Trying to remove cmdservice
Techtodd
2008-12-02, 03:18
Hello,
I'm having a heck of a time trying to remove cmdservice.
Here is my HJT log. Is there anything else you need at this point?
TIA,
Techtodd
Logfile of HijackThis v1.99.1
Scan saved at 11:23:11 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Todd\My Documents\My Downloads\HijackThis\analyse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221613772359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221614254984
O20 - AppInit_DLLs: acdobq.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Hi Techtodd
Your HijackThis is outdated.
Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
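As an added illustration (not code from this thread, from the helper, or from the HijackThis project), here is a small triage script over the entry types that appear in the log posted above. It reads a constructed excerpt of that log and flags the entries a helper would look at first; the regex, the severity labels and the SSODL allowlist are the editor's assumptions, and the note that acdobq.dll was later reported as Trojan.Vundo comes from the Malwarebytes log further down this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis 1.99.1 log posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: acdobq.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24),
# a " - " separator and the entry body. Process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Assumption: ShellServiceObjectDelayLoad DLLs the analyst has already verified.
# The default Windows entries are normally hidden by HijackThis, so this list
# only needs the vendor DLLs you have personally checked.
SSODL_ALLOWLIST = ("webcheck.dll",)


@dataclass
class Finding:
    section: str
    severity: str  # "high" = review before anything else, "review" = verify, do not blindly fix
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # running-process list, blank lines, scan header
        section, body = m.group("section"), m.group("body")

        # A registry hook that points at a file that is gone is harmless on its own,
        # but it usually means something was removed and left its hook behind.
        if "(no file)" in body:
            findings.append(Finding(section, "review",
                                    "orphaned entry: registry points at a file that no longer exists", line))

        if section == "O10":
            # HijackThis could not identify the LSP DLL. The path here names Bonjour (Apple);
            # verify the vendor rather than remove it, since breaking the LSP chain can
            # leave the machine without working networking.
            findings.append(Finding(section, "review",
                                    "Winsock LSP not on HijackThis's known list; confirm the vendor first", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                # AppInit_DLLs is empty on a clean XP install; anything listed here is
                # injected into every process that loads user32.dll. In this thread the
                # Malwarebytes log later reports acdobq.dll as Trojan.Vundo.
                findings.append(Finding(section, "high",
                                        f"AppInit_DLLs injects {dlls!r} into every user32 process", line))
        elif section == "O21":
            if not any(name in body.lower() for name in SSODL_ALLOWLIST):
                # SSODL objects are loaded by Explorer at every logon, which is why
                # adware and Vundo-family DLLs like to live there.
                findings.append(Finding(section, "high",
                                        "ShellServiceObjectDelayLoad DLL not on the allowlist", line))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings with the highest-priority items first."""
    order = {"high": 0, "review": 1}
    lines = []
    for f in sorted(findings, key=lambda f: order[f.severity]):
        lines.append(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_HJT_LOG)))
```

The script only prioritises entries for a human to check; it deliberately does not decide what to fix, which matches the advice above to leave HijackThis's fix button alone until someone has read the log.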
Techtodd
2008-12-05, 04:43
Hello,
Here is the updated HJT post. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:55 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Todd\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221613772359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221614254984
O20 - AppInit_DLLs: acdobq.dll
O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7027 bytes
Thank you :)
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Post:
- mbam log
- rsit logs (taken after mbam run)
Techtodd
2008-12-06, 06:54
Here is the MBAM log:
Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 2
12/5/2008 11:36:17 PM
mbam-log-2008-12-05 (23-36-17).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 90144
Time elapsed: 19 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Lauren\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Lauren\Application Data\gadcom\gadcom.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\R2lybHM\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\R2lybHM\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\acdobq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bpyqobja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gpaqsbvb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\naiexbhf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rsvcwlph.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\uctqay.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dPI19\dPI191065.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP81\A0011441.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP85\A0013683.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP85\A0013684.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013737.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013739.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013744.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013747.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013750.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013752.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1169EDB4-CFFD-4430-8D0C-17F398E02FEB}\RP87\A0013754.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skelhhxnypijred.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
NOTE:
When running RSIT I receive the following error.
Line -1:
Error: Subscript used with non-Array variable
I'll keep trying. It almost looks like you are having me run HJT. Is that correct?
Please run this instead then:
Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection.
Double click dds.scr to run the tool. When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.
Please copy/paste the contents of the following reports in your next reply:
DDS.txt
Attach.txt
Techtodd
2008-12-06, 16:04
Hello,
DDS1
DDS (Version 1.0) - NTFSx86
Run by Todd at 9:00:30.71 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.156 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Todd\Desktop\Todd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Todd\Desktop\dds.scr
============== Pseudo HJT Report ===============
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\VetRedir.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: acdobq.dll
SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - c:\windows\system32\sqligmon.dll
============= SERVICES / DRIVERS ===============
R0 KmxStart;KmxStart;c:\windows\system32\drivers\kmxstart.sys [2008-6-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\kmxagent.sys [2008-6-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\kmxfw.sys [2008-6-24 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\VET-FILT.sys [2008-11-19 26376]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\VET-REC.sys [2008-11-19 21128]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VETEFILE.sys [2008-11-19 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VETFDDNT.sys [2008-11-19 21512]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\VETMONNT.sys [2008-11-19 32264]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\ISafe.exe [2008-11-19 144960]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
R2 UmxAgent;HIPS Event Manager;"c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe" [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;"c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe" [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;"c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe" [2008-6-24 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\VetMsg.exe [2008-11-19 242952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-9-16 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\kmxcfg.sys [2008-6-24 88816]
R3 PPCtlPriv;PPCtlPriv;"c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe" [2007-8-16 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VETEBOOT.sys [2008-11-19 108368]
=============== Created Last 30 ================
2008-12-05 23:09 <DIR> --d----- c:\docume~1\todd\applic~1\Malwarebytes
2008-12-05 23:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-05 23:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-05 23:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 03:00 <DIR> --d----- c:\program files\MSXML 4.0
2008-11-30 23:07 <DIR> --d----- C:\Lop SD
2008-11-30 21:14 <DIR> --d----- C:\Combo-Fix
2008-11-30 21:13 <DIR> --d----- C:\cmdcons
2008-11-30 21:04 161,792 a------- c:\windows\SWREG.exe
2008-11-30 21:04 98,816 a------- c:\windows\sed.exe
2008-11-29 17:13 <DIR> --d----- c:\docume~1\todd\applic~1\Auslogics
2008-11-29 17:13 <DIR> --d----- c:\program files\Auslogics
2008-11-29 16:50 <DIR> --d----- c:\program files\CCleaner
2008-11-29 15:26 31,928 a------- c:\windows\system32\rrMon.sys
2008-11-29 15:26 <DIR> --d----- c:\program files\Registrar Registry Manager
2008-11-20 22:06 <DIR> --d----- c:\windows\LQfix
2008-11-20 21:59 176,128 a------- c:\windows\system32\irdxoccs.exe
2008-11-20 21:57 <DIR> --d----- c:\windows\system32\appmgmt
2008-11-19 22:02 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-19 21:40 <DIR> --d----- c:\docume~1\todd\applic~1\IUpd721
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2008-11-19 21:07 132,030 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2008-11-19 21:07 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2008-11-19 20:07 <DIR> --d----- c:\windows\CAVTemp
2008-11-19 19:47 880,560 a------- c:\windows\system32\drivers\vetefile.sys
2008-11-19 19:47 108,368 a------- c:\windows\system32\drivers\veteboot.sys
2008-11-19 19:45 32,264 a------- c:\windows\system32\drivers\vetmonnt.sys
2008-11-19 19:45 26,376 a------- c:\windows\system32\drivers\vet-filt.sys
2008-11-19 19:45 21,512 a------- c:\windows\system32\drivers\vetfddnt.sys
2008-11-19 19:45 21,128 a------- c:\windows\system32\drivers\vet-rec.sys
2008-11-19 19:45 99,592 a------- c:\windows\system32\isafeif.dll
2008-11-19 19:45 79,424 a------- c:\windows\system32\vetredir.dll
2008-11-19 19:45 75,016 a------- c:\windows\system32\isafprod.dll
2008-11-19 19:44 <DIR> --d----- c:\program files\common files\Scanner
2008-11-19 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2008-11-19 19:44 <DIR> --d----- c:\program files\CA
2008-11-19 19:16 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-19 19:16 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-19 19:16 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-19 19:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-19 19:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-19 18:59 153,522 a------- c:\windows\system32\g51.exe
2008-11-19 18:59 <DIR> --d----- c:\windows\system32\vim
2008-11-19 18:59 <DIR> --d----- c:\windows\system32\hdx
2008-11-19 18:59 <DIR> --d----- c:\windows\system32\fip
2008-11-19 18:59 <DIR> --d----- c:\windows\system32\d
2008-11-19 18:59 <DIR> --d----- c:\temp\FT62
2008-11-19 18:59 <DIR> --d----- C:\Temp
2008-11-12 03:10 <DIR> --dsh--- C:\found.000
2008-11-11 15:36 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
==================== Find3M ====================
2008-11-18 13:36 7,478 a------- c:\windows\system32\errutcpy.dll
2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 15:39 50,772 a---h--- c:\windows\system32\mlfcache.dat
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-16 20:59 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-16 19:51 187,392 a------- c:\windows\system32\mapupbot.dll
2008-09-15 22:01 558,142 a------- c:\windows\java\packages\EVB9RR3T.ZIP
2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\CH7LVP3H.DAT
2008-09-15 22:01 155,995 a------- c:\windows\java\packages\7J1JVXZJ.ZIP
2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\E5BZZ7JB.DAT
2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\R3JZP7HZ.DAT
2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\9BZRXNZ9.DAT
2008-09-15 22:01 2,678 a------- c:\windows\java\packages\data\7Z7H3NVJ.DAT
2008-09-15 21:59 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
============= FINISH: 9:01:16.62 ===============
DDS2
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Version 1.0)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/15/2008 11:03:07 PM
System Uptime: 12/1/2008 7:07:14 PM (110 hours ago)
Motherboard: Dell Inc. | | 0M3918
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 63 GiB total, 45.023 GiB free.
D: is FIXED (NTFS) - 33 GiB total, 33.356 GiB free.
E: is FIXED (NTFS) - 33 GiB total, 12.016 GiB free.
F: is FIXED (FAT32) - 19 GiB total, 18.841 GiB free.
G: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_01811028&REV_04\3&172E68DD&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_2582&SUBSYS_01811028&REV_04\3&172E68DD&0&10
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_01811028&REV_04\3&172E68DD&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_01811028&REV_04\3&172E68DD&0&11
Service:
==== System Restore Points ===================
RP1: 11/20/2008 9:53:29 PM - System Checkpoint
RP2: 11/20/2008 9:53:29 PM - Installed Broadcom 440x Driver Installer
RP3: 11/20/2008 9:53:29 PM - Installed Microsoft Office Professional Edition 2003
RP4: 11/20/2008 9:53:29 PM - Installed Dell System Software
RP5: 11/20/2008 9:53:30 PM - Installed Desktop System Software
RP6: 11/20/2008 9:53:30 PM - Installed Windows XP KB838989.
RP7: 11/20/2008 9:53:30 PM - Software Distribution Service 3.0
RP8: 11/20/2008 9:53:30 PM - Installed Windows XP KB842773.
RP9: 11/20/2008 9:53:31 PM - Installed Windows Installer KB893803v2.
RP10: 11/20/2008 9:53:31 PM - Installed Windows XP KB892130.
RP11: 11/20/2008 9:53:31 PM - Installed Windows XP KB898461.
RP12: 11/20/2008 9:53:31 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP13: 11/20/2008 9:53:31 PM - Software Distribution Service 3.0
RP14: 11/20/2008 9:53:31 PM - Installed Windows XP Service Pack 2.
RP15: 11/20/2008 9:53:33 PM - Installed iTunes
RP16: 11/20/2008 9:53:33 PM - Software Distribution Service 3.0
RP17: 11/20/2008 9:53:33 PM - System Checkpoint
RP18: 11/20/2008 9:53:33 PM - Software Distribution Service 3.0
RP19: 11/20/2008 9:53:33 PM - System Checkpoint
RP20: 11/20/2008 9:53:34 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP21: 11/20/2008 9:53:34 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP22: 11/20/2008 9:53:34 PM - Installed Dell Driver Reset Tool
RP23: 11/20/2008 9:53:34 PM - Installed Dell System Software
RP24: 11/20/2008 9:53:34 PM - Installed Desktop System Software
RP25: 11/20/2008 9:53:34 PM - System Checkpoint
RP26: 11/20/2008 9:53:34 PM - System Checkpoint
RP27: 11/20/2008 9:53:34 PM - System Checkpoint
RP28: 11/20/2008 9:53:34 PM - System Checkpoint
RP29: 11/20/2008 9:53:34 PM - System Checkpoint
RP30: 11/20/2008 9:53:34 PM - System Checkpoint
RP31: 11/20/2008 9:53:34 PM - System Checkpoint
RP32: 11/20/2008 9:53:34 PM - System Checkpoint
RP33: 11/20/2008 9:53:34 PM - System Checkpoint
RP34: 11/20/2008 9:53:34 PM - System Checkpoint
RP35: 11/20/2008 9:53:34 PM - System Checkpoint
RP36: 11/20/2008 9:53:35 PM - System Checkpoint
RP37: 11/20/2008 9:53:35 PM - System Checkpoint
RP38: 11/20/2008 9:53:35 PM - System Checkpoint
RP39: 11/20/2008 9:53:35 PM - System Checkpoint
RP40: 11/20/2008 9:53:35 PM - System Checkpoint
RP41: 11/20/2008 9:53:35 PM - System Checkpoint
RP42: 11/20/2008 9:53:35 PM - System Checkpoint
RP43: 11/20/2008 9:53:35 PM - System Checkpoint
RP44: 11/20/2008 9:53:35 PM - System Checkpoint
RP45: 11/20/2008 9:53:35 PM - System Checkpoint
RP46: 11/20/2008 9:53:35 PM - Software Distribution Service 3.0
RP47: 11/20/2008 9:53:35 PM - Removed Apple Mobile Device Support
RP48: 11/20/2008 9:53:36 PM - System Checkpoint
RP49: 11/20/2008 9:53:36 PM - System Checkpoint
RP50: 11/20/2008 9:53:36 PM - System Checkpoint
RP51: 11/20/2008 9:53:36 PM - System Checkpoint
RP52: 11/20/2008 9:53:36 PM - System Checkpoint
RP53: 11/20/2008 9:53:36 PM - System Checkpoint
RP54: 11/20/2008 9:53:36 PM - System Checkpoint
RP55: 11/20/2008 9:53:36 PM - Software Distribution Service 3.0
RP56: 11/20/2008 9:53:36 PM - System Checkpoint
RP57: 11/20/2008 9:53:37 PM - System Checkpoint
RP58: 11/20/2008 9:53:37 PM - System Checkpoint
RP59: 11/20/2008 9:53:37 PM - System Checkpoint
RP60: 11/20/2008 9:53:37 PM - System Checkpoint
RP61: 11/20/2008 9:53:37 PM - System Checkpoint
RP62: 11/20/2008 9:53:37 PM - System Checkpoint
RP63: 11/20/2008 9:53:37 PM - System Checkpoint
RP64: 11/20/2008 9:53:37 PM - System Checkpoint
RP65: 11/20/2008 9:53:37 PM - System Checkpoint
RP66: 11/20/2008 9:53:37 PM - System Checkpoint
RP67: 11/20/2008 9:53:37 PM - System Checkpoint
RP68: 11/20/2008 9:53:37 PM - System Checkpoint
RP69: 11/20/2008 9:53:37 PM - System Checkpoint
RP70: 11/20/2008 9:53:37 PM - System Checkpoint
RP71: 11/20/2008 9:53:38 PM - System Checkpoint
RP72: 11/20/2008 9:53:38 PM - System Checkpoint
RP73: 11/20/2008 9:53:38 PM - System Checkpoint
RP74: 11/20/2008 9:53:38 PM - Software Distribution Service 3.0
RP75: 11/20/2008 9:53:38 PM - System Checkpoint
RP76: 11/20/2008 9:53:38 PM - System Checkpoint
RP77: 11/20/2008 9:53:38 PM - System Checkpoint
RP78: 11/20/2008 9:53:38 PM - System Checkpoint
RP79: 11/20/2008 9:53:38 PM - System Checkpoint
RP80: 11/20/2008 9:53:38 PM - System Checkpoint
RP81: 11/20/2008 9:53:38 PM - Last known good configuration
RP82: 11/20/2008 9:53:38 PM - System Checkpoint
RP83: 11/20/2008 9:53:39 PM - Last known good configuration
RP84: 11/20/2008 9:53:46 PM - Last known good configuration
RP85: 11/29/2008 9:57:22 AM - System Checkpoint
RP86: 11/30/2008 12:53:24 PM - System Checkpoint
RP87: 11/30/2008 9:06:11 PM - ComboFix created restore point
RP88: 12/1/2008 3:00:17 AM - Software Distribution Service 3.0
RP89: 12/2/2008 3:11:29 AM - System Checkpoint
RP90: 12/3/2008 4:35:29 AM - System Checkpoint
RP91: 12/4/2008 5:35:29 AM - System Checkpoint
RP92: 12/5/2008 6:35:28 AM - System Checkpoint
RP93: 12/6/2008 8:11:30 AM - System Checkpoint
==== Installed Programs ======================
Adobe Flash Player ActiveX
AIM 6
AIM Search
AIM Toolbar 5.0
Apple Mobile Device Support
Apple Software Update
AusLogics Disk Defrag
B44Inst
Bonjour
Broadcom 440x Driver Installer
CA Anti-Spam
CA Anti-Spyware
CA Anti-Virus
CA Internet Security Suite
CA Personal Firewall
CCleaner (remove only)
Dell Driver Reset Tool
Dell ResourceCD
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Adapters and Drivers
iTunes
LQfix 2.1
Malwarebytes' Anti-Malware
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB954430)
QuickTime
Registrar Registry Manager 5.62
Safari
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB951072-v2)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB890859
Windows XP Service Pack 2
==== Event Viewer Messages ===================
11/29/2008 4:25:48 PM, error: NetBT [4321] - The name "HOME :1d" could not be registered on the Interface with IP address 192.168.1.4. The machine with the IP address 192.168.1.3 did not allow the name to be claimed by this machine.
11/30/2008 2:57:35 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TAS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1BE1B0AF-B6A8-4DEE-9BCE. The master browser is stopping or an election is being forced.
11/30/2008 9:14:47 PM, error: NetBT [4321] - The name "HOME :1d" could not be registered on the Interface with IP address 192.168.1.4. The machine with the IP address 192.168.1.5 did not allow the name to be claimed by this machine.
==== End Of File ===========================
I see that you have run ComboFix.
Please post the contents of c:\ComboFix.txt next, if available.
Techtodd
2008-12-06, 22:17
ComboFixLog
ComboFix 08-11-30.01 - Todd 2008-11-30 21:15:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT -5:00]
Running from: c:\documents and settings\Todd\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lauren\Application Data\gadcom
c:\documents and settings\Lauren\Application Data\gadcom\gadcom.exe
c:\documents and settings\Lauren\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Lauren\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\Lauren\Start Menu\Programs\Startup\DW_Start.lnk
c:\windows\R2lybHM\
c:\windows\R2lybHM\\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_
c:\windows\R2lybHM\\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_
c:\windows\system32\acdobq.dll
c:\windows\system32\aiiljjnu.dll
c:\windows\system32\bpyqobja.dll
c:\windows\system32\bvbsqapg.ini
c:\windows\system32\cqqrel.dll
c:\windows\system32\dPI19
c:\windows\system32\dPI19\dPI191065.exe
c:\windows\system32\gpaqsbvb.dll
c:\windows\system32\hplwcvsr.ini
c:\windows\system32\mlJDwXrR.dll
c:\windows\system32\naiexbhf.dll
c:\windows\system32\nsktmylq.ini
c:\windows\system32\pac.txt
c:\windows\system32\RrXwDJlm.ini
c:\windows\system32\RrXwDJlm.ini2
c:\windows\system32\rsvcwlph.dll
c:\windows\system32\srmgdxyf.ini
c:\windows\system32\uctqay.dll
c:\windows\system32\winpfz33.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Service_cmdService
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.
2008-11-29 17:13 . 2008-11-29 17:13 <DIR> d-------- c:\program files\Auslogics
2008-11-29 17:13 . 2008-11-29 17:13 <DIR> d-------- c:\documents and settings\Todd\Application Data\Auslogics
2008-11-29 16:50 . 2008-11-29 16:50 <DIR> d-------- c:\program files\CCleaner
2008-11-29 15:26 . 2008-11-29 17:01 <DIR> d-------- c:\program files\Registrar Registry Manager
2008-11-29 15:26 . 2008-11-21 15:26 31,928 --a------ c:\windows\system32\rrMon.sys
2008-11-20 22:06 . 2008-11-29 17:02 <DIR> d-------- c:\windows\LQfix
2008-11-20 21:59 . 2008-11-20 21:59 176,128 --a------ c:\windows\system32\irdxoccs.exe
2008-11-19 22:02 . 2008-11-19 22:02 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-19 21:40 . 2008-11-19 21:40 <DIR> d-------- c:\documents and settings\Todd\Application Data\IUpd721
2008-11-19 21:07 . 2008-11-30 21:20 210,770 --a------ c:\windows\system32\drivers\kmxcfg.u2k0
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k7
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k6
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k5
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k4
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k3
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k2
2008-11-19 21:07 . 2008-11-30 21:20 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k1
2008-11-19 20:07 . 2008-11-30 20:54 <DIR> d-------- c:\windows\CAVTemp
2008-11-19 19:47 . 2008-11-19 19:47 880,560 --a------ c:\windows\system32\drivers\vetefile.sys
2008-11-19 19:47 . 2008-11-19 19:47 108,368 --a------ c:\windows\system32\drivers\veteboot.sys
2008-11-19 19:45 . 2007-08-20 13:37 99,592 --a------ c:\windows\system32\isafeif.dll
2008-11-19 19:45 . 2007-08-20 13:26 79,424 --a------ c:\windows\system32\vetredir.dll
2008-11-19 19:45 . 2007-08-20 13:37 75,016 --a------ c:\windows\system32\isafprod.dll
2008-11-19 19:45 . 2007-08-20 13:38 32,264 --a------ c:\windows\system32\drivers\vetmonnt.sys
2008-11-19 19:45 . 2007-08-20 13:38 26,376 --a------ c:\windows\system32\drivers\vet-filt.sys
2008-11-19 19:45 . 2007-08-20 13:38 21,512 --a------ c:\windows\system32\drivers\vetfddnt.sys
2008-11-19 19:45 . 2007-08-20 13:38 21,128 --a------ c:\windows\system32\drivers\vet-rec.sys
2008-11-19 19:44 . 2008-11-19 19:44 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-19 19:44 . 2008-11-19 19:44 <DIR> d-------- c:\program files\CA
2008-11-19 19:44 . 2008-11-19 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA
2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-19 19:12 . 2008-11-19 19:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-19 19:12 . 2008-11-19 19:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-19 19:08 . 2008-11-19 19:08 <DIR> d-------- c:\documents and settings\Lauren\Application Data\IUpd721
2008-11-19 19:02 . 2008-11-19 23:05 <DIR> d-------- c:\documents and settings\Lauren\Application Data\NI.GSCNS
2008-11-19 18:59 . 2008-11-19 21:01 <DIR> d-------- c:\windows\system32\vim
2008-11-19 18:59 . 2008-11-19 18:59 <DIR> d-------- c:\windows\system32\hdx
2008-11-19 18:59 . 2008-11-19 18:59 <DIR> d-------- c:\windows\system32\fip
2008-11-19 18:59 . 2008-11-19 21:00 <DIR> d-------- c:\windows\system32\d
2008-11-19 18:59 . 2008-11-19 18:59 <DIR> d-------- c:\temp\FT62
2008-11-19 18:59 . 2008-11-19 23:06 <DIR> d-------- C:\Temp
2008-11-19 18:59 . 2008-11-19 18:59 153,522 --a------ c:\windows\system32\g51.exe
2008-11-19 18:59 . 2008-11-19 18:59 64,859 --a------ c:\windows\system32\skelhhxnypijred.exe
2008-11-12 03:10 . 2008-11-12 03:10 <DIR> d--hs---- C:\found.000
2008-11-11 15:36 . 2008-09-04 11:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-03 08:38 . 2008-11-03 08:38 <DIR> d-------- c:\documents and settings\Todd\Application Data\acccore
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 19:17 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 19:29 --------- d-----w c:\documents and settings\Lauren\Application Data\Apple Computer
2008-10-16 01:25 --------- d-----w c:\program files\iTunes
2008-10-16 01:25 --------- d-----w c:\program files\iPod
2008-10-16 01:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 01:20 --------- d-----w c:\program files\Safari
2008-10-11 14:59 --------- d-----w c:\documents and settings\Danielle\Application Data\acccore
2008-10-10 12:31 --------- d-----w c:\documents and settings\Lauren\Application Data\Viewpoint
2008-09-16 03:01 558,142 ----a-w c:\windows\java\Packages\EVB9RR3T.ZIP
2008-09-16 03:01 155,995 ----a-w c:\windows\java\Packages\7J1JVXZJ.ZIP
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-11-19 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-11-19 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-11-19 259312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Disodime"= {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - c:\windows\System32\sqligmon.dll [2002-09-03 864256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 13:30 79368 c:\windows\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acdobq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-06-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-24 115216]
R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
R2 UmxAgent;HIPS Event Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;"c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2008-06-24 281104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-16 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
R3 PPCtlPriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 189704]
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\CAAntiSpywareScan_Daily as Lauren at 7 45 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 21:10]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3AB526D9-6653-47CC-8372-52F9D385275D} - c:\windows\system32\mlJDwXrR.dll
BHO-{4679b228-d53e-4f01-a48a-efc2bacc3875} - c:\windows\system32\acdobq.dll
BHO-{872199c0-38ca-dc8f-f966-213dcedc7c2f} - (no file)
BHO-{F7DDD2AE-8B7F-3C7E-AC75-62EFC898E4AC} - (no file)
Notify-ddcBQiif - ddcBQiif.dll
.
------- Supplementary Scan -------
.
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 22:36:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
- - - - - - - > 'explorer.exe'(2772)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\wscntfy.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\windows\system32\rundll32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-11-30 22:39:17 - machine was rebooted [Todd]
ComboFix-quarantined-files.txt 2008-12-01 03:39:11
Pre-Run: 48,436,158,464 bytes free
Post-Run: 48,413,376,512 bytes free
223 --- E O F --- 2008-11-12 08:02:01
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\irdxoccs.exe
c:\windows\system32\g51.exe
c:\windows\system32\errutcpy.dll
Folder::
c:\windows\system32\vim
c:\windows\system32\hdx
c:\windows\system32\fip
c:\windows\system32\d
c:\temp\FT62
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
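The CFScript above uses three ComboFix directive sections (File::, Folder::, Registry::), and the "=-" in the Registry block is .reg syntax for "delete this value". The script below is an added example, not part of this thread and not ComboFix's own code: it parses a CFScript of that shape into its sections and then reports which File::/Folder:: targets still exist, which is the check a helper would want after the tool has run. The sample text is the script posted above; the existence check is injectable so the logic runs offline. Only the three sections used here are handled, not the rest of ComboFix's directive set.

```python
"""Parse a ComboFix CFScript and report which of its targets still exist."""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: the CFScript posted in this thread, copied verbatim.
SAMPLE_CFSCRIPT = """\
File::
c:\\windows\\system32\\irdxoccs.exe
c:\\windows\\system32\\g51.exe
c:\\windows\\system32\\errutcpy.dll
Folder::
c:\\windows\\system32\\vim
c:\\windows\\system32\\hdx
c:\\windows\\system32\\fip
c:\\windows\\system32\\d
c:\\temp\\FT62
Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=-
"""

# A section header is a bare word followed by '::' and nothing else.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections.

    Each section name maps to the non-empty lines that follow it, in order.
    Lines before the first header are an error rather than silently dropped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_section(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Turn Registry:: lines into (key, value_name, action) tuples.

    Follows .reg syntax: a '[key]' line sets the current key, and
    '"name"=-' means delete the value, anything else means set it.
    """
    entries: List[Tuple[str, str, str]] = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and key is not None:
            action = "delete" if match.group(2) == "-" else "set"
            entries.append((key, match.group(1), action))
    return entries


def remaining_targets(sections: Dict[str, List[str]],
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the File:: and Folder:: paths that still exist after the fix.

    The existence check is a parameter so the function can be exercised
    without the real paths; on the cleaned machine the default is used.
    """
    targets = sections.get("File", []) + sections.get("Folder", [])
    return [path for path in targets if exists(path)]


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, items in parsed.items():
        print(f"{name}:: {len(items)} item(s)")
    for key, value, action in parse_registry_section(parsed.get("Registry", [])):
        print(f"registry {action}: [{key}] {value}")
    leftovers = remaining_targets(parsed)
    print("still present:", leftovers or "none")
```

Run it on the cleaned machine and anything listed under "still present" is a target ComboFix did not remove and worth mentioning in the next reply; the registry output simply confirms that the AppInit_DLLs value is marked for deletion rather than being set to a new loader.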
Techtodd
2008-12-09, 03:54
Here is the ComboFix log. Thanks.
ComboFix 08-12-07.04 - Todd 2008-12-08 20:47:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -5:00]
Running from: c:\documents and settings\Todd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Todd\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\errutcpy.dll
c:\windows\system32\g51.exe
c:\windows\system32\irdxoccs.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lauren\Application Data\IUpd721
c:\documents and settings\Lauren\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Todd\Application Data\IUpd721
c:\documents and settings\Todd\Application Data\IUpd721\Logs\scns.log
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
2008-12-05 23:38 . 2008-12-05 23:38 <DIR> d-------- C:\rsit
2008-12-05 23:09 . 2008-12-05 23:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 23:09 . 2008-12-05 23:09 <DIR> d-------- c:\documents and settings\Todd\Application Data\Malwarebytes
2008-12-05 23:09 . 2008-12-05 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 23:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 23:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 03:00 . 2008-12-01 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-30 23:07 . 2008-11-30 23:11 <DIR> d-------- C:\Lop SD
2008-11-30 21:14 . 2008-11-30 22:39 <DIR> d-------- C:\Combo-Fix
2008-11-29 17:13 . 2008-11-29 17:13 <DIR> d-------- c:\program files\Auslogics
2008-11-29 17:13 . 2008-11-29 17:13 <DIR> d-------- c:\documents and settings\Todd\Application Data\Auslogics
2008-11-29 16:50 . 2008-11-29 16:50 <DIR> d-------- c:\program files\CCleaner
2008-11-29 15:26 . 2008-11-29 17:01 <DIR> d-------- c:\program files\Registrar Registry Manager
2008-11-29 15:26 . 2008-11-21 15:26 31,928 --a------ c:\windows\system32\rrMon.sys
2008-11-20 22:06 . 2008-11-29 17:02 <DIR> d-------- c:\windows\LQfix
2008-11-19 22:02 . 2008-11-19 22:02 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-19 21:07 . 2008-12-01 19:07 132,030 --a------ c:\windows\system32\drivers\kmxcfg.u2k0
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k7
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k6
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k5
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k4
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k3
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k2
2008-11-19 21:07 . 2008-12-01 19:07 64 --a------ c:\windows\system32\drivers\kmxcfg.u2k1
2008-11-19 20:07 . 2008-11-30 20:54 <DIR> d-------- c:\windows\CAVTemp
2008-11-19 19:47 . 2008-11-19 19:47 880,560 --a------ c:\windows\system32\drivers\vetefile.sys
2008-11-19 19:47 . 2008-11-19 19:47 108,368 --a------ c:\windows\system32\drivers\veteboot.sys
2008-11-19 19:45 . 2007-08-20 13:37 99,592 --a------ c:\windows\system32\isafeif.dll
2008-11-19 19:45 . 2007-08-20 13:26 79,424 --a------ c:\windows\system32\vetredir.dll
2008-11-19 19:45 . 2007-08-20 13:37 75,016 --a------ c:\windows\system32\isafprod.dll
2008-11-19 19:45 . 2007-08-20 13:38 32,264 --a------ c:\windows\system32\drivers\vetmonnt.sys
2008-11-19 19:45 . 2007-08-20 13:38 26,376 --a------ c:\windows\system32\drivers\vet-filt.sys
2008-11-19 19:45 . 2007-08-20 13:38 21,512 --a------ c:\windows\system32\drivers\vetfddnt.sys
2008-11-19 19:45 . 2007-08-20 13:38 21,128 --a------ c:\windows\system32\drivers\vet-rec.sys
2008-11-19 19:44 . 2008-11-19 19:44 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-19 19:44 . 2008-11-19 19:44 <DIR> d-------- c:\program files\CA
2008-11-19 19:44 . 2008-11-19 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\CA
2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-19 19:16 . 2008-11-19 19:16 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-19 19:12 . 2008-11-19 19:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-19 19:12 . 2008-11-19 19:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-19 18:59 . 2008-12-07 07:35 <DIR> d-------- C:\Temp
2008-11-12 03:10 . 2008-11-12 03:10 <DIR> d--hs---- C:\found.000
2008-11-11 15:36 . 2008-09-04 11:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 19:17 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-03 13:38 --------- d-----w c:\documents and settings\Todd\Application Data\acccore
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 19:29 --------- d-----w c:\documents and settings\Lauren\Application Data\Apple Computer
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:25 --------- d-----w c:\program files\iTunes
2008-10-16 01:25 --------- d-----w c:\program files\iPod
2008-10-16 01:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 01:20 --------- d-----w c:\program files\Safari
2008-10-11 14:59 --------- d-----w c:\documents and settings\Danielle\Application Data\acccore
2008-10-10 12:31 --------- d-----w c:\documents and settings\Lauren\Application Data\Viewpoint
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-17 00:51 187,392 ----a-w c:\windows\system32\mapupbot.dll
2008-09-16 03:01 558,142 ----a-w c:\windows\java\Packages\EVB9RR3T.ZIP
2008-09-16 03:01 155,995 ----a-w c:\windows\java\Packages\7J1JVXZJ.ZIP
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((( snapshot@2008-11-30_22.38.28.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-01 08:00:30 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2004-08-04 07:56:42 242,322 ----a-w c:\windows\system32\cfgipin32.dll
+ 2004-08-04 07:56:42 249,458 ----a-w c:\windows\system32\cfgipin32.dll
- 2008-12-01 02:25:41 44,664 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-02 00:12:05 45,128 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-01 02:25:41 324,672 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-02 00:12:05 325,904 ----a-w c:\windows\system32\perfh009.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-11-19 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-11-19 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-11-19 259312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Disodime"= {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - c:\windows\System32\sqligmon.dll [2002-09-03 864256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 13:30 79368 c:\windows\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 KmxStart;KmxStart;c:\windows\system32\DRIVERS\kmxstart.sys [2008-06-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-24 115216]
R2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
R2 UmxAgent;HIPS Event Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;"c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;"c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2008-06-24 281104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-16 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
R3 PPCtlPriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 189704]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\CAAntiSpywareScan_Daily as Lauren at 7 45 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-16 21:10]
.
.
------- Supplementary Scan -------
.
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:50:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2008-12-08 20:51:45
ComboFix-quarantined-files.txt 2008-12-09 01:51:42
ComboFix2.txt 2008-12-07 12:39:05
ComboFix3.txt 2008-12-01 03:39:19
Pre-Run: 48,327,737,344 bytes free
Post-Run: 48,329,019,392 bytes free
197 --- E O F --- 2008-12-01 08:00:31
Please also post a fresh HijackThis log :)
Techtodd
2008-12-10, 06:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:12 PM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Todd\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221613772359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221614254984
O21 - SSODL: Disodime - {E3B662AD-D13A-461A-ACA7-39DB1B953A7E} - C:\WINDOWS\System32\sqligmon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6862 bytes
I'd like you to check a file for malware.
Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)
C:\WINDOWS\System32\sqligmon.dll
Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Save the complete results in a Notepad/Word document on your desktop.
Post back results here, please.
Techtodd
2008-12-11, 04:22
This scan has been running for more than an hour.
Antivirus Version Last Update Result
CAT-QuickHeal 10.00 2008.12.10 -
Comodo 718 2008.12.10 -
eTrust-Vet 31.6.6255 2008.12.11 -
F-Secure 8.0.14332.0 2008.12.11 -
Fortinet 3.117.0.0 2008.12.10 suspicious
Norman 5.80.02 2008.12.10 -
PCTools 4.4.2.0 2008.12.10 -
Symantec 10 2008.12.11 -
VBA32 3.12.8.10 2008.12.09 -
Additional information
File size: 864256 bytes
MD5...: 685b17821c7cb33b20a2448958b043af
SHA1..: cfdd959ff4eb4eab4609651fa7a4f8666c362515
SHA256: 4f7402dd2df18dc360d3bbf2e9d32581d3041b6c453ad1e31a15f16e2f58a53c
SHA512: 087859d23b8c2c64d71058389c6106a9e9cb28983cd1eb63eb3b1fe1aa798573a21dcf7b29aad401555fbf59c9bca5345a3336a8f862236857a5ca5eb5ea4f47
ssdeep: 12288:qzCTTSzLSBDSTWlLPdiJzlBNWYTbouqjyeElf:VTTSzL6P0VlBNhTM2L
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001b1d
timedatestamp.....: 0x48af2f4c (Fri Aug 22 21:27:40 2008)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7b812 0x7c000 6.74 f0ca54c870c5de965d3a2625f9f22de0
.rdata 0x7d000 0x3a4e4 0x3b000 4.16 ba8b00a050b4badb7b0334a8be1240fc
.data 0xb8000 0xeda8 0xf000 0.87 c88d8fe5b96adee68568e8bfc592bbfc
.shared 0xc7000 0x460 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xc8000 0x15f8 0x2000 5.90 40c16015525f41c9ca7fba534b16e031
.reloc 0xca000 0x861c 0x9000 6.46 f72d2735eb6eb48b032541bfbafecbed
( 9 imports )
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
> RPCRT4.dll: NdrClientCall2, RpcBindingFree, RpcStringBindingComposeA, RpcStringFreeA, RpcBindingFromStringBindingA
> KERNEL32.dll: OpenFileMappingA, HeapAlloc, HeapFree, HeapCreate, HeapDestroy, GetCurrentProcess, GetLocalTime, GetTimeZoneInformation, GetComputerNameA, GetACP, OpenProcess, TerminateProcess, DuplicateHandle, GetCurrentThread, CreateMutexA, ReleaseMutex, FlushFileBuffers, CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, FormatMessageA, WaitForMultipleObjects, OpenEventA, ExpandEnvironmentStringsA, GetVolumeInformationA, GetVersionExA, RemoveDirectoryA, DeviceIoControl, FileTimeToSystemTime, CreateDirectoryA, GetWindowsDirectoryA, GetProcessHeap, GetFullPathNameA, GetShortPathNameA, GetNumberFormatA, GetLocaleInfoA, lstrlenA, GetStartupInfoA, GetFileType, SetHandleCount, GetStringTypeW, GetStringTypeA, HeapSize, GetStdHandle, ExitProcess, HeapReAlloc, VirtualAlloc, VirtualFree, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetCommandLineA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetDateFormatA, GetTimeFormatA, RaiseException, GetDriveTypeA, FileTimeToLocalFileTime, CreateThread, ExitThread, GetSystemTimeAsFileTime, RtlUnwind, WideCharToMultiByte, InterlockedDecrement, DisableThreadLibraryCalls, GetCurrentProcessId, SetLastError, ResetEvent, GetModuleHandleA, SetThreadPriority, TerminateThread, GetFileTime, GetConsoleMode, SetFileTime, OutputDebugStringA, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, GetFileSize, GetCurrentDirectoryA, SetCurrentDirectoryA, FindFirstFileA, GetFileAttributesA, SetFileAttributesA, FindNextFileA, FindClose, InitializeCriticalSection, CreateEventA, ResumeThread, SetEvent, InterlockedIncrement, GetCurrentThreadId, EnterCriticalSection, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, LeaveCriticalSection, WaitForSingleObject, DeleteCriticalSection, GetDiskFreeSpaceA, FreeLibrary, GetLastError, LoadLibraryA, GetProcAddress, LocalFree, MoveFileA, DeleteFileA, GetVersion, GetSystemDirectoryA, GetTickCount, 
MultiByteToWideChar, WriteFile, CreateFileA, Sleep, ReadFile, SetFilePointer, CloseHandle, VirtualProtect, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetConsoleCP, WriteConsoleW, CompareStringA, CompareStringW, SetEnvironmentVariableA
> USER32.dll: CallNextHookEx, UnregisterHotKey, RegisterHotKey, LoadIconA, LoadCursorA, ToAsciiEx, GetKeyboardLayout, AppendMenuA, TrackPopupMenu, DestroyMenu, PostQuitMessage, SetTimer, EnumWindows, GetKeyNameTextA, GetKeyState, GetAsyncKeyState, GetKeyboardLayoutNameA, FindWindowA, GetWindowThreadProcessId, OpenDesktopA, OpenInputDesktop, UnhookWindowsHookEx, SetWindowsHookExA, EnumDisplaySettingsA, GetSystemMetrics, LoadImageA, GetProcessWindowStation, OpenWindowStationA, GetUserObjectInformationA, SetThreadDesktop, SetProcessWindowStation, ExitWindowsEx, CloseDesktop, CloseWindowStation, MessageBoxA, LoadStringA, SendMessageA, DialogBoxParamA, SetWindowTextA, SetDlgItemTextA, SetPropA, SetForegroundWindow, EndDialog, PostThreadMessageA, GetClassNameA, GetWindowRect, GetDC, ReleaseDC, GetMessageA, TranslateMessage, DispatchMessageA, KillTimer, DestroyWindow, UnregisterClassA, RegisterClassA, CreateWindowExA, GetWindowLongA, DefWindowProcA, IsWindow, SetWindowLongA, GetCursorPos, PostMessageA, wsprintfA, GetForegroundWindow, GetThreadDesktop, CreatePopupMenu
> GDI32.dll: GetDeviceCaps, DeleteObject, DeleteDC, CreateDIBSection, CreateCompatibleDC, GdiFlush, BitBlt, SelectObject, CreateCompatibleBitmap, CreateDCA, GetStockObject
> ADVAPI32.dll: RegCloseKey, InitiateSystemShutdownA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, DeleteService, LogonUserA, RegEnumValueA, RegEnumKeyExA, RegDeleteKeyA, RegDeleteValueA, RegSetKeySecurity, RegOpenKeyExA, RegGetKeySecurity, RevertToSelf, GetSidLengthRequired, GetTokenInformation, LookupAccountSidA, ImpersonateLoggedOnUser, DuplicateToken, GetSecurityInfo, SetEntriesInAclA, SetSecurityInfo, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetUserNameA, RegSetValueExA, RegCreateKeyExA, RegQueryValueExA
> SHELL32.dll: SHGetMalloc, SHGetSpecialFolderLocation, SHGetPathFromIDListA, ShellExecuteA, Shell_NotifyIconA, SHLoadInProc
> ole32.dll: StringFromCLSID, CoCreateInstance, CoInitialize, CoUninitialize, CoTaskMemFree
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -
( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, IAlloc, QueueMemory
Those are incomplete results.
Please try jotti instead; it should be faster.
Techtodd
2008-12-12, 06:05
File: sqligmon.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 685b17821c7cb33b20a2448958b043af
Packers detected: -
Scanner results
Scan taken on 12 Dec 2008 03:32:32 (GMT)
A-Squared Found Backdoor.Ulrbot!IK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
I think this one is complete.
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found Backdoor.Ulrbot.C
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Scanner Malware name
A-Squared X
AntiVir TR/Crypt.ULPM.Gen
ArcaVir X
Avast Win32:Oliga
AVG Antivirus Win32/PolyCrypt
BitDefender Packer.Malware.Crypter.C
ClamAV X
CPsecure X
Dr.Web Trojan.Packed.166
F-Prot Antivirus W32/Heuristic-210!Eldorado
F-Secure Anti-Virus Packed.Win32.PolyCrypt.d
G DATA Win32:Oliga
Ikarus X
Kaspersky Anti-Virus Packed.Win32.PolyCrypt.d
NOD32 X
Norman Virus Control W32/PolyCrypt.A
Panda Antivirus X
Sophos Antivirus Mal/Behav-164
VirusBuster Trojan.DR.Cimuz.Gen.1
VBA32 Malware-Cryptor.Win32.RPoly
Techtodd
2008-12-12, 06:15
Virus total finished this time.
Thanks so much for your help. Are we making progress?
File sqligmon.dll received on 12.12.2008 04:58:37 (CET)
Result: 3/38 (7.9%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.12.0 2008.12.11 -
AntiVir 7.9.0.45 2008.12.11 -
Authentium 5.1.0.4 2008.12.11 -
Avast 4.8.1281.0 2008.12.11 -
AVG 8.0.0.199 2008.12.12 -
BitDefender 7.2 2008.12.12 -
CAT-QuickHeal 10.00 2008.12.11 -
ClamAV 0.94.1 2008.12.11 -
Comodo 733 2008.12.11 -
DrWeb 4.44.0.09170 2008.12.12 -
eSafe 7.0.17.0 2008.12.11 -
eTrust-Vet 31.6.6256 2008.12.11 -
Ewido 4.0 2008.12.11 -
F-Prot 4.4.4.56 2008.12.11 -
F-Secure 8.0.14332.0 2008.12.12 -
Fortinet 3.117.0.0 2008.12.12 suspicious
GData 19 2008.12.12 -
Ikarus T3.1.1.45.0 2008.12.12 Backdoor.Ulrbot
K7AntiVirus 7.10.551 2008.12.11 -
Kaspersky 7.0.0.125 2008.12.12 -
McAfee 5461 2008.12.11 -
McAfee+Artemis 5460 2008.12.10 -
Microsoft 1.4205 2008.12.12 -
NOD32 3685 2008.12.12 -
Norman 5.80.02 2008.12.11 -
Panda 9.0.0.4 2008.12.11 -
PCTools 4.4.2.0 2008.12.11 -
Prevx1 V2 2008.12.12 -
Rising 21.07.32.00 2008.12.11 -
SecureWeb-Gateway 6.7.6 2008.12.11 -
Sophos 4.36.0 2008.12.12 -
Sunbelt 3.2.1801.2 2008.12.10 Spector (v)
Symantec 10 2008.12.12 -
TheHacker 6.3.1.2.184 2008.12.11 -
TrendMicro 8.700.0.1004 2008.12.11 -
VBA32 3.12.8.10 2008.12.11 -
ViRobot 2008.12.12.1514 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.11 -
Additional information
File size: 864256 bytes
MD5...: 685b17821c7cb33b20a2448958b043af
SHA1..: cfdd959ff4eb4eab4609651fa7a4f8666c362515
SHA256: 4f7402dd2df18dc360d3bbf2e9d32581d3041b6c453ad1e31a15f16e2f58a53c
SHA512: 087859d23b8c2c64d71058389c6106a9e9cb28983cd1eb63eb3b1fe1aa798573a21dcf7b29aad401555fbf59c9bca5345a3336a8f862236857a5ca5eb5ea4f47
ssdeep: 12288:qzCTTSzLSBDSTWlLPdiJzlBNWYTbouqjyeElf:VTTSzL6P0VlBNhTM2L
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001b1d
timedatestamp.....: 0x48af2f4c (Fri Aug 22 21:27:40 2008)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7b812 0x7c000 6.74 f0ca54c870c5de965d3a2625f9f22de0
.rdata 0x7d000 0x3a4e4 0x3b000 4.16 ba8b00a050b4badb7b0334a8be1240fc
.data 0xb8000 0xeda8 0xf000 0.87 c88d8fe5b96adee68568e8bfc592bbfc
.shared 0xc7000 0x460 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xc8000 0x15f8 0x2000 5.90 40c16015525f41c9ca7fba534b16e031
.reloc 0xca000 0x861c 0x9000 6.46 f72d2735eb6eb48b032541bfbafecbed
( 9 imports )
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
> RPCRT4.dll: NdrClientCall2, RpcBindingFree, RpcStringBindingComposeA, RpcStringFreeA, RpcBindingFromStringBindingA
> KERNEL32.dll: OpenFileMappingA, HeapAlloc, HeapFree, HeapCreate, HeapDestroy, GetCurrentProcess, GetLocalTime, GetTimeZoneInformation, GetComputerNameA, GetACP, OpenProcess, TerminateProcess, DuplicateHandle, GetCurrentThread, CreateMutexA, ReleaseMutex, FlushFileBuffers, CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, FormatMessageA, WaitForMultipleObjects, OpenEventA, ExpandEnvironmentStringsA, GetVolumeInformationA, GetVersionExA, RemoveDirectoryA, DeviceIoControl, FileTimeToSystemTime, CreateDirectoryA, GetWindowsDirectoryA, GetProcessHeap, GetFullPathNameA, GetShortPathNameA, GetNumberFormatA, GetLocaleInfoA, lstrlenA, GetStartupInfoA, GetFileType, SetHandleCount, GetStringTypeW, GetStringTypeA, HeapSize, GetStdHandle, ExitProcess, HeapReAlloc, VirtualAlloc, VirtualFree, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetCommandLineA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetDateFormatA, GetTimeFormatA, RaiseException, GetDriveTypeA, FileTimeToLocalFileTime, CreateThread, ExitThread, GetSystemTimeAsFileTime, RtlUnwind, WideCharToMultiByte, InterlockedDecrement, DisableThreadLibraryCalls, GetCurrentProcessId, SetLastError, ResetEvent, GetModuleHandleA, SetThreadPriority, TerminateThread, GetFileTime, GetConsoleMode, SetFileTime, OutputDebugStringA, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, GetFileSize, GetCurrentDirectoryA, SetCurrentDirectoryA, FindFirstFileA, GetFileAttributesA, SetFileAttributesA, FindNextFileA, FindClose, InitializeCriticalSection, CreateEventA, ResumeThread, SetEvent, InterlockedIncrement, GetCurrentThreadId, EnterCriticalSection, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, LeaveCriticalSection, WaitForSingleObject, DeleteCriticalSection, GetDiskFreeSpaceA, FreeLibrary, GetLastError, LoadLibraryA, GetProcAddress, LocalFree, MoveFileA, DeleteFileA, GetVersion, GetSystemDirectoryA, GetTickCount, 
MultiByteToWideChar, WriteFile, CreateFileA, Sleep, ReadFile, SetFilePointer, CloseHandle, VirtualProtect, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetConsoleCP, WriteConsoleW, CompareStringA, CompareStringW, SetEnvironmentVariableA
> USER32.dll: CallNextHookEx, UnregisterHotKey, RegisterHotKey, LoadIconA, LoadCursorA, ToAsciiEx, GetKeyboardLayout, AppendMenuA, TrackPopupMenu, DestroyMenu, PostQuitMessage, SetTimer, EnumWindows, GetKeyNameTextA, GetKeyState, GetAsyncKeyState, GetKeyboardLayoutNameA, FindWindowA, GetWindowThreadProcessId, OpenDesktopA, OpenInputDesktop, UnhookWindowsHookEx, SetWindowsHookExA, EnumDisplaySettingsA, GetSystemMetrics, LoadImageA, GetProcessWindowStation, OpenWindowStationA, GetUserObjectInformationA, SetThreadDesktop, SetProcessWindowStation, ExitWindowsEx, CloseDesktop, CloseWindowStation, MessageBoxA, LoadStringA, SendMessageA, DialogBoxParamA, SetWindowTextA, SetDlgItemTextA, SetPropA, SetForegroundWindow, EndDialog, PostThreadMessageA, GetClassNameA, GetWindowRect, GetDC, ReleaseDC, GetMessageA, TranslateMessage, DispatchMessageA, KillTimer, DestroyWindow, UnregisterClassA, RegisterClassA, CreateWindowExA, GetWindowLongA, DefWindowProcA, IsWindow, SetWindowLongA, GetCursorPos, PostMessageA, wsprintfA, GetForegroundWindow, GetThreadDesktop, CreatePopupMenu
> GDI32.dll: GetDeviceCaps, DeleteObject, DeleteDC, CreateDIBSection, CreateCompatibleDC, GdiFlush, BitBlt, SelectObject, CreateCompatibleBitmap, CreateDCA, GetStockObject
> ADVAPI32.dll: RegCloseKey, InitiateSystemShutdownA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, DeleteService, LogonUserA, RegEnumValueA, RegEnumKeyExA, RegDeleteKeyA, RegDeleteValueA, RegSetKeySecurity, RegOpenKeyExA, RegGetKeySecurity, RevertToSelf, GetSidLengthRequired, GetTokenInformation, LookupAccountSidA, ImpersonateLoggedOnUser, DuplicateToken, GetSecurityInfo, SetEntriesInAclA, SetSecurityInfo, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetUserNameA, RegSetValueExA, RegCreateKeyExA, RegQueryValueExA
> SHELL32.dll: SHGetMalloc, SHGetSpecialFolderLocation, SHGetPathFromIDListA, ShellExecuteA, Shell_NotifyIconA, SHLoadInProc
> ole32.dll: StringFromCLSID, CoCreateInstance, CoInitialize, CoUninitialize, CoTaskMemFree
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -
( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, IAlloc, QueueMemory
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
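The import listing quoted above is what a helper reads to judge what the file can do: keyboard-hook APIs, GDI screen-capture APIs, service deletion, token privilege adjustment and forced shutdown appearing together in one small binary is what makes it read as a backdoor rather than a utility. As an added triage example (not code from this thread, from HijackThis, or from the analysis tool that produced the listing), the Python script below parses lines in that "> DLL: function, function" layout and reports clusters of Win32 APIs that together indicate a capability. The cluster groupings and the per-cluster thresholds are this example's own heuristic, and the two embedded listings are constructed: one is a subset of the thread's import lines, the other a benign control.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a subset of the import lines quoted in the thread,
# in the same "> DLL: func, func" layout, embedded so the script runs offline.
SUSPECT_LISTING = """\
> USER32.dll: CallNextHookEx, GetKeyState, GetAsyncKeyState, ToAsciiEx, SetWindowsHookExA, UnhookWindowsHookEx, GetDC, ReleaseDC, ExitWindowsEx, MessageBoxA
> GDI32.dll: GetDeviceCaps, CreateDIBSection, CreateCompatibleDC, BitBlt, SelectObject, CreateCompatibleBitmap, CreateDCA
> ADVAPI32.dll: RegCloseKey, InitiateSystemShutdownA, OpenSCManagerA, OpenServiceA, DeleteService, LogonUserA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ImpersonateLoggedOnUser, RegSetValueExA, RegCreateKeyExA
> SHELL32.dll: ShellExecuteA, Shell_NotifyIconA
> ole32.dll: CoCreateInstance, CoInitialize
> OLEAUT32.dll: -, -, -
( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, IAlloc, QueueMemory
"""

# Constructed benign control: a plain GUI program touches a few of the same
# APIs (a window, a DC, a message box) without forming any capability cluster.
BENIGN_LISTING = """\
> USER32.dll: MessageBoxA, GetDC, ReleaseDC, CreateWindowExA, DefWindowProcA
> GDI32.dll: GetStockObject, DeleteObject
> KERNEL32.dll: GetModuleHandleA, ExitProcess
"""

# Capability clusters (assumption of this example, not a rule from any tool):
# a cluster is reported only when at least `threshold` of its APIs are present,
# so a lone GetDC or MessageBoxA never produces a finding on its own.
CAPABILITY_CLUSTERS = {
    "keyboard hook / keylogging": ({"SetWindowsHookExA", "SetWindowsHookExW", "CallNextHookEx",
                                   "UnhookWindowsHookEx", "GetAsyncKeyState", "GetKeyState",
                                   "ToAsciiEx", "GetKeyNameTextA", "GetKeyboardLayout"}, 3),
    "screen capture": ({"GetDC", "CreateDCA", "CreateCompatibleDC", "CreateCompatibleBitmap",
                        "CreateDIBSection", "BitBlt", "SelectObject", "GdiFlush"}, 3),
    "service manipulation": ({"OpenSCManagerA", "OpenServiceA", "DeleteService",
                              "CreateServiceA", "StartServiceA", "ControlService"}, 2),
    "token / privilege abuse": ({"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
                                 "ImpersonateLoggedOnUser", "DuplicateToken", "LogonUserA"}, 2),
    "registry persistence": ({"RegCreateKeyExA", "RegSetValueExA", "RegOpenKeyExA",
                              "RegDeleteKeyA", "RegDeleteValueA"}, 2),
    "forced shutdown / logoff": ({"ExitWindowsEx", "InitiateSystemShutdownA"}, 1),
}

LINE_RE = re.compile(r"^>\s*(?P<dll>[^:]+):\s*(?P<funcs>.*)$")


def parse_import_listing(text: str) -> Dict[str, Set[str]]:
    """Turn '> DLL: f1, f2' lines into {dll_lowercase: {f1, f2}}.
    Lines in any other shape (export counts, export names) are skipped, and
    '-' entries, which the listing uses for imports it could not name, are dropped."""
    imports: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        dll = m.group("dll").strip().lower()
        funcs = {f.strip() for f in m.group("funcs").split(",")}
        funcs.discard("-")
        funcs.discard("")
        imports.setdefault(dll, set()).update(funcs)
    return imports


def unnamed_import_counts(text: str) -> Dict[str, int]:
    """Count '-' placeholders per DLL; a DLL imported only by unnamed entries
    (OLEAUT32 in the thread's listing) is worth a second look on its own."""
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            dll = m.group("dll").strip().lower()
            n = sum(1 for f in m.group("funcs").split(",") if f.strip() == "-")
            counts[dll] = counts.get(dll, 0) + n
    return counts


def assess_capabilities(imports: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {cluster_name: sorted matching APIs} for every cluster that
    meets its threshold across all DLLs combined."""
    all_funcs = set().union(*imports.values()) if imports else set()
    findings: Dict[str, List[str]] = {}
    for name, (apis, threshold) in CAPABILITY_CLUSTERS.items():
        hits = sorted(all_funcs & apis)
        if len(hits) >= threshold:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for label, listing in (("suspect", SUSPECT_LISTING), ("benign", BENIGN_LISTING)):
        found = assess_capabilities(parse_import_listing(listing))
        print(f"{label}: {len(found)} capability cluster(s)")
        for name, hits in found.items():
            print(f"  {name}: {', '.join(hits)}")
        print(f"  unnamed imports: {unnamed_import_counts(listing)}")
```

The thresholds matter more than the API list: almost every GUI program imports GetDC or MessageBoxA, so a single match means nothing, while five hook-related imports plus BitBlt and service-control calls in one binary is the pattern the helper above is reacting to. Treat the output as a prompt for a closer look, not a verdict.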
Due to the lack of feedback, this topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.