Virtumonde

[Culture]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:40 PM, on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\61DE.tmp
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\d.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [60eada29] rundll32.exe "C:\WINDOWS\system32\gnmdsphl.dll",b
O4 - HKLM\..\Run: [BM63d9e9b5] Rundll32.exe "C:\WINDOWS\system32\svrqljqq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\d.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 5261 bytes












-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 13, 2008 9:52:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/05/2008
Kaspersky Anti-Virus database records: 799359
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 86925
Number of viruses found: 16
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 01:47:04

Infected Object Name / Virus Name / Last Action
C:\d.exe Infected: Backdoor.Win32.Small.dwp skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KB6AQUPQ\mywehfoto[1].htm Infected: not-a-virus:AdWare.Win32.E404.aw skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Desktop\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe Infected: Trojan-Dropper.Win32.Agent.rub skipped
C:\Documents and Settings\Tyler\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Temp\r16252.exe/6 Infected: not-a-virus:Server-Proxy.Win32.Bouncer.a skipped
C:\Documents and Settings\Tyler\Local Settings\Temp\r16252.exe QuickBatch: infected - 1 skipped
C:\Documents and Settings\Tyler\Local Settings\Temp\setup.exe Infected: Trojan-Dropper.Win32.Agent.rub skipped
C:\Documents and Settings\Tyler\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\3BGGTJ07\tuhvzqdrv[1].htm Infected: Rootkit.Win32.Agent.anj skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\L3URSL2J\cppthyzd[1].txt Infected: Trojan-Downloader.Win32.Small.wav skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\L3URSL2J\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\N3U9JDPH\tuylqdhim[1].htm Infected: Trojan-Downloader.Win32.Injecter.rs skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\RAW14F8N\xkypgt[1].htm Infected: Rootkit.Win32.Qandr.bc skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\WKVHZUB2\ddos1[1].htm Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\WKVHZUB2\dwxnbsj[1].htm Infected: Trojan-Proxy.Win32.Small.na skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\WKVHZUB2\wssl62_c[1].exe Infected: Trojan-Downloader.Win32.Agent.mgq skipped
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\WWAILKOM\ddos[1].htm Infected: Backdoor.Win32.Small.dwp skipped
C:\Documents and Settings\Tyler\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tyler\ntuser.dat.LOG Object is locked skipped
C:\gxcxpd.exe Infected: Trojan-Downloader.Win32.Injecter.rs skipped
C:\ptgttuaq.exe Infected: Rootkit.Win32.Agent.anj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9BB60656-E70E-457B-917F-82AD6255E2A0}\RP342\A0024919.exe Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.a skipped
C:\System Volume Information\_restore{9BB60656-E70E-457B-917F-82AD6255E2A0}\RP342\A0024924.exe Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.a skipped
C:\System Volume Information\_restore{9BB60656-E70E-457B-917F-82AD6255E2A0}\RP413\A0032996.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{9BB60656-E70E-457B-917F-82AD6255E2A0}\RP413\A0033012.exe Infected: Trojan-Proxy.Win32.Small.na skipped
C:\System Volume Information\_restore{9BB60656-E70E-457B-917F-82AD6255E2A0}\RP415\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\158117\158117.dll Infected: not-a-virus:AdWare.Win32.E404.au skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\WINDOWS\system32\crypts.dll Infected: Trojan-Downloader.Win32.Satray.br skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\khfGawxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\WINDOWS\system32\nnnLBTnm.dll Infected: Trojan-Downloader.Win32.Agent.pxj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\403A.tmp Infected: Trojan-Downloader.Win32.Agent.mgq skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe Infected: Trojan-Dropper.Win32.Agent.rub skipped

Scan process completed.

 

[Rorschach112]

Hello

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  C:\d.exe
  C:\Documents and Settings\Tyler\Desktop\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe
  C:\gxcxpd.exe 
  C:\ptgttuaq.exe 
  C:\WINDOWS\system32\158117
  C:\WINDOWS\system32\crypts.dll
  C:\WINDOWS\system32\khfGawxx.dll 
  C:\WINDOWS\system32\nnnLBTnm.dll 
  C:\WINDOWS\Temp\403A.tmp
  F:\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe 
  purity 
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

• 
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

 

[Culture]

Thanks very much for your help!!



