Malware Help "third hands"; D.D.S. included



Mofogo
2010-05-01, 19:01
Sorry Blade81 for not getting back to you in a timely manner. I was in the process of getting married last weekend so I couldn't get the stuff up and running quickly.

My ultimate goal is to be able to get this computer basically back to factory settings without having the install CD. I can't run a recovery at this point and the Dell restore partition does not exist.



Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
* Save both reports to your desktop. Post them back to your topic.


---

Download GMER here by clicking the Download EXE button and then saving it to your desktop:

* Double-click the .exe that you downloaded
* Click the Rootkit tab, uncheck the Files option and then click Scan.
* Don't check the Show All box while scanning is in progress!
* When scanning is ready, click Copy.
* This copies the log to the clipboard.
* Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.


====================================

D.D.S LOG


DDS (Ver_10-03-17.01) - NTFSx86
Run by Penny at 11:42:24.15 on Sat 05/01/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.202 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Penny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: c:\windows\system32\hs78344kjkfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [gls5764m8zbbhqqvtuo39ny8zy8vh51j] c:\docume~1\penny\locals~1\temp\xgwdga0.exe
uRun: [ol69ou5fzt7m7vz45nelmg4okduaj8s8] c:\docume~1\penny\locals~1\temp\t4gyaekw6t3.exe
uRun: [ebw6vrl4rzvo9i] c:\docume~1\penny\locals~1\temp\ka2h4zg.exe
uRun: [shutzpg3kb7kdiz] c:\docume~1\penny\locals~1\temp\qwf5z1osf3gck.exe
uRun: [t6hh4bq3n59npa2qm0vxs8r3eeg30yd89d35vnk60uz35i] c:\docume~1\penny\locals~1\temp\iiwyc9jn9u4yo.exe
uRun: [u55d1n0jy2] c:\docume~1\penny\locals~1\temp\pe85xl1thwqh.exe
uRun: [c825jropl1ubec5djr0hhwsy33nu0mqayhjjl7y07bv26gg4] c:\docume~1\penny\locals~1\temp\a5gzjydd.exe
uRun: [phmw5k7xcbih4u0j8jz7at4n8jcu8izb666on6g] c:\docume~1\penny\locals~1\temp\cgltkycli5s.exe
uRun: [v0xv9cmmolhfohmulc5] c:\docume~1\penny\locals~1\temp\v6b6pkzpktb.exe
uRun: [op5rbtzkedvvxo7q565sozu5nemtk4i] c:\docume~1\penny\locals~1\temp\n1po3x3zbpq7.exe
uRun: [rjmd4lrznub5cfjt92cdtyatjpiacy2hn97mb16] c:\docume~1\penny\locals~1\temp\irec25an.exe
uRun: [lx4nrbpuqv6dz47qqiiyzsrmk1upq2bxhe] c:\docume~1\penny\locals~1\temp\wuhm9x0w.exe
uRun: [xfujz5oe8gw9] c:\docume~1\penny\locals~1\temp\l38upsig.exe
uRun: [v4ngkgl44v1bnjtnyauoc1e39ep00hs44dw954] c:\docume~1\penny\locals~1\temp\uebdjnz0kn.exe
uRun: [vetypmkt4r4gkyb8lnbgb14i6] c:\docume~1\penny\locals~1\temp\z7vz41mq30kmo.exe
uRun: [i0l6050d0045p65ikob841d2g5ukc9bv2t3ofujrle370] c:\docume~1\penny\locals~1\temp\jmitfbse7zg.exe
mRun: [Kboqucocali] rundll32.exe "c:\windows\Kragus.dll",e
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\penny\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open Link Target in Firefox - file://c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\docume~1\penny\locals~1\temp\ntdll64.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.capella.edu/lib/capella/support/plugins/ebraryRdr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {BA11E984-66D3-11D3-9196-006008105FA5} - hxxps://remote.precysesolutions.com/SDClientTools.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: crypt - crypts.dll
Notify: winctrl32 - WinCtrl32.dll
AppInit_DLLs: sxedib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hs78344kjkfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayxVoOf

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\penny\applic~1\mozilla\firefox\profiles\op2ux18j.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 winrv61;winrv61;c:\windows\system32\drivers\Winrv61.sys [2007-8-6 31616]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-6 24652]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\dcalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
S3 winwb50;winwb50;\??\c:\windows\system32\drivers\winwb50.sys --> c:\windows\system32\drivers\Winwb50.sys [?]

=============== Created Last 30 ================

2010-05-01 16:41:35 1026 ----a-w- c:\windows\irokicuhuhoneni.dll
2010-04-21 09:51:41 0 d-----w- c:\program files\Trend Micro
2010-04-20 23:43:27 1026 ----a-w- c:\windows\ecoranaw.dll
2010-04-20 22:32:29 1026 ----a-w- c:\windows\ojogidel.dll
2010-04-20 14:25:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 14:25:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-20 11:46:47 16896 ----a-w- c:\windows\system32\WinCtrl32.dll

==================== Find3M ====================

2010-05-01 16:42:37 100590 ----a-w- c:\windows\system32\drivers\d3c003b.sys
2004-08-04 10:00:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 10:00:00 50688 --sh--w- c:\windows\twain_32.dll
2006-02-17 04:33:10 1216 --sh--w- c:\windows\Twunk_16.dll
2006-02-17 04:33:10 1216 --sh--w- c:\windows\Twunk_32.dll
2009-02-22 17:11:10 2320 --sha-w- c:\windows\system32\fOoVxyay.ini2
2004-08-04 10:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 10:00:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 10:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 10:00:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2007-12-04 18:38:13 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 10:00:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 10:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 11:43:49.88 ===============



GMER OUTPUT

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-01 12:00:14
Windows 5.1.2600 Service Pack 2
Running: rm22663k.exe; Driver: C:\DOCUME~1\Penny\LOCALS~1\Temp\axnoapow.sys


---- System - GMER 1.0.15 ----

Code 83257E80 ZwEnumerateKey
Code 8322D4E0 ZwFlushInstructionCache
Code 8319046E IofCallDriver
Code 832272E6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 83190473
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 832272EB
PAGE ntoskrnl.exe!ZwEnumerateKey 8056F0B0 5 Bytes JMP 83257E84
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8057882D 5 Bytes JMP 8322D4E4
? C:\WINDOWS\system32\drivers\Winrv61.sys Access is denied.
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xF8CFCD00]
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xF8B324C0]
init C:\WINDOWS\system32\DRIVERS\gticard.sys entry point in "init" section [0xF2584B20]
? C:\WINDOWS\System32\drivers\d3c003b.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\rundll32.exe[204] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A8000A
.text C:\WINDOWS\system32\rundll32.exe[204] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\winlogon.exe[484] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\winlogon.exe[484] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\services.exe[528] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\services.exe[528] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\lsass.exe[540] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\lsass.exe[540] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0073000A
.text C:\WINDOWS\system32\SearchIndexer.exe[980] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\SearchIndexer.exe[980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\SearchIndexer.exe[980] kernel32.dll!WriteFile 7C810D87 7 Bytes JMP 00E61B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1144] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1144] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\bcmwltry.exe[1156] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\bcmwltry.exe[1156] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\userinit.exe[1236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\userinit.exe[1236] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\spoolsv.exe[1284] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\spoolsv.exe[1284] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\SCardSvr.exe[1380] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\SCardSvr.exe[1380] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0071000A
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AB000A
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AC000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1608] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0072000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1608] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0073000A
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1656] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009E000A
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1656] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\nvsvc32.exe[1788] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\nvsvc32.exe[1788] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\HPZipm12.exe[1804] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0071000A
.text C:\WINDOWS\system32\HPZipm12.exe[1804] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0072000A
.text C:\WINDOWS\system32\notepad.exe[2092] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\notepad.exe[2092] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\alg.exe[2296] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\alg.exe[2296] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0071000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2344] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2344] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\notepad.exe[2748] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\notepad.exe[2748] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wscript.exe[2760] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\wscript.exe[2760] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00CC000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00CD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00CEFE90 \\?\globalroot\systemroot\system32\UACmnblycld.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00CF09A0 \\?\globalroot\systemroot\system32\UACmnblycld.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] WS2_32.dll!send 71AB428A 5 Bytes JMP 00CF0780 \\?\globalroot\systemroot\system32\UACmnblycld.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00CF0110 \\?\globalroot\systemroot\system32\UACmnblycld.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00CF0B80 \\?\globalroot\systemroot\system32\UACmnblycld.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3204] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 10014B74 C:\WINDOWS\system32\sxedib.dll
.text C:\Documents and Settings\Penny\Desktop\rm22663k.exe[3236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A6000A
.text C:\Documents and Settings\Penny\Desktop\rm22663k.exe[3236] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A7000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs d3c003b.sys
Device \Driver\Tcpip \Device\Ip d3c003b.sys
Device \FileSystem\MRxDAV \Device\WebDavRedirector Winrv61.sys
Device \Driver\Tcpip \Device\Tcp d3c003b.sys
Device \Driver\Tcpip \Device\Udp d3c003b.sys
Device \Driver\Tcpip \Device\RawIp d3c003b.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver Winrv61.sys
Device \Driver\Tcpip \Device\IPMULTICAST d3c003b.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector Winrv61.sys
Device \FileSystem\Cdfs \Cdfs Winrv61.sys

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\UACrojbekmw.sys (*** hidden *** ) F2720000-F2733000 (77824 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [204] 0x00AA0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [328] 0x00710000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [484] 0x006C0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [528] 0x006C0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [540] 0x00740000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [764] 0x00710000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [820] 0x00710000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\SearchIndexer.exe [980] 0x00A70000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [992] 0x00710000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1028] 0x00710000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\System32\WLTRYSVC.EXE [1144] 0x009B0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\System32\bcmwltry.exe [1156] 0x00BF0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\userinit.exe [1236] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1284] 0x009B0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\System32\SCardSvr.exe [1380] 0x00720000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1456] 0x00AF0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1608] 0x00740000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [1656] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [1788] 0x007D0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\HPZipm12.exe [1804] 0x00730000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [2092] 0x009A0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2296] 0x00720000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [2344] 0x00840000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [2748] 0x009A0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscript.exe [2760] 0x00A60000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3204] 0x00CE0000
Library \\?\globalroot\systemroot\system32\UACmnblycld.dll (*** hidden *** ) @ C:\Documents and Settings\Penny\Desktop\rm22663k.exe [3236] 0x00BC0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\d3c003b.sys (*** hidden *** ) [SYSTEM] d3c003b <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACrojbekmw.sys (*** hidden *** ) [SYSTEM] uacd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d3c003b@ImagePath \SystemRoot\System32\drivers\d3c003b.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\d3c003b@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\d3c003b@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\d3c003b@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\d3c003b@F96ZK6nPB aHR0cDovL2VrYmFkLm1lOjgwLw==
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys@imagepath \systemroot\system32\drivers\UACrojbekmw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrojbekmw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACfrmfadfe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpfofxhlm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACnwelcsit.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxbnbelur.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmnblycld.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAClqrfnpkd.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACgkfdqhvk.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACsbobkayk.log
Reg HKLM\SYSTEM\ControlSet003\Services\d3c003b@ImagePath \SystemRoot\System32\drivers\d3c003b.sys
Reg HKLM\SYSTEM\ControlSet003\Services\d3c003b@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\d3c003b@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\d3c003b@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\d3c003b@F96ZK6nPB aHR0cDovL2VrYmFkLm1lOjgwLw==
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@imagepath \systemroot\system32\drivers\UACrojbekmw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrojbekmw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACfrmfadfe.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpfofxhlm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACnwelcsit.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACxbnbelur.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmnblycld.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAClqrfnpkd.log
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACgkfdqhvk.log
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACsbobkayk.log

---- EOF - GMER 1.0.15 ----

Blade81
2010-05-05, 12:04
Hi,


Sorry Blade81 for not getting back to you in a timely manner. I was in the process of getting married last weekend so I couldn't get the stuff up and running quickly.
Congrats :)


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
A new DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Mofogo
2010-05-06, 02:58
ComboFix does not want to run. It gave me the prompt to run it, but after that, nothing.

Blade81
2010-05-06, 09:16
Hi,

Rename ComboFix.exe -> Mofogo.exe and try to run it.

Mofogo
2010-05-06, 14:26
OK, the rename worked. ComboFix log, DDS log, and Attach log included.


ComboFix Log

ComboFix 10-05-05.0A - Penny 05/06/2010 6:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.306 [GMT -5:00]
Running from: c:\documents and settings\Penny\Desktop\Mofogo.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cwxwwgtl.exe
c:\docume~1\Penny\LOCALS~1\Temp\mousehook.dll
c:\docume~1\Penny\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090222111724507.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\documents and settings\Penny\Local Settings\Temp\ntdll64.dll
C:\lsass.exe
c:\windows\acakogev.dll
c:\windows\acizogazin.dll
c:\windows\acoherajo.dll
c:\windows\akuqijoy.dll
c:\windows\amitixez.dll
c:\windows\aseyovoxan.dll
c:\windows\ayofowac.dll
c:\windows\ayotepopeg.dll
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\ecoranaw.dll
c:\windows\efoqufuna.dll
c:\windows\eleqotol.dll
c:\windows\emoqixiwuhuqe.dll
c:\windows\epegorey.dll
c:\windows\exivumej.dll
c:\windows\ezosazuyuf.dll
c:\windows\ihawaliy.dll
c:\windows\ijosoletunuxafuj.dll
c:\windows\inopoqoxevuqa.dll
c:\windows\iqivijukijadu.dll
c:\windows\iribenudajugabor.dll
c:\windows\irokicuhuhoneni.dll
c:\windows\itudejemi.dll
c:\windows\ivajiliquweju.dll
c:\windows\ivigulusef.dll
c:\windows\ivusequpal.dll
c:\windows\ixodolemahe.dll
c:\windows\iyoxitig.dll
c:\windows\izocayewiduce.dll
c:\windows\Kragus.dll
c:\windows\ocihomal.dll
c:\windows\odorigafey.dll
c:\windows\oduruxile.dll
c:\windows\ofajifoha.dll
c:\windows\ofureciyozoxu.dll
c:\windows\ogexodem.dll
c:\windows\ogezocohof.dll
c:\windows\ojogidel.dll
c:\windows\ojomonobapuyuqiy.dll
c:\windows\okevubom.dll
c:\windows\okubewahazuyos.dll
c:\windows\oleneniqedu.dll
c:\windows\omisanuk.dll
c:\windows\onozevuladiwoxew.dll
c:\windows\opucoruw.dll
c:\windows\orekexugujekafi.dll
c:\windows\oxikiqaq.dll
c:\windows\ozatubediday.dll
c:\windows\system32\ahtn.htm
c:\windows\system32\avtap.dll
c:\windows\system32\awwbkh.dll
c:\windows\system32\bqreoa.dll
c:\windows\system32\cesnsciu.dll
c:\windows\system32\cfyvpnha.dll
c:\windows\system32\crypts.dll
c:\windows\system32\deckyuxg.dll
c:\windows\system32\drivers\d3c003b.sys
c:\windows\system32\drivers\UACrojbekmw.sys
c:\windows\system32\Drivers\Winrv61.sys
c:\windows\system32\eayfjjbi.ini
c:\windows\system32\ejaparir.dll
c:\windows\system32\enjxrvco.ini
c:\windows\system32\epmifuyq.dll
c:\windows\system32\eziuer.dll
c:\windows\system32\fhglkypo.dll
c:\windows\system32\fkiluogd.dll
c:\windows\system32\fOoVxyay.ini
c:\windows\system32\fOoVxyay.ini2
c:\windows\system32\frmwrk32.exe
c:\windows\system32\ftjxnskn.dll
c:\windows\system32\gngappob.ini
c:\windows\system32\gtkstccb.dll
c:\windows\system32\hfdggs.dll
c:\windows\system32\hrylfe.dll
c:\windows\system32\hs78344kjkfd.dll
c:\windows\system32\hwkagper.ini
c:\windows\system32\icrayklr.ini
c:\windows\system32\ikrdrcvo.ini
c:\windows\system32\iqrjpury.ini
c:\windows\system32\jbqruf.dll
c:\windows\system32\jjijscsw.ini
c:\windows\system32\jqroowkp.dll
c:\windows\system32\jykqxaxk.dll
c:\windows\system32\kbooawtw.dll
c:\windows\system32\klujbfwu.ini
c:\windows\system32\kluvokcw.ini
c:\windows\system32\lbgxudlu.dll
c:\windows\system32\lcewpv.dll
c:\windows\system32\lldnwvmd.ini
c:\windows\system32\lwclmfil.dll
c:\windows\system32\lyjqmugn.dll
c:\windows\system32\mjqmix.dll
c:\windows\system32\mybxlp.dll
c:\windows\system32\nbuvum.dll
c:\windows\system32\ndqwinxh.ini
c:\windows\system32\njucbrex.dll
c:\windows\system32\nnbnaadq.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\nycqdg.dll
c:\windows\system32\orcumfcd.ini
c:\windows\system32\otsvxgom.dll
c:\windows\system32\pouylkqj.dll
c:\windows\system32\qcjjev.dll
c:\windows\system32\qflpldbl.ini
c:\windows\system32\qgpdgcgv.ini
c:\windows\system32\qtqytn.dll
c:\windows\system32\qwfehcnj.dll
c:\windows\system32\ramlgwuq.dll
c:\windows\system32\rfcdihhl.ini
c:\windows\system32\rhqlmgss.dll
c:\windows\system32\sepfpx.dll
c:\windows\system32\shkwivlj.dll
c:\windows\system32\sinvwu.dll
c:\windows\system32\sjrwpiox.dll
c:\windows\system32\smtuykeh.dll
c:\windows\system32\ssqRJAqo.dll
c:\windows\system32\sxedib.dll
c:\windows\system32\test.ttt
c:\windows\system32\tuockyic.dll
c:\windows\system32\UACfrmfadfe.dll
c:\windows\system32\UACgkfdqhvk.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClqrfnpkd.log
c:\windows\system32\UACmnblycld.dll
c:\windows\system32\UACnwelcsit.dll
c:\windows\system32\UACpfofxhlm.dat
c:\windows\system32\UACsbobkayk.log
c:\windows\system32\UACxbnbelur.dll
c:\windows\system32\uenijibg.dll
c:\windows\system32\ujzihc.dll
c:\windows\system32\ulduxgbl.ini
c:\windows\system32\uniq.tll
c:\windows\system32\uuotiogd.dll
c:\windows\system32\vnpmmcnr.dll
c:\windows\system32\vojfjqqg.ini
c:\windows\system32\vycvsq.dll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\wxdbimgx.ini
c:\windows\system32\xerbcujn.ini
c:\windows\system32\xxyabbaA.dll
c:\windows\system32\ybhhkpoa.dll
c:\windows\system32\zcmfta.dll
c:\windows\Tasks.\eizmzbuh.job
c:\windows\Temp\tmp3.tmp
c:\windows\udesixax.dll
c:\windows\udezeleqayisado.dll
c:\windows\ufeciferabatid.dll
c:\windows\ugakalegetekola.dll
c:\windows\ukowuvuroviloxeg.dll
c:\windows\umariquy.dll
c:\windows\uqovaxesakorilow.dll
c:\windows\usemezocijezoweq.dll
c:\windows\uveqosej.dll
c:\windows\uxawatebicog.dll
c:\windows\uyoxutap.dll
c:\windows\Tasks.\eizmzbuh.job . . . . failed to delete

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{683E9523-F7D2-4FF1-B7D2-D44DCF74B370}\RP444\A0050095.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_uacd.sys
-------\Legacy_uacd.sys
-------\Legacy_winrv61
-------\Service_winrv61
-------\Service_d3c003b


((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-04-21 09:51 . 2010-04-21 09:51 -------- d-----w- c:\program files\Trend Micro
2010-04-21 09:10 . 2006-12-07 15:45 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-04-20 14:29 . 2010-04-20 14:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-04-20 14:25 . 2010-05-06 01:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 14:25 . 2010-05-06 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 14:24 . 2006-12-07 15:45 3096576 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2010-04-20 14:23 . 2010-04-20 14:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:12 . 2007-10-11 23:31 -------- d-----w- c:\documents and settings\Penny\Application Data\U3
2010-04-20 14:30 . 2008-08-06 16:05 -------- d-----w- c:\program files\Common Files\AOL
2004-08-04 10:00 . 2004-08-04 10:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 10:00 . 2004-08-04 10:00 50688 --sh--w- c:\windows\twain_32.dll
2006-02-17 04:33 . 2006-02-17 04:33 1216 --sh--w- c:\windows\Twunk_16.dll
2006-02-17 04:33 . 2006-02-17 04:33 1216 --sh--w- c:\windows\Twunk_32.dll
2004-08-04 10:00 . 2004-08-04 10:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 10:00 . 2004-08-04 10:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 10:00 . 2004-08-04 10:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 10:00 . 2004-08-04 10:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2004-08-04 10:00 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 10:00 . 2004-08-04 10:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 10:00 . 2004-08-04 10:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winwb50.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Common Files\Agilix\GoBinder\Binder.exe"= c:\program files\Common Files\Agilix\GoBinder\Binder.exe:127.0.0.1/255.255.255.255:Enabled:Agilix GoBinder
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\cxfagn.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/6/2008 11:06 AM 24652]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 6:04 PM 76160]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
S3 winwb50;winwb50;\??\c:\windows\System32\drivers\Winwb50.sys --> c:\windows\System32\drivers\Winwb50.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open Link Target in Firefox - file://c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
DPF: {BA11E984-66D3-11D3-9196-006008105FA5} - hxxps://remote.precysesolutions.com/SDClientTools.cab
FF - ProfilePath - c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Kboqucocali - c:\windows\Kragus.dll
SafeBoot-winrv61.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 07:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1993962763-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-06 07:20:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 12:20

Pre-Run: 49,020,235,776 bytes free
Post-Run: 49,020,026,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7112E8E3E3819A8E44C5EF50D07A0A38


DDS Log


DDS (Ver_10-03-17.01) - NTFSx86
Run by Penny at 7:23:15.15 on Thu 05/06/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.216 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Penny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open Link Target in Firefox - file://c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.capella.edu/lib/capella/support/plugins/ebraryRdr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {BA11E984-66D3-11D3-9196-006008105FA5} - hxxps://remote.precysesolutions.com/SDClientTools.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\penny\applic~1\mozilla\firefox\profiles\op2ux18j.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\penny\application data\mozilla\firefox\profiles\op2ux18j.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-6 24652]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\dcalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
S3 winwb50;winwb50;\??\c:\windows\system32\drivers\winwb50.sys --> c:\windows\system32\drivers\Winwb50.sys [?]
UnknownUnknown d3c003b;d3c003b; [x]

=============== Created Last 30 ================

2010-05-06 11:40:39 0 d-sha-r- C:\cmdcons
2010-05-06 11:38:19 98816 ----a-w- c:\windows\sed.exe
2010-05-06 11:38:19 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 11:38:19 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 11:38:19 161792 ----a-w- c:\windows\SWREG.exe
2010-04-21 09:51:41 0 d-----w- c:\program files\Trend Micro
2010-04-20 14:25:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 14:25:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2004-08-04 10:00:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 10:00:00 50688 --sh--w- c:\windows\twain_32.dll
2006-02-17 04:33:10 1216 --sh--w- c:\windows\Twunk_16.dll
2006-02-17 04:33:10 1216 --sh--w- c:\windows\Twunk_32.dll
2004-08-04 10:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 10:00:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 10:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38:13 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 10:00:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 10:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 7:23:24.34 ===============

Blade81
2010-05-06, 16:21
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



Driver::
winwb50
File::
c:\windows\System32\drivers\Winwb50.sys
DDS::
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winwb50.sys]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\cxfagn.exe"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).

Uninstall vulnerable Flash versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
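The CFScript above was hand-built from two things visible in the ComboFix log: a SafeBoot\Minimal entry for a driver (winwb50) whose file ComboFix could not verify (the `[?]` on the S3 line), and a firewall-authorized application sitting in the root of C:\ with a random name (c:\cxfagn.exe). The following is an added example, not part of Blade81's post and not ComboFix's own tooling: a small Python triage script that reads a ComboFix-style log, pulls out exactly those two kinds of entries, and emits the matching CFScript lines. The embedded sample log is constructed from lines quoted in this thread; the "trusted prefix" list and the "SafeBoot entry whose driver is marked `[?]`" rule are my own heuristics and are assumptions, not ComboFix rules.

```python
"""Triage a ComboFix-style log and draft the CFScript entries a helper would
hand-pick. Added example for this thread; not ComboFix's own code."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied in the style of the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winwb50.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\cxfagn.exe"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 6:04 PM 76160]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
S3 winwb50;winwb50;\??\c:\windows\System32\drivers\Winwb50.sys --> c:\windows\System32\drivers\Winwb50.sys [?]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Assumption: anything authorized through the firewall outside these roots deserves a look.
TRUSTED_PREFIXES = ("%windir%", "c:\\windows", "c:\\program files")
FIREWALL_KEY = "HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
FIREWALL_LIST_KEY = FIREWALL_KEY + "\\AuthorizedApplications\\List"
SAFEBOOT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\"


def parse_reg_sections(text: str) -> Dict[str, List[str]]:
    """Map each [key] header in the 'Reg Loading Points' dump to its value lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif not line:
            current = None          # a blank line ends the current key block
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_services(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map service name (lowercase) -> (resolved image path, file_verified).
    ComboFix prints 'registered --> resolved [?]' when it could not stat the file."""
    services: Dict[str, Tuple[str, bool]] = {}
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        verified = not rest.endswith("[?]")
        path = rest.split("-->")[-1].rsplit("[", 1)[0].strip()
        services[m.group("name").lower()] = (path, verified)
    return services


def _unescape_reg_path(value_line: str) -> str:
    """'"c:\\\\foo.exe"= ...' -> 'c:\\foo.exe' (REGEDIT4 doubles backslashes in quotes)."""
    m = re.match(r'^"(?P<path>[^"]+)"', value_line)
    return m.group("path").replace("\\\\", "\\") if m else ""


def firewall_disabled(sections: Dict[str, List[str]]) -> bool:
    return any(l.startswith('"EnableFirewall"') and "= 0" in l
               for l in sections.get(FIREWALL_KEY, []))


def suspicious_firewall_apps(sections: Dict[str, List[str]]) -> List[str]:
    """Authorized applications whose path is outside the trusted roots."""
    flagged = []
    for line in sections.get(FIREWALL_LIST_KEY, []):
        path = _unescape_reg_path(line)
        if path and not path.lower().startswith(TRUSTED_PREFIXES):
            flagged.append(path)
    return flagged


def safeboot_unknown_drivers(sections, services) -> List[Tuple[str, str, str]]:
    """(service name, SafeBoot key, driver path) for SafeBoot\\Minimal entries
    whose driver file ComboFix flagged with [?]."""
    found = []
    for key in sections:
        if not key.startswith(SAFEBOOT_PREFIX):
            continue
        name = key[len(SAFEBOOT_PREFIX):].lower()
        name = name[:-4] if name.endswith(".sys") else name
        path, verified = services.get(name, ("", True))
        if not verified:
            found.append((name, key, path))
    return found


def build_cfscript(text: str) -> str:
    """Draft the Driver:: / File:: / Registry:: blocks from the findings above."""
    sections, services = parse_reg_sections(text), parse_services(text)
    drivers, files, registry = [], [], []
    for name, key, path in safeboot_unknown_drivers(sections, services):
        drivers.append(name)
        files.append(path)
        registry.append(f"[-{key}]")          # leading '-' deletes the whole key
    apps = suspicious_firewall_apps(sections)
    if apps:
        registry.append(f"[{FIREWALL_LIST_KEY}]")
        for app in apps:                      # '=-' removes just that value
            registry.append('"' + app.replace("\\", "\\\\") + '"=-')
    out: List[str] = []
    if drivers:
        out += ["Driver::", *drivers]
    if files:
        out += ["File::", *files]
    if registry:
        out += ["Registry::", *registry]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run against the constructed sample, `build_cfscript` reproduces the Driver::, File:: and Registry:: blocks of the script above (the DDS:: line for the orphaned toolbar is not derived, since that comes from the DDS log rather than the ComboFix registry dump). `firewall_disabled` is worth checking separately: the log shows `EnableFirewall = 0`, so even after the rogue entry is removed the Windows Firewall still needs to be switched back on.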

Mofogo
2010-05-07, 23:03
Well, Kaspersky keeps hanging around 65-66% an hour and a half into it. I've been kicking it on and leaving b/c I can't sit there and watch it for that long. By that point it's detected one infection, but even after I stop the scan it doesn't bring up a log.

Anyways, DDS log first


DDS (Ver_10-03-17.01) - NTFSx86
Run by Penny at 15:57:48.09 on Fri 05/07/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.343 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Penny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.capella.edu/lib/capella/support/plugins/ebraryRdr.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BA11E984-66D3-11D3-9196-006008105FA5} - hxxps://remote.precysesolutions.com/SDClientTools.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\penny\applic~1\mozilla\firefox\profiles\op2ux18j.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-6 24652]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\dcalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

=============== Created Last 30 ================

2010-05-06 22:59:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-06 22:59:22 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 11:40:39 0 d-sha-r- C:\cmdcons
2010-05-06 11:38:19 98816 ----a-w- c:\windows\sed.exe
2010-05-06 11:38:19 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 11:38:19 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 11:38:19 161792 ----a-w- c:\windows\SWREG.exe
2010-04-21 09:51:41 0 d-----w- c:\program files\Trend Micro
2010-04-20 14:25:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 14:25:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2004-08-04 10:00:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 10:00:00 50688 --sh--w- c:\windows\twain_32.dll
2006-02-17 04:33:10 1216 --sh--w- c:\windows\Twunk_16.dll
2006-02-17 04:33:10 1216 --sh--w- c:\windows\Twunk_32.dll
2004-08-04 10:00:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 10:00:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 10:00:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38:13 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 10:00:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 10:00:00 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 15:58:41.94 ===============



ComboFix 10-05-05.0D - Penny 05/06/2010 16:59:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.167 [GMT -5:00]
Running from: c:\documents and settings\Penny\Desktop\Mofogo.exe
Command switches used :: c:\documents and settings\Penny\Desktop\CFScript.txt

FILE ::
"c:\windows\System32\drivers\Winwb50.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_winwb50


((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-04-21 09:51 . 2010-04-21 09:51 -------- d-----w- c:\program files\Trend Micro
2010-04-20 14:29 . 2010-04-20 14:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-04-20 14:25 . 2010-05-06 01:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 14:25 . 2010-05-06 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 14:23 . 2010-04-20 14:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:12 . 2007-10-11 23:31 -------- d-----w- c:\documents and settings\Penny\Application Data\U3
2010-04-20 14:30 . 2008-08-06 16:05 -------- d-----w- c:\program files\Common Files\AOL
2004-08-04 10:00 . 2004-08-04 10:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 10:00 . 2004-08-04 10:00 50688 --sh--w- c:\windows\twain_32.dll
2006-02-17 04:33 . 2006-02-17 04:33 1216 --sh--w- c:\windows\Twunk_16.dll
2006-02-17 04:33 . 2006-02-17 04:33 1216 --sh--w- c:\windows\Twunk_32.dll
2004-08-04 10:00 . 2004-08-04 10:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 10:00 . 2004-08-04 10:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 10:00 . 2004-08-04 10:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38 . 2004-08-04 10:00 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 10:00 . 2004-08-04 10:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 10:00 . 2004-08-04 10:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Common Files\Agilix\GoBinder\Binder.exe"= c:\program files\Common Files\Agilix\GoBinder\Binder.exe:127.0.0.1/255.255.255.255:Enabled:Agilix GoBinder
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/6/2008 11:06 AM 24652]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 6:04 PM 76160]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open Link Target in Firefox - file://c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
DPF: {BA11E984-66D3-11D3-9196-006008105FA5} - hxxps://remote.precysesolutions.com/SDClientTools.cab
FF - ProfilePath - c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Penny\Application Data\Mozilla\Firefox\Profiles\op2ux18j.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 17:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuauclt.exe.wusetup.346538.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.355861.bak 1809944 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1993962763-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-06 17:22:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 22:22
ComboFix2.txt 2010-05-06 12:20

Pre-Run: 49,684,471,808 bytes free
Post-Run: 49,617,895,424 bytes free

- - End Of File - - 98B298301B58B25EE3FADBE7E91BCE50
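What follows is an added example, not part of the thread and not a ComboFix or forum tool: a small Python triage pass over the security-relevant lines of a ComboFix-style log, run here on a constructed excerpt shaped like the log quoted above. It flags the standard-profile firewall being off (EnableFirewall = 0), lists the programs the firewall would admit inbound once it is re-enabled, reports any service or driver whose image ComboFix could not find (rendered as `path --> path [?]`, as with DCALEXICO above), and lists the files catchme reported as hidden. The parsing rules are assumptions about the log's text layout; hidden files are listed for review only, since a file name alone is not a verdict.

```python
"""Triage the security-relevant parts of a ComboFix-style log excerpt.

Added example for this thread; it is not code from the original posts, from
ComboFix or from the forum. The parsing rules are assumptions about the text
layout shown in the thread; SAMPLE_LOG is a constructed excerpt shaped like it.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the thread's ComboFix output (not a verbatim copy).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Common Files\Agilix\GoBinder\Binder.exe"= c:\program files\Common Files\Agilix\GoBinder\Binder.exe:127.0.0.1/255.255.255.255:Enabled:Agilix GoBinder
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/6/2008 11:06 AM 24652]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 6:04 PM 76160]
S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

scanning hidden files ...

c:\windows\system32\wuauclt.exe.wusetup.346538.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.355861.bak 1809944 bytes executable

scan completed successfully
hidden files: 2
"""

SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<val>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
HIDDEN_RE = re.compile(r"^(?P<path>.+?)\s+(?P<size>\d+) bytes\b")


def parse_firewall(text: str) -> Tuple[Optional[bool], List[str]]:
    """Return (firewall_enabled, authorized_apps) for the standard profile.

    None means no EnableFirewall value was seen. The authorized list is the set
    of programs allowed inbound connections; it only takes effect once the
    firewall is on again, which is why it is worth reading when EnableFirewall=0.
    """
    enabled: Optional[bool] = None
    apps: List[str] = []
    section = ""
    for line in text.splitlines():
        s = line.strip()
        m = SECTION_RE.match(s)
        if m:
            section = m.group("name").lower()
            continue
        m = VALUE_RE.match(s)
        if not m:
            continue
        if section.endswith(r"firewallpolicy\standardprofile") and m.group("key").lower() == "enablefirewall":
            enabled = not m.group("val").strip().startswith("0")
        elif section.endswith(r"authorizedapplications\list"):
            apps.append(m.group("key").replace("\\\\", "\\"))  # the log doubles backslashes in these keys
    return enabled, apps


def parse_services(text: str) -> List[Dict[str, object]]:
    """Return R*/S* service and driver entries; 'missing' is True when the log
    shows the image as 'path --> path [?]', i.e. the file was not found on disk."""
    services: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        path = re.sub(r"\s*\[.*\]$", "", rest.split(" --> ")[0]).strip()  # drop '[date size]' / '[?]'
        services.append({"start": m.group("start"), "name": m.group("name").strip(),
                         "path": path, "missing": " --> " in rest})
    return services


def parse_hidden_files(text: str) -> List[Tuple[str, int]]:
    """Return (path, size) pairs from the catchme 'scanning hidden files' block."""
    found: List[Tuple[str, int]] = []
    in_block = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("scanning hidden files"):
            in_block = True
        elif s.startswith("scan completed"):
            in_block = False
        elif in_block:
            m = HIDDEN_RE.match(s)
            if m:
                found.append((m.group("path"), int(m.group("size"))))
    return found


def triage(text: str) -> Dict[str, object]:
    """Collect the items a reviewer would look at first. Hidden files are only
    listed for review; a name alone is not a verdict."""
    enabled, apps = parse_firewall(text)
    services = parse_services(text)
    return {
        "firewall_disabled": enabled is False,
        "authorized_apps": apps,
        "missing_service_binaries": [s["name"] for s in services if s["missing"]],
        "hidden_files": [p for p, _ in parse_hidden_files(text)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pasting a real log into SAMPLE_LOG is the only change needed to run it against a fresh ComboFix report; the section matching is suffix-based and case-insensitive, so the abbreviated `HKLM\~\services\...` form ComboFix prints is handled the same as a full key path.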

Blade81
2010-05-07, 23:15
Hi,

If the hard drive has not been defragged lately, that may affect scanning speed. Also, antivirus protection should be disabled. Naturally the number of files affects it too: the more files there are to scan, the longer it takes.

Mofogo
2010-05-08, 00:01
Alright, well I'll start a defrag then. As far as I can tell I've got the protections disabled on this computer though.

I know it can take a long while, which is why I set it off this morning before work. 8 hours later, it's hung at a 1 hour 20 minute duration and 66%.

Blade81
2010-05-08, 00:23
Hi,

If it still gets stuck after defragging let me know and we'll try something else.

Mofogo
2010-05-08, 07:44
Ah shit, relapse.

Defrag wasn't analyzing for some reason, and thinking I would be productive prior to going to Iron Man II, I installed WinXP SP3 and now I'm blue screened.

PAGE_FAULT_IN_NONPAGED_AREA

Technical Information:

*** STOP: 0x00000050 (0xE1E4B050,0x00000000,0x805ACEAD,0x00000002)

I get the feeling that I should revert back to pre SP3 state, but I'll let you go ahead and tell me that ;)

Oh yeah, after the Windows loading screen it goes black. When I tried safe mode, it goes blue screen. Sorry for the extra trouble.

Thanks Blade

Blade81
2010-05-08, 13:52
One example of why things outside the instructions shouldn't be tried. No doubt the mess got worse now. Does the last known good configuration option work?

Mofogo
2010-05-08, 17:47
My bad man. I'm not touching it unless you say so. :lip:


Last known good configuration results in an "UNMOUNTABLE_BOOT_VOLUME" BSOD.

Blade81
2010-05-08, 17:57
1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

chkdsk /r

6. Let the operation finish and then at the next prompt, type the following bolded text, and press Enter:
exit

See if system is able to reboot.

Mofogo
2010-05-08, 19:02
All I get is a black screen with a blinking cursor. I typed the "1" and "enter" just for grins but it doesn't appear to do anything. I assume I should be seeing another screen.

Could I burn one on a CD and boot to that to get the recovery console? Or maybe throw in one of my XP discs (this is a friends computer) to get to the recovery console?

Blade81
2010-05-09, 02:05
Hi,

Yes, if you have XP Professional media around, then you could try to boot into the Recovery Console with it.

Reboot the system with the CD drive set as the #1 boot option and the XP Pro media inserted. When you get to the Windows XP Setup screen, press the R key to select the option to repair a Windows XP installation using the Recovery Console.

If you're able to reach the Recovery Console, then type the chkdsk /r command there. It's possible that the system's hard drive has seen its best days.

Mofogo
2010-05-09, 16:46
Well, I was able to reach the Recovery Console off of the XP disc, and it completed, but I still can't get booted into Windows.

Same loading screen that goes black for normal windows, and BSOD when trying to get into Safe Mode or reverting to last known good configuration.

So you think it could be hard drive hardware related at this point? Nothing is seeming to want to work.

Blade81
2010-05-09, 18:02
Hi,

Yes, I think the hard drive may have problems. The failure in defragmenting and the error message indicate that possibility.

Mofogo
2010-05-09, 18:20
Alright well shit. I thought we were making good progress (at least until I screwed it up). Thanks for your help though. You did as much as you could and it was going good. Sorry to waste your time.

Have a good one.

Blade81
2010-05-09, 18:35
Hi,

You may try to attach the hard drive to another system as a slave drive to see if you can get some data backed up from it.

Mofogo
2010-05-09, 19:12
Would this help at all with actually getting it running again on this hard drive? He wasn't concerned really with any of the data/files/pictures/etc on it, because he already had another laptop and simply wanted to get this one back to a usable state (without having the necessary discs to do a reformat). So I'm not worried about any data, just getting the laptop to a functioning state.

Are there any cleaning or other operations that could come of hooking it up as a slave that would possibly allow me to put it back into the laptop and get it back up?

Blade81
2010-05-10, 07:27
Hi,

Sorry, I didn't have a clue it was a laptop hard drive there. That makes it more difficult to get the drive slaved. If the drive contents getting deleted doesn't matter, then a reformat would be recommended (even that won't help if the hard drive is broken). That of course requires operating system media, though.

Blade81
2010-05-18, 15:35
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.