
Virtumondo/prunnet.exe/virus remover - unable to run mbam setup + task manager locked



Title explains most of it.

I have similar problems on the infected machine as explained in:

http://www.malwarebytes.org/forums/index.php?showtopic=9847

Basically:

- can't run/update regular virus scanners

- can't install mbam (spams screen with floating point errors)

- can't open task manager (says locked by administrator)

- regular popups that normally lead to virus remover 2009

- my documents folder opens randomly

- desktop background changed to some "warning you have a virus" image

I have been able to run hijack this, so I will post my log file below.

Any help would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:07:44 PM, on 1/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\system32\lkcitdl.exe

F:\WINDOWS\system32\lkads.exe

F:\WINDOWS\system32\lktsrv.exe

F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

F:\Program Files\National Instruments\MAX\nimxs.exe

F:\WINDOWS\system32\nipalsm.exe

F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

F:\WINDOWS\system32\nisvcloc.exe

F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

F:\WINDOWS\system32\HPZipm12.exe

f:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

F:\Program Files\stunnel\stunnel.exe

F:\WINDOWS\system32\nipalsm.exe

F:\WINDOWS\Explorer.EXE

F:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

F:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

F:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

F:\Program Files\QuickTime\qttask.exe

F:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

F:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

F:\WINDOWS\system32\frmwrk32.exe

F:\WINDOWS\system32\rundll32.exe

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\system32\ntdll64.exe

F:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

F:\Program Files\Mozilla Firefox\firefox.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - F:\WINDOWS\system32\hgGvwuUO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - F:\WINDOWS\system32\kskekiah.dll

O2 - BHO: (no name) - {B7B4B1DD-C5DB-4D7A-BCE5-506A50214C1C} - F:\WINDOWS\system32\ljJBUKbc.dll

O4 - HKLM\..\Run: [shStatEXE] "F:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "F:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "F:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [niDevMon] F:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [VirtualCloneDrive] "F:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe

O4 - HKLM\..\Run: [fcaa559e] rundll32.exe "F:\WINDOWS\system32\vwxoqknl.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll

O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147969174935

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: hgGvwuUO - F:\WINDOWS\SYSTEM32\hgGvwuUO.dll

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: stunnel - Unknown owner - F:\Program Files\stunnel\stunnel.exe

--

End of file - 7812 bytes


  • Root Admin

So which Anti-Virus are you running? The logs show you have McAfee and AVG both installed and running.

You can only have one Anti-Virus program running on the machine at any one time.

Please choose one or the other and remove the other one.

Then remove ALL versions of JAVA from Control Panel, Add/Remove.

Then start HJT, run "Do a system scan only" and place a check mark on the following items.

  • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)
  • O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - F:\WINDOWS\system32\hgGvwuUO.dll
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - F:\WINDOWS\system32\kskekiah.dll
  • O2 - BHO: (no name) - {B7B4B1DD-C5DB-4D7A-BCE5-506A50214C1C} - F:\WINDOWS\system32\ljJBUKbc.dll
  • O4 - HKLM\..\Run: [shStatEXE] "F:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
  • O4 - HKLM\..\Run: [McAfeeUpdaterUI] "F:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
  • O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "F:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
  • O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
  • O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
  • O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
  • O4 - HKLM\..\Run: [VirtualCloneDrive] "F:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
  • O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
  • O4 - HKLM\..\Run: [fcaa559e] rundll32.exe "F:\WINDOWS\system32\vwxoqknl.dll",b
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll
  • O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll
  • O20 - Winlogon Notify: hgGvwuUO - F:\WINDOWS\SYSTEM32\hgGvwuUO.dll
Then quit ALL browsers, including the one you're reading this in now.
Then click on Fix checked and then quit HJT.

Then try to run this.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

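The list the Root Admin asks the poster to check is, in effect, a set of triage rules applied by eye to the HijackThis log: nameless O2 BHOs living in the Windows directory, O4 Run entries with no path or a rundll32 call into a system32 DLL, any O10 "Unknown file in Winsock LSP", O20 Winlogon Notify DLLs, and "(file missing)" leftovers. The Python script below is an added example, not part of this thread and not HijackThis's own logic: it encodes those rules as heuristics and runs them over a constructed sample of lines in HJT v2 format (most copied from the first log above, plus a benign R0 line and the ctfmon Run entry so the rules have something to leave alone). The regexes, the severity labels and the extra "hex-looking Run value name" rule are my own assumptions, and a "suspect" hit means "verify this file", not "delete it".

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format. The O2/O4/O10/O20/O23 lines are
# copied from the first log in this thread; the R0 and ctfmon lines are benign
# entries included so the rules have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - F:\WINDOWS\system32\hgGvwuUO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [fcaa559e] rundll32.exe "F:\WINDOWS\system32\vwxoqknl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll
O20 - Winlogon Notify: hgGvwuUO - F:\WINDOWS\SYSTEM32\hgGvwuUO.dll
O23 - Service: stunnel - Unknown owner - F:\Program Files\stunnel\stunnel.exe
"""

# Every HJT line starts with a section tag (R0, O2, O4, ...) followed by " - ".
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# "HKLM\..\Run: [value name] command line" as HJT prints O4 entries.
RUN_VALUE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# A DLL sitting directly in the Windows directory or in system32 / temp.
WINDIR_DLL = re.compile(r'[a-z]:\\windows\\(?:(?:system32|temp)\\)?[^\\\s"]+\.dll', re.I)
# rundll32 calling a DLL by a one- or two-character export name, e.g. ...dll",b
RUNDLL_SHORT_EXPORT = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\s*[a-z0-9]{1,2}\s*$', re.I)


@dataclass
class Finding:
    section: str
    severity: str  # "suspect": verify the file before fixing; "info": stale or unlabelled entry
    reason: str
    line: str


def triage_line(line: str):
    """Apply the heuristics (my own, not HijackThis's) to one line; return a Finding or None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    def hit(severity, reason):
        return Finding(section, severity, reason, line.strip())

    if "(file missing)" in body:
        return hit("info", "points at a file that no longer exists (leftover of an uninstalled product)")
    if section == "O2" and body.startswith("BHO: (no name)") and WINDIR_DLL.search(body):
        return hit("suspect", "nameless browser helper object loading a DLL from the Windows directory")
    if section == "O4":
        rv = RUN_VALUE.match(body)
        name, cmd = (rv.group(1), rv.group(2)) if rv else ("", body)
        if RUNDLL_SHORT_EXPORT.search(cmd) and WINDIR_DLL.search(cmd):
            return hit("suspect", "rundll32 loads a Windows-directory DLL through a one-letter export")
        if not re.search(r"[a-z]:\\", cmd, re.I):
            # Crude: an entry such as "frmwrk32.exe" relies on the search path. (Entries
            # written with %windir% would also trip this rule; review them by hand.)
            return hit("suspect", "Run entry names an executable with no path")
        if re.fullmatch(r"[0-9a-f]{8}", name):
            return hit("suspect", "Run value name is a random-looking hex string")
    if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return hit("suspect", "unrecognised Winsock LSP: it is loaded into every process that uses the network")
    if section == "O20" and WINDIR_DLL.search(body):
        return hit("suspect", "Winlogon Notify DLL runs inside winlogon.exe at every logon; verify the file")
    if section == "O23" and "Unknown owner" in body:
        return hit("info", "service has no vendor string; confirm it was installed on purpose")
    return None


def triage_log(text: str):
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def suspects(text: str):
    """Just the lines a reviewer should verify before fixing anything."""
    return [f.line for f in triage_log(text) if f.severity == "suspect"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.section:4} {f.reason}\n          {f.line}")
```

Run on the sample, the script flags exactly the kinds of entries the admin checked (the nameless BHO, frmwrk32.exe, the rundll32 line, the LSP and the Winlogon Notify DLL) and leaves the QuickTime, Java and ctfmon entries alone; the AVG "(file missing)" and the unowned stunnel service come back as informational. Legitimate software can trigger the O20 and O23 rules, which is why the output is a review list and the file itself (vendor, signature, hash) still has to be checked before anything is fixed.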

Back when the virus first popped up, I had installed AVG to try to remove it when McAfee wasn't doing anything, but I believe I removed it right after it didn't work either.

In following your steps, I've run into some problems.

First, when running HJT, I got an error and it said it was unable to do anything about the O10, and a second scan showed the majority of the bad files still there.

There have also been issues when running ComboFix. When it tried to establish a system restore point, I got the spam of "Invalid floating point" application error messages, similar to those seen when trying to install mbam. Next, as it was downloading the system recovery console, there were a few lines of "Data error (cyclic redundancy check)"; however, it was able to proceed with installation and on to the scan. When the scan started I got the following popup:

<--

Rootkit !!

Combofix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper, the name of each file. We may need it later

F:\WINDOWS\system32\drivers\senekauwlcirid.sys

F:\WINDOWS\system32\senekaspppsjwi.dll

F:\WINDOWS\system32\senekacwkusfst.dll

F:\WINDOWS\system32\senekaetnbejxu.dat

-->

After clicking ok to this, the computer shut down and though on, it was totally blank, forcing me to manually reboot.

Then I got maybe the most peculiar message I've seen in a while on the next boot sequence, "Alert, system battery voltage is low"; however, I simply pressed F1 as requested and it continued to boot.

Upon re-entering Windows, ComboFix automatically ran and seemed to do its job, deleting a bunch of suspect files and then rebooting the computer again (this time doing so successfully). ComboFix then opened again on the reboot and provided me with the log file. Finally I reran HJT.

The log files are contained in the following posts.


ComboFix 09-01-15.01 - gyrotron 2009-01-16 11:17:04.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.718 [GMT -5:00]

Running from: f:\documents and settings\gyrotron\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

f:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

f:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

f:\program files\VirusRemover2008

f:\windows\Downloaded Program Files\setup.inf

f:\windows\system32\afxowuov.dll

f:\windows\system32\ahtn.htm

f:\windows\system32\cbKUBJjl.ini

f:\windows\system32\cbKUBJjl.ini2

f:\windows\system32\dDSjGwtr.dll

f:\windows\system32\drivers\seneka.sys

f:\windows\system32\drivers\senekauwlcirid.sys

f:\windows\system32\frmwrk32.exe

f:\windows\system32\hgGvwuUO.dll

f:\windows\system32\ivvahz.dll

f:\windows\system32\kskekiah.dll

f:\windows\system32\lwwqaf.dll

f:\windows\system32\ntdll64.exe

f:\windows\system32\pahpjhwr.dll

f:\windows\system32\senekacwkusfst.dll

f:\windows\system32\senekadf.dat

f:\windows\system32\senekaetnbejxu.dat

f:\windows\system32\senekalog.dat

f:\windows\system32\senekaspppsjwi.dll

f:\windows\system32\test.ttt

f:\windows\system32\uniq.tll

f:\windows\system32\vwxoqknl.dll

f:\windows\system32\warning.gif

f:\windows\system32\win32hlp.cnf

f:\windows\system32\wwrxgkuy.dll

f:\windows\system32\xnivpw.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SENEKA

((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))

.

2009-01-16 10:47 . 2009-01-16 10:47 41,984 --a------ f:\windows\system32\chert5-998.exe

2009-01-16 10:47 . 2009-01-16 10:47 41,984 --a------ f:\windows\Sjikologocelozug.dll

2009-01-15 17:07 . 2009-01-15 17:07 <DIR> d-------- f:\program files\Trend Micro

2009-01-15 16:12 . 2009-01-15 15:57 <DIR> d-------- f:\documents and settings\gyrotron\Application Data\HouseCall 6.6

2009-01-15 16:01 . 2009-01-15 15:34 1,375,225 --ahs---- f:\windows\system32\fhhpcotq.ini

2009-01-15 15:57 . 2009-01-15 16:03 <DIR> d-------- f:\documents and settings\gyrotron\.housecall6.6

2009-01-15 15:57 . 2009-01-15 15:57 102,664 --a------ f:\windows\system32\drivers\tmcomm.sys

2009-01-15 15:55 . 2009-01-15 15:55 40,960 --a------ f:\windows\system32\vqriqsoh.dll

2009-01-15 15:37 . 2009-01-15 15:38 1,375,225 --ahs---- f:\windows\system32\lnkqoxwv.ini

2009-01-15 15:35 . 2009-01-15 15:35 40,960 --a------ f:\windows\system32\rwiddmqo.dll

2009-01-14 05:08 . 2009-01-14 05:08 24,064 --a------ f:\windows\system32\pcload.exe

2009-01-13 18:26 . 2009-01-14 01:13 <DIR> d--h----- F:\$AVG8.VAULT$

2009-01-13 17:03 . 2009-01-14 11:22 <DIR> d-------- f:\documents and settings\All Users\Application Data\avg8

2009-01-13 16:37 . 2009-01-16 11:20 1,104 --a------ f:\windows\olocxhrn

2009-01-13 16:32 . 2009-01-13 16:32 46,592 --a------ f:\windows\system32\qoMGXRhe.dll

2009-01-12 15:09 . 2006-06-03 21:29 48,640 --a------ f:\windows\system32\hpzll4pi.dll

2009-01-12 15:08 . 1998-10-29 16:45 306,688 --a------ f:\windows\IsUninst.exe

2009-01-12 15:08 . 2006-03-03 21:03 282,680 --a------ f:\windows\system32\HPZidr12.dll

2009-01-12 15:08 . 2006-03-03 21:02 204,800 --a------ f:\windows\system32\HPZipr12.dll

2009-01-12 15:08 . 2006-03-03 21:02 94,208 --a------ f:\windows\system32\HPZipt12.dll

2009-01-12 15:08 . 2006-03-03 21:03 69,632 --a------ f:\windows\system32\HPZipm12.exe

2009-01-12 15:08 . 2006-03-03 21:03 65,536 --a------ f:\windows\system32\HPZinw12.exe

2009-01-12 15:08 . 2006-03-03 21:02 57,344 --a------ f:\windows\system32\HPZisn12.dll

2009-01-12 15:04 . 2009-01-12 15:10 123,131 --a------ f:\windows\HPHins12.dat

2009-01-12 15:04 . 2006-05-16 15:25 77,824 --a------ f:\windows\system32\hpzids01.dll

2009-01-12 15:04 . 2006-07-17 14:39 14,916 --------- f:\windows\hphmdl12.dat

2009-01-12 14:40 . 2009-01-12 14:40 <DIR> d-------- f:\windows\Downloaded Installations

2009-01-12 14:40 . 2009-01-12 15:08 <DIR> d-------- f:\program files\HP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-14 16:37 --------- d--h--w f:\program files\InstallShield Installation Information

2009-01-14 16:37 --------- d-----w f:\program files\Common Files\InstallShield

2009-01-14 16:37 --------- d-----w f:\program files\Andor iStar

2004-03-15 21:51 114,688 -c--a-w f:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 13:36 114,688 -c--a-w f:\program files\internet explorer\plugins\LV7ActiveXControl.dll

2006-01-23 14:32 131,072 -c--a-w f:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 14:48 133,920 ----a-w f:\program files\internet explorer\plugins\LV82ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"niDevMon"="f:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-02-24 92960]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"Dnorahoze"="f:\windows\Sjikologocelozug.dll" [2009-01-16 41984]

f:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"f:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nipbcfk;National Instruments Class Upper Filter Driver;f:\windows\system32\drivers\nipbcfk.sys [2007-02-15 15136]

R1 NaiAvTdi1;NaiAvTdi1;f:\windows\system32\drivers\mvstdi5x.sys [2006-05-18 58464]

R3 nidimk;nidimk;f:\windows\system32\drivers\nidimkl.sys [2007-02-21 11552]

R3 nimru2k;nimru2k;f:\windows\system32\drivers\nimru2kl.sys [2007-02-21 11552]

R3 nimstsk;nimstsk;f:\windows\system32\drivers\nimstskl.sys [2007-02-25 11552]

R4 ni488enumsvc;NI-488.2 Enumeration Service;f:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nidevldu;NI Device Loader;f:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nipxirmk;nipxirmk;f:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]

R4 NiViPxiK;NI-VISA PXI Driver;f:\windows\system32\drivers\NiViPxiKl.sys [2007-02-23 11552]

S0 olocxhrn;olocxhrn;f:\windows\system32\drivers\yieuduqx.sys []

S3 gpibprtk;gpibprtk;f:\windows\system32\drivers\gpibprtk.sys [2007-08-30 215840]

S3 lvalarmk;lvalarmk;f:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]

S3 ni1006k;NI PXI-1006 Chassis Pilot;f:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]

S3 ni1045k;NI PXI-1045 Chassis Pilot;f:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]

S3 ni488lock;NI-488.2 Locking Service;f:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]

S3 nicdrk;nicdrk;f:\windows\system32\drivers\nicdrkl.sys [2007-02-22 11552]

S3 nidmxfk;nidmxfk;f:\windows\system32\drivers\nidmxfkl.sys [2007-02-25 11552]

S3 nidsark;nidsark;f:\windows\system32\drivers\nidsarkl.sys [2007-02-23 11552]

S3 niemrk;niemrk;f:\windows\system32\drivers\niemrkl.sys [2007-02-25 11552]

S3 niesrk;niesrk;f:\windows\system32\drivers\niesrkl.sys [2007-02-25 11552]

S3 nifslk;nifslk;f:\windows\system32\drivers\nifslkl.sys [2007-02-22 11552]

S3 nimsdrk;nimsdrk;f:\windows\system32\drivers\nimsdrkl.sys [2007-02-25 11552]

S3 nimslk;nimslk;f:\windows\system32\drivers\nimslk.dll [2006-12-18 14464]

S3 nimsrlk;nimsrlk;f:\windows\system32\drivers\nimsrlk.dll [2006-12-18 151683]

S3 nimxpk;nimxpk;f:\windows\system32\drivers\nimxpkl.sys [2007-02-22 11552]

S3 ninshsdk;ninshsdk;f:\windows\system32\drivers\ninshsdkl.sys [2007-02-23 11552]

S3 nipalfwedl;nipalfwedl;f:\windows\system32\drivers\nipalfwedl.sys [2007-02-15 11552]

S3 nipalusb;NI-PAL USB Driver;f:\windows\system32\drivers\nipalusb.sys [2007-02-15 10528]

S3 nipalusbedl;nipalusbedl;f:\windows\system32\drivers\nipalusbedl.sys [2007-02-15 11552]

S3 nipxigpk;NI PXI Generic Chassis Pilot;f:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]

S3 niscdk;niscdk;f:\windows\system32\drivers\niscdkl.sys [2007-02-26 11552]

S3 nisdigk;nisdigk;f:\windows\system32\drivers\nisdigkl.sys [2007-02-25 11552]

S3 nisftk;nisftk;f:\windows\system32\drivers\nisftkl.sys [2007-02-23 11552]

S3 nismbusk;nismbusk;f:\windows\system32\drivers\nismbusk.sys [2007-02-22 86304]

S3 nispdk;nispdk;f:\windows\system32\drivers\nispdkl.sys [2007-02-26 11552]

S3 nissrk;nissrk;f:\windows\system32\drivers\nissrkl.sys [2007-02-25 11552]

S3 nistc2k;nistc2k;f:\windows\system32\drivers\nistc2kl.sys [2007-02-22 11552]

S3 nistcrk;nistcrk;f:\windows\system32\drivers\nistcrkl.sys [2007-02-23 11552]

S3 niswdk;niswdk;f:\windows\system32\drivers\niswdkl.sys [2007-02-23 11552]

S3 nitiork;nitiork;f:\windows\system32\drivers\nitiorkl.sys [2007-02-23 11552]

S3 NiViFWK;NI-VISA FireWire Driver;f:\windows\system32\drivers\NiViFWKl.sys [2007-02-22 11552]

S3 NiViPciK;NI-VISA PCI Driver;f:\windows\system32\drivers\NiViPciKl.sys [2007-02-23 11552]

S3 niwfrk;niwfrk;f:\windows\system32\drivers\niwfrkl.sys [2007-02-25 11552]

S3 nixsrk;nixsrk;f:\windows\system32\drivers\nixsrkl.sys [2007-02-25 11552]

S3 usb6xxxk;usb6xxxk;f:\windows\system32\drivers\usb6xxxk.sys [2007-02-25 27936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

.

Contents of the 'Scheduled Tasks' folder

2009-01-15 f:\windows\Tasks\yhhpujxz.job

- f:\windows\system32\rundll32.exe [2008-04-13 19:12]

.

- - - - ORPHANS REMOVED - - - -

BHO-{5CE72687-003A-4137-BE08-077D26279A99} - f:\windows\system32\ljJBUKbc.dll

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - f:\windows\system32\hgGvwuUO.dll

ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - f:\windows\system32\hgGvwuUO.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://web.mit.edu/

IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: f:\windows\TEMP\ntdll64.dll

O16 -: Microsoft XML Parser for Java - file://f:\windows\Java\classes\xmldso.cab

f:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

FF - ProfilePath - f:\documents and settings\gyrotron\Application Data\Mozilla\Firefox\Profiles\wawlxq1h.default\

FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll

FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-16 11:21:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

f:\windows\system32\drivers\yieuduqx.sys 25088 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(848)

f:\windows\system32\ljJBUKbc.dll

.

------------------------ Other Running Processes ------------------------

.

f:\windows\system32\lkads.exe

f:\windows\system32\lktsrv.exe

f:\program files\Network Associates\Common Framework\FrameworkService.exe

f:\program files\Network Associates\VirusScan\vstskmgr.exe

f:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

f:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

f:\program files\National Instruments\MAX\nimxs.exe

f:\program files\National Instruments\Shared\Security\nidmsrv.exe

f:\windows\system32\nisvcloc.exe

f:\program files\National Instruments\Shared\Tagger\tagsrv.exe

f:\windows\system32\HPZipm12.exe

f:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

f:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

f:\program files\stunnel\stunnel.exe

f:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-01-16 11:24:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-16 16:24:09

Pre-Run: 218,417,704,960 bytes free

Post-Run: 218,563,850,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

223 --- E O F --- 2008-12-19 08:00:52


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:28:41 AM, on 1/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\system32\lkads.exe

F:\WINDOWS\system32\lktsrv.exe

F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

F:\Program Files\National Instruments\MAX\nimxs.exe

F:\WINDOWS\system32\nipalsm.exe

F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

F:\WINDOWS\system32\rundll32.exe

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\system32\nisvcloc.exe

F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

F:\WINDOWS\system32\HPZipm12.exe

f:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

F:\Program Files\stunnel\stunnel.exe

F:\WINDOWS\system32\nipalsm.exe

F:\WINDOWS\system32\wscntfy.exe

F:\WINDOWS\explorer.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {5CE72687-003A-4137-BE08-077D26279A99} - F:\WINDOWS\system32\ljJBUKbc.dll

O4 - HKLM\..\Run: [niDevMon] F:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Dnorahoze] rundll32.exe "F:\WINDOWS\Sjikologocelozug.dll",e

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll

O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147969174935

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: stunnel - Unknown owner - F:\Program Files\stunnel\stunnel.exe

--

End of file - 5495 bytes

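A helper reads a HijackThis log like the one above line by line; as an added example (not code from the thread or from HijackThis), this Python script applies three of the checks that matter for entries of the kind shown: an O10 Winsock LSP whose DLL lives in a Temp folder, an O23 service with an unknown owner, and an O2 BHO whose file is missing. The sample lines are constructed in the shape of the log.

```python
"""Triage a HijackThis log for three red flags seen in this thread's log:
an O10 Winsock LSP entry whose DLL lives in a Temp folder, an O23 service
with an unknown owner, and an O2 BHO whose file is missing.
Added example; not code from the thread or from HijackThis."""
import re

# Constructed sample in the shape of the log above (a few lines only).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)",
    r"O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe",
    r"O10 - Unknown file in Winsock LSP: f:\windows\temp\ntdll64.dll",
    r"O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Program Files\Network Associates\Common Framework\FrameworkService.exe",
    r"O23 - Service: stunnel - Unknown owner - F:\Program Files\stunnel\stunnel.exe",
])

# "O10 - <body>", "R0 - <body>" and so on: section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Any path component named temp or tmp, e.g. f:\windows\temp\ntdll64.dll
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


def parse_entries(text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text):
    """Return findings as (severity, section, reason, entry body) tuples."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O10":
            # A Winsock LSP is loaded into every process that uses sockets,
            # so an LSP DLL in a Temp folder is a strong sign of infection.
            path = body.split(":", 1)[1].strip() if ":" in body else body
            if TEMP_DIR_RE.search(path):
                findings.append(("high", section, "LSP DLL loads from a Temp folder", body))
            else:
                findings.append(("medium", section, "unrecognised Winsock LSP file", body))
        elif section == "O23" and "Unknown owner" in body:
            # Services without a publisher need a manual look, not deletion.
            findings.append(("low", section, "service with unknown owner", body))
        elif section == "O2" and body.endswith("(file missing)"):
            # A dangling BHO registration is harmless but is left-over clutter.
            findings.append(("low", section, "BHO file missing", body))
    return findings


if __name__ == "__main__":
    for severity, section, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {section}: {reason} -> {body}")
```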

  • Root Admin

Please run the following

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

  • When the update is complete, select the Scanner tab

  • Select Perform quick scan, then click Scan.

  • When the scan is complete, click OK, then Show Results to view the results.

  • Be sure that everything is checked, and click Remove Selected.

  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT: do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs in that order please.


Malwarebytes' Anti-Malware 1.33

Database version: 1654

Windows 5.1.2600 Service Pack 3

1/16/2009 2:23:53 PM

mbam-log-2009-01-16 (14-23-48).txt

Scan type: Quick Scan

Objects scanned: 53149

Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 8

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

F:\WINDOWS\system32\ljJBUKbc.dll (Trojan.Vundo.H) -> No action taken.

F:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{231ba2cf-5f06-44e6-b89d-90af57def02c} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{231ba2cf-5f06-44e6-b89d-90af57def02c} (Trojan.Vundo.H) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{231ba2cf-5f06-44e6-b89d-90af57def02c} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\olocxhrn (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\olocxhrn (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\olocxhrn (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dnorahoze (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

F:\WINDOWS\system32\ljJBUKbc.dll (Trojan.Vundo.H) -> No action taken.

F:\WINDOWS\system32\ljJBUKbc.dllbox (Trojan.Vundo.H) -> No action taken.

F:\WINDOWS\system32\f:\windows\system32\ljjbukbc.dll (Trojan.Vundo.H) -> No action taken.

F:\WINDOWS\system32\cbKUBJjl.ini (Trojan.Vundo.H) -> No action taken.

F:\WINDOWS\system32\cbKUBJjl.ini2 (Trojan.Vundo.H) -> No action taken.

F:\WINDOWS\system32\rwiddmqo.dll (Trojan.Vundo) -> No action taken.

F:\WINDOWS\system32\vqriqsoh.dll (Trojan.Vundo) -> No action taken.

F:\WINDOWS\system32\Drivers\yieuduqx.sys (Rootkit.Agent) -> No action taken.

F:\WINDOWS\Sjikologocelozug.dll (Trojan.Agent) -> No action taken.

F:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:33:20 PM, on 1/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\system32\lkads.exe

F:\WINDOWS\system32\lktsrv.exe

F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

F:\Program Files\National Instruments\MAX\nimxs.exe

F:\WINDOWS\system32\nipalsm.exe

F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

F:\WINDOWS\system32\nisvcloc.exe

F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

F:\WINDOWS\system32\HPZipm12.exe

f:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

F:\Program Files\stunnel\stunnel.exe

F:\WINDOWS\system32\nipalsm.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\wscntfy.exe

F:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

F:\WINDOWS\system32\ctfmon.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F:\WINDOWS\system32\NOTEPAD.EXE

F:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O4 - HKLM\..\Run: [niDevMon] F:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147969174935

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: stunnel - Unknown owner - F:\Program Files\stunnel\stunnel.exe

--

End of file - 5447 bytes


  • Root Admin

Please remove your current version of Combofix. You should be able to run START - RUN and type in Combofix /U

Then if still there or an error, delete it from your Desktop and delete the folder C:\QOOBOX and download a new fresh copy.

Then run through all these steps in the exact order given. Make sure you disable any screen saver and power saver, and make sure you also disable your current Anti-Virus as it will try to stop some of these tools from working.

Also disable any programs like Tea Timer or other security tools that try to stop Registry changes.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member virusproblem001 only. If you are a lurker, do NOT try this on your system!

If you are not virusproblem001 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!


Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

  • Download and install CCleaner

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close ALL PROGRAMS

  • Start the CCleaner program.

  • Click on Registry and Uncheck Registry Integrity so that it does not run

  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files

  • Click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts

STEP03

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To disable the Resident Shield, please:

open AVG User Interface

double-click on the Resident Shield

un-tick the option Resident Shield active

save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

STEP05

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.

  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

  • Reboot your computer after it runs

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

  • Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP07


If you have a prior copy of Combofix, delete it now!

Download ComboFix from one of these locations, saving to DESKTOP:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

[image: Rookit_found.gif]

then be sure to write it down fully and also copy that into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

STEP08

IF and only IF the Combofix has worked without exceptions, only then, do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.

Only if Combofix has a good finish:

I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.

  • Click OK.

  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to delete:

    C:\WINDOWS\system32\brsvc01a.exe

    C:\WINDOWS\system32\brss01a.exe

    C:\WINDOWS\SYSTEM32\TDSSixgp.dll

    C:\WINDOWS\SYSTEM32\TDSSproc.log

    C:\WINDOWS\SYSTEM32\TDSSwkod.log

    C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp

    c:\windows\system32\drivers\msqpdxserv.sys

    C:\resycled

    D:\resycled

    e:\resycled

    f:\resycled

    g:\resycled

    c:\windows\system32\TDSSweat.dat

    C:\WINDOWS\system32\drivers\TDSSmqlt.sys

    C:\windows\system32\drivers\tdssserv.sys

    C:\WINDOWS\system32\drivers\TDSSmact.sys

    C:\WINDOWS\system32\TDSSfpmp.dll

    C:\WINDOWS\system32\TDSSwpyd.dat

    C:\WINDOWS\system32\TDSStkdv.log

    C:\WINDOWS\system32\TDSSotxb.dll

    C:\WINDOWS\system32\TDSScrrn.dll

    C:\WINDOWS\system32\TDSSbvqh.dll

    C:\WINDOWS\system32\TDSSjnmx.dll

    c:\windows\system32\TDSShrxr.dll

    c:\windows\system32\TDSSkkbi.log

    c:\windows\system32\TDSSlrvd.dat

    c:\windows\system32\TDSSlxwp.dll

    c:\windows\system32\TDSSnmxh.log

    c:\windows\system32\TDSSoiqt.dll

    c:\windows\system32\TDSSrhyp.log

    c:\windows\system32\TDSSrtqp.dll

    c:\windows\system32\TDSSsihc.dll

    c:\windows\system32\TDSSxfum.dll

    c:\windows\system32\TDSSmtve.dat

    c:\windows\system32\TDSSnirj.dat


    Drivers to delete:

    tdss

    tdssserv

    TDSSserv.SYS

    Service_TDSSSERV.SYS

    Legacy_TDSSSERV.SYS

    msqpdxserv.sys

    msqpdxserv


    Registry keys to delete:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

    HKEY_LOCAL_MACHINE\SOFTWARE\tdss

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the Avenger window, click the Paste Script from Clipboard icon [image: pastets4.png].

  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.

  • Click the Execute button.

  • You will be asked "Are you sure you want to execute the current script?".

  • Click Yes.

  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".

  • Click Yes.

  • Your PC will now be rebooted.

  • Note: If the above script contains "Drivers to delete:" or "Drivers to disable:", then The Avenger will require two reboots to complete its operation.

  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.

  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

STEP09

Download DDS and save it to your desktop from one of these 3 locations:

1. http://www.techsupportforum.com/sectools/sUBs/dds

2. http://download.bleepingcomputer.com/sUBs/dds.scr

3. http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

Please then reply with a copy of C:\Combofix.txt, C:\Avenger.txt, and a new HijackThis log.

RE-Enable your AntiVirus and AntiSpyware applications.

ComboFix 09-01-10.01 - gyrotron 2009-01-20 11:28:06.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.712 [GMT -5:00]

Running from: f:\documents and settings\gyrotron\Desktop\Combo-Fix.exe

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

f:\windows\system32\msrdo20.dll

f:\windows\system32\rdocurs.dll

f:\windows\system32\win32hlp.cnf

.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))

.

2009-01-20 11:06 . 2009-01-20 11:06 <DIR> d-------- f:\program files\CCleaner

2009-01-16 11:35 . 2009-01-16 11:35 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware

2009-01-16 11:35 . 2009-01-16 11:35 <DIR> d-------- f:\documents and settings\gyrotron\Application Data\Malwarebytes

2009-01-16 11:35 . 2009-01-16 11:35 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-16 11:35 . 2009-01-14 16:11 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 11:35 . 2009-01-14 16:11 15,504 --a------ f:\windows\system32\drivers\mbam.sys

2009-01-16 10:47 . 2009-01-16 10:47 41,984 --a------ f:\windows\system32\chert5-998.exe

2009-01-15 17:07 . 2009-01-15 17:07 <DIR> d-------- f:\program files\Trend Micro

2009-01-15 16:12 . 2009-01-15 15:57 <DIR> d-------- f:\documents and settings\gyrotron\Application Data\HouseCall 6.6

2009-01-15 16:01 . 2009-01-15 15:34 1,375,225 --ahs---- f:\windows\system32\fhhpcotq.ini

2009-01-15 15:57 . 2009-01-15 16:03 <DIR> d-------- f:\documents and settings\gyrotron\.housecall6.6

2009-01-15 15:57 . 2009-01-15 15:57 102,664 --a------ f:\windows\system32\drivers\tmcomm.sys

2009-01-15 15:37 . 2009-01-15 15:38 1,375,225 --ahs---- f:\windows\system32\lnkqoxwv.ini

2009-01-14 05:08 . 2009-01-14 05:08 24,064 --a------ f:\windows\system32\pcload.exe

2009-01-13 17:03 . 2009-01-16 14:06 <DIR> d-------- f:\documents and settings\All Users\Application Data\avg8

2009-01-13 16:37 . 2009-01-16 14:26 1,104 --a------ f:\windows\olocxhrn

2009-01-12 15:09 . 2006-06-03 21:29 48,640 --a------ f:\windows\system32\hpzll4pi.dll

2009-01-12 15:08 . 1998-10-29 16:45 306,688 --a------ f:\windows\IsUninst.exe

2009-01-12 15:08 . 2006-03-03 21:03 282,680 --a------ f:\windows\system32\HPZidr12.dll

2009-01-12 15:08 . 2006-03-03 21:02 204,800 --a------ f:\windows\system32\HPZipr12.dll

2009-01-12 15:08 . 2006-03-03 21:02 94,208 --a------ f:\windows\system32\HPZipt12.dll

2009-01-12 15:08 . 2006-03-03 21:03 69,632 --a------ f:\windows\system32\HPZipm12.exe

2009-01-12 15:08 . 2006-03-03 21:03 65,536 --a------ f:\windows\system32\HPZinw12.exe

2009-01-12 15:08 . 2006-03-03 21:02 57,344 --a------ f:\windows\system32\HPZisn12.dll

2009-01-12 15:04 . 2009-01-12 15:10 123,131 --a------ f:\windows\HPHins12.dat

2009-01-12 15:04 . 2006-05-16 15:25 77,824 --a------ f:\windows\system32\hpzids01.dll

2009-01-12 15:04 . 2006-07-17 14:39 14,916 --------- f:\windows\hphmdl12.dat

2009-01-12 14:40 . 2009-01-12 14:40 <DIR> d-------- f:\windows\Downloaded Installations

2009-01-12 14:40 . 2009-01-12 15:08 <DIR> d-------- f:\program files\HP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-14 16:37 --------- d--h--w f:\program files\InstallShield Installation Information

2009-01-14 16:37 --------- d-----w f:\program files\Common Files\InstallShield

2009-01-14 16:37 --------- d-----w f:\program files\Andor iStar

2008-10-23 12:36 286,720 ----a-w f:\windows\system32\gdi32.dll

2004-03-15 21:51 114,688 -c--a-w f:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 13:36 114,688 -c--a-w f:\program files\internet explorer\plugins\LV7ActiveXControl.dll

2006-01-23 14:32 131,072 -c--a-w f:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 14:48 133,920 ----a-w f:\program files\internet explorer\plugins\LV82ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"niDevMon"="f:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-02-24 92960]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

f:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 f:\windows\system32\ljJBUKbc

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"f:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nipbcfk;National Instruments Class Upper Filter Driver;f:\windows\system32\drivers\nipbcfk.sys [2007-02-15 15136]

R1 NaiAvTdi1;NaiAvTdi1;f:\windows\system32\drivers\mvstdi5x.sys [2006-05-18 58464]

R3 nidimk;nidimk;f:\windows\system32\drivers\nidimkl.sys [2007-02-21 11552]

R3 nimru2k;nimru2k;f:\windows\system32\drivers\nimru2kl.sys [2007-02-21 11552]

R3 nimstsk;nimstsk;f:\windows\system32\drivers\nimstskl.sys [2007-02-25 11552]

R4 ni488enumsvc;NI-488.2 Enumeration Service;f:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nidevldu;NI Device Loader;f:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nipxirmk;nipxirmk;f:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]

R4 NiViPxiK;NI-VISA PXI Driver;f:\windows\system32\drivers\NiViPxiKl.sys [2007-02-23 11552]

S3 gpibprtk;gpibprtk;f:\windows\system32\drivers\gpibprtk.sys [2007-08-30 215840]

S3 lvalarmk;lvalarmk;f:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]

S3 ni1006k;NI PXI-1006 Chassis Pilot;f:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]

S3 ni1045k;NI PXI-1045 Chassis Pilot;f:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]

S3 ni488lock;NI-488.2 Locking Service;f:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]

S3 nicdrk;nicdrk;f:\windows\system32\drivers\nicdrkl.sys [2007-02-22 11552]

S3 nidmxfk;nidmxfk;f:\windows\system32\drivers\nidmxfkl.sys [2007-02-25 11552]

S3 nidsark;nidsark;f:\windows\system32\drivers\nidsarkl.sys [2007-02-23 11552]

S3 niemrk;niemrk;f:\windows\system32\drivers\niemrkl.sys [2007-02-25 11552]

S3 niesrk;niesrk;f:\windows\system32\drivers\niesrkl.sys [2007-02-25 11552]

S3 nifslk;nifslk;f:\windows\system32\drivers\nifslkl.sys [2007-02-22 11552]

S3 nimsdrk;nimsdrk;f:\windows\system32\drivers\nimsdrkl.sys [2007-02-25 11552]

S3 nimslk;nimslk;f:\windows\system32\drivers\nimslk.dll [2006-12-18 14464]

S3 nimsrlk;nimsrlk;f:\windows\system32\drivers\nimsrlk.dll [2006-12-18 151683]

S3 nimxpk;nimxpk;f:\windows\system32\drivers\nimxpkl.sys [2007-02-22 11552]

S3 ninshsdk;ninshsdk;f:\windows\system32\drivers\ninshsdkl.sys [2007-02-23 11552]

S3 nipalfwedl;nipalfwedl;f:\windows\system32\drivers\nipalfwedl.sys [2007-02-15 11552]

S3 nipalusb;NI-PAL USB Driver;f:\windows\system32\drivers\nipalusb.sys [2007-02-15 10528]

S3 nipalusbedl;nipalusbedl;f:\windows\system32\drivers\nipalusbedl.sys [2007-02-15 11552]

S3 nipxigpk;NI PXI Generic Chassis Pilot;f:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]

S3 niscdk;niscdk;f:\windows\system32\drivers\niscdkl.sys [2007-02-26 11552]

S3 nisdigk;nisdigk;f:\windows\system32\drivers\nisdigkl.sys [2007-02-25 11552]

S3 nisftk;nisftk;f:\windows\system32\drivers\nisftkl.sys [2007-02-23 11552]

S3 nismbusk;nismbusk;f:\windows\system32\drivers\nismbusk.sys [2007-02-22 86304]

S3 nispdk;nispdk;f:\windows\system32\drivers\nispdkl.sys [2007-02-26 11552]

S3 nissrk;nissrk;f:\windows\system32\drivers\nissrkl.sys [2007-02-25 11552]

S3 nistc2k;nistc2k;f:\windows\system32\drivers\nistc2kl.sys [2007-02-22 11552]

S3 nistcrk;nistcrk;f:\windows\system32\drivers\nistcrkl.sys [2007-02-23 11552]

S3 niswdk;niswdk;f:\windows\system32\drivers\niswdkl.sys [2007-02-23 11552]

S3 nitiork;nitiork;f:\windows\system32\drivers\nitiorkl.sys [2007-02-23 11552]

S3 NiViFWK;NI-VISA FireWire Driver;f:\windows\system32\drivers\NiViFWKl.sys [2007-02-22 11552]

S3 NiViPciK;NI-VISA PCI Driver;f:\windows\system32\drivers\NiViPciKl.sys [2007-02-23 11552]

S3 niwfrk;niwfrk;f:\windows\system32\drivers\niwfrkl.sys [2007-02-25 11552]

S3 nixsrk;nixsrk;f:\windows\system32\drivers\nixsrkl.sys [2007-02-25 11552]

S3 usb6xxxk;usb6xxxk;f:\windows\system32\drivers\usb6xxxk.sys [2007-02-25 27936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

.

Contents of the 'Scheduled Tasks' folder

2009-01-20 f:\windows\Tasks\yhhpujxz.job

- f:\windows\system32\rundll32.exe [2008-04-13 19:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://web.mit.edu/

IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://f:\windows\Java\classes\xmldso.cab

f:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

FF - ProfilePath - f:\documents and settings\gyrotron\Application Data\Mozilla\Firefox\Profiles\wawlxq1h.default\

FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll

FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 11:28:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-01-20 11:29:31

ComboFix-quarantined-files.txt 2009-01-20 16:29:11

ComboFix2.txt 2009-01-16 16:24:16

Pre-Run: 218,656,489,472 bytes free

Post-Run: 218,645,917,696 bytes free

156 --- E O F --- 2008-12-19 08:00:52


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\brsvc01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brsvc01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\brss01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brss01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp"

Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!

Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\resycled" not found!

Deletion of file "C:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "D:\resycled"

Deletion of file "D:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "e:\resycled"

Deletion of file "e:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "f:\resycled" not found!

Deletion of file "f:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "g:\resycled"

Deletion of file "g:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\TDSSweat.dat" not found!

Deletion of file "c:\windows\system32\TDSSweat.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSShrxr.dll" not found!

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSkkbi.log" not found!

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlrvd.dat" not found!

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlxwp.dll" not found!

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnmxh.log" not found!

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSoiqt.dll" not found!

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrhyp.log" not found!

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrtqp.dll" not found!

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSsihc.dll" not found!

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSxfum.dll" not found!

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSmtve.dat" not found!

Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnirj.dat" not found!

Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!

Deletion of driver "tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!

Deletion of driver "TDSSserv.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!

Deletion of driver "Service_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!

Deletion of driver "Legacy_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!

Deletion of driver "msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!

Deletion of driver "msqpdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


DDS (Ver_09-01-18.01) - NTFSx86

Run by gyrotron at 11:45:59.82 on Tue 01/20/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.665 [GMT -5:00]

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

F:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\system32\lkcitdl.exe

F:\WINDOWS\system32\lkads.exe

F:\WINDOWS\system32\lktsrv.exe

F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

F:\Program Files\National Instruments\MAX\nimxs.exe

F:\WINDOWS\system32\nipalsm.exe

F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

F:\WINDOWS\system32\nisvcloc.exe

F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

F:\WINDOWS\system32\HPZipm12.exe

f:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

F:\Program Files\stunnel\stunnel.exe

F:\WINDOWS\system32\nipalsm.exe

F:\WINDOWS\system32\wuauclt.exe

F:\WINDOWS\system32\wscntfy.exe

F:\WINDOWS\system32\wuauclt.exe

F:\Documents and Settings\gyrotron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://web.mit.edu/

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll

uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe

mRun: [niDevMon] f:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe

mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office10\OSA.EXE

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe

LSA: Authentication Packages = msv1_0 f:\windows\system32\ljJBUKbc

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\gyrotron\applic~1\mozilla\firefox\profiles\wawlxq1h.default\

FF - plugin: f:\program files\mozilla firefox\plugins\NPLV80Win32.dll

FF - plugin: f:\program files\mozilla firefox\plugins\NPLV82Win32.dll

============= SERVICES / DRIVERS ===============

R0 nipbcfk;National Instruments Class Upper Filter Driver;f:\windows\system32\drivers\nipbcfk.sys [2007-2-15 15136]

R1 NaiAvTdi1;NaiAvTdi1;f:\windows\system32\drivers\mvstdi5x.sys [2006-5-18 58464]

R3 nidimk;nidimk;f:\windows\system32\drivers\nidimkl.sys [2007-2-21 11552]

R3 nimru2k;nimru2k;f:\windows\system32\drivers\nimru2kl.sys [2007-2-21 11552]

R3 nimstsk;nimstsk;f:\windows\system32\drivers\nimstskl.sys [2007-2-25 11552]

R4 McAfeeFramework;McAfee Framework Service;f:\program files\network associates\common framework\FrameworkService.exe [2006-5-18 102463]

R4 McTaskManager;Network Associates Task Manager;f:\program files\network associates\virusscan\vstskmgr.exe [2005-8-22 29184]

R4 ni488enumsvc;NI-488.2 Enumeration Service;f:\windows\system32\nipalsm.exe [2007-2-16 12696]

R4 nidevldu;NI Device Loader;f:\windows\system32\nipalsm.exe [2007-2-16 12696]

R4 nipxirmk;nipxirmk;f:\windows\system32\drivers\nipxirmkl.sys [2007-2-22 11552]

R4 NiViPxiK;NI-VISA PXI Driver;f:\windows\system32\drivers\NiViPxiKl.sys [2007-2-23 11552]

S3 gpibprtk;gpibprtk;f:\windows\system32\drivers\gpibprtk.sys [2007-8-30 215840]

S3 lvalarmk;lvalarmk;f:\windows\system32\drivers\lvalarmk.sys [2007-1-11 20256]

S3 McShield;Network Associates McShield;f:\program files\network associates\virusscan\mcshield.exe [2005-8-22 221191]

S3 NaiAvFilter1;NaiAvFilter1;f:\windows\system32\drivers\naiavf5x.sys [2006-5-18 114624]

S3 ni1006k;NI PXI-1006 Chassis Pilot;f:\windows\system32\drivers\ni1006k.sys [2007-2-22 25888]

S3 ni1045k;NI PXI-1045 Chassis Pilot;f:\windows\system32\drivers\ni1045kl.sys [2007-2-22 11552]

S3 ni488lock;NI-488.2 Locking Service;f:\windows\system32\drivers\ni488lock.sys [2007-2-26 16672]

S3 nicdrk;nicdrk;f:\windows\system32\drivers\nicdrkl.sys [2007-2-22 11552]

S3 nidmxfk;nidmxfk;f:\windows\system32\drivers\nidmxfkl.sys [2007-2-25 11552]

S3 nidsark;nidsark;f:\windows\system32\drivers\nidsarkl.sys [2007-2-23 11552]

S3 niemrk;niemrk;f:\windows\system32\drivers\niemrkl.sys [2007-2-25 11552]

S3 niesrk;niesrk;f:\windows\system32\drivers\niesrkl.sys [2007-2-25 11552]

S3 nifslk;nifslk;f:\windows\system32\drivers\nifslkl.sys [2007-2-22 11552]

S3 nimsdrk;nimsdrk;f:\windows\system32\drivers\nimsdrkl.sys [2007-2-25 11552]

S3 nimslk;nimslk;f:\windows\system32\drivers\nimslk.dll [2006-12-18 14464]

S3 nimsrlk;nimsrlk;f:\windows\system32\drivers\nimsrlk.dll [2006-12-18 151683]

S3 nimxpk;nimxpk;f:\windows\system32\drivers\nimxpkl.sys [2007-2-22 11552]

S3 ninshsdk;ninshsdk;f:\windows\system32\drivers\ninshsdkl.sys [2007-2-23 11552]

S3 nipalfwedl;nipalfwedl;f:\windows\system32\drivers\nipalfwedl.sys [2007-2-15 11552]

S3 nipalusb;NI-PAL USB Driver;f:\windows\system32\drivers\nipalusb.sys [2007-2-15 10528]

S3 nipalusbedl;nipalusbedl;f:\windows\system32\drivers\nipalusbedl.sys [2007-2-15 11552]

S3 nipxigpk;NI PXI Generic Chassis Pilot;f:\windows\system32\drivers\nipxigpk.sys [2007-2-22 20768]

S3 niscdk;niscdk;f:\windows\system32\drivers\niscdkl.sys [2007-2-26 11552]

S3 nisdigk;nisdigk;f:\windows\system32\drivers\nisdigkl.sys [2007-2-25 11552]

S3 nisftk;nisftk;f:\windows\system32\drivers\nisftkl.sys [2007-2-23 11552]

S3 nismbusk;nismbusk;f:\windows\system32\drivers\nismbusk.sys [2007-2-22 86304]

S3 nispdk;nispdk;f:\windows\system32\drivers\nispdkl.sys [2007-2-26 11552]

S3 nissrk;nissrk;f:\windows\system32\drivers\nissrkl.sys [2007-2-25 11552]

S3 nistc2k;nistc2k;f:\windows\system32\drivers\nistc2kl.sys [2007-2-22 11552]

S3 nistcrk;nistcrk;f:\windows\system32\drivers\nistcrkl.sys [2007-2-23 11552]

S3 niswdk;niswdk;f:\windows\system32\drivers\niswdkl.sys [2007-2-23 11552]

S3 nitiork;nitiork;f:\windows\system32\drivers\nitiorkl.sys [2007-2-23 11552]

S3 NiViFWK;NI-VISA FireWire Driver;f:\windows\system32\drivers\NiViFWKl.sys [2007-2-22 11552]

S3 NiViPciK;NI-VISA PCI Driver;f:\windows\system32\drivers\NiViPciKl.sys [2007-2-23 11552]

S3 niwfrk;niwfrk;f:\windows\system32\drivers\niwfrkl.sys [2007-2-25 11552]

S3 nixsrk;nixsrk;f:\windows\system32\drivers\nixsrkl.sys [2007-2-25 11552]

S3 usb6xxxk;usb6xxxk;f:\windows\system32\drivers\usb6xxxk.sys [2007-2-25 27936]

=============== Created Last 30 ================

2009-01-20 11:27 161,792 a------- f:\windows\SWREG.exe

2009-01-20 11:27 98,816 a------- f:\windows\sed.exe

2009-01-20 11:26 <DIR> --d----- F:\Combo-Fix

2009-01-20 11:06 <DIR> --d----- f:\program files\CCleaner

2009-01-16 11:35 <DIR> --d----- f:\docume~1\gyrotron\applic~1\Malwarebytes

2009-01-16 11:35 15,504 a------- f:\windows\system32\drivers\mbam.sys

2009-01-16 11:35 38,496 a------- f:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 11:35 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware

2009-01-16 11:35 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-16 10:47 41,984 a------- f:\windows\system32\chert5-998.exe

2009-01-15 17:07 <DIR> --d----- f:\program files\Trend Micro

2009-01-15 16:12 <DIR> --d----- f:\docume~1\gyrotron\applic~1\HouseCall 6.6

2009-01-15 16:01 1,375,225 a--sh--- f:\windows\system32\fhhpcotq.ini

2009-01-15 15:57 102,664 a------- f:\windows\system32\drivers\tmcomm.sys

2009-01-15 15:57 <DIR> --d----- f:\documents and settings\gyrotron\.housecall6.6

2009-01-15 15:37 1,375,225 a--sh--- f:\windows\system32\lnkqoxwv.ini

2009-01-14 05:08 24,064 a------- f:\windows\system32\pcload.exe

2009-01-13 17:03 <DIR> --d----- f:\docume~1\alluse~1\applic~1\avg8

2009-01-13 16:37 1,104 a------- f:\windows\olocxhrn

2009-01-12 15:09 48,640 a------- f:\windows\system32\hpzll4pi.dll

2009-01-12 15:08 94,208 a------- f:\windows\system32\HPZipt12.dll

2009-01-12 15:08 57,344 a------- f:\windows\system32\HPZisn12.dll

2009-01-12 15:08 282,680 a------- f:\windows\system32\HPZidr12.dll

2009-01-12 15:08 204,800 a------- f:\windows\system32\HPZipr12.dll

2009-01-12 15:08 69,632 a------- f:\windows\system32\HPZipm12.exe

2009-01-12 15:08 65,536 a------- f:\windows\system32\HPZinw12.exe

2009-01-12 15:08 306,688 a------- f:\windows\IsUninst.exe

2009-01-12 15:04 123,131 a------- f:\windows\HPHins12.dat

2009-01-12 15:04 14,916 -------- f:\windows\hphmdl12.dat

2009-01-12 15:04 77,824 a------- f:\windows\system32\hpzids01.dll

2009-01-12 14:40 <DIR> --d----- f:\program files\HP

2009-01-12 14:40 <DIR> --d----- f:\windows\Downloaded Installations

==================== Find3M ====================

2008-12-02 13:25 87,263 a------- f:\windows\pchealth\helpctr\offlinecache\index.dat

2008-10-23 07:36 286,720 a------- f:\windows\system32\gdi32.dll

============= FINISH: 11:46:16.29 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-18.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 5/18/2006 12:03:42 PM

System Uptime: 1/20/2009 11:41:35 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0W2562

Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 63.569 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is FIXED (NTFS) - 233 GiB total, 203.632 GiB free.

G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:

Description: Other PCI Bridge Device

Device ID: PCI\VEN_12FC&DEV_5CEC&SUBSYS_905010B5&REV_01\4&1C660DD6&0&08F0

Manufacturer:

Name: Other PCI Bridge Device

PNP Device ID: PCI\VEN_12FC&DEV_5CEC&SUBSYS_905010B5&REV_01\4&1C660DD6&0&08F0

Service:

Class GUID:

Description: Multimedia Audio Controller

Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01571028&REV_02\3&172E68DD&0&FD

Manufacturer:

Name: Multimedia Audio Controller

PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01571028&REV_02\3&172E68DD&0&FD

Service:

==== System Restore Points ===================

RP1: 1/20/2009 10:58:58 AM - System Checkpoint

==== Installed Programs ======================

ActiveDSO

Adobe Flash Player 10 ActiveX

Adobe Reader 8.1.1

BufferChm

CCleaner (remove only)

CutePDF Writer 2.7

DeviceManagementQFolder

GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)

GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)

GPL Ghostscript 8.60

GPL Ghostscript Fonts

GSview 4.9

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB952287)

HouseCall 6.6

HP Imaging Device Functions 7.0

HP Photosmart and Deskjet 7.0 Software

HP Product Detection

hph_software_req

Intel® PRO Network Adapters and Drivers

Malwarebytes' Anti-Malware

MATLAB R2007a

McAfee VirusScan Enterprise

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft MSDN 2005 Express Edition - ENU

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Professional

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)

Microsoft SQL Server 2005 Tools Express Edition

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft Visual Basic 2005 Express Edition - ENU

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox (3.0.5)

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 6 Service Pack 2 (KB954459)

National Instruments Software

NI-488.2 2.5

NI-488.2 Provider for MAX

NI-653x Installer 1.6.0

NI-APAL Error Files 1.2.0f0

NI-DAQ C and VB6 API

NI-DAQ Document Set

NI-DAQ INF Files

NI-DAQmx - LabVIEW shared documentation

NI-DAQmx 8.5

NI-DAQmx Documentation

NI-DAQmx MAX Support 1.8.0

NI-DAQmx OPC Support

NI-DAQmx support for LabVIEW

NI-DAQmx Switch Core 1.11.0

NI-DIM 1.6.0f0

NI-IVI Provider for MAX

NI-MDBG 1.6.0f0

NI-MRU 2.7.0f0

NI-MXDF 1.7.0f0

NI-ORB 1.6.0f0

NI-PAL 2.0.0f0

NI-RPC 3.1.1f0 for PharLap

NI-RPC 3.2.1f0 for Phar Lap ETS

NI-RPC 3.3.1f0

NI-RPC 3.3.1f0 for Phar Lap ETS

NI-VISA 4.1

NI-VISA 4.1 MAX Provider

NI-VISA Runtime 4.1

NI-VISA Server 4.1

NI AFW Channel Configuration Tool

NI Assistant Framework

NI Assistant Framework LabVIEW Code Generator 6.1

NI Assistant Framework LabVIEW Code Generator 7.0

NI Assistant Framework LabVIEW Code Generator 7.1

NI Assistant Framework LabVIEW Code Generator 8.0

NI Assistant Framework LabVIEW Code Generator 8.2

NI Calibration Provider for MAX

NI Certificates Deployment Support

NI Common Digital 1.7.0

NI DAQ Assistant 1.6.0

NI DataSocket 4.3.0

NI DN 2.0 installer

NI Dynamic Signal Acquisition Installer 1.9.0

NI EULA Depot

NI Example Finder 8.0

NI ExpressWorkbench 2.0

NI ExpressWorkbench 2.0 LabVIEW Support

NI Fusion Standard Library Installer 1.5.0

NI Help Assistant

NI Instrument I/O Assistant

NI Instrument IO Assistant for LabVIEW 8.0

NI IVI Class Driver LabVIEW 8.0 Support

NI IVI Class Drivers

NI IVI Class Simulation Drivers

NI IVI Compliance Package 3.0

NI IVI Engine

NI IVI lcltxxxx Driver

NI IVI Specific Drivers

NI LabVIEW 8.0

NI LabVIEW 8.0 Activity

NI LabVIEW 8.0 Applibs

NI LabVIEW 8.0 CINtools

NI LabVIEW 8.0 Device Detection and Deployment Support

NI LabVIEW 8.0 Examples

NI LabVIEW 8.0 gMath

NI LabVIEW 8.0 Help

NI LabVIEW 8.0 Help File

NI LabVIEW 8.0 iMath

NI LabVIEW 8.0 Instr.lib

NI LabVIEW 8.0 Manuals

NI LabVIEW 8.0 MeasAppChm File

NI LabVIEW 8.0 Menus

NI LabVIEW 8.0 Project

NI LabVIEW 8.0 Resource

NI LabVIEW 8.0 Simulation

NI LabVIEW 8.0 Templates

NI LabVIEW 8.0 User.lib

NI LabVIEW 8.0 VI.lib

NI LabVIEW 8.0 WWW

NI LabVIEW Broker

NI LabVIEW C Interface

NI LabVIEW Deployable License 8.0

NI LabVIEW MAX XML

NI LabVIEW Real-Time Error Dialog

NI LabVIEW Real-Time FIFO for Runtime

NI LabVIEW Run-Time Engine 7.0

NI LabVIEW Run-Time Engine 7.1.1

NI LabVIEW Run-Time Engine 8.0.1

NI LabVIEW Run-Time Engine 8.2.1

NI LabVIEW SignalExpress 2.0

NI LabVIEW SignalExpress 2.0 Licenses

NI LabWindows/CVI 7.0 Code Generator

NI LabWindows/CVI 8.1 Run-Time Engine

NI LabWindows/CVI Code Generator

NI Legacy DAQmxRF

NI License Manager

NI Logos 4.7

NI Logos LabVIEW 8.0 Support

NI LVBrokerAux 8.2.1

NI LVBrokerAux1071

NI LVBrokerAux70

NI LVBrokerAux71

NI LVBrokerAux8.0

NI Math Kernel Libraries

NI MAX LabVIEW Support

NI MDF Support

NI Measurement & Automation Explorer 4.2.1

NI Measurement Studio 8.1 Enterprise RunTime for VS2005

NI Measurement Studio Common .NET Language Assemblies for the .NET Framework 1.1

NI Measurement Studio Common .NET Language Assemblies for the .NET Framework 2.0

NI Measurement Studio Recipe Processor

NI Measurements eXtensions for PAL 1.6.0

NI MIO Device Drivers 1.12.0

NI MXS

NI OPC Support

NI Portable Configuration

NI PXI Platform Services for Windows 2.3.0

NI PXI Platform Services Provider for MAX 2.3.0

NI Registration Wizard

NI Remote Provider for MAX

NI Remote PXI Provider for MAX

NI SCXI 1.8.0

NI Service Locator

NI SignalExpress 2.0 Datatypes

NI SignalExpress 2.0 LabVIEW Support

NI SignalExpress 2.0 Tools

NI SignalExpress 2.0.0 Steps

NI Software Provider for MAX

NI Sound and Vibration Frequency Analysis 5.0

NI Spy 2.5.0

NI STC 1.2.0

NI TDMS

NI Timing Installer 1.9.0

NI Uninstaller

NI USI 1.2.0

NI Variable Engine

NI Variable Engine LabVIEW 8.0 Support

NI Variable Manager

NI VC2005MSMs x86

NI Web Pipeline

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

stunnel

Toolbox

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

VirtualCloneDrive

WebFldrs XP

Windows Defender Signatures

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool

Windows Internet Explorer 7

Windows XP Service Pack 3

WinRAR archiver

==== Event Viewer Messages From Past Week ========

1/14/2009 11:35:26 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

1/14/2009 11:33:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: olocxhrn PCIIde

1/13/2009 9:05:12 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

1/13/2009 4:32:20 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

1/14/2009 4:13:10 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

1/14/2009 4:13:10 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).

1/20/2009 10:58:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

1/20/2009 11:42:08 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.

1/14/2009 11:35:00 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

==== End Of File ===========================
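As an added example (not part of the original thread or of HijackThis), a small Python triage pass over event messages in the format of the "Event Viewer Messages From Past Week" section above: it parses each line and flags the three patterns that matter for a defender here, a boot-start driver with an unrecognised name, a Windows File Protection restore of a protected file, and a service that could not start because it is disabled. The sample lines are constructed copies of the events above, and the KNOWN_DRIVERS allowlist is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied in the format of the HijackThis
# "Event Viewer Messages From Past Week" section.
SAMPLE_EVENTS = """\
1/14/2009 11:35:26 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/14/2009 11:33:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: olocxhrn PCIIde
1/20/2009 10:58:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
1/14/2009 11:35:00 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
"""

# "M/D/YYYY H:MM:SS AM, level: source [id] - message"
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Assumption: a stock Windows XP driver that commonly shows up in a 7026
# event on hardware without the device. A real allowlist would be built
# from a known-good system image.
KNOWN_DRIVERS = {"pciide"}


@dataclass
class Finding:
    event_id: int
    reason: str
    line: str


def parse_event(line):
    """Return a dict of the event fields, or None if the line is not an event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    return fields


def triage_events(text):
    """Flag events that deserve a closer look; returns them in log order."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        eid, msg = ev["event_id"], ev["message"]
        if eid == 7026 and "failed to load:" in msg:
            # Any driver name not on the allowlist is worth checking on disk.
            names = msg.split("failed to load:", 1)[1].split()
            unknown = [n for n in names if n.lower() not in KNOWN_DRIVERS]
            if unknown:
                findings.append(Finding(eid, "unrecognised boot-start driver(s): " + ", ".join(unknown), line))
        elif eid == 64002:
            # WFP restored a protected file: something tried to replace it.
            target = re.search(r"protected system file (\S+)\.", msg)
            name = target.group(1) if target else "?"
            findings.append(Finding(eid, "replacement attempt on protected file " + name, line))
        elif eid == 10005 and "%1058" in msg:
            # Win32 error 1058: the service has been disabled.
            svc = re.search(r"start the service (\S+)", msg)
            name = svc.group(1) if svc else "?"
            findings.append(Finding(eid, "disabled service " + name + " (error 1058)", line))
    return findings


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}")
```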


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:51:48 AM, on 1/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\system32\lkcitdl.exe

F:\WINDOWS\system32\lkads.exe

F:\WINDOWS\system32\lktsrv.exe

F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

F:\Program Files\National Instruments\MAX\nimxs.exe

F:\WINDOWS\system32\nipalsm.exe

F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

F:\WINDOWS\system32\nisvcloc.exe

F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

F:\WINDOWS\system32\HPZipm12.exe

f:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

F:\Program Files\stunnel\stunnel.exe

F:\WINDOWS\system32\nipalsm.exe

F:\WINDOWS\system32\wscntfy.exe

F:\WINDOWS\system32\wuauclt.exe

F:\Program Files\Mozilla Firefox\firefox.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O4 - HKLM\..\Run: [niDevMon] F:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147969174935

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - F:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - F:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - F:\WINDOWS\system32\lktsrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - F:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - F:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - F:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - F:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - F:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - F:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: stunnel - Unknown owner - F:\Program Files\stunnel\stunnel.exe

--

End of file - 5413 bytes


One other thing, and hopefully it's not a sign of continued trouble. I enabled my virusscan enterprise on-access scanner prior to installing the windows update, which of course forced me to reboot. After the reboot, I got the security center bubble that my virusscan enterprise was turned off... does this mean that there are still remnants of the virus or was it just the program not saving the setting?

I will run MBAM and HJT again now to see if they find anything now that it is up to date.


  • Root Admin

The reason you got the error message on CF is that you have an old version. The program is updated quite often.

To uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox\LastRun if the uninstall instructions don't work.

Please download a NEW version and run it again. Then when it's done update MBAM and run it again.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT. Do a system scan and save a logfile.

Then post back NEW Combofix, MBAM and HJT logs in that order please.


ComboFix 09-01-19.05 - gyrotron 2009-01-20 16:03:50.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.483 [GMT -5:00]

Running from: f:\documents and settings\gyrotron\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

f:\windows\Tasks\yhhpujxz.job

.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))

.

2009-01-20 11:06 . 2009-01-20 11:06 <DIR> d-------- f:\program files\CCleaner

2009-01-16 11:35 . 2009-01-16 11:35 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware

2009-01-16 11:35 . 2009-01-16 11:35 <DIR> d-------- f:\documents and settings\gyrotron\Application Data\Malwarebytes

2009-01-16 11:35 . 2009-01-16 11:35 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-16 11:35 . 2009-01-14 16:11 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 11:35 . 2009-01-14 16:11 15,504 --a------ f:\windows\system32\drivers\mbam.sys

2009-01-16 10:47 . 2009-01-16 10:47 41,984 --a------ f:\windows\system32\chert5-998.exe

2009-01-15 17:07 . 2009-01-15 17:07 <DIR> d-------- f:\program files\Trend Micro

2009-01-15 16:12 . 2009-01-15 15:57 <DIR> d-------- f:\documents and settings\gyrotron\Application Data\HouseCall 6.6

2009-01-15 15:57 . 2009-01-15 16:03 <DIR> d-------- f:\documents and settings\gyrotron\.housecall6.6

2009-01-15 15:57 . 2009-01-15 15:57 102,664 --a------ f:\windows\system32\drivers\tmcomm.sys

2009-01-14 05:08 . 2009-01-14 05:08 24,064 --a------ f:\windows\system32\pcload.exe

2009-01-13 17:03 . 2009-01-16 14:06 <DIR> d-------- f:\documents and settings\All Users\Application Data\avg8

2009-01-13 16:37 . 2009-01-16 14:26 1,104 --a------ f:\windows\olocxhrn

2009-01-12 15:09 . 2006-06-03 21:29 48,640 --a------ f:\windows\system32\hpzll4pi.dll

2009-01-12 15:08 . 1998-10-29 16:45 306,688 --a------ f:\windows\IsUninst.exe

2009-01-12 15:08 . 2006-03-03 21:03 282,680 --a------ f:\windows\system32\HPZidr12.dll

2009-01-12 15:08 . 2006-03-03 21:02 204,800 --a------ f:\windows\system32\HPZipr12.dll

2009-01-12 15:08 . 2006-03-03 21:02 94,208 --a------ f:\windows\system32\HPZipt12.dll

2009-01-12 15:08 . 2006-03-03 21:03 69,632 --a------ f:\windows\system32\HPZipm12.exe

2009-01-12 15:08 . 2006-03-03 21:03 65,536 --a------ f:\windows\system32\HPZinw12.exe

2009-01-12 15:08 . 2006-03-03 21:02 57,344 --a------ f:\windows\system32\HPZisn12.dll

2009-01-12 15:04 . 2009-01-12 15:10 123,131 --a------ f:\windows\HPHins12.dat

2009-01-12 15:04 . 2006-05-16 15:25 77,824 --a------ f:\windows\system32\hpzids01.dll

2009-01-12 15:04 . 2006-07-17 14:39 14,916 --------- f:\windows\hphmdl12.dat

2009-01-12 14:40 . 2009-01-12 14:40 <DIR> d-------- f:\windows\Downloaded Installations

2009-01-12 14:40 . 2009-01-12 15:08 <DIR> d-------- f:\program files\HP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-14 16:37 --------- d--h--w f:\program files\InstallShield Installation Information

2009-01-14 16:37 --------- d-----w f:\program files\Common Files\InstallShield

2009-01-14 16:37 --------- d-----w f:\program files\Andor iStar

2008-12-11 10:57 333,952 ----a-w f:\windows\system32\drivers\srv.sys

2004-03-15 21:51 114,688 -c--a-w f:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 13:36 114,688 -c--a-w f:\program files\internet explorer\plugins\LV7ActiveXControl.dll

2006-01-23 14:32 131,072 -c--a-w f:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 14:48 133,920 ----a-w f:\program files\internet explorer\plugins\LV82ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"niDevMon"="f:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-02-24 92960]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

f:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"f:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nipbcfk;National Instruments Class Upper Filter Driver;f:\windows\system32\drivers\nipbcfk.sys [2007-02-15 15136]

R1 NaiAvTdi1;NaiAvTdi1;f:\windows\system32\drivers\mvstdi5x.sys [2006-05-18 58464]

R3 nidimk;nidimk;f:\windows\system32\drivers\nidimkl.sys [2007-02-21 11552]

R3 nimru2k;nimru2k;f:\windows\system32\drivers\nimru2kl.sys [2007-02-21 11552]

R3 nimstsk;nimstsk;f:\windows\system32\drivers\nimstskl.sys [2007-02-25 11552]

R4 ni488enumsvc;NI-488.2 Enumeration Service;f:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nidevldu;NI Device Loader;f:\windows\system32\nipalsm.exe [2007-02-16 12696]

R4 nipxirmk;nipxirmk;f:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]

R4 NiViPxiK;NI-VISA PXI Driver;f:\windows\system32\drivers\NiViPxiKl.sys [2007-02-23 11552]

S3 gpibprtk;gpibprtk;f:\windows\system32\drivers\gpibprtk.sys [2007-08-30 215840]

S3 lvalarmk;lvalarmk;f:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]

S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2009-01-16 38496]

S3 ni1006k;NI PXI-1006 Chassis Pilot;f:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]

S3 ni1045k;NI PXI-1045 Chassis Pilot;f:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]

S3 ni488lock;NI-488.2 Locking Service;f:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]

S3 nicdrk;nicdrk;f:\windows\system32\drivers\nicdrkl.sys [2007-02-22 11552]

S3 nidmxfk;nidmxfk;f:\windows\system32\drivers\nidmxfkl.sys [2007-02-25 11552]

S3 nidsark;nidsark;f:\windows\system32\drivers\nidsarkl.sys [2007-02-23 11552]

S3 niemrk;niemrk;f:\windows\system32\drivers\niemrkl.sys [2007-02-25 11552]

S3 niesrk;niesrk;f:\windows\system32\drivers\niesrkl.sys [2007-02-25 11552]

S3 nifslk;nifslk;f:\windows\system32\drivers\nifslkl.sys [2007-02-22 11552]

S3 nimsdrk;nimsdrk;f:\windows\system32\drivers\nimsdrkl.sys [2007-02-25 11552]

S3 nimslk;nimslk;f:\windows\system32\drivers\nimslk.dll [2006-12-18 14464]

S3 nimsrlk;nimsrlk;f:\windows\system32\drivers\nimsrlk.dll [2006-12-18 151683]

S3 nimxpk;nimxpk;f:\windows\system32\drivers\nimxpkl.sys [2007-02-22 11552]

S3 ninshsdk;ninshsdk;f:\windows\system32\drivers\ninshsdkl.sys [2007-02-23 11552]

S3 nipalfwedl;nipalfwedl;f:\windows\system32\drivers\nipalfwedl.sys [2007-02-15 11552]

S3 nipalusb;NI-PAL USB Driver;f:\windows\system32\drivers\nipalusb.sys [2007-02-15 10528]

S3 nipalusbedl;nipalusbedl;f:\windows\system32\drivers\nipalusbedl.sys [2007-02-15 11552]

S3 nipxigpk;NI PXI Generic Chassis Pilot;f:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]

S3 niscdk;niscdk;f:\windows\system32\drivers\niscdkl.sys [2007-02-26 11552]

S3 nisdigk;nisdigk;f:\windows\system32\drivers\nisdigkl.sys [2007-02-25 11552]

S3 nisftk;nisftk;f:\windows\system32\drivers\nisftkl.sys [2007-02-23 11552]

S3 nismbusk;nismbusk;f:\windows\system32\drivers\nismbusk.sys [2007-02-22 86304]

S3 nispdk;nispdk;f:\windows\system32\drivers\nispdkl.sys [2007-02-26 11552]

S3 nissrk;nissrk;f:\windows\system32\drivers\nissrkl.sys [2007-02-25 11552]

S3 nistc2k;nistc2k;f:\windows\system32\drivers\nistc2kl.sys [2007-02-22 11552]

S3 nistcrk;nistcrk;f:\windows\system32\drivers\nistcrkl.sys [2007-02-23 11552]

S3 niswdk;niswdk;f:\windows\system32\drivers\niswdkl.sys [2007-02-23 11552]

S3 nitiork;nitiork;f:\windows\system32\drivers\nitiorkl.sys [2007-02-23 11552]

S3 NiViFWK;NI-VISA FireWire Driver;f:\windows\system32\drivers\NiViFWKl.sys [2007-02-22 11552]

S3 NiViPciK;NI-VISA PCI Driver;f:\windows\system32\drivers\NiViPciKl.sys [2007-02-23 11552]

S3 niwfrk;niwfrk;f:\windows\system32\drivers\niwfrkl.sys [2007-02-25 11552]

S3 nixsrk;nixsrk;f:\windows\system32\drivers\nixsrkl.sys [2007-02-25 11552]

S3 usb6xxxk;usb6xxxk;f:\windows\system32\drivers\usb6xxxk.sys [2007-02-25 27936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://web.mit.edu/

IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://f:\windows\Java\classes\xmldso.cab

FF - ProfilePath - f:\documents and settings\gyrotron\Application Data\Mozilla\Firefox\Profiles\wawlxq1h.default\

FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll

FF - plugin: f:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 16:06:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

f:\windows\system32\lkads.exe

f:\windows\system32\lktsrv.exe

f:\program files\Network Associates\Common Framework\FrameworkService.exe

f:\program files\Network Associates\VirusScan\vstskmgr.exe

f:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

f:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

f:\program files\National Instruments\MAX\nimxs.exe

f:\program files\National Instruments\Shared\Security\nidmsrv.exe

f:\windows\system32\nisvcloc.exe

f:\program files\National Instruments\Shared\Tagger\tagsrv.exe

f:\windows\system32\HPZipm12.exe

f:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

f:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

f:\program files\stunnel\stunnel.exe

f:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-01-20 16:08:20 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-20 21:08:17

ComboFix2.txt 2009-01-20 16:29:32

Pre-Run: 218,573,463,552 bytes free

Post-Run: 218,585,108,480 bytes free

166 --- E O F --- 2009-01-20 16:58:08
