Malware Bytes & Hijack This are disabled

elnino550 · Sep 17, 2009

Hello Staff,

Please help. Safety Center and AntiVirusPro 2010 are both visible viruses on my desktop and have prevented me from using both malwarebytes and hijack this - even after re-downloading. error code is "Windows cannot access the specified device, path or file.." etc. System restore is ineffective as registry files are probably damaged and hidden. Google search engine results are redirected to advertisements upon clicking. Firefox will not open in normal mode.

What is most troubling is that malwarebytes and hijack this are not working in safemode. I still have networking capability in safemode with firefox working so hopefully you can help me. Upon downloading Spybot SD, the infection had irreversibly unchecked the install main files box...please help if you can - i am very worried about possible identity theft.

I have downloaded the recommended registry backup exe.

thank you staff!

ken545 · Sep 17, 2009

Hello elnino550

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Please download RootRepeal one of these locations and save it to your desktop
Here
Here
Here

Open

on your desktop.
Click the

tab.
Click the

button.
Check just these boxes:
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the

button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

elnino550 · Sep 18, 2009

Thank you for your quick response....heres the root repeal report.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/17 18:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7F65000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8CB1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF81FA000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8A35000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF822A000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: kbiwkmakqindod
Image Path: C:\WINDOWS\system32\drivers\kbiwkmxsaqllgo.sys

Service Name: kbiwkmhdotxqqa
Image Path: C:\WINDOWS\system32\drivers\kbiwkmcyahvkjt.sys

==EOF==

ken545 · Sep 18, 2009

Hi,

Your infected with a Rootkit, I need you to run Combofix but its important that you rename it as this Rootkit will prevent Combofix from running.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

elnino550 · Sep 18, 2009

hello again,

running combofix appears to have successfully removed the rootkit. everything is running normal. could not disable avg 7 before combofix scan. i greatly desire to thoroughly followup with you to make sure everything is okay. youve been a wonderful help so far, thank you for your time...

here is the combofix log report:

ComboFix 09-09-17.04 - Matt 1 2009-09-17 19:33.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.296 [GMT -7:00]
Running from: c:\documents and settings\Matt 1\Desktop\Combo-Fix.exe
AV: AVG 7.5.549 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\damien rice - live unreleased\Start Menu\Programs\AntivirusPro_2010
c:\damien rice - live unreleased\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\damien rice - live unreleased\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Matt 1\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
c:\documents and settings\Matt 1\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
c:\documents and settings\Matt 1\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut5_6EA2867D4E8340A5A3471FF71A363544.exe
c:\documents and settings\Matt 1\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut6_6EA2867D4E8340A5A3471FF71A363544.exe
c:\documents and settings\Matt 1\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Matt 1\Desktop\AntivirusPro_2010.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\program files\Windows Police Pro
c:\windows\avaaa.dll
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\1227c0b6.msp
c:\windows\Installer\13202c6.msp
c:\windows\Installer\20aa7.msi
c:\windows\Installer\47383.msp
c:\windows\Installer\a913fe4.msp
c:\windows\Installer\a913ff7.msp
c:\windows\Installer\a91400b.msp
c:\windows\Installer\a914054.msp
c:\windows\Installer\a914067.msp
c:\windows\Installer\a91407b.msp
c:\windows\Installer\a91408f.msp
c:\windows\Installer\a9140a9.msp
c:\windows\Installer\a9140bf.msp
c:\windows\Installer\a9140d2.msp
c:\windows\Installer\a9140e5.msp
c:\windows\Installer\a91410b.msp
c:\windows\Installer\a914122.msp
c:\windows\Installer\a914136.msp
c:\windows\Installer\a91414a.msp
c:\windows\Installer\a91415d.msp
c:\windows\Installer\a914171.msp
c:\windows\Installer\a914186.msp
c:\windows\Installer\a91419b.msp
c:\windows\Installer\a9141ae.msp
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\run.log
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\ATHPRXY(2).DLL
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\desote.exe
c:\windows\system32\drivers\kbiwkmcyahvkjt.sys
c:\windows\system32\drivers\kbiwkmxsaqllgo.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\kbiwkmaoepyhul.dll
c:\windows\system32\kbiwkmcdcunckj.dll
c:\windows\system32\kbiwkmfvknoflp.dll
c:\windows\system32\kbiwkmqsklvvwh.dll
c:\windows\system32\kbiwkmqvncwbde.dll
c:\windows\system32\kbiwkmtexwpnip.dat
c:\windows\system32\kbiwkmtmcjpwiw.dat
c:\windows\system32\kbiwkmwnauhbku.dat
c:\windows\system32\logs
c:\windows\system32\net.net
c:\windows\system32\onhelp.htm
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\xa.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\temp\~4CA.dll

c:\windows\system32\drivers\beep.sys . . . is infected!!