ComboFix 08-05-24.1 - Tyler 2008-05-25 8:32:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -4:00]
Running from: C:\Documents and Settings\Tyler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tyler\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM63d9e9b5.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abdNmnpo.ini
C:\WINDOWS\system32\abdNmnpo.ini2
C:\WINDOWS\system32\acsfhxvl.ini
C:\WINDOWS\system32\aluvykgv.exe
C:\WINDOWS\system32\biihaeiq.ini
C:\WINDOWS\system32\bykfrixj.dll
C:\WINDOWS\system32\cbqarnqx.exe
C:\WINDOWS\system32\cmtbdudp.ini
C:\WINDOWS\system32\dhxlwibw.ini
C:\WINDOWS\system32\dkxtpuwj.exe
C:\WINDOWS\system32\elgagkkq.ini
C:\WINDOWS\system32\fccgynga.exe
C:\WINDOWS\system32\gsbgqpwwfw.sys
C:\WINDOWS\system32\gsojngak.ini
C:\WINDOWS\system32\hmsrjlic.ini
C:\WINDOWS\system32\iccxwalk.ini
C:\WINDOWS\system32\joupogcc.dll
C:\WINDOWS\system32\jousoeek.dll
C:\WINDOWS\system32\jsabvvqb.ini
C:\WINDOWS\system32\jTBKlnnn.ini
C:\WINDOWS\system32\jTBKlnnn.ini2
C:\WINDOWS\system32\jtwesxpd.ini
C:\WINDOWS\system32\keeosuoj.ini
C:\WINDOWS\system32\krjgyhcr.ini
C:\WINDOWS\system32\lckqcwur.ini
C:\WINDOWS\system32\lhpsdmng.ini
C:\WINDOWS\system32\Lmlmnnmp.ini
C:\WINDOWS\system32\Lmlmnnmp.ini2
C:\WINDOWS\system32\nhqxsesm.ini
C:\WINDOWS\system32\nnnLBTnm.dll
C:\WINDOWS\system32\nnnlKBTj.dll
C:\WINDOWS\system32\nvswrabe.exe
C:\WINDOWS\system32\qfcmlasp.ini
C:\WINDOWS\system32\rAcLRXyb.ini
C:\WINDOWS\system32\rAcLRXyb.ini2
C:\WINDOWS\system32\rlfjvufu.ini
C:\WINDOWS\system32\ruyfhhji.ini
C:\WINDOWS\system32\vqkqwqdw.ini
C:\WINDOWS\system32\vywtubfi.dll
C:\WINDOWS\system32\wEfMnqru.ini
C:\WINDOWS\system32\wEfMnqru.ini2
C:\WINDOWS\system32\wrkwybwx.exe
C:\WINDOWS\system32\xevyiuxg.ini
C:\WINDOWS\system32\xovufxjc.ini
C:\WINDOWS\system32\yyjdqwww.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gsbgqpwwfw


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 21:45 157 ----a-w C:\fl.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01fea11e-ed88-4307-941d-625667e1b9fc}]
C:\WINDOWS\system32\opnmNdba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0495b09c-0270-4d5f-878d-40d37dd761c2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06ecaf00-d4ad-478a-bb6f-88fd9134f351}]
2008-05-25 08:25 136704 --a------ C:\WINDOWS\system32\hjexigit.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16b754f2-a7c9-46c8-bff4-d379c0b433a8}]
C:\WINDOWS\system32\pmnnmlmL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16d47280-7340-4eb8-bd09-c3a6393c0057}]
C:\WINDOWS\system32\urqnMfEw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56695a72-21c4-4a71-990b-420c62750205}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5987a93a-b43b-48a4-986b-595ea62e5525}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{663656df-6bae-460c-a612-8133df519346}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{934B883E-BC6E-4714-A380-610B1D23AB6E}]
C:\WINDOWS\system32\byXRLcAr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b40cf317-3cd4-4a2e-984f-43a926e8c11b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4befddb-bcc6-42b6-84b0-4fc680616a91}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2fc080-74bc-4206-9fcc-81cf5160fe8f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7d7e8d2-7395-4cef-9dc3-e8cfdc2911ef}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{df236510-5446-4e64-b50d-3a6c5878706a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dfc8ff99-8e8f-4b45-9a80-1be78eb2b6e1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WintelUpdate"="C:\d.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"60eada29"="C:\WINDOWS\system32\gnmdsphl.dll" [ ]
"BM63d9e9b5"="C:\WINDOWS\system32\odrlynqx.dll" [2008-05-25 08:25 125440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLBTnm]

