Virtumonde Strikes Back
Bluefoot
2008-06-25, 07:59
Well here is the story thus far... After Virtumonde had attacked my system until it was too far gone I decided to reformat. Yet after I finally had my setup dialed in... BLAM! Virtumonde was back to its same old nasties.
This time it made its way around Kaspersky, as I have given up on Norton. Next, Kaspersky and Spybot tried to stop Virtumonde, to futile ends.
Around this time I had to restore my system due to a poor application installation.
Next I tried updating Kaspersky and let it have another go at eliminating the virus. It reported having gotten the virus, yet the browser was still acting weird and Kaspersky reported that explorer.exe had been changed. (?)
After the restore Spybot was no longer installed, so rather than reinstall it immediately I downloaded HJT and ran the Kaspersky Online Scanner (while my browser was still functioning).
Both the Online scanner and the trial version of Kaspersky Internet Security found no threats.
Next I made a HJT log.
Then I installed Spybot and it found this...
Virtumonde
1. (SBI $42352499) User settings
   HKEY_USERS\S-1-5-21-507921405-57989841-725345543-1003\Software\Microsoft\rdfa
2. (SBI $47E741CD) Settings
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
Virtumonde.dll
1. (SBI $7C99AA97) Library
   File: C:\WINDOWS\system32\cbYPlaYr.dll
2. (SBI $B1464014) Browser helper object
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object\{642D4273-6066-428F-85D2-A17CA5DAE356}
3. (SBI $B1464014) Class ID
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{642D4273-6066-428F-85D2-A17CA5DAE356}
Strangely, immediately after running the Spybot search I ran another Kaspersky scan, which found positive virus results (unfortunately I couldn't get my browser to work again for the online scan). The Kaspersky scan found this...
detected: Trojan program Trojan.Win32.Monder.zq
File: C:\WINDOWS\system32\aysabacu.dll
File: C:\WINDOWS\system32\onamxjjq.dll
File: C:\System Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0085170.dll
File: C:\System Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0086620.dll
File: C:\System Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0087441.dll
File: C:\System Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0087444.dll
File: C:\System Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0088601.dll
File: C:\Documents and Settings\Dragonflower\Local Settings\Temporary Internet Files\Content.IE5\03YVIL2X\KB456456[1]
Oddly, neither Spybot's 5 infected discoveries nor Kaspersky's 8 infected discoveries had any files in common. (?)
So I decided to run HJT again, just to be sure. Here is the second HJT log followed by the first.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:17 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\frxhser.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\desk95.exe
C:\WINDOWS\system32\viewport.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213935383911
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 9095 bytes
Here is the first HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:54 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\frxhser.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\desk95.exe
C:\WINDOWS\system32\viewport.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
O4 - HKLM\..\Run: [BMa36de307] Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213935383911
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 8564 bytes
The 2 logs apparently are different, as they have a differing number of bytes posted at the end of the logs. Perhaps this is due to the belated Spybot installation. (?)
Please help me if you can.
P.S. I had a botched-up posting process for my previous infection before reformatting. I apologise for my earlier forum inadequacies, which you may find at this link here: http://forums.spybot.info/showthread.php?=29292
Hello Bluefoot
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Open HijackThis > Do a System Scan Only, then close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll
O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
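As an added illustration (not part of the thread and not code from Spybot, HijackThis or Malwarebytes), here is a small triage pass over HijackThis-style lines that encodes the reasoning behind the Fix Checked list above: unnamed or orphaned BHOs loading from system32, Run entries that start a system32 DLL through rundll32 with a one-letter export (or have no value name at all), and Winlogon Notify packages outside the stock set. The sample lines are constructed from entries in this thread plus benign ones, and the allowlist of stock Windows XP notify DLLs is an assumption of this example.

```python
import re

# Constructed sample modelled on the HJT entries in this thread: the five
# entries the helper asked to be fixed, plus benign lines (Spybot, Java,
# Kaspersky, ctfmon, and a constructed stock scecli notify entry) that a
# triage pass must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
O20 - Winlogon Notify: scecli - C:\WINDOWS\system32\scecli.dll
"""

# A file referenced directly under \WINDOWS\system32 (case-insensitive).
SYSTEM32 = re.compile(r'\\windows\\system32\\([^\\"\s,]+)', re.IGNORECASE)
# rundll32 [path.dll],export  -- the Vundo pattern in this thread uses a one-letter export.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# HKLM/HKCU Run or RunOnce value; the first non-space char tells us if a [value name] is present.
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: (\S)")
# Assumption for this example: stock Windows XP Winlogon notification DLLs.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}


def system32_dll(text):
    """Return the DLL file name if the entry references a DLL under \\WINDOWS\\system32, else None."""
    m = SYSTEM32.search(text)
    if m and m.group(1).lower().endswith(".dll"):
        return m.group(1)
    return None


def triage_entry(entry):
    """Return the reasons one HijackThis entry deserves a look (empty list for benign ones)."""
    reasons = []
    kind, _, rest = entry.partition(" - ")
    if kind == "O2":
        dll = system32_dll(rest)
        if "(no name)" in rest and dll:
            reasons.append(f"unnamed BHO loading {dll} from system32")
        if "(file missing)" in rest:
            reasons.append("orphaned BHO registration (file missing)")
    elif kind == "O4":
        m = RUNDLL_RE.search(rest)
        if m and SYSTEM32.search(m.group(1)) and len(m.group(2)) == 1:
            name = m.group(1).rsplit("\\", 1)[-1]
            reasons.append(f"rundll32 launches {name} via one-letter export '{m.group(2)}'")
        r = RUN_RE.match(rest)
        if r and r.group(1) != "[":
            reasons.append("Run value with no value name")
    elif kind == "O20" and rest.startswith("Winlogon Notify:"):
        dll = system32_dll(rest)
        if dll and dll.lower() not in STOCK_NOTIFY_DLLS:
            reasons.append(f"Winlogon Notify package {dll} outside the stock set")
    return reasons


def triage(log_text):
    """Run triage_entry over every non-empty line; return [(entry, reasons)] for flagged entries only."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_entry(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run against a full HJT log the script lists exactly the five entries from the Fix Checked list and none of the Spybot, Java, Kaspersky or ctfmon lines.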
Bluefoot
2008-06-27, 07:13
Hi Ken,
Thanks for the instructions.
Here is the Malwarebytes log, followed by the newest HJT log.
Malwarebytes' Anti-Malware 1.18
Database version: 894
8:59:26 PM 6/26/2008
mbam-log-6-26-2008 (20-59-26).txt
Scan type: Quick Scan
Objects scanned: 42633
Time elapsed: 4 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\aysabacu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\cbXPIaYr.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ynehmprg.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\urqPhiIY.dll (Trojan.FakeAlert) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d8d6863-a626-44aa-8c18-47edc3d7c112} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d8d6863-a626-44aa-8c18-47edc3d7c112} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqphiiy (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxpiayr -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxpiayr -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\aysabacu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ucabasya.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXPIaYr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rYaIPXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rYaIPXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onamxjjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qjjxmano.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ynehmprg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\grpmheny.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPhiIY.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\geBqOiFw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnllJaY.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dragonflower\Local Settings\Temporary Internet Files\Content.IE5\6DQVY1EN\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:35 PM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\frxhser.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\desk95.exe
C:\WINDOWS\system32\viewport.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213935383911
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 8810 bytes
Am I clear? :fear:
Good Morning,
You had quite a bit of nasty stuff on this system. Your HJT log is clean, but let's make sure we got it all.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Bluefoot
2008-06-27, 19:25
And good morning to you!
Here are the requested logs:
ComboFix 08-06-20.4 - Dragonflower 2008-06-27 8:38:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT -7:00]
Running from: C:\Documents and Settings\Dragonflower\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMa36de307.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AJTwHRqr.ini2
C:\WINDOWS\system32\cbXPIaYr.dll
C:\WINDOWS\system32\ewmkouea.ini
C:\WINDOWS\system32\IlnXIkkj.ini
C:\WINDOWS\system32\IlnXIkkj.ini2
C:\WINDOWS\system32\lvrbkruk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pdfblsbe.ini
C:\WINDOWS\system32\pjtpugvp.ini
C:\WINDOWS\system32\rYaIPXbc.ini
C:\WINDOWS\system32\rYaIPXbc.ini2
C:\WINDOWS\system32\urqPhiIY.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.
2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Malwarebytes
2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 19:35 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 19:35 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 15:48 . 2008-06-26 21:20 106,496 --a------ C:\WINDOWS\system32\chosmxpc.dll
2008-06-26 15:47 . 2008-06-26 21:16 91,648 --a------ C:\WINDOWS\system32\coqvkkpf.dll
2008-06-26 15:47 . 2008-06-26 20:59 80,896 --------- C:\WINDOWS\system32\ynehmprg.dll
2008-06-26 15:47 . 2008-06-26 15:47 48 --a------ C:\WINDOWS\wininit.ini
2008-06-26 15:31 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat
2008-06-26 15:31 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat
2008-06-25 23:31 . 2008-06-25 23:31 91,136 --a------ C:\WINDOWS\system32\paqmaief.dll
2008-06-25 20:24 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat.temp
2008-06-25 20:24 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 08:51 . 2008-06-24 08:51 <DIR> d-------- C:\WINDOWS\Sun
2008-06-23 23:53 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-23 23:47 . 2008-06-26 20:59 81,408 --------- C:\WINDOWS\system32\aysabacu.dll
2008-06-23 23:24 . 2008-06-23 23:24 91,136 --a------ C:\WINDOWS\system32\nerilaky.dll
2008-06-23 21:31 . 2008-06-23 21:31 1,727,736 --ahs---- C:\WINDOWS\system32\ivjcfwjm.tmp
2008-06-23 17:14 . 2008-06-24 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-23 17:14 . 2008-06-26 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 15:58 . 2008-06-23 15:58 <DIR> d-------- C:\Program Files\Common Files\HP
2008-06-23 15:39 . 2008-06-23 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-06-23 15:27 . 2008-06-23 15:27 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-23 15:14 . 2008-06-23 22:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-06-23 13:11 . 2008-06-23 23:00 <DIR> d-------- C:\Program Files\HP
2008-06-22 22:00 . 2008-06-22 22:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Ahead
2008-06-22 21:53 . 2008-06-22 21:53 <DIR> d-------- C:\Program Files\Nero
2008-06-22 21:53 . 2008-06-25 16:38 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-22 10:00 . 2008-06-22 10:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Apple Computer
2008-06-22 09:59 . 2008-06-23 23:01 <DIR> d-------- C:\Program Files\iTunes
2008-06-22 09:59 . 2008-06-22 09:59 <DIR> d-------- C:\Program Files\iPod
2008-06-22 09:58 . 2008-06-22 09:58 <DIR> d-------- C:\Program Files\Bonjour
2008-06-22 09:55 . 2008-06-22 09:57 <DIR> d-------- C:\Program Files\QuickTime
2008-06-22 09:55 . 2008-06-22 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-22 09:43 . 2008-06-26 17:38 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-06-22 09:43 . 2008-06-22 09:43 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Thunderbird
2008-06-21 21:54 . 2008-06-21 21:54 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-21 21:48 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-20 22:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-20 22:26 . 2008-06-20 22:29 <DIR> d-------- C:\Program Files\Java
2008-06-20 22:25 . 2008-06-20 22:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-20 20:26 . 2008-06-20 20:26 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-06-20 20:25 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-06-20 20:25 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-06-20 20:25 . 2003-12-04 11:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-06-20 17:46 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-20 17:46 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-20 17:46 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-20 17:46 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-20 17:46 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-20 17:46 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-20 17:46 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-20 09:47 . 2004-08-16 17:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-06-20 09:22 . 2008-06-20 09:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Stardock
2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-06-19 23:15 . 2008-06-19 23:22 32,256 --a------ C:\Documents and Settings\Dragonflower\winmsd.exe
2008-06-19 22:48 . 2008-06-19 22:48 <DIR> d-------- C:\Program Files\Analog Devices
2008-06-19 22:48 . 2001-09-11 18:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-06-19 22:40 . 2008-06-20 13:38 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-19 22:22 . 2008-06-19 22:22 <DIR> d-------- C:\Program Files\MediaMonkey
2008-06-19 22:16 . 2008-06-19 22:16 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-06-19 22:16 . 2004-07-14 09:57 2,760,704 --a------ C:\WINDOWS\system32\WacomTablet.cpl
2008-06-19 22:16 . 2004-07-13 14:51 679,936 --a------ C:\WINDOWS\system32\Tablet.exe
2008-06-19 22:16 . 2004-07-13 14:50 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-06-19 22:16 . 2004-07-13 14:40 44,544 --a------ C:\WINDOWS\system32\TabHook.dll
2008-06-19 22:16 . 1999-05-07 09:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
2008-06-19 22:16 . 2001-04-09 13:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
2008-06-19 22:04 . 2008-06-19 22:07 <DIR> d-------- C:\Program Files\Azureus
2008-06-19 21:49 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-19 21:49 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-06-19 21:21 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-19 21:18 . 2008-06-19 21:18 <DIR> d-------- C:\kav
2008-06-19 21:16 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-19 21:09 . 2007-05-14 22:03 445,696 -ra------ C:\WINDOWS\system32\drivers\rt73.sys
2008-06-19 21:08 . 2008-06-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-06-17 17:00 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-06-17 16:58 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Macromedia
2008-06-17 16:46 . 2008-06-21 21:39 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-17 16:44 . 2008-06-17 16:44 <DIR> dr-h----- C:\MSOCache
2008-06-17 15:59 . 2008-06-19 20:36 <DIR> d-------- C:\Program Files\Analog Devices(2)
2008-06-17 15:12 . 2008-06-26 17:29 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\U3
2008-06-17 09:04 . 2008-06-21 15:40 <DIR> d-------- C:\WINDOWS\system32\images
2008-06-17 09:03 . 2008-06-17 09:03 <DIR> d-------- C:\Program Files\ATI FGL
2008-06-17 08:59 . 2008-06-17 08:59 <DIR> d-------- C:\Program Files\Intel
2008-06-17 08:11 . 2008-06-17 13:05 <DIR> d-------- C:\swsetup
2008-06-17 08:11 . 2008-06-17 08:11 <DIR> d-------- C:\Compaq
2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.l0
2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.ko
2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ja
2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.j0
2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ip
2008-06-16 21:46 . 2008-06-20 22:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.n0
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mp
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.me
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mc
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lv
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lt
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.l0
2008-06-16 21:38 . 2008-06-16 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-16 21:34 . 2008-06-20 09:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-16 21:30 . 2008-06-20 15:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 17:34 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-16 17:34 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-16 16:59 . 2008-06-16 16:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-16 16:18 . 2004-08-03 18:07 381,425 -----c--- C:\WINDOWS\system32\dllcache\copycd.wmv
2008-06-16 16:18 . 2004-08-03 18:07 9,585 -----c--- C:\WINDOWS\system32\dllcache\controls.css
2008-06-16 16:18 . 2004-08-03 18:07 8,298 -----c--- C:\WINDOWS\system32\dllcache\contents.htm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 04:32 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-15 06:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34 69632]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"frxmxins"="frxmxins" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"HydraVisionDesktopManager"="desk95.exe" [2003-03-21 11:25 507904 C:\WINDOWS\system32\Desk95.exe]
"HydraVisionViewport"="viewport.exe" [2002-10-30 14:20 503808 C:\WINDOWS\system32\ViewPort.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
C:\Documents and Settings\Dragonflower\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-06-19 23:18:58 3581680]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-06-20 10:09:58 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-06-19 22:16:43 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R2 FGLRXUtil;FGLRXUTIL;C:\WINDOWS\system32\frxhser.exe [2003-05-07 18:46]
R3 atifglrx;atifglrx;C:\WINDOWS\system32\DRIVERS\fglrxm.sys [2003-05-07 18:46]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bbdbe9-4203-11dd-8a48-00d041ac5a86}]
\Shell\AutoRun\command - H:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 04:02:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 08:44:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-27 8:52:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 15:52:11
Pre-Run: 19,138,043,904 bytes free
Post-Run: 19,066,040,320 bytes free
239 --- E O F --- 2008-06-21 02:01:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:45 AM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\frxhser.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\desk95.exe
C:\WINDOWS\system32\viewport.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213935383911
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 8551 bytes
Thanks again
What's next, boss? :snorkle:
No, I am not the boss, my wife is the boss :lip:
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\coqvkkpf.dll
C:\WINDOWS\system32\ynehmprg.dll
C:\WINDOWS\system32\aysabacu.dll
C:\WINDOWS\system32\nerilaky.dll
C:\WINDOWS\system32\ivjcfwjm.tmp
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
The rest of your log looks fine :bigthumb: How is your system running now??
Bluefoot
2008-06-27, 23:07
Hi Ken :santa:
Well, the system seems to be working, but I'm not really sure :scratch:
Kaspersky reported A0089722.dll as being infected between the last postings.
Also, OTMoveIt reported ynehmprg.dll & aysabacu as not being proper files (or some such statement).
Then, upon restart after posting the following log, OTMoveIt was forced to quit and I "sent error report" to MS.
Here's the OTMoveIt log:
LoadLibrary failed for C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\chosmxpc.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\coqvkkpf.dll
C:\WINDOWS\system32\coqvkkpf.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\coqvkkpf.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\ynehmprg.dll
C:\WINDOWS\system32\ynehmprg.dll NOT unregistered.
C:\WINDOWS\system32\ynehmprg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\aysabacu.dll
C:\WINDOWS\system32\aysabacu.dll NOT unregistered.
C:\WINDOWS\system32\aysabacu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nerilaky.dll
C:\WINDOWS\system32\nerilaky.dll NOT unregistered.
C:\WINDOWS\system32\nerilaky.dll moved successfully.
C:\WINDOWS\system32\ivjcfwjm.tmp moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06272008_124340
Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
It sure is a mean little virus :devilpoin:
___________________________:clown:
p.s. do you want another HJT log?
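The OTMoveIt2 results log above uses three outcome lines per file ("moved successfully", "scheduled to be moved on reboot", "NOT unregistered") plus a "Files moved on Reboot..." section. As an added example that is not part of this thread, here is a small Python parser that maps each requested path to its final outcome so the files whose removal the log never confirms stand out; the sample log and the requested-file list are copied from the posts above, and the outcome labels are my own.

```python
import re

# Files the helper asked OTMoveIt2 to move (list taken from the post above).
REQUESTED = [
    r"C:\WINDOWS\system32\chosmxpc.dll",
    r"C:\WINDOWS\system32\coqvkkpf.dll",
    r"C:\WINDOWS\system32\ynehmprg.dll",
    r"C:\WINDOWS\system32\aysabacu.dll",
    r"C:\WINDOWS\system32\nerilaky.dll",
    r"C:\WINDOWS\system32\ivjcfwjm.tmp",
]

# The OTMoveIt2 results log exactly as pasted in the post (sample input).
SAMPLE_LOG = r"""
LoadLibrary failed for C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\chosmxpc.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\coqvkkpf.dll
C:\WINDOWS\system32\coqvkkpf.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\coqvkkpf.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\ynehmprg.dll
C:\WINDOWS\system32\ynehmprg.dll NOT unregistered.
C:\WINDOWS\system32\ynehmprg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\aysabacu.dll
C:\WINDOWS\system32\aysabacu.dll NOT unregistered.
C:\WINDOWS\system32\aysabacu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nerilaky.dll
C:\WINDOWS\system32\nerilaky.dll NOT unregistered.
C:\WINDOWS\system32\nerilaky.dll moved successfully.
C:\WINDOWS\system32\ivjcfwjm.tmp moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06272008_124340
Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
SCHEDULED_RE = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
NOT_UNREG_RE = re.compile(r"^(?P<path>.+?) NOT unregistered\.$")
REBOOT_HEADER = "Files moved on Reboot"


def parse_otmoveit_log(log_text, requested):
    """Map each requested path (compared case-insensitively) to its outcome.

    Outcomes: 'moved', 'moved on reboot', 'scheduled for reboot (unconfirmed)'
    or 'not mentioned'. The second return value is the set of paths the tool
    could not unregister; that is informational only, since a DLL that will
    not load or has no DllUnregisterServer export still gets moved.
    """
    outcome = {p.lower(): "not mentioned" for p in requested}
    not_unregistered = set()
    in_reboot_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(REBOOT_HEADER):
            in_reboot_section = True
            continue
        m = MOVED_RE.match(line)
        if m:
            key = m.group("path").lower()
            if key in outcome:
                outcome[key] = "moved on reboot" if in_reboot_section else "moved"
            continue
        m = SCHEDULED_RE.match(line)
        if m:
            key = m.group("path").lower()
            # A later "moved successfully" line overrides this; never the reverse.
            if key in outcome and outcome[key] == "not mentioned":
                outcome[key] = "scheduled for reboot (unconfirmed)"
            continue
        m = NOT_UNREG_RE.match(line)
        if m:
            not_unregistered.add(m.group("path").lower())
    return outcome, not_unregistered


def needs_followup(outcome):
    """Paths whose removal the log does not confirm; verify those another way."""
    return sorted(p for p, s in outcome.items() if s not in ("moved", "moved on reboot"))


if __name__ == "__main__":
    result, unreg = parse_otmoveit_log(SAMPLE_LOG, REQUESTED)
    for path, status in result.items():
        flag = " (not unregistered)" if path in unreg else ""
        print(f"{status:36} {path}{flag}")
    print("verify by other means:", needs_followup(result))
```

On this log the two DLLs that were only "scheduled" for a reboot move are never confirmed, because OTMoveIt crashed on restart; the later Kaspersky scan finding them under C:\_OTMoveIt\MovedFiles is what actually settles it.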
What I would like you to do is run ComboFix again and post the log.
Bluefoot
2008-06-28, 04:05
Here it is:
ComboFix 08-06-20.4 - Dragonflower 2008-06-27 17:38:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -7:00]
Running from: C:\Documents and Settings\Dragonflower\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\msssc.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.
2008-06-27 13:47 . 2008-06-27 13:47 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-27 12:43 . 2008-06-27 12:43 <DIR> d-------- C:\_OTMoveIt
2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Malwarebytes
2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 19:35 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 19:35 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 15:47 . 2008-06-26 15:47 48 --a------ C:\WINDOWS\wininit.ini
2008-06-26 15:31 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat
2008-06-26 15:31 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat
2008-06-25 23:31 . 2008-06-25 23:31 91,136 --a------ C:\WINDOWS\system32\paqmaief.dll
2008-06-25 20:24 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat.temp
2008-06-25 20:24 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 08:51 . 2008-06-24 08:51 <DIR> d-------- C:\WINDOWS\Sun
2008-06-23 23:53 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-23 17:14 . 2008-06-24 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-23 17:14 . 2008-06-26 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 15:58 . 2008-06-23 15:58 <DIR> d-------- C:\Program Files\Common Files\HP
2008-06-23 15:39 . 2008-06-23 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-06-23 15:27 . 2008-06-23 15:27 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-23 15:14 . 2008-06-23 22:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-06-23 13:11 . 2008-06-23 23:00 <DIR> d-------- C:\Program Files\HP
2008-06-22 22:00 . 2008-06-22 22:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Ahead
2008-06-22 21:53 . 2008-06-22 21:53 <DIR> d-------- C:\Program Files\Nero
2008-06-22 21:53 . 2008-06-25 16:38 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-22 10:00 . 2008-06-22 10:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Apple Computer
2008-06-22 09:59 . 2008-06-23 23:01 <DIR> d-------- C:\Program Files\iTunes
2008-06-22 09:59 . 2008-06-22 09:59 <DIR> d-------- C:\Program Files\iPod
2008-06-22 09:58 . 2008-06-22 09:58 <DIR> d-------- C:\Program Files\Bonjour
2008-06-22 09:55 . 2008-06-22 09:57 <DIR> d-------- C:\Program Files\QuickTime
2008-06-22 09:55 . 2008-06-22 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-22 09:43 . 2008-06-26 17:38 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-06-22 09:43 . 2008-06-22 09:43 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Thunderbird
2008-06-21 21:54 . 2008-06-21 21:54 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-21 21:48 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-20 22:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-20 22:26 . 2008-06-20 22:29 <DIR> d-------- C:\Program Files\Java
2008-06-20 22:25 . 2008-06-20 22:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-20 20:26 . 2008-06-20 20:26 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-06-20 20:25 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-06-20 20:25 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-06-20 20:25 . 2003-12-04 11:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-06-20 17:46 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-20 17:46 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-20 17:46 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-20 17:46 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-20 17:46 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-20 17:46 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-20 17:46 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-20 09:47 . 2004-08-16 17:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-06-20 09:22 . 2008-06-20 09:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Stardock
2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-06-19 23:15 . 2008-06-19 23:22 32,256 --a------ C:\Documents and Settings\Dragonflower\winmsd.exe
2008-06-19 22:48 . 2008-06-19 22:48 <DIR> d-------- C:\Program Files\Analog Devices
2008-06-19 22:48 . 2001-09-11 18:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-06-19 22:40 . 2008-06-20 13:38 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-19 22:22 . 2008-06-19 22:22 <DIR> d-------- C:\Program Files\MediaMonkey
2008-06-19 22:16 . 2008-06-19 22:16 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-06-19 22:16 . 2004-07-14 09:57 2,760,704 --a------ C:\WINDOWS\system32\WacomTablet.cpl
2008-06-19 22:16 . 2004-07-13 14:51 679,936 --a------ C:\WINDOWS\system32\Tablet.exe
2008-06-19 22:16 . 2004-07-13 14:50 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-06-19 22:16 . 2004-07-13 14:40 44,544 --a------ C:\WINDOWS\system32\TabHook.dll
2008-06-19 22:16 . 1999-05-07 09:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
2008-06-19 22:16 . 2001-04-09 13:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
2008-06-19 22:04 . 2008-06-19 22:07 <DIR> d-------- C:\Program Files\Azureus
2008-06-19 21:49 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-19 21:49 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-06-19 21:21 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-19 21:18 . 2008-06-19 21:18 <DIR> d-------- C:\kav
2008-06-19 21:16 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-19 21:09 . 2007-05-14 22:03 445,696 -ra------ C:\WINDOWS\system32\drivers\rt73.sys
2008-06-19 21:08 . 2008-06-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-06-17 17:00 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-06-17 16:58 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Macromedia
2008-06-17 16:46 . 2008-06-21 21:39 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-17 16:44 . 2008-06-17 16:44 <DIR> dr-h----- C:\MSOCache
2008-06-17 15:59 . 2008-06-19 20:36 <DIR> d-------- C:\Program Files\Analog Devices(2)
2008-06-17 15:12 . 2008-06-26 17:29 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\U3
2008-06-17 09:04 . 2008-06-21 15:40 <DIR> d-------- C:\WINDOWS\system32\images
2008-06-17 09:03 . 2008-06-17 09:03 <DIR> d-------- C:\Program Files\ATI FGL
2008-06-17 08:59 . 2008-06-17 08:59 <DIR> d-------- C:\Program Files\Intel
2008-06-17 08:11 . 2008-06-17 13:05 <DIR> d-------- C:\swsetup
2008-06-17 08:11 . 2008-06-17 08:11 <DIR> d-------- C:\Compaq
2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.l0
2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.ko
2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ja
2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.j0
2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ip
2008-06-16 21:46 . 2008-06-20 22:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.n0
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mp
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.me
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mc
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lv
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lt
2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.l0
2008-06-16 21:38 . 2008-06-16 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-16 21:34 . 2008-06-20 09:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-16 21:30 . 2008-06-20 15:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 17:34 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-16 17:34 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-16 16:59 . 2008-06-16 16:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-16 16:18 . 2004-08-03 18:07 381,425 -----c--- C:\WINDOWS\system32\dllcache\copycd.wmv
2008-06-16 16:18 . 2004-08-03 18:07 9,585 -----c--- C:\WINDOWS\system32\dllcache\controls.css
2008-06-16 16:18 . 2004-08-03 18:07 8,298 -----c--- C:\WINDOWS\system32\dllcache\contents.htm
2008-06-16 16:18 . 2004-08-03 18:07 6,878 -----c--- C:\WINDOWS\system32\dllcache\controls.js
2008-06-16 16:18 . 2004-08-03 18:07 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-06-16 16:18 . 2004-08-03 18:07 773 -----c--- C:\WINDOWS\system32\dllcache\cnth.gif
2008-06-16 16:18 . 2004-08-03 18:07 773 -----c--- C:\WINDOWS\system32\dllcache\cnt.gif
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 04:32 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-15 06:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:11 99,840 ----a-w C:\WINDOWS\system32\advpack(3).dll
2008-04-14 00:11 99,840 ----a-w C:\WINDOWS\system32\advpack(2).dll
2008-04-14 00:11 516,768 ----a-w C:\WINDOWS\system32\ativvaxx(2)(2).dll
2008-04-14 00:11 229,376 ----a-w C:\WINDOWS\system32\ati2cqag(2)(2).dll
2008-04-14 00:11 201,728 ----a-w C:\WINDOWS\system32\ati2dvag(2)(2).dll
2008-04-14 00:11 1,888,992 ----a-w C:\WINDOWS\system32\ati3duag(2)(2).dll
.
((((((((((((((((((((((((((((( snapshot@2008-06-27_ 8.50.12.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-27 15:43:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 19:46:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-11 08:45:04 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-28 00:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-11 08:45:06 2,362,104 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-12-07 06:40:49 2,362,184 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2008-06-27 15:42:38 18,018,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
+ 2008-06-27 19:45:44 18,018,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
- 2008-06-27 15:42:38 1,707,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
+ 2008-06-27 19:45:44 1,707,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
- 2004-08-11 08:45:04 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-28 00:40:06 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2004-08-11 08:45:06 2,362,104 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-12-07 06:40:49 2,362,184 ----a-w C:\WINDOWS\system32\wmvcore.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34 69632]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"frxmxins"="frxmxins" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"HydraVisionDesktopManager"="desk95.exe" [2003-03-21 11:25 507904 C:\WINDOWS\system32\Desk95.exe]
"HydraVisionViewport"="viewport.exe" [2002-10-30 14:20 503808 C:\WINDOWS\system32\ViewPort.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
C:\Documents and Settings\Dragonflower\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-06-19 23:18:58 3581680]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-06-20 10:09:58 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-06-19 22:16:43 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R2 FGLRXUtil;FGLRXUTIL;C:\WINDOWS\system32\frxhser.exe [2003-05-07 18:46]
R3 atifglrx;atifglrx;C:\WINDOWS\system32\DRIVERS\fglrxm.sys [2003-05-07 18:46]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bbdbe9-4203-11dd-8a48-00d041ac5a86}]
\Shell\AutoRun\command - H:\LaunchU3.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 04:02:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 17:47:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-27 17:51:17
ComboFix-quarantined-files.txt 2008-06-28 00:51:09
ComboFix2.txt 2008-06-27 15:52:32
Pre-Run: 19,058,700,288 bytes free
Post-Run: 19,042,156,544 bytes free
234 --- E O F --- 2008-06-27 20:48:14
:popcorn:
You're fine, OTMoveIt got rid of those files :bigthumb:
How are things running now ?
Bluefoot
2008-06-28, 07:20
Things are running... but then again I haven't tried to do much at all. (I'm still kinda afraid to)
Kaspersky found two infected DLLs in a "critical areas" scan:
paqmaief.dll & A0089722.dll
Yet the second of the two was not included in the scan log, though it did inform me of its presence while the scan was running
(good thing I wrote it down :euro: )
:spider: What can I do next?
Thanks Ken
Hello,
Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
Bluefoot
2008-06-28, 21:56
Hi Ken
I am again unable to get online to run the Kaspersky scan.
My computer shows that it is connected yet browser and email are unable to find the server. :spider:
On top of that when I tried to open the browser the window resized itself (possibly hijacked?)
Also, to answer your question as to how my system is running, it won't allow me to access my USB flash drive :mad: I haven't been able to install my printer software since this all started, and I suspect the USB flash won't work because it tries to automatically install its SanDisk U3 program when it's plugged in. Previous to our virus purge a window popped up during installation attempts reporting a problem with the infected file aysanacu.dll
So here I am :coffee:
Any ideas?
Do you have your Windows CD? If not, look on your C:\ drive for a folder named I386; if it's present you may not need the disk.
Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have an I386 folder on your C:\ drive you may not need the disk.
Click Start>Run
Type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things.
You won't see this do anything, it will just close when done. Then reboot and see if things are better. If not, post one last HJT log and let's make sure we have not missed anything.
Bluefoot
2008-06-29, 04:06
The sfc /scannow fixed my USB flash problem, but I still have a connection that can't find the server.
So instead of the online scan, here are the results from a Kaspersky rootkit scan as well as another HJT log.
The first two listed files were reported by Kaspersky prior to the scan but did not turn up in the rootkit scan itself. (?)
Kaspersky
detected: Trojan program Trojan.Win32.Monder.wf
File: C:\System Volume Information\_restore{1A4B95E1-45F6-4231-AB92-0C9C641BB653}\RP61\A0089722.dll
detected: virus EICAR-Test-File
File: C:\DOCUME~1\DRAGON~1\LOCALS~1\Temp\Av-test.txt
detected: Trojan program Trojan.Win32.Monderc.gen
File: C:\WINDOWS\system32\paqmaief.dll
detected: virus Heur.Invader (modification)
File: c:\docume~1\dragon~1\desktop\underh~1\combofix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
detected: Trojan program Trojan-Dropper.Win32.Agent.tgj
File: C:\Documents and Settings\Dragonflower\winmsd.exe
detected: Trojan program Trojan.Win32.Monderc.gen
File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20080626-193052-100.dll
detected: Trojan program Trojan.Win32.Monder.wf
File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20080626-193052-394.dll
detected: Trojan program Trojan.Win32.Monderc.gen
File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20080626-193052-477.dll
detected: Trojan program Trojan.Win32.Monder.wf
File: C:\_OTMoveIt\MovedFiles\06272008_124340\WINDOWS\system32\chosmxpc.dll
detected: Trojan program Trojan.Win32.Monder.aeo
File: C:\_OTMoveIt\MovedFiles\06272008_124340\WINDOWS\system32\coqvkkpf.dll
detected: Trojan program Trojan.Win32.Monderc.gen
File: C:\_OTMoveIt\MovedFiles\06272008_124340\WINDOWS\system32\nerilaky.dll
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:18 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\frxhser.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\desk95.exe
C:\WINDOWS\system32\viewport.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\DRAGON~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\DRAGON~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213935383911
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD07A2A-B1BC-4F1F-ACEF-78CA13F438CC}: NameServer = 192.168.1.254
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 8990 bytes
:sad: what will become of my system files? :sad:
Let's try a few things.
C:\WINDOWS\system32\paqmaief.dll <-- This was the only bad thing on your Kaspersky rootkit scan that we need to remove, so delete this file.
You also had some bad files in your Kaspersky Quarantine, so go to that folder and empty it out.
You also had some bad files in your System Restore program, so let's flush that all out. A0089722.dll <-- This is where this file is located.
Be sure to follow this to the letter and create a new restore point when you're done.
System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
Remove this entry with HJT.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD07A2A-B1BC-4F1F-ACEF-78CA13F438CC}: NameServer = 192.168.1.254
If still no internet, then try this.
You can download this program and transfer it to your disabled computer and run it.
Winsockxpfix (http://www.snapfiles.com/get/winsockxpfix.html)
Let me know how you're doing.
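Added example (my own script, not part of the thread and not HijackThis or Kaspersky code): a small triage pass over the O16/O17/O20/O23 lines of a HijackThis log like the one posted above. It checks each O17 NameServer against the RFC 1918 and loopback ranges, so the posted 192.168.1.254 entry reports as a LAN resolver (typically the router), while a resolver on a public address is flagged as a possible DNS hijack; it also flags AppInit_DLLs entries, services with no publisher, and non-Microsoft service binaries in system32 for manual review. The sample lines are copied from the posted log plus one constructed O17 line that uses TEST-NET-3 addresses as a stand-in for an attacker-controlled resolver; the trusted-domain list for O16 is an assumption.

```python
"""Triage the O16/O17/O20/O23 lines of a HijackThis log.

Added example, not part of the thread. Standard library only (Python 3.8+).
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the posted log plus one made-up O17
# entry whose resolvers sit in TEST-NET-3 (203.0.113.0/24), standing in for
# an attacker-controlled DNS server.
SAMPLE_LOG = r"""
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213935383911
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD07A2A-B1BC-4F1F-ACEF-78CA13F438CC}: NameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7,203.0.113.8
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
"""

O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.+?)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# RFC 1918 plus loopback: a resolver here is LAN equipment, not a hijack by itself.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: ActiveX downloads from these domains are expected on a patched XP box.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com")

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def triage(log_text):
    """Return (severity, reason, line) tuples for entries a human should review."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O16_RE.match(line):
            host = (urlparse(m.group("url")).hostname or "").lower()
            if not host.endswith(TRUSTED_DPF_DOMAINS):
                findings.append(("medium", f"ActiveX control {m.group('name')!r} fetched from {host}", line))
        elif m := O17_RE.match(line):
            for ip in m.group("servers").split(","):
                addr = ipaddress.ip_address(ip)
                if is_lan(addr):
                    findings.append(("info", f"NameServer {ip} is on the LAN (typically the router)", line))
                else:
                    findings.append(("high", f"NameServer {ip} is a public address: check for DNS hijack", line))
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(("medium", f"AppInit_DLLs loads {m.group('dlls')}; confirm the vendor", line))
        elif m := O23_RE.match(line):
            owner, path = m.group("owner"), m.group("path")
            if owner.lower() == "unknown owner":
                findings.append(("medium", f"service binary {path} has no publisher information", line))
            if "\\system32\\" in path.lower() and not owner.lower().startswith("microsoft"):
                findings.append(("low", f"non-Microsoft service binary under system32: verify {path}", line))
    return findings


def max_severity(findings, needle):
    """Highest severity among findings whose log line contains needle, or None."""
    hits = [sev for sev, _, line in findings if needle in line]
    return max(hits, key=SEVERITY.__getitem__) if hits else None


if __name__ == "__main__":
    for sev, reason, line in sorted(triage(SAMPLE_LOG), key=lambda f: -SEVERITY[f[0]]):
        print(f"[{sev:>6}] {reason}\n         {line}")
```

A hit is a reason to look, not a verdict: the AppInit_DLLs hook in the posted log belongs to Kaspersky, and a browser helper object would appear as an O2 line, which this script does not parse. To check a real log, replace SAMPLE_LOG with the file contents.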
Bluefoot
2008-06-29, 06:46
:blink:
If I had a little meditating monk smiley being distracted by a fly I would insert it here.
Otherwise, without the meditation, I would be this guy. :banghead:
I had Kaspersky delete paqmaief.dll, and that seems good,
yet Kaspersky still wants me to disinfect. (?)
And no, I cannot find a server, though there is supposedly a connection...
:angel:
Hey,
Let's flush out your DNS cache.
Next, go Start > Run, type cmd and hit OK.
Type in ipconfig /flushdns, then hit Enter.
(That space between g and / is needed.)
Type exit and hit Enter.
Let's reset your hosts file.
Download the HostsXpert 4.2.0.0. - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
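Added example (my own code, not from the thread and not HostsXpert): the hosts-file reset above done as a script you can read before trusting it. It parses a hosts file, skips the stock localhost line, reports entries that blackhole update or antivirus domains (mapped to 127.0.0.1 or 0.0.0.0) and entries that redirect a name to an address outside your LAN, and then builds a replacement file that keeps your own LAN entries, which covers the note about custom hosts files. The sample hosts file and the watched-domain list are constructed for the example; the XP default content is an assumption stated in the code.

```python
r"""Audit a Windows hosts file for malware-style entries and build a clean one.

Added example, not part of the thread and not HostsXpert. Standard library only.
On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
"""
import ipaddress
import sys

# Assumption: Windows XP's stock hosts file carries only this mapping
# (Vista and later add a ::1 line for IPv6).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Assumption: domains a hijacker typically blackholes so the victim cannot
# update or download removal tools; extend to taste.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com",
                    "safer-networking.org", "bleepingcomputer.com")

# RFC 1918: a name pointed at one of these is a user's own LAN entry.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: stock header, a legitimate custom LAN entry, two blocking
# entries of the kind a hijacker adds, and one redirection to a TEST-NET-3 address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20    nas.local           # user's own entry
127.0.0.1       www.update.microsoft.com
127.0.0.1       www.kaspersky.com
203.0.113.50    www.example.com
"""


def parse_hosts(text):
    """Yield (address, name) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower()


def audit_hosts(text):
    """Classify every non-default entry as custom, block or redirect."""
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost" and addr.is_loopback:
            continue  # the stock entry
        if addr.is_loopback or addr.is_unspecified:
            # Loopback/0.0.0.0 blackholes the name; ad-block lists do this too,
            # so only watched domains count as hostile.
            kind = "block" if name.endswith(WATCHED_SUFFIXES) else "custom"
        elif any(addr in net for net in LAN_NETS):
            kind = "custom"
        else:
            kind = "redirect"  # name silently sent to a foreign host
        findings.append((kind, name, str(addr)))
    return findings


def clean_hosts(text):
    """Return the stock file plus the user's own entries; drop block/redirect lines."""
    kept = [f"{addr:<15} {name}" for kind, name, addr in audit_hosts(text) if kind == "custom"]
    return DEFAULT_HOSTS + "".join(line + "\n" for line in kept)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for kind, name, addr in audit_hosts(text):
        print(f"{kind:<8} {addr:<15} {name}")
    print("--- proposed replacement ---")
    print(clean_hosts(text), end="")
```

Run it with the path of the live hosts file to audit it, and only write the proposed replacement back after reading the output: an ad-blocking hosts list also maps thousands of names to 127.0.0.1 and is kept as custom here, while anything it misses because the watched list is short still shows up in the audit output.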
Bluefoot
2008-06-29, 22:22
Alas, I have followed your instructions to little avail.
no net/yet connected?
What now good sir?
P.S. How might I convince Kaspersky of the virtue of ComboFix so that I might appease its request to disinfect?
:cleaning:
You might try opening Kaspersky and disabling the firewall to see if that makes a difference.
Are you using a router?
If not, try posting in one of these forums for Windows issues and let's see what they come up with.
http://forums.whatthetech.com/Networking_f128.html
http://www.bleepingcomputer.com/forums/forum14.html
Link me to your thread when you post so I can follow along in case they need any information
Ken
Bluefoot
2008-06-30, 03:06
:wav:
'Twas the firewall.
I'm sorry, I didn't realize I had set it to high security... :red:
It seems as if all systems are go :bigthumb:
so... is that it? :spider:
am I really clear?
if so cheers :beerbeerb:
or is there still more to be done?
if so, I'm ready :ninja:
That's great; sometimes the simple things are overlooked. :lip:
You're good to go. Here are some tips and free tools to install to help keep you more secure.
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Glad we could help
Safe Surfn
Ken