 -------- d-----w- c:\program files\Microsoft Silverlight

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-15 04:05 . 2010-10-26 16:48 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-02-09 13:53 . 1980-01-01 00:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 1980-01-01 00:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2005-02-16 19:58 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2005-02-16 19:58 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 1980-01-01 00:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 09:41 . 2011-01-25 18:38 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-01-07 14:09 . 1980-01-01 00:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 1980-01-01 00:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 2048000]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-02-24 2506752]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 135214]

"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-09-17 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2006-10-01 255552]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-07 148888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Matthew\Start Menu\Programs\Startup\

Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Memeo Launcher.lnk]

path=c:\documents and settings\Brian\Start Menu\Programs\Startup\Memeo Launcher.lnk

backup=c:\windows\pss\Memeo Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\StubInstaller.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

"c:\\Program Files\\Susteen\\DataPilot Trial\\DpLauncherTR.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze 6\\squeeze.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11976:TCP"= 11976:TCP:BitComet 11976 TCP

"11976:UDP"= 11976:UDP:BitComet 11976 UDP

.

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [4/26/2007 8:44 PM 70016]

S1 MpKsl5f1dad0a;MpKsl5f1dad0a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CFE90EA-790D-4B1F-855C-1CB4A223689F}\MpKsl5f1dad0a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CFE90EA-790D-4B1F-855C-1CB4A223689F}\MpKsl5f1dad0a.sys [?]

S1 MpKsled03af86;MpKsled03af86;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CFE90EA-790D-4B1F-855C-1CB4A223689F}\MpKsled03af86.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CFE90EA-790D-4B1F-855C-1CB4A223689F}\MpKsled03af86.sys [?]

S2 DVC150;DVC 150B;c:\windows\system32\drivers\DVC150B.sys [2/28/2005 8:53 PM 31924]

S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [3/4/2005 12:02 AM 152576]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://kansas.scout.com/index.html

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta

TCP: {82D3E1E5-1B3D-495B-BD0A-CCEAC1E03835} = 24.225.5.2 24.225.0.1

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam.thesandbar.com/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\c45zpzdo.Brian\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.kusports.com/|http://forums.scout.com/mb.aspx?S=172&FIX=1#S=172|http://kansas.rivals.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}

FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Media Converter: {6e764c17-863a-450f-bdd0-6772bd5aaa18} - %profile%\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}

FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Brian\Application Data\Move Networks

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-29 18:34

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ

Link to post
Share on other sites

This is normal and is the result of the first run of ComboFix. In your case it's not necessary.

Last steps for you:

Step 1

Go to Start => Run... and copy & paste next command in the field:

ComboFix /uninstall

Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)

Link to post
Share on other sites

This is normal and is the result of the first run of ComboFix. In your case it's not necessary.

Last steps for you:

Step 1

Go to Start => Run... and copy & paste next command in the field:

ComboFix /uninstall

Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)

Thanks for your help Borislav! If I was in Bulgaria I would have my wife make your an apple pie! You do great work.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.