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
--a------ 2007-01-25 10:54 154112 C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-05-30 20:12 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 08:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dacd9a39-eeb9-11dc-8b1b-001a7036ffe5}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 08:44:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\qandr.sys 125952 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qandr]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\qandr.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-25 8:53:26 - machine was rebooted [Tyler]
ComboFix-quarantined-files.txt 2008-05-25 12:53:00

Pre-Run: 34,250,309,632 bytes free
Post-Run: 34,220,961,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

176 --- E O F --- 2008-03-15 07:05:41

















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:56 AM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01fea11e-ed88-4307-941d-625667e1b9fc} - C:\WINDOWS\system32\opnmNdba.dll (file missing)
O2 - BHO: (no name) - {0495b09c-0270-4d5f-878d-40d37dd761c2} - (no file)
O2 - BHO: {153f4319-df88-f6bb-a874-da4d00face60} - {06ecaf00-d4ad-478a-bb6f-88fd9134f351} - C:\WINDOWS\system32\hjexigit.dll
O2 - BHO: (no name) - {16b754f2-a7c9-46c8-bff4-d379c0b433a8} - C:\WINDOWS\system32\pmnnmlmL.dll (file missing)
O2 - BHO: (no name) - {16d47280-7340-4eb8-bd09-c3a6393c0057} - C:\WINDOWS\system32\urqnMfEw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56695a72-21c4-4a71-990b-420c62750205} - (no file)
O2 - BHO: (no name) - {5987a93a-b43b-48a4-986b-595ea62e5525} - (no file)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {934B883E-BC6E-4714-A380-610B1D23AB6E} - C:\WINDOWS\system32\byXRLcAr.dll (file missing)
O2 - BHO: (no name) - {b40cf317-3cd4-4a2e-984f-43a926e8c11b} - (no file)
O2 - BHO: (no name) - {b4befddb-bcc6-42b6-84b0-4fc680616a91} - (no file)
O2 - BHO: (no name) - {be2fc080-74bc-4206-9fcc-81cf5160fe8f} - (no file)
O2 - BHO: (no name) - {c7d7e8d2-7395-4cef-9dc3-e8cfdc2911ef} - (no file)
O2 - BHO: (no name) - {df236510-5446-4e64-b50d-3a6c5878706a} - (no file)
O2 - BHO: (no name) - {dfc8ff99-8e8f-4b45-9a80-1be78eb2b6e1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [60eada29] rundll32.exe "C:\WINDOWS\system32\gnmdsphl.dll",b
O4 - HKLM\..\Run: [BM63d9e9b5] Rundll32.exe "C:\WINDOWS\system32\odrlynqx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\d.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: nnnLBTnm - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 6775 bytes

 

[Rorschach112]

Post the OTMoveIt log please

 

[Culture]

sorry about that!

here it is:



Explorer killed successfully
File/Folder C:\d.exe not found.
File/Folder C:\Documents and Settings\Tyler\Desktop\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe not found.
File/Folder C:\gxcxpd.exe not found.
File/Folder C:\ptgttuaq.exe not found.
File/Folder C:\WINDOWS\system32\158117 not found.
File/Folder C:\WINDOWS\system32\crypts.dll not found.
File/Folder C:\WINDOWS\system32\khfGawxx.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnLBTnm.dll
C:\WINDOWS\system32\nnnLBTnm.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\nnnLBTnm.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\Temp\403A.tmp not found.
File move failed. F:\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe scheduled to be moved on reboot.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 03142008_220436

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnLBTnm.dll
C:\WINDOWS\system32\nnnLBTnm.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\nnnLBTnm.dll scheduled to be moved on reboot.
File move failed. F:\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe scheduled to be moved on reboot.

 

[Rorschach112]

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
F:\Antares.Autotune.VST.RTAS.TDM.v5.08-AiR\setup.exe

DirLook::
C:\Documents and Settings\Tyler\Desktop

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[Culture]

Thanks again for your help.

 

[Culture]

The log is too long for this thread.

 

[Rorschach112]

Attach it then please

 

[Culture]

It is now attached.

I appreciate the help!

 

[Culture]

whoops, the txt file is 125kb, and this forum only allows 19.5kb attachments.