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_AntipPro2009_100
-------\Service_kbiwkmakqindod
-------\Service_kbiwkmhdotxqqa

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 02:45 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-18 02:45 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-17 05:44 . 2009-09-17 05:44 -------- d-----w- c:\program files\Trend Micro
2009-09-17 00:09 . 2009-09-17 00:09 2198 -c--a-w- C:\EY6L79Oh.bat
2009-09-13 20:49 . 2009-09-17 00:17 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-13 20:44 . 2009-09-13 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-12 23:28 . 2009-09-12 23:30 -------- d-----w- c:\program files\NetDog
2009-09-12 23:07 . 2009-09-17 03:48 -------- d-----w- c:\program files\B Gone
2009-08-31 23:02 . 2009-08-31 23:02 163840 ----a-w- c:\windows\svchasts.exe
2009-08-24 23:46 . 2009-08-24 23:46 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-24 23:46 . 2009-08-24 23:46 -------- d-----w- c:\documents and settings\Matt 1\Application Data\skypePM
2009-08-24 23:43 . 2009-09-17 04:41 -------- d-----w- c:\documents and settings\Matt 1\Application Data\Skype
2009-08-24 23:42 . 2009-08-24 23:42 -------- d-----w- c:\program files\Common Files\Skype
2009-08-24 23:42 . 2009-08-24 23:42 -------- d-----r- c:\program files\Skype
2009-08-24 23:42 . 2009-08-24 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 04:46 . 2009-03-02 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 04:53 . 2007-10-13 10:18 -------- d-----r- c:\program files\rnamfler
2009-09-10 21:54 . 2009-03-02 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-03-02 06:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 00:04 . 2004-02-07 00:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-08 00:02 . 2009-08-08 00:02 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-08-08 00:02 . 2007-02-07 07:34 -------- d-----w- c:\documents and settings\Matt 1\Application Data\GetRightToGo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-09-25 4861952]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-04 86073]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-31 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-31 614400]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 185784]
"wrna3ls"="c:\program files\rnamfler\naomf.exe" [2006-04-01 1253448]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-09-25 323584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-07-19 73728]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-09-25 278528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\Ivp\\NetInt\\netint.exe"= c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Ubi Soft\\Chessmaster 9000\\Chessmaster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1171828283\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-02-09 10112]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 mrtRate;mrtRate; [x]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\MATT1~1\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\MATT1~1\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [2008-01-28 132096]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\e2ead497-6b39-4a73-afee-7b2d7a3729ed]
c:\windows\system32\cqcccdb.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Matt 1\Application Data\Mozilla\Firefox\Profiles\wqttpak4.default\
FF - prefs.js: browser.search.selectedEngine - SearchGeek
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-FL Studio_is1 - e:\air music soft\unins000.exe
AddRemove-FLAC - e:\flac converter\FLAC\uninstall.exe
AddRemove-HijackThis - e:\hijack this\HijackThis.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - e:\malwarebytes' anti-malware\unins000.exe
AddRemove-Power Tab Editor 1.7 - c:\progra~1\PTSOFT~1\PTEDIT~1\UNWISE.EXE
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - e:\spybot - search & destroy\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbiwkmakqindod]
"imagepath"="\systemroot\system32\drivers\kbiwkmxsaqllgo.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbiwkmhdotxqqa]
"imagepath"="\systemroot\system32\drivers\kbiwkmcyahvkjt.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbiwkmakqindod]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmxsaqllgo.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbiwkmhdotxqqa]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmcyahvkjt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\System32\LgNotify.dll
c:\program files\rnamfler\radprlib.dll

- - - - - - - > 'lsass.exe'(916)
c:\program files\rnamfler\radprlib.dll

- - - - - - - > 'explorer.exe'(2632)
c:\program files\rnamfler\radprlib.dll
c:\program files\rnamfler\radhslib.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL

