virtumode



trvlr3
2009-03-15, 20:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:49 AM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Linksys\WUSB54GSC\WLService.exe
C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Documents and Settings\Sara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe
O1 - Hosts: 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55FE53D3-7F84-4B67-B86F-4C7D24185C40} - (no file)
O2 - BHO: (no name) - {661F837B-969F-4C69-9F52-D7DE2562E945} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ADA8C222-95D2-47B5-950B-AEBC0A508839} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-842925246-413027322-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZZ
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1229990113_42a6d4563418e4ece592ffa6b029e379&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: f4a99077517 - C:\WINDOWS\System32\diskcopy32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSC\WLService.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe (file missing)

--
End of file - 7776 bytes

Blade81
2009-03-16, 17:47
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

trvlr3
2009-03-16, 18:53
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Adobe AIR
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 9
Adobe Shockwave Player 11
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
Bonjour
Brother MFL-Pro Suite
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Digital MultiCam Driver
Diskeeper 2007 Pro Premier
ERUNT 1.1j
Google Chrome
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
IEEE 802.11g USB Wireless LAN Adapter
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
Nero 7 Ultra Edition
OverDrive Media Console
PaperPort
PowerDVD
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SigmaTel AC97 Audio Drivers
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.2
Tweak UI
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

==== End Of File ===========================



DDS (Ver_09-03-16.01) - NTFSx86
Run by Sara at 10:50:28.64 on Mon 03/16/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uWindow Title =
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
mWindow Title =
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {55FE53D3-7F84-4B67-B86F-4C7D24185C40} - No File
BHO: {661F837B-969F-4C69-9F52-D7DE2562E945} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &Search - ?p=ZZ
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1229990113_42a6d4563418e4ece592ffa6b029e379&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvusrpn

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-16 10:41 4,897 a------- C:\WUSB54GSC_S2.gif
2009-03-16 10:41 7,379 a------- C:\WUSB54GSC_I1.gif
2009-03-16 09:24 2,139 a------- C:\WUSB54GSC_S1.gif
2009-03-15 20:11 <DIR> --d----- c:\docume~1\sara\applic~1\Malwarebytes
2009-03-15 20:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-15 20:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 20:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-15 20:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-14 21:48 134,656 a------- c:\windows\awifesufiy.dll
2009-03-14 21:31 24,576 -------- c:\windows\system32\ezvbbkap.rel
2009-03-14 21:00 <DIR> --d----- c:\program files\Trend Micro
2009-03-14 19:54 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-12 22:05 134,656 -------- c:\windows\cbsmvegh.zwx
2009-03-12 21:58 24,576 -------- c:\windows\system32\rgblnwny.qxj

==================== Find3M ====================

2009-02-09 13:31 188 -------- c:\documents and settings\sara\224b90f950e3ddd55dbd83fd8c41131b.bat
2009-02-09 13:31 188 -------- c:\documents and settings\sara\38e70bcf0ac9ab6684fc0645a4ad46a8.bat
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-29 03:14 637 -------- C:\xcrashdump.dat
2009-01-28 13:51 389,120 a------- c:\windows\system32\CF31380.exe
2009-01-24 22:58 188 -------- c:\documents and settings\sara\4eabd1b395c7491069be3000b4e10972.bat
2009-01-24 22:58 188 -------- c:\documents and settings\sara\5be0590c6d39cd4a2690bbc871023569.bat
2009-01-24 22:57 186 -------- c:\documents and settings\sara\754a68ff0240ef721b69705c16d378ba.bat
2009-01-21 01:16 188 -------- c:\documents and settings\sara\c70c1be6d8cf781407b9b3ec60f0c732.bat
2009-01-21 01:16 188 -------- c:\documents and settings\sara\17a9d83904bfb31eafcf44328b04afef.bat
2008-12-22 17:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-09-12 08:42 2,387,480 ac------ c:\program files\SVGView.exe
2008-04-05 13:55 140,800 ac------ c:\program files\ODMediaConsoleSetup.exe
2008-03-25 18:08 4,608,744 ac------ c:\program files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-16 14:05 22 ac------ c:\program files\c310.zip
2008-01-11 12:07 593,556 ac------ c:\program files\regscrubxpsetup_3.2.exe
2007-12-27 12:02 32 ac-sh--- c:\windows\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 12:05 32 ac-sh--- c:\windows\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 12:01 32 ac-sh--- c:\windows\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2008-10-11 14:02 23 ac-sh--- c:\windows\system32\eafba6_z.dll
2007-12-27 12:02 32 ac-sh--- c:\windows\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 12:05 32 ac-sh--- c:\windows\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 12:01 32 ac-sh--- c:\windows\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
2008-12-09 17:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-12-09 17:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-12-09 17:19 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120920081210\index.dat
2008-12-09 17:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 10:50:55.75 ===============
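
Added example, not part of this thread or of HijackThis, DDS or ComboFix themselves: a small Python triage script that applies, to a handful of lines copied from the HijackThis and DDS logs above, the checks a log reader makes by hand when deciding which entries to ask about first. It flags O2 BHO entries whose DLL is gone, BHO DLLs that live under the Windows directory rather than Program Files, Winlogon Notify keys (HijackThis O20 or DDS "Notify:") whose name is a hex-like string or is not on an allowlist, and anything listed beyond msv1_0 in LSA Authentication Packages. The allowlist, the regexes and the severity labels are assumptions for illustration; a flagged line means "verify this file", not "confirmed malware".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis and DDS logs posted in this thread.
SAMPLE_LINES = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DDSMEkl - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - C:\WINDOWS\system32\vumer.dll
O2 - BHO: (no name) - {55FE53D3-7F84-4B67-B86F-4C7D24185C40} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O20 - Winlogon Notify: f4a99077517 - C:\WINDOWS\System32\diskcopy32.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvusrpn
"""

# Winlogon Notify subkeys that ship with Windows XP or common vendor drivers.
# This allowlist is an assumption for the example; extend it for your own fleet.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent", "wgalogon",
}


@dataclass
class Finding:
    severity: str   # "high" (look at this first) or "review"
    line: str       # the log line that triggered the finding
    reason: str     # why it was flagged


# One regex per line type we know how to read (HijackThis O2/O20 and DDS Notify:/LSA:).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^(?:O20 - Winlogon Notify|Notify): (?P<key>[^ ]+) - (?P<path>.*)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.*)$")
HEXISH_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)


def _in_windows_dir(path: str) -> bool:
    # Legitimate BHOs are almost always installed under Program Files;
    # a BHO DLL dropped straight into %SystemRoot% or system32 deserves a look.
    return re.search(r"\\windows\\", path, re.I) is not None


def triage(text: str) -> list[Finding]:
    """Return the entries a helper would ask about first, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            if m["path"].lower() in ("(no file)", "no file"):
                findings.append(Finding("review", line, "orphaned BHO CLSID: DLL no longer present"))
            elif _in_windows_dir(m["path"]):
                findings.append(Finding("high", line, "BHO loaded from the Windows directory; verify the file"))
        elif m := NOTIFY_RE.match(line):
            key = m["key"].lower()
            if HEXISH_RE.match(key):
                findings.append(Finding("high", line, "Winlogon Notify key name is a hex-like string"))
            elif key not in KNOWN_NOTIFY:
                findings.append(Finding("review", line, "Winlogon Notify key not on the allowlist"))
        elif m := LSA_RE.match(line):
            # msv1_0 is the only authentication package expected on a stock XP box.
            extra = [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("high", line, "extra LSA authentication package(s): " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it flags four lines: the two BHO entries (vumer.dll under system32, and the orphaned CLSID), the O20 Winlogon Notify key with the hex-like name, and the extra LSA authentication package; the igfxcui notify entry and the Adobe and Java BHOs pass. The orphaned-CLSID and allowlist checks are the cheap part; the file-location and LSA checks are the ones worth keeping even if you later replace the regexes with a real log parser.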

trvlr3
2009-03-16, 18:55
I'm sorry, I didn't follow the instructions; I didn't see that until after I posted.

Blade81
2009-03-16, 21:05
Hi again :)

Uninstall this vulnerable Java:
Java(TM) 6 Update 5


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

trvlr3
2009-03-16, 22:17
Uninstalled the Java version you asked about, and here are the ComboFix log and DDS. Thank you.

ComboFix 09-03-15.01 - Sara 2009-03-16 13:50:54.1 - NTFSx86
Running from: c:\documents and settings\Sara\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Sara\Application Data\0200000015ada8a3517C.manifest
c:\documents and settings\Sara\Application Data\0200000015ada8a3517O.manifest
c:\documents and settings\Sara\Application Data\0200000015ada8a3517P.manifest
c:\documents and settings\Sara\Application Data\0200000015ada8a3517S.manifest
c:\windows\GnuHashes.ini
c:\windows\IE4 Error Log.txt
c:\windows\system32\dumphive.exe
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-16 13:55 . 2009-03-16 13:55 2,139 --a------ C:\WUSB54GSC_S1.gif
2009-03-15 20:11 . 2009-03-15 20:11 <DIR> d-------- c:\documents and settings\Sara\Application Data\Malwarebytes
2009-03-14 21:48 . 2009-03-14 21:48 134,656 --a------ c:\windows\awifesufiy.dll
2009-03-14 21:31 . 2009-03-14 21:35 24,576 --------- c:\windows\system32\ezvbbkap.rel
2009-03-14 21:00 . 2009-03-14 21:00 <DIR> d-------- c:\program files\Trend Micro
2009-03-14 19:54 . 2009-03-14 21:01 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-12 22:05 . 2009-03-12 22:05 134,656 --------- c:\windows\cbsmvegh.zwx
2009-03-12 21:58 . 2009-03-12 21:58 24,576 --------- c:\windows\system32\rgblnwny.qxj

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-16 17:15 --------- d-----w c:\program files\CCleaner
2009-03-16 16:15 --------- d-----w c:\documents and settings\Sara\Application Data\SolSuite
2009-03-15 05:55 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-15 03:00 --------- d-----w c:\program files\Yahoo!
2009-03-15 03:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-15 03:00 --------- d-----w c:\program files\RegScrubXP
2009-02-09 19:31 188 ------w c:\documents and settings\Sara\38e70bcf0ac9ab6684fc0645a4ad46a8.bat
2009-02-09 19:31 188 ------w c:\documents and settings\Sara\224b90f950e3ddd55dbd83fd8c41131b.bat
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-25 04:58 188 ------w c:\documents and settings\Sara\5be0590c6d39cd4a2690bbc871023569.bat
2009-01-25 04:58 188 ------w c:\documents and settings\Sara\4eabd1b395c7491069be3000b4e10972.bat
2009-01-25 04:57 186 ------w c:\documents and settings\Sara\754a68ff0240ef721b69705c16d378ba.bat
2009-01-25 03:22 --------- d-----w c:\program files\ERUNT
2009-01-21 07:16 188 ------w c:\documents and settings\Sara\c70c1be6d8cf781407b9b3ec60f0c732.bat
2009-01-21 07:16 188 ------w c:\documents and settings\Sara\17a9d83904bfb31eafcf44328b04afef.bat
2009-01-19 19:27 --------- d-----w c:\documents and settings\Sara\Application Data\AVG7
2008-12-22 23:55 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-09-12 14:42 2,387,480 -c--a-w c:\program files\SVGView.exe
2008-04-05 19:55 140,800 -c--a-w c:\program files\ODMediaConsoleSetup.exe
2008-03-26 00:08 4,608,744 -c--a-w c:\program files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-16 20:05 22 -c--a-w c:\program files\c310.zip
2008-01-11 18:07 593,556 -c--a-w c:\program files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 -csha-w c:\windows\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 -csha-w c:\windows\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 -csha-w c:\windows\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 -csha-w c:\windows\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 -csha-w c:\windows\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 -csha-w c:\windows\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 -csha-w c:\windows\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2008-10-11 20:02 23 -csha-w c:\windows\system32\eafba6_z.dll
2007-12-27 18:02 32 -csha-w c:\windows\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 -csha-w c:\windows\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 -csha-w c:\windows\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 -csha-w c:\windows\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 -csha-w c:\windows\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 -csha-w c:\windows\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 -csha-w c:\windows\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
2008-12-09 23:20 32,768 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-12-09 23:20 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-12-09 23:19 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
2008-12-09 23:20 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-30 4891984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\diskcopy32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Sara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d2aa802a2b4263ed0bbcb5143ef5c326;d2aa802a2b4263ed0bbcb5143ef5c326; [x]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC; [x]
R3 Bcfilter;Jetico Personal Firewall Network Monitor; [x]
R3 BcfilterMP;BcfilterMP; [x]
R3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
R3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-06-27 450560]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2002-01-08 36368]
S2 WUSB54GSC;WUSB54GSC; [x]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - Alerter
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Avg7Alrt
*Deregistered* - Avg7Core
*Deregistered* - Avg7RsW
*Deregistered* - Avg7RsXP
*Deregistered* - Avg7UpdSvc
*Deregistered* - AvgClean
*Deregistered* - AVGEMS
*Deregistered* - AvgTdi
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Diskeeper
*Deregistered* - dmadmin
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - GTNDIS5
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Modem
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RecAgent
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - ShellHWDetection
*Deregistered* - SimpTcp
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermDD
*Deregistered* - tmcomm
*Deregistered* - tmpreflt
*Deregistered* - tmxpflt
*Deregistered* - tunmp
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsapint
*Deregistered* - VSS
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WmdmPmSN
*Deregistered* - WS2IFSL
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WUSB54GSC
*Deregistered* - WZCSVC
*Deregistered* - xmlprov

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-01-29 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe []

2009-03-16 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe []

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-413027322-839522115-1003.job
- c:\documents and settings\Sara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-14 22:40]

2009-03-16 c:\windows\Tasks\User_Feed_Synchronization-{2D78FBBF-0698-4472-8D03-6BDD7D91B0B0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 20:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{55FE53D3-7F84-4B67-B86F-4C7D24185C40} - (no file)
BHO-{661F837B-969F-4C69-9F52-D7DE2562E945} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.msn.com
mWindow Title =
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZZ
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 13:54:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\vssvc.exe
c:\program files\Linksys\WUSB54GSC\WLService.exe
c:\program files\Linksys\WUSB54GSC\WUSB54GSC.exe
.
**************************************************************************
.
Completion time: 2009-03-16 13:58:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 19:58:55

Pre-Run: 5,938,909,184 bytes free
Post-Run: 5,865,316,352 bytes free

301 --- E O F --- 2009-03-15 05:59:48


dds

DDS (Ver_09-03-16.01) - NTFSx86
Run by Sara at 14:01:50.82 on Mon 03/16/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.msn.com
mWindow Title =
uInternet Settings,ProxyOverride = *.local
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
c:\docume~1\sara\locals~1\temp\rarsfx0\temp00
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\diskcopy32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-16 13:56 4,897 a------- C:\WUSB54GSC_S2.gif
2009-03-16 13:56 7,379 a------- C:\WUSB54GSC_I1.gif
2009-03-16 13:55 2,139 a------- C:\WUSB54GSC_S1.gif
2009-03-16 13:50 161,792 a------- c:\windows\SWREG.exe
2009-03-16 13:50 98,816 a------- c:\windows\sed.exe
2009-03-16 13:50 <DIR> --d----- C:\ComboFix
2009-03-15 20:11 <DIR> --d----- c:\docume~1\sara\applic~1\Malwarebytes
2009-03-14 21:48 134,656 a------- c:\windows\awifesufiy.dll
2009-03-14 21:31 24,576 -------- c:\windows\system32\ezvbbkap.rel
2009-03-14 21:00 <DIR> --d----- c:\program files\Trend Micro
2009-03-14 19:54 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-12 22:05 134,656 -------- c:\windows\cbsmvegh.zwx
2009-03-12 21:58 24,576 -------- c:\windows\system32\rgblnwny.qxj

==================== Find3M ====================

2009-02-09 13:31 188 -------- c:\documents and settings\sara\224b90f950e3ddd55dbd83fd8c41131b.bat
2009-02-09 13:31 188 -------- c:\documents and settings\sara\38e70bcf0ac9ab6684fc0645a4ad46a8.bat
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-24 22:58 188 -------- c:\documents and settings\sara\4eabd1b395c7491069be3000b4e10972.bat
2009-01-24 22:58 188 -------- c:\documents and settings\sara\5be0590c6d39cd4a2690bbc871023569.bat
2009-01-24 22:57 186 -------- c:\documents and settings\sara\754a68ff0240ef721b69705c16d378ba.bat
2009-01-21 01:16 188 -------- c:\documents and settings\sara\c70c1be6d8cf781407b9b3ec60f0c732.bat
2009-01-21 01:16 188 -------- c:\documents and settings\sara\17a9d83904bfb31eafcf44328b04afef.bat
2008-12-22 17:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-09-12 08:42 2,387,480 ac------ c:\program files\SVGView.exe
2008-04-05 13:55 140,800 ac------ c:\program files\ODMediaConsoleSetup.exe
2008-03-25 18:08 4,608,744 ac------ c:\program files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-16 14:05 22 ac------ c:\program files\c310.zip
2008-01-11 12:07 593,556 ac------ c:\program files\regscrubxpsetup_3.2.exe
2007-12-27 12:02 32 ac-sh--- c:\windows\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 12:05 32 ac-sh--- c:\windows\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 12:01 32 ac-sh--- c:\windows\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2008-10-11 14:02 23 ac-sh--- c:\windows\system32\eafba6_z.dll
2007-12-27 12:02 32 ac-sh--- c:\windows\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 12:04 32 ac-sh--- c:\windows\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 12:05 32 ac-sh--- c:\windows\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 12:01 32 ac-sh--- c:\windows\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 12:02 32 ac-sh--- c:\windows\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
2008-12-09 17:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-12-09 17:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-12-09 17:19 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120920081210\index.dat
2008-12-09 17:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 14:02:05.76 ===============

trvlr3
2009-03-16, 22:20
I'm sorry, I don't know how to zip the dds. attach log. 2884 Did I do this right? Thank you

Blade81
2009-03-17, 09:59
Hi

Yes, file attachment worked :)

It's recommended to uninstall Spybot 1.2 and get the latest one. It seems that you don't have any antivirus programs installed. Is that so?


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Upload following files to http://www.virustotal.com and post back the results:
c:\windows\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
c:\windows\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
c:\windows\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
c:\windows\system32\eafba6_z.dll
c:\windows\System32\diskcopy32.dll


Are following files stored there by yourself:
C:\WUSB54GSC_S2.gif
C:\WUSB54GSC_I1.gif
C:\WUSB54GSC_S1.gif



Open notepad and copy/paste the text in the quotebox below into it:



Driver::
d2aa802a2b4263ed0bbcb5143ef5c326

File::
c:\windows\awifesufiy.dll
c:\windows\system32\ezvbbkap.rel
c:\windows\cbsmvegh.zwx
c:\windows\system32\rgblnwny.qxj
c:\documents and settings\Sara\38e70bcf0ac9ab6684fc0645a4ad46a8.bat
c:\documents and settings\Sara\224b90f950e3ddd55dbd83fd8c41131b.bat
c:\documents and settings\Sara\5be0590c6d39cd4a2690bbc871023569.bat
c:\documents and settings\Sara\4eabd1b395c7491069be3000b4e10972.bat
c:\documents and settings\Sara\754a68ff0240ef721b69705c16d378ba.bat
c:\documents and settings\Sara\c70c1be6d8cf781407b9b3ec60f0c732.bat
c:\documents and settings\Sara\17a9d83904bfb31eafcf44328b04afef.bat



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds log and above mentioned ComboFix resultant log.
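The helper's triage above boils down to reading the DDS file listing and picking out the entries that deserve a hash check or a VirusTotal upload before anything is deleted. The script below is an added example, not part of this thread and not the helper's own method: it parses DDS-style listing lines (the sample is constructed from the entries already shown in the log above) and applies a few defender-side heuristics of my own choosing: an extension that does not belong directly under c:\windows or system32, a "PE" file far too small to be a real image, hidden+system attributes on a code file, MD5-looking .bat names, and a second pass that flags any clean-looking file whose byte size exactly matches an already flagged one, which is how awifesufiy.dll and cbsmvegh.zwx (both 134,656 bytes) end up together. It also pulls the AppInit_DLLs value out of the pseudo-HJT section, since anything listed there is loaded into every user32-linked process and is always worth verifying.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the DDS "Created Last 30" / "Find3M"
# sections; the paths are the ones that appear in the log on this page.
SAMPLE_DDS_LINES = """\
2009-03-16 13:50 161,792 a------- c:\\windows\\SWREG.exe
2009-03-14 21:48 134,656 a------- c:\\windows\\awifesufiy.dll
2009-03-14 21:31 24,576 -------- c:\\windows\\system32\\ezvbbkap.rel
2009-03-12 22:05 134,656 -------- c:\\windows\\cbsmvegh.zwx
2009-03-12 21:58 24,576 -------- c:\\windows\\system32\\rgblnwny.qxj
2009-02-09 13:31 188 -------- c:\\documents and settings\\sara\\224b90f950e3ddd55dbd83fd8c41131b.bat
2009-02-09 05:13 1,846,784 a------- c:\\windows\\system32\\win32k.sys
2008-12-20 17:15 826,368 a------- c:\\windows\\system32\\wininet.dll
2008-10-11 14:02 23 ac-sh--- c:\\windows\\system32\\eafba6_z.dll
"""
# Constructed sample of the pseudo-HJT line that appears above.
SAMPLE_HJT_LINE = "AppInit_DLLs: c:\\windows\\system32\\diskcopy32.dll"

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$", re.I | re.M)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

# Extensions that normally sit directly under c:\windows or c:\windows\system32
# (assumption: an allowlist chosen for this example, not an official list).
EXPECTED_SYSTEM_EXT = {".exe", ".dll", ".sys", ".ocx", ".drv", ".cpl", ".ini",
                       ".log", ".txt", ".dat", ".scr", ".msc", ".nls", ".ax"}
PE_EXT = {".exe", ".dll", ".sys", ".ocx", ".drv", ".scr", ".cpl"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def parse_dds(text):
    """Turn DDS listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = None if d["size"] == "<DIR>" else int(d["size"].replace(",", ""))
        d["path"] = d["path"].lower()          # NTFS paths are case-insensitive
        entries.append(d)
    return entries


def _split(path):
    """Return (directory with trailing backslash, stem, extension-with-dot-or-empty)."""
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    return directory + "\\", (stem if dot else name), ("." + ext if dot else "")


def triage(entries):
    """Map path -> list of reasons for entries worth hashing/uploading (not auto-deleting)."""
    reasons = defaultdict(list)
    for e in entries:
        if e["size"] is None:                  # directories carry no size to reason about
            continue
        directory, stem, ext = _split(e["path"])
        in_sysdir = directory in SYSTEM_DIRS
        if in_sysdir and ext not in EXPECTED_SYSTEM_EXT:
            reasons[e["path"]].append("unexpected extension in a Windows system directory")
        if ext in PE_EXT and e["size"] < 512:
            reasons[e["path"]].append("far too small to be a real PE image")
        if in_sysdir and ext in PE_EXT and "h" in e["attrs"] and "s" in e["attrs"]:
            reasons[e["path"]].append("hidden+system attributes on a code file")
        if ext == ".bat" and HEX32_RE.match(stem):
            reasons[e["path"]].append("32-hex-character (MD5-like) name")
    # Second pass: a renamed copy keeps its size, so a clean-looking file with
    # exactly the same byte count as a flagged one gets the same scrutiny.
    flagged_sizes = {e["size"] for e in entries if e["path"] in reasons}
    for e in entries:
        if e["path"] not in reasons and e["size"] is not None and e["size"] in flagged_sizes:
            reasons[e["path"]].append("same byte size as an already flagged file")
    return dict(reasons)


def appinit_dlls(report_text):
    """Paths under AppInit_DLLs load into every user32-linked process; return them all.
    Windows treats both commas and spaces as separators in that value."""
    m = APPINIT_RE.search(report_text)
    if not m:
        return []
    return [p.lower() for p in re.split(r"[,\s]+", m.group(1).strip()) if p]


if __name__ == "__main__":
    for path, why in sorted(triage(parse_dds(SAMPLE_DDS_LINES)).items()):
        print(f"{path}\n    " + "\n    ".join(why))
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_HJT_LINE))
```

The output is a shortlist to hash and submit, exactly the step the helper asks for; the size-matching pass is deliberately kept separate from the first so that a file is never flagged merely for matching another unflagged file's size.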

trvlr3
2009-03-17, 18:47
Yes Norton and AVG. I had to disable them to run Spybot.

Blade81
2009-03-17, 19:43
Hi

Ok. You have to decide between those and uninstall one of them.

I'll wait for the reports. Post back when ready :)

Blade81
2009-03-23, 23:12
Hi,

Any progress made?

Blade81
2009-03-29, 23:31
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.