 

[Rorschach112]

I can't see it, either you forgot to upload it or it is too big

Can you try attach it again, if it fails, host it somewhere like mediafire.com

 

[Culture]

its: http://www.mediafire.com/?xtjofeds5m0

thanks

 

[Rorschach112]

Ok no need to attach the following logs

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\BM63d9e9b5.xml
C:\fl.bat
G:\LaunchU3.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dacd9a39-eeb9-11dc-8b1b-001a7036ffe5}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qandr]

Rootkit::
C:\WINDOWS\system32\drivers\qandr.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

 

[Culture]

there are no processes found in icesword that were written in red.

here are the Message Hooks that are labeled WH_KEYBOARD
c:\windows\explorer.exe
c:\windows\microsoft intellipoint\ipoint.exe
c:\windows\system32\ctfmon.exe

there are a number of handles for each process path


------------------


SDFix: Version 1.185
Run by Tyler on 25/05/2008 at 08:00 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
QANDR

Path :
\??\C:\WINDOWS\system32\drivers\qandr.sys

QANDR - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\162600~1 - Deleted
C:\WINDOWS\system32\drivers\qandr.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:08:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 10 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Wed 16 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 28 Jun 2007 3,096,576 A..H. --- "C:\Documents and Settings\Tyler\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


---------------------

ComboFix 08-05-24.1 - Tyler 2008-05-25 20:16:34.3 - NTFSx86
Running from: C:\Documents and Settings\Tyler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tyler\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\fl.bat
C:\WINDOWS\BM63d9e9b5.xml
G:\LaunchU3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fl.bat
C:\WINDOWS\BM63d9e9b5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\qandr.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 19:54 . 2008-05-25 19:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-25 19:52 . 2008-05-25 20:11 <DIR> d-------- C:\SDFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( snapshot_2008-05-25_18.33.20.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 22:24:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 00:21:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 07:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-25 23:55:19 5,419,008 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-25 23:55:19 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-23 07:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-25 23:55:06 5,419,008 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-25 23:55:06 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01fea11e-ed88-4307-941d-625667e1b9fc}]
C:\WINDOWS\system32\opnmNdba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0495b09c-0270-4d5f-878d-40d37dd761c2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06ecaf00-d4ad-478a-bb6f-88fd9134f351}]
2008-05-25 08:25 136704 --a------ C:\WINDOWS\system32\hjexigit.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16b754f2-a7c9-46c8-bff4-d379c0b433a8}]
C:\WINDOWS\system32\pmnnmlmL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16d47280-7340-4eb8-bd09-c3a6393c0057}]
C:\WINDOWS\system32\urqnMfEw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56695a72-21c4-4a71-990b-420c62750205}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5987a93a-b43b-48a4-986b-595ea62e5525}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{663656df-6bae-460c-a612-8133df519346}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{934B883E-BC6E-4714-A380-610B1D23AB6E}]
C:\WINDOWS\system32\byXRLcAr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b40cf317-3cd4-4a2e-984f-43a926e8c11b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4befddb-bcc6-42b6-84b0-4fc680616a91}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2fc080-74bc-4206-9fcc-81cf5160fe8f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7d7e8d2-7395-4cef-9dc3-e8cfdc2911ef}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{df236510-5446-4e64-b50d-3a6c5878706a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dfc8ff99-8e8f-4b45-9a80-1be78eb2b6e1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WintelUpdate"="C:\d.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"60eada29"="C:\WINDOWS\system32\gnmdsphl.dll" [ ]
"BM63d9e9b5"="C:\WINDOWS\system32\odrlynqx.dll" [2008-05-25 08:25 125440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLBTnm]

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
--a------ 2007-01-25 10:54 154112 C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-05-30 20:12 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 08:39]

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:21:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [696] 0x816EC848

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-25 20:32:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 00:32:07
ComboFix2.txt 2008-05-25 22:34:23
ComboFix3.txt 2008-05-25 12:53:28

Pre-Run: 33,904,234,496 bytes free
Post-Run: 33,892,945,920 bytes free

135 --- E O F --- 2008-05-25 22:23:31

 

[Rorschach112]

Can you post all the IceSword logs, and a new HijackThis log

 

[Culture]

Services.log
Started Service:

Service Name:Alerter Display Name:Alerter
Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:Bonjour Service Display Name:##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##
Service Name:Browser Display Name:Computer Browser
Service Name:CryptSvc Display Name:Cryptographic Services
Service NamecomLaunch Display NameCOM Server Process Launcher
Service Namehcp Display NameHCP Client
Service Namenscache Display NameNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service NamelugPlay Display Namelug and Play
Service NameolicyAgent Display Name:IPSEC Services
Service NamerotectedStorage Display Namerotected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Namerint Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Nameistributed Link Tracking Client
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WUSB54GCSVC Display Name:WUSB54GCSVC
Service Name:WZCSVC Display Name:Wireless Zero Configuration

-------------

Processes Log

Process:

