hard to remove malware



cjdavis7
2009-04-02, 01:09
Noticed a slowdown in browsing, found a suspicious startup entry. Manually deleting the registry entry results in it immediately being regenerated. Can't delete the .dll file from a regular Windows session.

On my own I ran several utilities: ATFCleaner (removes temp files), Windows Defender (didn't detect anything), Ad-Aware (didn't detect anything), Rooter (didn't detect anything), Malwarebytes (which found the startup entry I noticed and the associated .dll file, attempted to remove them during restart, but they always come back with a different randomly generated name), Spybot (doesn't detect anything). I noticed that when I enable Tea-Timer the log shows the following:
"4/1/2009 2:33:23 PM Allowed (based on user decision) value "Etofi" (new data: "rundll32.exe "C:\WINDOWS\uhuwulevefi.dll",e") changed in System Startup global entry!"

I of course haven't allowed any such thing.

The interesting one: Tried running Combofix. It detected a second .dll that it called a parasite: C:\Windows\system32\msrkur.dll. It renamed it and continued, but when that .dll was renamed then I had to click OK like a thousand times to an error "the msrkur.dll file couldn't be found, you may need to reinstall." In the end Combofix didn't fix anything.

Thanks for your help, I'm stuck and I can usually get these things cleaned up!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:15 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (disabled by BHODemon)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\uhuwulevefi.dll",e
O4 - HKCU\..\Run: [Windows Live Sync] "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: XP Keep Per User Display Settings.lnk = C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229366029812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229366065578
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6751 bytes

pskelley
2009-04-03, 18:22
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Above is an authorized link to combofix, you might want to read what the creator of the tool has to say.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

You are infected, if you still want help please be sure any copy of combofix on the computer is deleted before you proceed.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

cjdavis7
2009-04-04, 05:56
Thanks for your help!

ComboFix 09-04-03.01 - Chris and Joylyn 2009-04-03 19:33:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1530 [GMT -7:00]
Running from: c:\documents and settings\Chris and Joylyn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-03-31 14:47 . 2009-03-31 14:47 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-31 14:46 . 2009-03-31 14:46 <DIR> d-------- c:\windows\ERUNT
2009-03-31 14:43 . 2009-03-31 15:08 <DIR> d-------- C:\SDFix
2009-03-30 19:59 . 2009-03-30 19:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-30 19:57 . 2009-03-30 19:57 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
2009-03-30 19:20 . 2009-03-30 19:20 <DIR> d--h----- C:\WindowsLiveSyncTemp
2009-03-29 23:23 . 2009-03-29 23:23 <DIR> d--hs---- c:\documents and settings\Ethan\PrivacIE
2009-03-29 23:23 . 2009-03-29 23:23 <DIR> d--hs---- c:\documents and settings\Ethan\IECompatCache
2009-03-29 21:13 . 2009-03-29 21:13 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-29 17:26 . 2009-03-29 17:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-03-29 17:26 . 2009-03-29 17:26 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-03-26 17:59 . 2009-03-26 17:59 <DIR> d-------- c:\program files\West Point Bridge Designer 2007
2009-03-23 08:53 . 2009-03-23 08:53 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-20 11:30 . 2009-03-20 11:30 <DIR> d--hs---- c:\documents and settings\Ethan\IETldCache
2009-03-20 11:30 . 2009-03-20 11:30 <DIR> d-------- c:\documents and settings\Ethan\Application Data\ATI
2009-03-19 14:58 . 2009-03-19 14:58 <DIR> d--hs---- c:\documents and settings\Chris and Joylyn\IECompatCache
2009-03-19 14:56 . 2009-03-19 14:56 <DIR> d--hs---- c:\documents and settings\Chris and Joylyn\PrivacIE
2009-03-19 14:53 . 2009-03-19 14:53 <DIR> d--hs---- c:\documents and settings\Chris and Joylyn\IETldCache
2009-03-19 14:29 . 2009-03-19 14:29 <DIR> d-------- c:\windows\ie8updates
2009-03-19 14:28 . 2009-03-19 14:29 <DIR> d--h-c--- c:\windows\ie8
2009-03-19 14:26 . 2009-02-27 21:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-03-17 15:49 . 2009-03-17 15:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-10 22:18 . 2009-03-10 22:18 934,792 -----c--- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 . 2009-03-10 22:18 239,496 -----c--- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --a------ c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --a------ c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --a------ c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --a------ c:\windows\system32\iedkcs32.dll.mui
2009-03-08 04:33 . 2009-03-08 04:33 18,944 -----c--- c:\windows\system32\dllcache\corpol.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 22:32 --------- d-----w c:\program files\Microsoft Money 2006
2009-03-31 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-30 07:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-30 04:13 --------- d-----w c:\program files\Java
2009-03-30 00:27 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-30 00:27 22,328 ----a-w c:\documents and settings\Chris and Joylyn\Application Data\PnkBstrK.sys
2009-03-27 04:18 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 00:59 737,280 ----a-w c:\windows\iun6002.exe
2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 08:01 --------- d-----w c:\documents and settings\Chris and Joylyn\Application Data\Move Networks
2009-03-25 06:40 --------- d-----w c:\program files\NOS
2009-03-25 06:40 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-17 22:14 --------- d-----w c:\program files\ATI Technologies
2009-03-12 20:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-03 06:51 --------- d-----w c:\program files\AmgenToolbox
2009-02-26 16:22 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 00:14 --------- d-----w c:\program files\Apple Software Update
2009-02-21 00:07 --------- d-----w c:\program files\iTunes
2009-02-21 00:07 --------- d-----w c:\program files\iPod
2009-02-21 00:07 --------- d-----w c:\program files\Common Files\Apple
2009-02-21 00:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-21 00:06 --------- d-----w c:\program files\QuickTime
2009-02-21 00:06 --------- d-----w c:\program files\Bonjour
2009-02-20 04:55 --------- d-----w c:\documents and settings\Chris and Joylyn\Application Data\.purple
2009-02-19 22:41 --------- d-----w c:\program files\Secunia
2009-02-19 07:34 --------- d-----w c:\documents and settings\Chris and Joylyn\Application Data\Amazon
2009-02-19 07:33 --------- d-----w c:\program files\Amazon
2009-02-11 22:39 --------- d-----w c:\program files\Microsoft
2009-02-11 03:37 --------- d-----w c:\program files\MozyHome
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2005-04-04 09:45 24,848 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2005-04-04 09:45 74,000 ----a-w c:\program files\mozilla firefox\plugins\cgpcore.dll
2005-04-04 09:45 45,328 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2005-04-04 09:45 28,944 ----a-w c:\program files\mozilla firefox\plugins\pscript.dll
2005-04-04 09:45 69,904 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2005-04-04 09:45 24,848 ----a-w c:\program files\mozilla firefox\plugins\tcppserv.dll
2008-12-15 17:50 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121520081216\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-01-30 15:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-01-30 15:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Live Sync"="c:\program files\Windows Live\Sync\WindowsLiveSync.exe" [2008-12-02 1170256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-26 1601304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Etofi"="c:\windows\uhuwulevefi.dll" [2008-04-13 157184]
"SoundMan"="SOUNDMAN.EXE" [2007-06-27 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\Ethan\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2007-09-13 307704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
XP Keep Per User Display Settings.lnk - c:\program files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe [2004-02-02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-26 14:35 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli cemsfst.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Games\\Battlefield 2142\\BF2142.exe"=
"c:\\Games\\Warcraft III\\Warcraft III.exe"=
"c:\\Games\\Starcraft\\StarCraft.exe"=
"c:\\Games\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Games\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Games\\COH Opposing Fronts\\RelicCOH.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaws.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\Games\\Steam\\steamapps\\common\\buccaneer demo\\Buccaneer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-02-11 16640]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-14 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-26 325128]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2007-09-16 53752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-09-12 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-07 46112]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2008-05-07 12288]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2008-05-07 22656]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48ee0c3d-6146-11dc-910d-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-03-22 c:\windows\Tasks\Address Book.job
- c:\progra~1\OUTLOO~1\wab.exe [2008-04-13 17:12]

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
Notify-LMIinit - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris and Joylyn\Application Data\Mozilla\Firefox\Profiles\jrfr5ky7.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Chris and Joylyn\Application Data\Mozilla\Firefox\Profiles\jrfr5ky7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Chris and Joylyn\Application Data\Mozilla\Firefox\Profiles\jrfr5ky7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npican.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 19:38:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1604221776-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,7a,c1,5f,9c,79,43,d9,8a,6d,c4,73,ca,1d,25,34,68,99,d2,80,cb,81,84,
84,aa,78,4c,e8,ba,28,7c,86,c7,45,85,db,dd,74,ec,dc,37,da,a6,16,b3,89,ac,5e,\
"??"=hex:f8,c8,a4,59,cd,68,a4,f9,4c,0f,81,32,79,43,f5,df
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\cemsfst.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\MozyHome\mozybackup.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-03 19:44:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-04 02:44:32

Pre-Run: 62,354,296,832 bytes free
Post-Run: 62,819,409,920 bytes free

228
********************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:17 PM, on 4/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (disabled by BHODemon)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\uhuwulevefi.dll",e
O4 - HKCU\..\Run: [Windows Live Sync] "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: XP Keep Per User Display Settings.lnk = C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229366029812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229366065578
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6790 bytes
*************************
Uninstall List:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3DMark03
3DMark05
3DMark06
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.3
Amazon Unbox Video
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATITool Overclocking Utility
Audacity 1.2.6
AVG Free 8.0
Battlefield 2142
BOINC
Bonjour
Boulevard 2006
Buccaneer: The Pursuit of Infamy Demo
Canon CanoScan Toolbox 5.0
CanoScan LiDE 600F
Catalyst Control Center - Branding
Citrix Program Neighborhood
ClearType Tuning Control Panel Applet
CmdHere Powertoy For Windows XP
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Critical Update for Windows Media Player 11 (KB959772)
DeepBurner v1.8.0.224
Ditto 3.15.4.0
Earthsim
Enemy Territory - QUAKE Wars(TM) Demo 1.1 Patch
ERUNT 1.1j
Eschalon: Book I - Demo
FireTune
Fraps
Free YouTube to Mp3 Converter version 3.1
Futuremark SystemInfo
GIMP 2.4.5
Google Earth
GPGNet
GTK+ Runtime 2.10.13 rev a (remove only)
Half-Life 2: Lost Coast
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hoyle Board Games
hp LaserJet 1010 Series
ICS Viewer 6.0
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Logger Pro 3.5.0
LogMeIn
LogonStudio
MadOnion.com/3DMark2000
MadOnion.com/3DMark2001 SE
MadOnion.com/PCMark2002
Malwarebytes' Anti-Malware
Maple 11
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Design
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2007 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft WorldWide Telescope
MLB.TV NexDef Plug-in
Mozilla Firefox (3.0.8)
MozyHome Remote Backup
Mr. Robot Demo
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Multimedia Card Reader
Netflix Movie Viewer
NVIDIA Drivers
OpenAL
Panda ActiveScan 2.0
PCMark04
PCMark05
PDFCreator
Phun beta 3.12
Picasa 2
Picasa 3
Pidgin
Pingus
PowerDVD
PunkBuster Services
Quake Live Mozilla Plugin
QuickGamma 2.0.0.3
QuickTime
RealPlayer
Realtek AC'97 Audio
Rhapsody Player Engine
Secunia PSI
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sierra Utilities
Spybot - Search & Destroy
Star Wars Jedi Knight Jedi Academy
Starcraft
Steam
The Last Remnant Demo
Time Zone Data Update Tool for Microsoft Office Outlook
Uninstall 1.0.0.1
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VGA USB Camera
West Point Bridge Designer 2007
Windows Defender
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Live Sync
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XNResourceEditor 3.0.0.1
XP Keep Per User Display Settings 1.1

pskelley
2009-04-04, 13:22
Follow the directions carefully and in the numbered order.

**are you using a USB or Flash Drive?

1) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\uhuwulevefi.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48ee0c3d-6146-11dc-910d-806d6172696f}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

Folder::
C:\SDFix

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave the first item if you set IE that way)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - AutorunsDisabled - (disabled by BHODemon)
O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\uhuwulevefi.dll",e

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

You have MBAM, so there is no need to download it, but do update it and run it as instructed: (Database version: 1939 4/2/2009)

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running?

Thanks

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
I see Secunia PSI, if you are using it your programs should be up to date, check these:

Adobe Flash Player 10 ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Java(TM) 6 Update 3 <<< uninstall old versions, unsafe.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Seems PSI makes sure you are up to date, but the old Java programs have to be uninstalled manually.
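The two persistence points this thread turns on are an HKLM Run value that launches rundll32.exe on a randomly named DLL sitting directly under C:\WINDOWS, and an extra entry in the LSA "Notification Packages" list (cemsfst.dll, which MBAM later tags as Trojan.Vundo.H). Both are visible in the HijackThis and ComboFix logs, and the telltale sign of the regenerating entry is that the Run value name stays the same while the DLL name changes between logs. The script below is an added example written for this page, not a tool from the thread or from Spybot, ComboFix or HijackThis: it parses log lines of that shape, flags rundll32 autostarts that load a DLL from the Windows root and any Notification Package beyond the XP baseline (assumed here to be only scecli), and diffs two logs to spot the same Run value pointing at a different file. The sample log lines are constructed for the example, modelled on the entries in this thread.

```python
"""Triage HijackThis / ComboFix-style autostart lines for the two persistence
patterns discussed in the thread. Added example; sample lines are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# HijackThis O4 line: "O4 - HKLM\..\Run: [Name] command"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.*)$'
)
# rundll32.exe "C:\path\file.dll",Entry  (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# ComboFix "Reg Loading Points" rendering of the LSA key
NOTIFY_RE = re.compile(r'^Notification Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$')

# Assumption: a stock XP workstation lists only scecli here.
KNOWN_NOTIFICATION_PACKAGES = {"scecli"}

# Constructed sample logs (not copied from a live system); the second log
# shows the same Run value name pointing at a freshly renamed DLL.
OLD_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\uhuwulevefi.dll",e
O4 - HKLM\..\Run: [ExampleLegit] rundll32.exe "C:\WINDOWS\system32\example.dll",Entry
O4 - HKCU\..\Run: [Windows Live Sync] C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
Notification Packages REG_MULTI_SZ scecli cemsfst.dll
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\osiwitafab.dll",e
O4 - HKLM\..\Run: [ExampleLegit] rundll32.exe "C:\WINDOWS\system32\example.dll",Entry
"""


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Return hive/key/name/cmd for an O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll_target(cmd: str) -> Optional[str]:
    """DLL path loaded by a rundll32 command, or None if not a rundll32 launch."""
    m = RUNDLL_RE.match(cmd.strip())
    return m.group("dll") if m else None


def in_windows_root(path: str) -> bool:
    """True for C:\\WINDOWS\\x.dll, False for C:\\WINDOWS\\system32\\x.dll etc."""
    parts = path.replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1].lower() == "windows" and parts[2].lower().endswith(".dll")


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """(finding, entry name, path) for each suspicious line in one log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            dll = rundll_target(entry["cmd"])
            if dll and in_windows_root(dll):
                findings.append(("rundll32 autostart loads DLL from Windows root", entry["name"], dll))
            continue
        m = NOTIFY_RE.match(line.strip())
        if m:
            for pkg in m.group("pkgs").split():
                base = pkg.lower()[:-4] if pkg.lower().endswith(".dll") else pkg.lower()
                if base not in KNOWN_NOTIFICATION_PACKAGES:
                    findings.append(("unexpected LSA Notification Package", "Notification Packages", pkg))
    return findings


def run_entries(log_text: str) -> Dict[Tuple[str, str], str]:
    """Map (hive, value name) -> command for every O4 line in a log."""
    return {(e["hive"], e["name"]): e["cmd"]
            for e in map(parse_o4, log_text.splitlines()) if e}


def rotated_entries(old_log: str, new_log: str) -> List[Tuple[str, str, str]]:
    """Run values whose name survived between logs but whose command changed:
    the regenerating-DLL behaviour described in the thread."""
    old, new = run_entries(old_log), run_entries(new_log)
    return [(k[1], old[k], new[k]) for k in old if k in new and old[k] != new[k]]


if __name__ == "__main__":
    for f in scan(OLD_LOG):
        print("FLAG:", *f)
    for name, before, after in rotated_entries(OLD_LOG, NEW_LOG):
        print(f"ROTATED: [{name}] {before} -> {after}")
```

The Windows-root check is deliberately narrow: legitimate rundll32 autostarts almost always reference a DLL under system32 or a program directory, so a DLL dropped straight into C:\WINDOWS is a cheap first filter rather than a verdict. The rotation diff is what actually separates a self-reinstalling entry from a stale one: if the value name persists after a "Fix Checked" but the file it points to has changed, something still running (here the DLL injected into lsass.exe via Notification Packages) is recreating it, and the Run value alone is not the thing to remove.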

cjdavis7
2009-04-07, 09:00
Yes, I am using a USB drive. I keep it mounted all the time for backing up my MS Money file.

I do choose to have IE open with a blank page.

ComboFix 09-04-03.01 - Chris and Joylyn 2009-04-06 20:45:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1519 [GMT -7:00]
Running from: c:\documents and settings\Chris and Joylyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris and Joylyn\Desktop\cfscript
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\uhuwulevefi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\backups\backupreg.zip
c:\sdfix\backups\backups.zip
c:\sdfix\backups\catchme.log
c:\sdfix\backups\HOSTS
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\dummy.sys
c:\sdfix\Report.txt
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf
c:\windows\uhuwulevefi.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-03-31 14:47 . 2009-03-31 14:47 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-31 14:46 . 2009-03-31 14:46 <DIR> d-------- c:\windows\ERUNT
2009-03-30 19:59 . 2009-03-30 19:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-30 19:57 . 2009-03-30 19:57 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
2009-03-30 19:20 . 2009-03-30 19:20 <DIR> d--h----- C:\WindowsLiveSyncTemp
2009-03-29 23:23 . 2009-03-29 23:23 <DIR> d--hs---- c:\documents and settings\Ethan\PrivacIE
2009-03-29 23:23 . 2009-03-29 23:23 <DIR> d--hs---- c:\documents and settings\Ethan\IECompatCache
2009-03-29 21:13 . 2009-03-29 21:13 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-29 17:26 . 2009-03-29 17:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-03-29 17:26 . 2009-03-29 17:26 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-03-26 17:59 . 2009-03-26 17:59 <DIR> d-------- c:\program files\West Point Bridge Designer 2007
2009-03-23 08:53 . 2009-03-23 08:53 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-03-20 11:30 . 2009-03-20 11:30 <DIR> d--hs---- c:\documents and settings\Ethan\IETldCache
2009-03-20 11:30 . 2009-03-20 11:30 <DIR> d-------- c:\documents and settings\Ethan\Application Data\ATI
2009-03-19 14:58 . 2009-03-19 14:58 <DIR> d--hs---- c:\documents and settings\Chris and Joylyn\IECompatCache
2009-03-19 14:56 . 2009-03-19 14:56 <DIR> d--hs---- c:\documents and settings\Chris and Joylyn\PrivacIE
2009-03-19 14:53 . 2009-03-19 14:53 <DIR> d--hs---- c:\documents and settings\Chris and Joylyn\IETldCache
2009-03-19 14:29 . 2009-03-19 14:29 <DIR> d-------- c:\windows\ie8updates
2009-03-19 14:28 . 2009-03-19 14:29 <DIR> d--h-c--- c:\windows\ie8
2009-03-19 14:26 . 2009-02-27 21:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-03-17 15:49 . 2009-03-17 15:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-10 22:18 . 2009-03-10 22:18 934,792 -----c--- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 . 2009-03-10 22:18 239,496 -----c--- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --a------ c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --a------ c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --a------ c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --a------ c:\windows\system32\iedkcs32.dll.mui
2009-03-08 04:33 . 2009-03-08 04:33 18,944 -----c--- c:\windows\system32\dllcache\corpol.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 05:19 --------- d-----w c:\program files\Microsoft Money 2006
2009-03-31 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-30 07:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-30 04:13 --------- d-----w c:\program files\Java
2009-03-30 00:27 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-30 00:27 22,328 ----a-w c:\documents and settings\Chris and Joylyn\Application Data\PnkBstrK.sys
2009-03-27 04:18 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 00:59 737,280 ----a-w c:\windows\iun6002.exe
2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 08:01 --------- d-----w c:\documents and settings\Chris and Joylyn\Application Data\Move Networks
2009-03-25 06:40 --------- d-----w c:\program files\NOS
2009-03-25 06:40 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-17 22:14 --------- d-----w c:\program files\ATI Technologies
2009-03-12 20:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-03 06:51 --------- d-----w c:\program files\AmgenToolbox
2009-02-26 16:22 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 00:14 --------- d-----w c:\program files\Apple Software Update
2009-02-21 00:07 --------- d-----w c:\program files\iTunes
2009-02-21 00:07 --------- d-----w c:\program files\iPod
2009-02-21 00:07 --------- d-----w c:\program files\Common Files\Apple
2009-02-21 00:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-21 00:06 --------- d-----w c:\program files\QuickTime
2009-02-21 00:06 --------- d-----w c:\program files\Bonjour
2009-02-20 04:55 --------- d-----w c:\documents and settings\Chris and Joylyn\Application Data\.purple
2009-02-19 22:41 --------- d-----w c:\program files\Secunia
2009-02-19 07:34 --------- d-----w c:\documents and settings\Chris and Joylyn\Application Data\Amazon
2009-02-19 07:33 --------- d-----w c:\program files\Amazon
2009-02-11 22:39 --------- d-----w c:\program files\Microsoft
2009-02-11 03:37 --------- d-----w c:\program files\MozyHome
2005-04-04 09:45 24,848 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2005-04-04 09:45 74,000 ----a-w c:\program files\mozilla firefox\plugins\cgpcore.dll
2005-04-04 09:45 45,328 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2005-04-04 09:45 28,944 ----a-w c:\program files\mozilla firefox\plugins\pscript.dll
2005-04-04 09:45 69,904 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2005-04-04 09:45 24,848 ----a-w c:\program files\mozilla firefox\plugins\tcppserv.dll
2008-12-15 17:50 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121520081216\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-03_19.43.37.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-31 02:19:10 271,224 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 21:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll
+ 2009-04-07 03:49:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-01-30 15:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-01-30 15:05 2788152 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Live Sync"="c:\program files\Windows Live\Sync\WindowsLiveSync.exe" [2008-12-02 1170256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-26 1601304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"SoundMan"="SOUNDMAN.EXE" [2007-06-27 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\Ethan\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2007-09-13 307704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
XP Keep Per User Display Settings.lnk - c:\program files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe [2004-02-02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-26 14:35 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli cemsfst.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Games\\Battlefield 2142\\BF2142.exe"=
"c:\\Games\\Warcraft III\\Warcraft III.exe"=
"c:\\Games\\Starcraft\\StarCraft.exe"=
"c:\\Games\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Games\\Supreme Commander\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Games\\COH Opposing Fronts\\RelicCOH.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaws.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\Games\\Steam\\steamapps\\common\\buccaneer demo\\Buccaneer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-02-11 16640]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-14 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-26 325128]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2007-09-16 53752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-09-12 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-07 46112]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2008-05-07 12288]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2008-05-07 22656]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2008-03-22 c:\windows\Tasks\Address Book.job
- c:\progra~1\OUTLOO~1\wab.exe [2008-04-13 17:12]

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Etofi - c:\windows\uhuwulevefi.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chris and Joylyn\Application Data\Mozilla\Firefox\Profiles\jrfr5ky7.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Chris and Joylyn\Application Data\Mozilla\Firefox\Profiles\jrfr5ky7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Chris and Joylyn\Application Data\Mozilla\Firefox\Profiles\jrfr5ky7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npican.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 20:49:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1604221776-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:50,7a,c1,5f,9c,79,43,d9,8a,6d,c4,73,ca,1d,25,34,68,99,d2,80,cb,81,84,
84,aa,78,4c,e8,ba,28,7c,86,c7,45,85,db,dd,74,ec,dc,37,da,a6,16,b3,89,ac,5e,\
"??"=hex:f8,c8,a4,59,cd,68,a4,f9,4c,0f,81,32,79,43,f5,df
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\cemsfst.dll

- - - - - - - > 'explorer.exe'(368)
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\ieframe.dll
c:\windows\osiwitafab.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\MozyHome\mozybackup.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-06 20:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 03:55:18
ComboFix2.txt 2009-04-04 02:44:59

Pre-Run: 62,732,795,904 bytes free
Post-Run: 62,719,410,176 bytes free

337 --- E O F --- 2009-04-04 06:02:19
_______________________________________________________________
After running ComboFix, the following item was no longer present in HijackThis:
"O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\uhuwulevefi.dll",e"
In its place is:
"O4 - HKLM\..\Run: [Etofi] rundll32.exe "C:\WINDOWS\osiwitafab.dll",e"

This new item was NOT able to be removed using the "Fix Checked" button of HijackThis (all windows were closed). Later on though, Malwarebytes seemed to work...see below.

Ran ATFCleaner as instructed.

Malwarebytes' Anti-Malware 1.36
Database version: 1946
Windows 5.1.2600 Service Pack 3

4/6/2009 10:39:30 PM
mbam-log-2009-04-06 (22-39-30).txt

Scan type: Full Scan (C:\|G:\|H:\|)
Objects scanned: 188908
Time elapsed: 55 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etofi (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: cemsfst.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cemsfst.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\osiwitafab.dll (Trojan.Agent) -> Delete on reboot.
______________________________________________________

HijackThis log from after Malwarebytes did its thing as detailed above:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:14 PM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Windows Live Sync] "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: XP Keep Per User Display Settings.lnk = C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229366029812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229366065578
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/software/ImageUploader4.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7064 bytes

The computer has been having problems recently. Mostly with IE and Firefox crashing. Longer startups sometimes, glitchy typing in IE.
I've updated Flash in both browsers and removed that older version of Java.

I currently do not see the evidence of infection, but I'd like to watch it a couple days and through a few reboots to be sure. How do the logs look to you?

Thanks for your help!
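
Added example, not from this thread and not part of HijackThis, ComboFix or Malwarebytes: a small Python checker that applies the two observations in the post above (a rundll32 Run entry that loads a DLL sitting directly in the Windows directory with a one-letter export, and an extra entry in LSA Notification Packages, which is why the DLL showed up loaded inside lsass.exe) to constructed copies of the log lines quoted in the post. The allowlist of expected Notification Packages (only scecli on a stand-alone XP workstation) is an assumption.

```python
import re

# Constructed sample: the O4 lines quoted in the thread plus a few of the benign ones.
SAMPLE_O4_LINES = [
    'O4 - HKLM\\..\\Run: [Etofi] rundll32.exe "C:\\WINDOWS\\osiwitafab.dll",e',
    'O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE',
    'O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe',
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"',
    'O4 - Global Startup: XP Keep Per User Display Settings.lnk = C:\\Program Files\\X\\X.exe',
]

# Constructed sample: LSA Notification Packages as MBAM reported it (cemsfst.dll appended).
SAMPLE_NOTIFICATION_PACKAGES = ["scecli", "cemsfst.dll"]

# Assumption: a stand-alone XP workstation has only scecli in Notification Packages.
EXPECTED_NOTIFICATION_PACKAGES = {"scecli"}

# "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll path>",<export>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)


def parse_o4(line):
    """Return hive/name/cmd for a HijackThis O4 Run line, or None for other O4 forms."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def dll_in_windows_root(path):
    """True when the path points directly into C:\\WINDOWS (not system32 or a subfolder)."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"


def flag_suspicious_autostarts(lines):
    """Return (value name, dll path, reasons) for rundll32 Run entries matching the pattern
    seen in the thread: DLL loaded from the Windows root and/or a single-letter export."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if not entry:
            continue
        m = RUNDLL_RE.search(entry["cmd"])
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export")
        reasons = []
        if dll_in_windows_root(dll):
            reasons.append("rundll32 target sits directly in the Windows directory")
        if len(export) <= 1:
            reasons.append("export name is a single character")
        if reasons:
            findings.append((entry["name"], dll, reasons))
    return findings


def unexpected_notification_packages(packages, expected=EXPECTED_NOTIFICATION_PACKAGES):
    """Return entries of LSA Notification Packages not in the allowlist.
    The registry value normally stores names without .dll, so compare on the stem."""
    out = []
    for p in packages:
        stem = p.lower()[:-4] if p.lower().endswith(".dll") else p.lower()
        if stem not in expected:
            out.append(p)
    return out


if __name__ == "__main__":
    for name, dll, reasons in flag_suspicious_autostarts(SAMPLE_O4_LINES):
        print(f"[{name}] {dll}: " + "; ".join(reasons))
    for p in unexpected_notification_packages(SAMPLE_NOTIFICATION_PACKAGES):
        print(f"unexpected LSA Notification Package: {p}")
```

Run against the constructed lines it reports the Etofi entry for both reasons and flags cemsfst.dll as an unexpected Notification Package; the rest of the Run entries pass. The Notification Packages check is the one worth keeping in a baseline, since anything listed there is loaded into lsass.exe at boot regardless of what the Run key says.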

pskelley
2009-04-07, 14:17
Everything looks good to me, but you are in a better position to tell; let's continue like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update AVG 8 and scan the system, to be sure it is running right and scanning clean.
Some AVG information:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

cjdavis7
2009-04-10, 07:12
All is well now!

Thanks for all your help, I really appreciate it. The computer's back to its usual speedy self.

Chris

pskelley
2009-04-10, 13:11
Hey Chris, thanks for taking the time to let me know:bigthumb: safe surfing.

Phil