
Hi

One of our computers was infected with "XP Home Security" and I couldn't get it working at all. I was able to do a check on the net on a different computer and found an activation code that I could put in, which enabled the computer again. The problem is that it doesn't run quite a few programs and I can't get Malwarebytes to run at all.

Regards

Jacc

Link to post
Share on other sites

Hello Jacc! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. A lack of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Download DDS and save it to your desktop from here, here or here.

Double click dds to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Thanks for the help

Here is the DDS File

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by tewhe at 12:08:20.74 on Wed 30/03/2011

Internet Explorer: 6.0.2900.2180

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.nz/

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.google.com/ie_rsearch.html

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [QuickBooksDB19] c:\program files\intuit\quickbooks 2010-11\qbdbmgrn.exe -n qb_adswbak_19 -qs -gd all -gk all -gp 4096 -gu all -ch 64m -c 32m -x tcpip(broadcastlistener=no;port=10173) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "c:\documents and settings\tewhe\local settings\application data\intuit\quickbooks\log\DBStartup.log" -y

mRun: [MSConfig] c:\windows\system32\msconfig.exe /auto

dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll"

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\tewhe\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\messag~1.lnk - c:\program files\messagepal\MessagePal.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: NoInstrumentation = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

mPolicies-explorer: DisableCAD = 1 (0x1)

mPolicies-system: DisableCAD = 1 (0x1)

dPolicies-explorer: NoSMHelp = 1 (0x1)

dPolicies-explorer: NoInstrumentation = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\tewhe\applic~1\mozilla\firefox\profiles\1w0wjrvq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/

FF - prefs.js: network.proxy.ftp - 192.168.0.249

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 192.168.0.249

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 192.168.0.249

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.ssl - 192.168.0.249

FF - prefs.js: network.proxy.ssl_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2011-03-29 20:37:46 1654784 ------w- c:\docume~1\tewhe\locals~1\applic~1\trz1.tmp

2011-02-28 02:00:03 -------- d-----w- c:\docume~1\tewhe\applic~1\Windows Desktop Search

2011-02-28 01:17:43 -------- d-----w- c:\windows\system32\GroupPolicy

2011-02-28 01:17:43 -------- d-----w- c:\program files\Windows Desktop Search

2011-02-28 01:17:25 -------- d-----w- c:\windows\system32\DllCache

2011-02-28 01:17:16 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll

2011-02-28 01:17:16 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll

2011-02-28 01:17:16 192000 ------w- c:\windows\system32\dllcache\offfilt.dll

.

==================== Find3M ====================

.

2011-02-21 00:43:50 249856 ------w- c:\windows\Setup1.exe

2011-02-21 00:43:48 73216 ----a-w- c:\windows\ST6UNST.EXE

2011-02-17 03:01:17 48128 ----a-w- c:\windows\hdk3name.dll

2011-02-17 03:01:17 282624 ----a-w- c:\windows\hdk3ctnt.dll

2011-02-17 03:01:17 184320 ----a-w- c:\windows\hdk3anim.dll

2011-02-17 03:01:11 21648 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

.

============= FINISH: 12:08:36.31 ===============

Here is the Attach file

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

.

==== Disk Partitions =========================

.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

.

ACT!

Adobe Flash Player 10 Plugin

Adobe Reader 7.0.2

ADSW SQL

ADSW SQL (C:\ADSW\)

avast! Free Antivirus

CCleaner

Defraggler

Foxit Reader

Hotfix for Windows XP (KB893357)

Hotfix for Windows XP (KB896344)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB915865)

Intel® PRO Network Connections Drivers

J2SE Runtime Environment 5.0 Update 4

K-Lite Mega Codec Pack 1.34

Macromedia Shockwave Player

Malwarebytes' Anti-Malware

MessagePal

Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix

Microsoft .NET Framework 2.0

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft SQL Server Desktop Engine

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox (3.6.16)

Nero 6 Ultra Edition

NVIDIA Drivers

OnlineAVL 2

QuickBooks Premier Edition 2010-11

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows XP (KB883939)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB903235)

TPM Device Driver

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

User Profile Hive Cleanup Service

VideoLAN VLC media player 0.8.6i

VNC Free Edition 4.1.1

Winamp

Windows Driver Package - Winbond Electronics Corporation Winbond Trusted Platform Module (06/30/2005 5.1.47.2011)

Windows Installer 3.1 (KB893803)

Windows Media Format Runtime

Windows Media Format SDK Hotfix - KB891122

Windows Search 4.0

Windows XP Hotfix - KB834707

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB884020

Windows XP Hotfix - KB884883

Windows XP Hotfix - KB885222

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885626

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB886677

Windows XP Hotfix - KB886716

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB887797

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888240

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890047

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890831

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893086

Windows XP Hotfix - KB896626

WinRAR archiver

.

==== End Of File ===========================

Regards

Jacc


Please navigate to C:\Program Files\Malwarebytes and rename mbam.exe to firefox.exe, and then:

  • Launch Malwarebytes' Anti-Malware.
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. A new, fresh DDS log only


I can't start Malwarebytes. Whenever I double-click on it or try to start it from the Start menu, the computer comes up with an "Open With" box and the program is not listed. I downloaded the latest version but it does the same thing. Any other suggestions?

Jacc


Try again, but first:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are seven different versions. If one of them won't run, then download and try to run another one.

Vista and Windows 7 users need to right-click and choose Run as Administrator.

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. eXplorer.exe - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
  5. iExplore.exe
  6. WiNlOgOn.exe
  7. uSeRiNiT.exe


Thanks for the patience

I tried all the programs; they all came up with the "Open With" box, but I didn't know which program to use to start it. If I use Firefox to start the program, it comes up with a box with "Save File" or "Cancel".

Jacc


Boot your PC in Safe Mode with Networking and try again with Malwarebytes' Anti-Malware:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true

Hi again

Had a problem rebooting in Safe Mode; I was not able to boot into Safe Mode with Networking.

Was able to run Malwarebytes and it found three problems, but I can't find the log files.

We still have the problem that most of the icons on the desktop or shortcut bar do not start. They come up with the message "application not found". Malware will not run if I start in normal mode.


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run any scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as shown in the screenshots (CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.**


Hi again

Sorry for the delay, had a couple of issues getting it started.

Combofix downloaded a new version and ran OK. Here is the log file:

ComboFix 11-03-29.06 - tewhe 31/03/2011 8:23.1.2 - x86

Running from: c:\documents and settings\tewhe\Desktop\Combo-Fix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\ST6UNST.000

c:\windows\system32\msconfig.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))

.

.

No new files created in this timespan

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-21 00:43 . 2010-06-16 01:15 249856 ------w- c:\windows\Setup1.exe

2011-02-21 00:43 . 2010-06-16 01:15 73216 ----a-w- c:\windows\ST6UNST.EXE

2011-02-17 03:01 . 2011-02-17 03:01 48128 ----a-w- c:\windows\hdk3name.dll

2011-02-17 03:01 . 2011-02-17 03:01 282624 ----a-w- c:\windows\hdk3ctnt.dll

2011-02-17 03:01 . 2011-02-17 03:01 184320 ----a-w- c:\windows\hdk3anim.dll

2011-02-17 03:01 . 2011-02-17 03:01 21648 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-01-13 08:47 . 2011-02-07 05:05 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2011-02-07 05:05 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2011-02-07 05:05 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2011-02-07 05:05 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2011-02-07 05:05 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2011-02-07 05:05 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2011-02-07 05:05 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2011-02-07 05:05 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2011-02-07 05:05 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-01-10 08:49 . 2010-06-12 00:56 16541204 ----a-w- C:\adsw20100419gt.zip

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

"QuickBooksDB19"="c:\program files\Intuit\QuickBooks 2010-11\QBDBMgrN.exe" [2010-03-02 126016]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

.

c:\documents and settings\tewhe\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\adminian\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\wes\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

WinampAgent.lnk - c:\program files\Winamp\winampa.exe [2004-12-20 33792]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

MessagePal.lnk - c:\program files\MessagePal\MessagePal.exe [2010-11-1 1220608]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-2 969792]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-12 00:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-07-12 00:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-07-12 00:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9052:TCP"= 9052:TCP:pospszk

.

R2 flhct;Monitor Driver;c:\windows\system32\svchost.exe [2004-08-03 14336]

R2 urfbyz;System Center;c:\windows\system32\svchost.exe [2004-08-03 14336]

R3 itbujeky;itbujeky;c:\windows\system32\01.tmp [x]

R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\18.tmp [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

flhct

urfbyz

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.nz/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\tewhe\Application Data\Mozilla\Firefox\Profiles\1w0wjrvq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/

FF - prefs.js: network.proxy.ftp - 192.168.0.249

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 192.168.0.249

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 192.168.0.249

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.ssl - 192.168.0.249

FF - prefs.js: network.proxy.ssl_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-31 08:26

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\itbujeky]

"ImagePath"="\??\c:\windows\system32\01.tmp"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\18.tmp"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\flhct]

"ServiceDll"="c:\windows\system32\itbwyls.dll"

--

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\urfbyz]

"ServiceDll"="c:\windows\system32\itbwyls.dll"

.

Completion time: 2011-03-31 08:28:07

ComboFix-quarantined-files.txt 2011-03-30 19:28

.

Pre-Run: 66,852,859,904 bytes free

Post-Run: 66,942,984,192 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 5F3145D94CB3D1EA5687A51D2DC1A328

Hope this is some help.

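The ComboFix log above shows the patterns a helper looks for: services whose image is a .tmp file (itbujeky, MEMSWEEP2), two svchost-hosted services with random names (flhct, urfbyz) that both point at the same ServiceDll (itbwyls.dll), and a firewall profile with EnableFirewall set to 0. The script below is an added example, not part of the thread and not ComboFix's own code; it parses a constructed sample made of those log lines and flags each pattern as a review hint.

```python
"""Triage helper for ComboFix-style logs (added example, not from the thread
or from ComboFix). Flags the patterns visible in the posted log: service
images that are .tmp files, svchost-hosted services and the ServiceDll that
actually runs, one DLL shared by several service names, and a firewall
profile with EnableFirewall=0. Findings are review hints, not verdicts."""
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines from the thread, unmodified.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R2 flhct;Monitor Driver;c:\windows\system32\svchost.exe [2004-08-03 14336]
R2 urfbyz;System Center;c:\windows\system32\svchost.exe [2004-08-03 14336]
R3 itbujeky;itbujeky;c:\windows\system32\01.tmp [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\18.tmp [x]
S1 aswSP;aswSP; [x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\itbujeky]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\flhct]
"ServiceDll"="c:\windows\system32\itbwyls.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\urfbyz]
"ServiceDll"="c:\windows\system32\itbwyls.dll"
"""

# Service line: "<state> <name>;<display name>;<image path> [date size]".
# A trailing "[x]" means ComboFix could not find the file on disk.
SERVICE_RE = re.compile(r"^([RS]\d) (\w+);([^;]*);(.*?)(?: \[.*\])?$")
KEY_RE = re.compile(r"^\[(.+)\]$")
HEX_SUFFIX_RE = re.compile(r"\s*\(0x[0-9A-Fa-f]+\)\s*$")  # e.g. " (0x1)"


def parse_log(text):
    """Return (services, registry): service name (lower-case) -> (state,
    display name, image path), and registry key -> {value name: text}."""
    services, registry = {}, defaultdict(dict)
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # "." is ComboFix's blank separator
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, image = m.groups()
            services[name.lower()] = (state, display, image.strip())
            continue
        if current_key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            value = HEX_SUFFIX_RE.sub("", value).strip().strip('"')
            registry[current_key][name.strip().strip('"')] = value
    return services, dict(registry)


def triage(text):
    """Return a list of (kind, subject, detail) findings for one log."""
    services, registry = parse_log(text)
    findings = []

    # Services whose image is a .tmp file deserve a look: a real driver
    # or service binary is not normally a temp file in system32.
    for name, (_state, _display, image) in services.items():
        if image.lower().endswith(".tmp"):
            findings.append(("tmp-image", name, image))

    # For a svchost-hosted service the ServiceDll, not svchost.exe, is the
    # code that runs, so resolve it from the ...\Services\<name> blocks.
    service_dlls = {}
    for key, values in registry.items():
        if "\\services\\" in key.lower() and "ServiceDll" in values:
            service_dlls[key.rsplit("\\", 1)[-1].lower()] = values["ServiceDll"]
    dll_owners = defaultdict(list)
    for name, (_state, _display, image) in services.items():
        if image.lower().endswith("svchost.exe") and name in service_dlls:
            dll = service_dlls[name]
            findings.append(("svchost-dll", name, dll))
            dll_owners[dll.lower()].append(name)
    for dll, owners in dll_owners.items():
        if len(owners) > 1:  # one DLL behind several random service names
            findings.append(("shared-dll", dll, ",".join(owners)))

    # A profile with EnableFirewall=0 should be confirmed with the user.
    for key, values in registry.items():
        if "firewallpolicy" in key.lower() and values.get("EnableFirewall") == "0":
            findings.append(("firewall-off", key.rsplit("\\", 1)[-1], "0"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:12} {subject:40} {detail}")
```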

A huge help in my opinion.

Please visit www.virustotal.com and upload the following file:

c:\windows\hdk3name.dll

Post the result in your next reply.

Hi

Here is the result. Not sure what you wanted, so I copied the complete file result.

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

hdk3name.dll

Submission date:

2011-04-01 01:32:43 (UTC)


Result:

0/ 41 (0.0%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.04.01.00 2011.03.31 -

AntiVir 7.11.5.152 2011.04.01 -

Antiy-AVL 2.0.3.7 2011.03.31 -

Avast 4.8.1351.0 2011.03.31 -

Avast5 5.0.677.0 2011.03.31 -

AVG 10.0.0.1190 2011.03.31 -

BitDefender 7.2 2011.04.01 -

CAT-QuickHeal 11.00 2011.03.31 -

ClamAV 0.97.0.0 2011.03.31 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8178 2011.04.01 -

DrWeb 5.0.2.03300 2011.04.01 -

eSafe 7.0.17.0 2011.04.01 -

eTrust-Vet 36.1.8246 2011.03.31 -

F-Prot 4.6.2.117 2011.04.01 -

F-Secure 9.0.16440.0 2011.03.23 -

Fortinet 4.2.254.0 2011.04.01 -

GData 22 2011.04.01 -

Ikarus T3.1.1.103.0 2011.04.01 -

Jiangmin 13.0.900 2011.03.31 -

K7AntiVirus 9.96.4264 2011.03.31 -

McAfee 5.400.0.1158 2011.04.01 -

McAfee-GW-Edition 2010.1C 2011.03.31 -

Microsoft 1.6702 2011.04.01 -

NOD32 6004 2011.04.01 -

Norman 6.07.03 2011.03.31 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.31 -

PCTools 7.0.3.5 2011.03.30 -

Prevx 3.0 2011.04.01 -

Rising 23.51.03.06 2011.03.31 -

Sophos 4.64.0 2011.04.01 -

SUPERAntiSpyware 4.40.0.1006 2011.04.01 -

Symantec 20101.3.2.89 2011.04.01 -

TheHacker 6.7.0.1.162 2011.03.31 -

TrendMicro 9.200.0.1012 2011.03.31 -

TrendMicro-HouseCall 9.200.0.1012 2011.04.01 -

VBA32 3.12.14.3 2011.03.31 -

VIPRE 8882 2011.04.01 -

ViRobot 2011.3.31.4386 2011.04.01 -

VirusBuster 13.6.280.0 2011.03.31 -

Additional information


MD5 : 46b5ff227a091b90722d74f58125e0c3

SHA1 : 11103228a0f4d87e54eb87f4ae10b582678ce4d2

SHA256: 5b3e1093c680e13e67f1bf9ed4414c7b58c59ae3fe5b3c28cd29b1dc94f88891

ssdeep: 768:rNuBItCbRD5GqWwXQeukbH5Sv+c07UsuEgn:rNuBIotFGqWwXQPkFS/uz1gn

File size : 48128 bytes

First seen: 2010-10-22 10:42:54

Last seen : 2011-04-01 01:32:43

TrID:

Win32 Executable MS Visual C++ 4.x (69.2%)

Win32 Executable MS Visual C++ (generic) (19.3%)

Win32 Executable Generic (4.3%)

Win32 Dynamic Link Library (generic) (3.8%)

Win16/32 Executable Delphi generic (1.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x14F0

timedatestamp....: 0x360A768A (Thu Sep 24 16:42:50 1998)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x5E50, 0x6000, 6.40, 62fb6f2e6d6714d351dbd5634c5c8e56

.rdata, 0x7000, 0xB7C, 0xC00, 4.76, c7a04d11e0e858545e4bfa9ff80d8c37

.data, 0x8000, 0x4AF8, 0x3600, 1.29, 02d12e6a6707622fa8c0efd33c4f01b6

.idata, 0xD000, 0x612, 0x800, 4.18, 0966b7fbe9c9a1b210d31fa1eb0c844f

.reloc, 0xE000, 0xC16, 0xE00, 4.53, e82dc35c6042d0c558ee37909705d914

[[ 1 import(s) ]]

KERNEL32.dll: GetEnvironmentStringsW, FindFirstFileA, FindNextFileA, SetCurrentDirectoryA, CreateDirectoryA, GetLastError, MoveFileA, GetCommandLineA, GetProcAddress, GetModuleHandleA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, GetCPInfo, GetACP, GetOEMCP, FreeEnvironmentStringsA, MultiByteToWideChar, FreeEnvironmentStringsW, GetEnvironmentStrings, FindClose, WideCharToMultiByte, HeapDestroy, HeapCreate, VirtualFree, WriteFile, SetFilePointer, InterlockedDecrement, InterlockedIncrement, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapAlloc, HeapFree, VirtualAlloc, LoadLibraryA, SetStdHandle, FlushFileBuffers, CloseHandle, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetLocaleInfoW, LCMapStringA, LCMapStringW

[[ 3 export(s) ]]

CreateDir32, LowerCase, RenameLongFilename

ExifTool:

file metadata

CodeSize: 24576

EntryPoint: 0x14f0

FileSize: 47 kB

FileType: Win32 DLL

ImageVersion: 0.0

InitializedDataSize: 28160

LinkerVersion: 5.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

PEType: PE32

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 1998:09:24 18:42:50+02:00

UninitializedDataSize: 0


Thanks!

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\01.tmp
c:\windows\system32\itbwyls.dll

Driver::
pospszk
flhct
Monitor Driver
urfbyz
System Center
itbujeky

NetSvc::
flhct
urfbyz

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9052:TCP"= -
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\itbujeky]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\flhct]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\urfbyz]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

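The CFScript posted above, read into a structured removal plan, as an added example; this is not ComboFix's own code, and the script it parses is the one in the post. It handles only the four directive blocks used there (File::, Driver::, NetSvc::, Registry::) and reads the Registry:: block with REGEDIT4 conventions, where `[-KEY]` deletes a whole key and `"name"= -` deletes one value under the key named on the preceding line. The `HKLM\~\services` prefix is kept verbatim as ComboFix writes it. The function names (`parse_cfscript`, `open_ports_removed`, `summarize`) and the plan's field names are the example's own.

```python
"""Parse a ComboFix CFScript into a removal plan (added example, not ComboFix code).

Only the directive blocks used in the script above are understood:
  File::      one path per line, to be deleted
  Driver::    one service/driver name per line, to be removed
  NetSvc::    one name per line, to be dropped from the svchost netsvcs group
  Registry::  REGEDIT4-style lines: [KEY] selects a key, [-KEY] deletes it,
              "name"= -  deletes a value, "name"=data sets one
Anything else is ignored rather than guessed at.
"""
import re

# Constructed sample: the script from the post above, verbatim.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\01.tmp
c:\windows\system32\itbwyls.dll

Driver::
pospszk
flhct
Monitor Driver
urfbyz
System Center
itbujeky

NetSvc::
flhct
urfbyz

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9052:TCP"= -
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\itbujeky]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\flhct]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\urfbyz]
"""

SECTIONS = ("File::", "Driver::", "NetSvc::", "Registry::")
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # [KEY] or [-KEY]
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"= data


def parse_cfscript(text):
    """Return a dict of action lists; registry values are (key, name[, data]) tuples."""
    plan = {"delete_files": [], "delete_services": [], "netsvc_remove": [],
            "delete_reg_keys": [], "delete_reg_values": [], "set_reg_values": []}
    section = None
    current_key = None  # key selected by the last [KEY] line in Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, current_key = line, None
            continue
        if section == "File::":
            plan["delete_files"].append(line.lower())
        elif section == "Driver::":
            plan["delete_services"].append(line)
        elif section == "NetSvc::":
            plan["netsvc_remove"].append(line)
        elif section == "Registry::":
            m = _KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    plan["delete_reg_keys"].append(key)
                    current_key = None
                else:
                    current_key = key
                continue
            m = _VALUE_RE.match(line)
            if m and current_key:
                name, data = m.groups()
                if data.strip() == "-":
                    plan["delete_reg_values"].append((current_key, name))
                else:
                    plan["set_reg_values"].append((current_key, name, data))
    return plan


def open_ports_removed(plan):
    """Firewall exceptions the script closes, as (port, protocol) tuples."""
    ports = []
    for key, name in plan["delete_reg_values"]:
        if key.lower().endswith("globallyopenports\\list"):
            port, _, proto = name.partition(":")
            ports.append((port, proto))
    return ports


def summarize(plan):
    """One line per action class, for a quick human read of what the script will do."""
    return [
        "delete %d file(s)" % len(plan["delete_files"]),
        "remove %d service/driver(s)" % len(plan["delete_services"]),
        "drop %d name(s) from the netsvcs group" % len(plan["netsvc_remove"]),
        "delete %d registry key(s) and %d value(s)" % (
            len(plan["delete_reg_keys"]), len(plan["delete_reg_values"])),
        "close firewall port(s): %s" % ", ".join(
            "%s/%s" % (p, proto) for p, proto in open_ports_removed(plan)),
    ]


if __name__ == "__main__":
    for line in summarize(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```

Reading the script this way before running it makes the scope explicit: two files, six service names, two netsvcs entries, three service keys and one firewall port exception, which is the same list a responder would want in the incident notes.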

Here is the latest log file

ComboFix 11-04-01.01 - tewhe 02/04/2011 9:39.2.2 - x86

Running from: c:\documents and settings\tewhe\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\tewhe\Desktop\CFScript.txt

* Created a new restore point

.

FILE ::

"c:\windows\system32\01.tmp"

"c:\windows\system32\itbwyls.dll"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_FLHCT

-------\Legacy_ITBUJEKY

-------\Legacy_URFBYZ

-------\Service_flhct

-------\Service_itbujeky

-------\Service_urfbyz

.

.

((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))

.

.

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\windows\system32\xircom

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\windows\system32\wbem\snmp

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\windows\srchasst

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\program files\microsoft frontpage

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-21 00:43 . 2010-06-16 01:15 249856 ------w- c:\windows\Setup1.exe

2011-02-21 00:43 . 2010-06-16 01:15 73216 ----a-w- c:\windows\ST6UNST.EXE

2011-02-17 03:01 . 2011-02-17 03:01 48128 ----a-w- c:\windows\hdk3name.dll

2011-02-17 03:01 . 2011-02-17 03:01 282624 ----a-w- c:\windows\hdk3ctnt.dll

2011-02-17 03:01 . 2011-02-17 03:01 184320 ----a-w- c:\windows\hdk3anim.dll

2011-02-17 03:01 . 2011-02-17 03:01 21648 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-01-13 08:47 . 2011-02-07 05:05 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2011-02-07 05:05 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2011-02-07 05:05 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2011-02-07 05:05 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2011-02-07 05:05 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2011-02-07 05:05 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2011-02-07 05:05 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2011-02-07 05:05 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2011-02-07 05:05 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-01-10 08:49 . 2010-06-12 00:56 16541204 ----a-w- C:\adsw20100419gt.zip

.

.

((((((((((((((((((((((((((((( SnapShot@2011-03-30_19.26.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-01 20:43 . 2011-04-01 20:43 16384 c:\windows\Temp\Perflib_Perfdata_110.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

"QuickBooksDB19"="c:\program files\Intuit\QuickBooks 2010-11\QBDBMgrN.exe" [2010-03-02 126016]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

.

c:\documents and settings\tewhe\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\adminian\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\wes\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

WinampAgent.lnk - c:\program files\Winamp\winampa.exe [2004-12-20 33792]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

MessagePal.lnk - c:\program files\MessagePal\MessagePal.exe [2010-11-1 1220608]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-2 969792]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-12 00:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-07-12 00:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-07-12 00:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\18.tmp [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

*NewlyCreated* - SECLOGON

*Deregistered* - uphcleanhlp

.

NETSVCS REQUIRES REPAIRS - current entries shown

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

ERSvc

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Netman

Nla

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

SENS

Sharedaccess

SRService

Tapisrv

Themes

TrkWks

W32Time

WZCSVC

Wmi

WmdmPmSp

winmgmt

xmlprov

BITS

wuauserv

ShellHWDetection

WmdmPmSN

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.nz/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\tewhe\Application Data\Mozilla\Firefox\Profiles\1w0wjrvq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/

FF - prefs.js: network.proxy.ftp - 192.168.0.249

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 192.168.0.249

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 192.168.0.249

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.ssl - 192.168.0.249

FF - prefs.js: network.proxy.ssl_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-02 09:44

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\18.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3912)

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\msi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\program files\UPHClean\uphclean.exe

c:\program files\RealVNC\VNC4\WinVNC4.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2011-04-02 09:46:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-01 20:46

ComboFix2.txt 2011-03-30 19:28

.

Pre-Run: 66,885,169,152 bytes free

Post-Run: 66,807,844,864 bytes free

.

- - End Of File - - 0A9AB9835C926A60250AAF6AA9C0AABF

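A first pass over a ComboFix log of the kind posted above, as an added example that is not part of the post or of ComboFix. It pulls out the few things a responder checks before anything else: the firewall profile values (EnableFirewall 0, DisableNotifications 1), GloballyOpenPorts exceptions, services whose image is a .tmp file, entries ComboFix marks with [X]/[x] because it could not find the target on disk, and the Firefox proxy prefs decoded against network.proxy.type (0 is a direct connection, so proxy hosts listed under it are dormant unless the type changes). The sample lines are copied from the log above, except the GloballyOpenPorts value data, which is constructed in the XP firewall `port:proto:scope:Enabled:name` form. The `triage` function and the finding labels are the example's own, and every finding is a lead to verify, not a verdict.

```python
"""Triage a ComboFix log for settings to check first (added example, not ComboFix code)."""
import re

# Constructed sample: lines from the log above; the open-port value data is made up
# in the XP firewall "port:proto:scope:Enabled:name" form.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9052:TCP"= 9052:TCP:*:Enabled:constructed
.
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\18.tmp [x]
S1 aswSP;aswSP; [x]
.
FF - prefs.js: network.proxy.http - 192.168.0.249
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.ssl - 192.168.0.249
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")                          # [KEY]
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                 # "name"= data
_SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*(\[[xX]\])?$")  # R3 name;display;image [x]
_FF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.[\w.]+) - (.*)$")
_MISSING_RE = re.compile(r"\[[xX]\]\s*$")                        # ComboFix "target not found" marker

# Firefox network.proxy.type values (3 is unused by Firefox).
FIREFOX_PROXY_TYPES = {
    "0": "direct (no proxy)", "1": "manual", "2": "PAC URL",
    "4": "auto-detect (WPAD)", "5": "system settings",
}
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.ftp", "network.proxy.socks")


def triage(log_text):
    """Return (kind, where, what) tuples for each indicator found in the log."""
    findings = []
    section = None
    ff_prefs = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses "." as a spacer
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _FF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
            continue
        m = _SERVICE_RE.match(line)
        if m:
            _start, name, _display, image, missing = m.groups()
            if image.lower().endswith(".tmp"):
                findings.append(("service_tmp_image", name, image))
            elif missing:
                findings.append(("service_target_missing", name, image or "(no image path)"))
            continue
        m = _VALUE_RE.match(line)
        if m and section:
            name, data = m.groups()
            sec = section.lower()
            if sec.endswith("firewallpolicy\\standardprofile"):
                if name == "EnableFirewall" and data.startswith("0"):
                    findings.append(("firewall_disabled", section, name))
                elif name == "DisableNotifications" and data.startswith("1"):
                    findings.append(("firewall_notifications_off", section, name))
            elif sec.endswith("globallyopenports\\list"):
                findings.append(("firewall_open_port", section, name))
            if _MISSING_RE.search(data):
                findings.append(("autostart_target_missing", section, name))
    # Proxy hosts only matter if the proxy type actually selects them.
    ptype = ff_prefs.get("network.proxy.type")
    hosts = sorted({v for k, v in ff_prefs.items() if k in PROXY_HOST_PREFS})
    if hosts:
        mode = FIREFOX_PROXY_TYPES.get(ptype, "unknown")
        state = "active" if ptype == "1" else "dormant: " + mode
        findings.append(("firefox_proxy", state, ", ".join(hosts)))
    return findings


if __name__ == "__main__":
    for kind, where, what in triage(SAMPLE_LOG):
        print("%-26s %s -> %s" % (kind, where, what))
```

Against the sample this reports the firewall profile as disabled with notifications suppressed, one open-port exception (9052/TCP), a service running from a .tmp file, one service whose image could not be found, one RunOnce entry whose target is missing, and a proxy host that is configured but dormant because the proxy type is 0. Which of those are malicious, which are leftovers of a cleanup tool, and which are simply how the machine was configured is for the responder to decide with the rest of the log in hand.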

Please download and extract the following file. Then double click on it to merge it into the Registry.

Then delete your current copy of ComboFix.exe, download a fresh copy and, after disabling your anti-virus, run it again and post back the new log.

Here is the latest file

ComboFix 11-04-01.01 - tewhe 02/04/2011 12:44:51.3.2 - x86

Running from: c:\documents and settings\tewhe\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))

.

.

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\windows\system32\xircom

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\windows\system32\wbem\snmp

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\windows\srchasst

2011-04-01 20:43 . 2011-04-01 20:43 -------- d-----w- c:\program files\microsoft frontpage

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-21 00:43 . 2010-06-16 01:15 249856 ------w- c:\windows\Setup1.exe

2011-02-21 00:43 . 2010-06-16 01:15 73216 ----a-w- c:\windows\ST6UNST.EXE

2011-02-17 03:01 . 2011-02-17 03:01 48128 ----a-w- c:\windows\hdk3name.dll

2011-02-17 03:01 . 2011-02-17 03:01 282624 ----a-w- c:\windows\hdk3ctnt.dll

2011-02-17 03:01 . 2011-02-17 03:01 184320 ----a-w- c:\windows\hdk3anim.dll

2011-02-17 03:01 . 2011-02-17 03:01 21648 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-01-13 08:47 . 2011-02-07 05:05 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2011-02-07 05:05 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2011-02-07 05:05 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2011-02-07 05:05 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2011-02-07 05:05 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2011-02-07 05:05 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2011-02-07 05:05 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2011-02-07 05:05 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2011-02-07 05:05 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-01-10 08:49 . 2010-06-12 00:56 16541204 ----a-w- C:\adsw20100419gt.zip

.

.

((((((((((((((((((((((((((((( SnapShot@2011-03-30_19.26.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-01 20:43 . 2011-04-01 20:43 16384 c:\windows\Temp\Perflib_Perfdata_110.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

"QuickBooksDB19"="c:\program files\Intuit\QuickBooks 2010-11\QBDBMgrN.exe" [2010-03-02 126016]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

.

c:\documents and settings\tewhe\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\adminian\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\wes\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

WinampAgent.lnk - c:\program files\Winamp\winampa.exe [2004-12-20 33792]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

MessagePal.lnk - c:\program files\MessagePal\MessagePal.exe [2010-11-1 1220608]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-2 969792]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-12 00:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-07-12 00:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-07-12 00:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\18.tmp [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

*NewlyCreated* - SECLOGON

*Deregistered* - uphcleanhlp

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.nz/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\tewhe\Application Data\Mozilla\Firefox\Profiles\1w0wjrvq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/

FF - prefs.js: network.proxy.ftp - 192.168.0.249

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 192.168.0.249

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 192.168.0.249

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.ssl - 192.168.0.249

FF - prefs.js: network.proxy.ssl_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-02 12:47

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\18.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3368)

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\msi.dll

.

Completion time: 2011-04-02 12:48:19

ComboFix-quarantined-files.txt 2011-04-01 23:48

ComboFix2.txt 2011-04-01 20:46

ComboFix3.txt 2011-03-30 19:28

.

Pre-Run: 66,799,878,144 bytes free

Post-Run: 66,791,235,584 bytes free

.

- - End Of File - - CE59FE4979FD84A5E0A6BA21A4B44F91


Good! :)

Last steps:

Step 1

Go to Start => Run... and copy & paste the next command into the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS and RKill.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)

This topic is now closed to further replies.