System Idle Process
System
C:\WINDOWS\system32\alg.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Documents and Settings\Tyler\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe

-------------
Startup Log

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
itype
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelliPoint
"C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NBKeyScan
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
60eada29
rundll32.exe "C:\WINDOWS\system32\gnmdsphl.dll",b

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BM63d9e9b5
Rundll32.exe "C:\WINDOWS\system32\odrlynqx.dll",s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office\OSA9.EXE (Remark£ºMicrosoft Office StartUp)

C:\Documents and Settings\Tyler\Start Menu\Programs\Startup
desktop.ini


-------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:47 PM, on 26/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01fea11e-ed88-4307-941d-625667e1b9fc} - C:\WINDOWS\system32\opnmNdba.dll (file missing)
O2 - BHO: (no name) - {0495b09c-0270-4d5f-878d-40d37dd761c2} - (no file)
O2 - BHO: {153f4319-df88-f6bb-a874-da4d00face60} - {06ecaf00-d4ad-478a-bb6f-88fd9134f351} - C:\WINDOWS\system32\hjexigit.dll
O2 - BHO: (no name) - {16b754f2-a7c9-46c8-bff4-d379c0b433a8} - C:\WINDOWS\system32\pmnnmlmL.dll (file missing)
O2 - BHO: (no name) - {16d47280-7340-4eb8-bd09-c3a6393c0057} - C:\WINDOWS\system32\urqnMfEw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56695a72-21c4-4a71-990b-420c62750205} - (no file)
O2 - BHO: (no name) - {5987a93a-b43b-48a4-986b-595ea62e5525} - (no file)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {934B883E-BC6E-4714-A380-610B1D23AB6E} - C:\WINDOWS\system32\byXRLcAr.dll (file missing)
O2 - BHO: (no name) - {b40cf317-3cd4-4a2e-984f-43a926e8c11b} - (no file)
O2 - BHO: (no name) - {b4befddb-bcc6-42b6-84b0-4fc680616a91} - (no file)
O2 - BHO: (no name) - {be2fc080-74bc-4206-9fcc-81cf5160fe8f} - (no file)
O2 - BHO: (no name) - {c7d7e8d2-7395-4cef-9dc3-e8cfdc2911ef} - (no file)
O2 - BHO: (no name) - {df236510-5446-4e64-b50d-3a6c5878706a} - (no file)
O2 - BHO: (no name) - {dfc8ff99-8e8f-4b45-9a80-1be78eb2b6e1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [60eada29] rundll32.exe "C:\WINDOWS\system32\gnmdsphl.dll",b
O4 - HKLM\..\Run: [BM63d9e9b5] Rundll32.exe "C:\WINDOWS\system32\odrlynqx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - Winlogon Notify: nnnLBTnm - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 6588 bytes



Thanks!

 

[Rorschach112]

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {01fea11e-ed88-4307-941d-625667e1b9fc} - C:\WINDOWS\system32\opnmNdba.dll (file missing)
O2 - BHO: (no name) - {0495b09c-0270-4d5f-878d-40d37dd761c2} - (no file)
O2 - BHO: {153f4319-df88-f6bb-a874-da4d00face60} - {06ecaf00-d4ad-478a-bb6f-88fd9134f351} - C:\WINDOWS\system32\hjexigit.dll
O2 - BHO: (no name) - {16b754f2-a7c9-46c8-bff4-d379c0b433a8} - C:\WINDOWS\system32\pmnnmlmL.dll (file missing)
O2 - BHO: (no name) - {16d47280-7340-4eb8-bd09-c3a6393c0057} - C:\WINDOWS\system32\urqnMfEw.dll (file missing)
O2 - BHO: (no name) - {56695a72-21c4-4a71-990b-420c62750205} - (no file)
O2 - BHO: (no name) - {5987a93a-b43b-48a4-986b-595ea62e5525} - (no file)
O2 - BHO: (no name) - {663656df-6bae-460c-a612-8133df519346} - (no file)
O2 - BHO: (no name) - {934B883E-BC6E-4714-A380-610B1D23AB6E} - C:\WINDOWS\system32\byXRLcAr.dll (file missing)
O2 - BHO: (no name) - {b40cf317-3cd4-4a2e-984f-43a926e8c11b} - (no file)
O2 - BHO: (no name) - {b4befddb-bcc6-42b6-84b0-4fc680616a91} - (no file)
O2 - BHO: (no name) - {be2fc080-74bc-4206-9fcc-81cf5160fe8f} - (no file)
O2 - BHO: (no name) - {c7d7e8d2-7395-4cef-9dc3-e8cfdc2911ef} - (no file)
O2 - BHO: (no name) - {df236510-5446-4e64-b50d-3a6c5878706a} - (no file)
O2 - BHO: (no name) - {dfc8ff99-8e8f-4b45-9a80-1be78eb2b6e1} - (no file)
O4 - HKLM\..\Run: [60eada29] rundll32.exe "C:\WINDOWS\system32\gnmdsphl.dll",b
O4 - HKLM\..\Run: [BM63d9e9b5] Rundll32.exe "C:\WINDOWS\system32\odrlynqx.dll",s
O20 - Winlogon Notify: nnnLBTnm - C:\WINDOWS\


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\hjexigit.dll

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Reboot and post a new HijackThis log

 

[Culture]

ComboFix 08-05-24.1 - Tyler 2008-05-26 20:11:56.4 - NTFSx86
Running from: C:\Documents and Settings\Tyler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tyler\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\hjexigit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM63d9e9b5.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-25 19:54 . 2008-05-25 19:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-25 19:52 . 2008-05-25 20:11 <DIR> d-------- C:\SDFix
2008-05-25 08:25 . 2008-05-25 08:25 125,440 --a------ C:\WINDOWS\system32\odrlynqx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 19:54 115,200 ----a-w C:\WINDOWS\system32\psalmcfq.dll
2008-03-14 19:48 136,192 ----a-w C:\WINDOWS\system32\rxgmbmjv.dll
2008-03-14 19:46 126,464 ----a-w C:\WINDOWS\system32\svrqljqq.dll
2008-03-14 02:00 126,464 ----a-w C:\WINDOWS\system32\veijdqmq.dll
2008-03-14 01:59 126,464 ----a-w C:\WINDOWS\system32\vcsdmijk.dll
2008-03-13 21:59 115,200 ----a-w C:\WINDOWS\system32\klawxcci.dll
2008-03-13 01:17 134,144 ----a-w C:\WINDOWS\system32\impgeofv.dll
2008-03-13 01:12 126,464 ----a-w C:\WINDOWS\system32\fkqcrbcg.dll
2008-03-11 22:30 128,000 ----a-w C:\WINDOWS\system32\rbuxvpmg.dll
2008-03-11 22:00 128,000 ----a-w C:\WINDOWS\system32\hvjpkadt.dll
2008-03-11 21:47 128,000 ----a-w C:\WINDOWS\system32\pysemxtp.dll
2008-03-10 22:28 128,000 ----a-w C:\WINDOWS\system32\mrepojhv.dll
2008-03-10 21:57 128,000 ----a-w C:\WINDOWS\system32\esnrxysg.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-25_18.33.20.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 22:24:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 00:21:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 07:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-25 23:55:19 5,419,008 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-25 23:55:19 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-23 07:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-25 23:55:06 5,419,008 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-25 23:55:06 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"BM63d9e9b5"="C:\WINDOWS\system32\odrlynqx.dll" [2008-05-25 08:25 125440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
--a------ 2007-01-25 10:54 154112 C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-05-30 20:12 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 08:39]

*Newly Created Service* - GTNDIS5
*Newly Created Service* - ISDRV122
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 20:15:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 20:18:59
ComboFix-quarantined-files.txt 2008-05-27 00:18:38
ComboFix2.txt 2008-05-25 22:34:23
ComboFix3.txt 2008-05-25 12:53:28

Pre-Run: 33,906,614,272 bytes free
Post-Run: 33,897,267,200 bytes free

113 --- E O F --- 2008-05-25 22:23:31

 

[Rorschach112]

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\odrlynqx.dll
C:\WINDOWS\system32\psalmcfq.dll
C:\WINDOWS\system32\rxgmbmjv.dll
C:\WINDOWS\system32\svrqljqq.dll
C:\WINDOWS\system32\veijdqmq.dll
C:\WINDOWS\system32\vcsdmijk.dll
C:\WINDOWS\system32\klawxcci.dll
C:\WINDOWS\system32\impgeofv.dll
C:\WINDOWS\system32\fkqcrbcg.dll
C:\WINDOWS\system32\rbuxvpmg.dll
C:\WINDOWS\system32\hvjpkadt.dll
C:\WINDOWS\system32\pysemxtp.dll
C:\WINDOWS\system32\mrepojhv.dll
C:\WINDOWS\system32\esnrxysg.dll

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Also post a new HijackThis log