- - - - - - - > 'csrss.exe'(836)
c:\program files\rnamfler\radprlib.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\1XConfig.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\rnamfler\radprcmp.exe
.
**************************************************************************
.
Completion time: 2009-09-18 19:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 02:57
ComboFix2.txt 2009-03-02 05:57

Pre-Run: 24,420,458,496 bytes free
Post-Run: 24,998,117,376 bytes free

355 --- E O F --- 2009-06-14 19:06

.....and the hijack this log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:13:56 PM, on 2009-09-17
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\rnamfler\naomf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
c:\program files\rnamfler\radprcmp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 5545 bytes

how is my computer looking now? advice?

ken545 · Sep 18, 2009

Looking a lot better, Combofix did a good job, more to do

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above ReglockDel::

Code:

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbiwkmakqindod]
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbiwkmhdotxqqa]


Fcopy::
C:\WINDOWS\system32\dllcache\beep.sys|c:\windows\system32\drivers\beep.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

elnino550 · Sep 18, 2009

hello ken545,

looking better and better i believe....looks like combofix deleted a couple rnamfler files and kbiwkmcyahvkjt associated files....making me wonder if these rootkit backdoor programs will ever be completely erased.

heres the latest combofix report:

ComboFix 09-09-17.04 - Matt 1 2009-09-17 21:32.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.287 [GMT -7:00]
Running from: c:\documents and settings\Matt 1\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Matt 1\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
* Created a new restore point
.
The following files were disabled during the run:
c:\program files\rnamfler\radprlib.dll
c:\program files\rnamfler\radhslib.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\rnamfler\radhslib.dll
c:\program files\rnamfler\radprlib.dll

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\beep.sys --> c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmakqindod
-------\Legacy_kbiwkmhdotxqqa
-------\Service_kbiwkmakqindod

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 02:45 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-18 02:45 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-17 05:44 . 2009-09-17 05:44 -------- d-----w- c:\program files\Trend Micro
2009-09-17 00:09 . 2009-09-17 00:09 2198 -c--a-w- C:\EY6L79Oh.bat
2009-09-13 20:49 . 2009-09-18 02:46 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-13 20:44 . 2009-09-13 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-12 23:28 . 2009-09-12 23:30 -------- d-----w- c:\program files\NetDog
2009-09-12 23:07 . 2009-09-17 03:48 -------- d-----w- c:\program files\B Gone
2009-08-31 23:02 . 2009-08-31 23:02 163840 ----a-w- c:\windows\svchasts.exe
2009-08-24 23:46 . 2009-08-24 23:46 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-24 23:46 . 2009-08-24 23:46 -------- d-----w- c:\documents and settings\Matt 1\Application Data\skypePM
2009-08-24 23:43 . 2009-09-18 03:02 -------- d-----w- c:\documents and settings\Matt 1\Application Data\Skype
2009-08-24 23:42 . 2009-08-24 23:42 -------- d-----w- c:\program files\Common Files\Skype
2009-08-24 23:42 . 2009-08-24 23:42 -------- d-----r- c:\program files\Skype
2009-08-24 23:42 . 2009-08-24 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 04:23 . 2007-10-13 10:18 -------- d-----r- c:\program files\rnamfler
2009-09-17 04:46 . 2009-03-02 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 21:54 . 2009-03-02 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-03-02 06:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 00:04 . 2004-02-07 00:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-08 00:02 . 2009-08-08 00:02 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-08-08 00:02 . 2007-02-07 07:34 -------- d-----w- c:\documents and settings\Matt 1\Application Data\GetRightToGo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-09-25 4861952]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-04 86073]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-03 172032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-31 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-31 614400]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"Pinger"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-17 151552]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 185784]
"wrna3ls"="c:\program files\rnamfler\naomf.exe" [2006-04-01 1253448]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-09-25 323584]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-07-19 73728]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-09-25 278528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\Ivp\\NetInt\\netint.exe"= c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Ubi Soft\\Chessmaster 9000\\Chessmaster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1171828283\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-02-09 10112]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 mrtRate;mrtRate; [x]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\MATT1~1\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\MATT1~1\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [2008-01-28 132096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\e2ead497-6b39-4a73-afee-7b2d7a3729ed]
c:\windows\system32\cqcccdb.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Matt 1\Application Data\Mozilla\Firefox\Profiles\wqttpak4.default\
FF - prefs.js: browser.search.selectedEngine - SearchGeek
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\1XConfig.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2009-09-18 21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 04:50
ComboFix2.txt 2009-09-18 02:59
ComboFix3.txt 2009-03-02 05:57

Pre-Run: 24,962,678,784 bytes free
Post-Run: 24,965,439,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /forceresetreg /fastdetect /NoExecute=OptIn

192 --- E O F --- 2009-06-14 19:06

and the a hijack this report from 30 seconds ago:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:49 PM, on 2009-09-17
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 5200 bytes

how are things looking at this point? advice? thank you again

ken545 · Sep 18, 2009

Good Morning,

I am looking at a one bad file that I think Malwarebytes removes and another is questionable. Lets see what Malwarebytes finds and go from there.

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report and also a new HJT log please

elnino550 · Sep 18, 2009

Hi Ken545, here's the latest malware log...

Malwarebytes' Anti-Malware 1.41
Database version: 2821
Windows 5.1.2600 Service Pack 3

2009-09-18 03:31:59 PM
mbam-log-2009-09-18 (15-31-59).txt

Scan type: Quick Scan
Objects scanned: 108889
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\svchasts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

and the hijack this log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:01:07 PM, on 2009-09-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\rnamfler\naofsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 5386 bytes

...hmm....well.....how are we looking? advice? thanks a lot!

ken545 · Sep 19, 2009

c:\program files\rnamfler\radprlib.dll <-- Do you know what this program is, I am not getting to much info on it. Combofix removed it but its back.

Please run this free online virus scanner from ESET

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

elnino550 · Sep 19, 2009

i noticed rnamfler is back as well...i believe this file may be connected with the internet filter application naomi.exe i downloaded for the kids over a year ago. this filter has worked extremely well and i would be surprised if there was a virus association.

ran ESET in explorer and here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=7355a6b722f21c49ae70a4aa6ba7cc7b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-19 04:51:28
# local_time=2009-09-18 09:51:28 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5890 62 0 3 96755443779920
# scanned=247306
# found=28
# cleaned=28
# scan_time=4631
C:\Documents and Settings\Matt 1\My Documents\Install_AIM.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir a variant of Win32/Kryptik.ANC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir a variant of Win32/Kryptik.AGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir a variant of Win32/Kryptik.AKT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\new.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\protector.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\start.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\SafetyCenter\uninstall.exe.vir Win32/Adware.SafetyCenter.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir Win32/Small.EJX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\BegjQqru.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\BegjQqru.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\cnkberkj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir Win32/Small.EJX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\desote.exe.vir Win32/Adware.WindowsAntivirusPro application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\fsperlak.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmqsklvvwh.dll.vir Win32/Olmarik.MF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Win32/TrojanClicker.Punad.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\pybsjrbf.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir a variant of Win32/Kryptik.AGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir a variant of Win32/Kryptik.AKT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmcyahvkjt.sys.vir a variant of Win32/Olmarik.LR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmxsaqllgo.sys.vir a variant of Win32/Olmarik.LR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\ppdisp10_1.dll Win32/Adware.BHO.BG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

...self-replication in progress? advice? thank you.

ken545 · Sep 19, 2009

Good Morning,

All most 100% of what ESET found where backups of what Combofix removed, not to worry.

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

C:\Program Files\rnamfler\naomf.exe

elnino550 · Sep 20, 2009

hey ken, i believe this is the correct report...thank you!

File naomf.exe received on 2009.08.22 06:43:31 (UTC)
Current status: finished
Result: 4/41 (9.76%)

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.08.22 -
AhnLab-V3 5.0.0.2 2009.08.21 -
AntiVir 7.9.1.3 2009.08.21 -
Antiy-AVL 2.0.3.7 2009.08.21 -
Authentium 5.1.2.4 2009.08.21 W32/Heuristic-210!Eldorado
Avast 4.8.1335.0 2009.08.21 -
AVG 8.5.0.406 2009.08.22 -
BitDefender 7.2 2009.08.22 -
CAT-QuickHeal 10.00 2009.08.21 -
ClamAV 0.94.1 2009.08.22 -
Comodo 2054 2009.08.22 -
DrWeb 5.0.0.12182 2009.08.21 -
eSafe 7.0.17.0 2009.08.20 -
eTrust-Vet 31.6.6694 2009.08.21 -
F-Prot 4.4.4.56 2009.08.21 W32/Heuristic-210!Eldorado
F-Secure 8.0.14470.0 2009.08.21 -
Fortinet 3.120.0.0 2009.08.22 -
GData 19 2009.08.22 -
Ikarus T3.1.1.68.0 2009.08.22 -
Jiangmin 11.0.800 2009.08.21 -
K7AntiVirus 7.10.824 2009.08.21 -
Kaspersky 7.0.0.125 2009.08.22 -
McAfee 5716 2009.08.21 -
McAfee+Artemis 5716 2009.08.21 -
McAfee-GW-Edition 6.8.5 2009.08.22 Heuristic.LooksLike.Win32.SuspiciousPE.H
Microsoft 1.4903 2009.08.22 -
NOD32 4357 2009.08.21 -
Norman 6.01.09 2009.08.21 -
nProtect 2009.1.8.0 2009.08.22 -
Panda 10.0.0.14 2009.08.22 -
PCTools 4.4.2.0 2009.08.21 -
Prevx 3.0 2009.08.22 -
Rising 21.43.50.00 2009.08.22 -
Sophos 4.44.0 2009.08.22 Sus/UnkPacker
Sunbelt 3.2.1858.2 2009.08.22 -
Symantec 1.4.4.12 2009.08.22 -
TheHacker 6.3.4.3.385 2009.08.22 -
TrendMicro 8.950.0.1094 2009.08.21 -
VBA32 3.12.10.9 2009.08.22 -
ViRobot 2009.8.22.1896 2009.08.22 -
VirusBuster 4.6.5.0 2009.08.21 -
Additional information
File size: 1253448 bytes
MD5 : edbab1bd1ced1ab1429f79f1463b3952
SHA1 : d23148030ce1c2ea1ec02713b99b8866ed67986f
SHA256: e5e01902c85bd9c9237fdf75b6b10e0047c3e5a2d961fb993623855f9d3d0282
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x137060
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x100670 0x100800 7.99 e2d27507f172fb228d13afffa02250f0
DATA 0x102000 0x10790 0x10800 7.87 2012faab89f38f41fd5b9553fdd5c3d8
BSS 0x113000 0xE4D 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x114000 0x2A06 0x2C00 7.97 df3b3160ce2e34c804f05ae059fd13c0
.tls 0x117000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x118000 0x18 0x200 7.75 da72c30eee50a2ce98b3d1871524055c
.reloc 0x119000 0x10AD0 0x10C00 6.50 286d962bfcf904b879710f077edf87a7
.rsrc 0x12A000 0xC800 0xC800 6.49 fb06a4df4dd5e41fa2adede940fe335e
Jc 0x137000 0x2000 0xA48 7.47 274e2a51bcfacbe3a30921f8458f9cdc

( 1 imports )

> kernel32.dll: LoadLibraryA, GetProcAddress

( 0 exports )
TrID : File type identification
54.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
17.4% (.EXE) Win32 Executable Generic (8527/13/3)
15.5% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
4.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
4.1% (.EXE) Generic Win/DOS Executable (2002/3)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=edbab1bd1ced1ab1429f79f1463b3952
ssdeep: 24576:O0iAL67gsxJNBA89fHCn8tegKHPFpDksIqiap8k0+gzVlzA2JXA:O0iT75r9fjFULosIJFnBlzAL
PEiD : -
packers (Kaspersky): Yoda
packers (F-Prot): Yoda
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=edbab1bd1ced1ab1429f79f1463b3952
packers (Authentium): Yoda
RDS : NSRL Reference Data Set
-

how are we looking?

ken545 · Sep 20, 2009

Hi,

You said you had this installed ?
http://www.bleepingcomputer.com/startups/naomf.exe-12695.html

I think its just a false positive and nothing to worry about.

How are things running now ?

elnino550 · Sep 20, 2009

Things are running very well - really appreciate your time.

in this thread, can you recommend a reliable firewall? do you suggest running ESET from time to time?

ken545 · Sep 20, 2009

Great,.

You can run ESET once in awhile if you wish, its a nice online scanner. I am looking at AVG AV running, open it up and I believe it includes a firewall.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

elnino550 · Sep 22, 2009

Thanks a lot for all your help Ken545 - my machine is running great.

i have looked into all of your security recommendations and have installed most of them.

Thank you again, ill know where to turn next time (providing...)

ken545 · Sep 23, 2009

Your very welcome,

Take Care,

Ken

ken545 · Sep 28, 2009

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Malware Bytes & Hijack This are disabled

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

elnino550

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert