Multiple Computer problems

crunchie
#11
Feb 2nd, 2009
Please go to Jotti's or to VirusTotal and have these files scanned. Post the results back here.

c:\windows\system32\drivers\zqgyhlq6pgg.sys
c:\windows\sysguard.exe
c:\windows\system32\twain32
c:\windows\system32\lazogiya.exe

milenia
#12
Feb 2nd, 2009
I don't know if this is the right way to post the result, but for:

c:\windows\system32\drivers\zqgyhlq6pgg.sys

Scan taken on 03 Feb 2009 03:40:49 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dropper.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Rootkit.Agent.AITB
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Rootkit.Agent.AITB
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Rootkit.Win32.Agent.fry

c:\windows\sysguard.exe


Scan taken on 03 Feb 2009 03:43:54 (GMT)
A-Squared
Found Virus.Win32.Rootkit!IK
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Rootkit-gen
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1405877
ClamAV
Found nothing
CPsecure
Found FraudTool.W32.WinSpywareProtect.dw
Dr.Web
Found Trojan.Fakealert.3908
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-a-virus:FraudTool.Win32.WinSpywareProtect.dw
G DATA
Found Win32:Rootkit-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:FraudTool.Win32.WinSpywareProtect.dw
NOD32
Found Win32/Adware.SpywareProtect2009 application
Norman Virus Control
Found W32/Malware.FIIJ
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/FakeVir-JX, Troj/SWProt-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\twain32
This turned out to be a folder, and two files were inside it: local.ds and user.ds. I scanned local.ds and nothing was found, and it wouldn't let me scan user.ds due to being 0kb or malware?

c:\windows\system32\lazogiya.exe



Scan taken on 03 Feb 2009 03:51:15 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

crunchie
#13
Feb 3rd, 2009
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Driver::
zqgyhlq6pgg
File::
c:\windows\sysguard.exe
FileLook::
c:\windows\system32\twain32\user.ds
c:\windows\system32\twain32\local.ds
c:\windows\system32\lazogiya.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

milenia
#14
Feb 3rd, 2009
Thank you once again, and here are the logs:

Combofix:

ComboFix 09-02-01.01 - user 2009-02-03 7:05:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1383 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\sysguard.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sysguard.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-22 23:28 129,024 ----a-w c:\windows\system32\uspbhd.dll
2008-12-22 23:28 129,024 ----a-w c:\windows\system32\agijdoim.dll
2008-12-22 14:03 72,704 ----a-w c:\windows\system32\jhkttyqe.dll
2008-12-22 13:54 129,024 ----a-w c:\windows\system32\evleqpvm.dll
2008-12-21 14:00 72,704 ----a-w c:\windows\system32\gamlfpgv.dll
2008-12-21 13:51 129,024 ----a-w c:\windows\system32\xojlqy.dll
2008-12-21 13:51 129,024 ----a-w c:\windows\system32\sjrycsnt.dll
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-20 13:49 129,024 ----a-w c:\windows\system32\reowgxid.dll
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-19 03:33 129,024 ----a-w c:\windows\system32\uwoowg.dll
2008-12-19 03:33 129,024 ----a-w c:\windows\system32\lwhwmhsp.dll
2008-12-18 03:21 34,816 ----a-w c:\windows\system32\vtUmNDVo.dll
2008-12-18 03:15 72,704 ----a-w c:\windows\system32\epsldmxb.dll
2008-12-18 03:14 34,816 ----a-w c:\windows\system32\khfEVOig.dll
2008-12-18 03:12 129,024 ----a-w c:\windows\system32\pyfmnkyh.dll
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 06:02 8,464 ----a-w c:\windows\system32\SpOrder.Dll
2008-11-21 06:02 719,360 ----a-w c:\windows\system32\bmutil.dll
2008-11-21 06:02 475,136 ----a-w c:\windows\system32\bmnet.dll
2008-11-21 06:02 126,976 ----a-w c:\windows\system32\bmdumpd.bin
2008-11-21 06:02 118,784 ----a-w c:\windows\system32\bmwebcfg.exe
2008-11-21 05:59 32,408 ----a-w c:\windows\system32\PCTINDIS5.sys
2008-11-21 05:59 137,752 ----a-w c:\windows\system32\PCTIN50.dll
2008-11-15 02:25 61,440 ----a-w c:\windows\system32\pthswmcp.dll
2008-11-15 02:25 6,144 ----a-w c:\windows\system32\mot_ci.dll
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lazogiya.exe -- Not a PE file.
MD5: 4bcfe9f8db04948cddb5e31fe6a7f984

c:\windows\system32\twain32\local.ds -- Not a PE file.
MD5: c50a713fdee9b00a620d50dac1889292

c:\windows\system32\twain32\user.ds -- Not a PE file.
MD5: d41d8cd98f00b204e9800998ecf8427e


((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]

--- Other Services/Drivers In Memory ---

*Deregistered* - dump_wmimmc
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 07:07:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-02-03 7:09:23
ComboFix-quarantined-files.txt 2009-02-03 15:09:17
ComboFix2.txt 2009-02-01 21:50:24

Pre-Run: 67,239,387,136 bytes free
Post-Run: 67,237,728,256 bytes free

227 --- E O F --- 2009-02-02 11:10:02


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:49 AM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4769 bytes

crunchie
#15
Feb 3rd, 2009
I have more for you for Jotti now:

c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\xojlqy.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\agijdoim.dll
c:\windows\system32\jhkttyqe.dll

Post the results back please.

milenia
#16
Feb 3rd, 2009
Yay, more fun,

c:\windows\system32\pyfmnkyh.dll

Scan taken on 04 Feb 2009 02:42:18 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Pakes.mfm
ArcaVir
Found Trojan.Agent.Asib
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1244680
ClamAV
Found Trojan.Vundo-10267
CPsecure
Found Troj.W32.Pakes.mfm
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan2.FUQB
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GK, Trojan.Win32.Pakes.mfm
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Pakes.mfm
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.FTT
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Pakes.mfm


c:\windows\system32\lwhwmhsp.dll

Scan taken on 04 Feb 2009 02:46:48 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.adyt
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1248348
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan2.FWFV
F-Secure Anti-Virus
Found Trojan.Win32.Monder.adyt
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.adyt
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LWCM
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


c:\windows\system32\uwoowg.dll

Scan taken on 04 Feb 2009 02:49:34 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.adyt
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1248348
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan2.FWFV
F-Secure Anti-Virus
Found Trojan.Win32.Monder.adyt
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.adyt
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LWCM
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\reowgxid.dll

Scan taken on 04 Feb 2009 02:53:08 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/ConHook.D.6
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1256911
ClamAV
Found nothing
CPsecure
Found Troj.W32.Monder.aiig
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GU, Trojan.Win32.Monder.aiig
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiig
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LWCN
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\sjrycsnt.dll

Scan taken on 04 Feb 2009 02:58:58 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.aiir
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1258231
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GS, Trojan.Win32.Monder.aiir
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiir
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LXCU
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\xojlqy.dll

Scan taken on 04 Feb 2009 03:03:47 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.aiir
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1258231
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GS, Trojan.Win32.Monder.aiir
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiir
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LXCU
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


c:\windows\system32\evleqpvm.dll

Scan taken on 04 Feb 2009 03:07:35 (GMT)
A-Squared
Found Trojan.Win32.Conhook!IK
AntiVir
Found TR/ConHook.D.4
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Vundo.GGE
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GQ
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.FTV
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


c:\windows\system32\uspbhd.dll

Scan taken on 04 Feb 2009 03:12:49 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/ConHook.D.3
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1267491
ClamAV
Found nothing
CPsecure
Found Troj.W32.Monder.aiiq
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan3.WK
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GT, Trojan.Win32.Monder.aiiq
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiiq
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Monder.aiiq


c:\windows\system32\agijdoim.dll

Scan taken on 04 Feb 2009 03:15:32 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/ConHook.D.3
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1267491
ClamAV
Found nothing
CPsecure
Found Troj.W32.Monder.aiiq
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan3.WK
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GT, Trojan.Win32.Monder.aiiq
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiiq
NOD32
Found nothing
Norman Virus Control
Found W32/Virtumonde.AIMK
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Monder.aiiq


c:\windows\system32\jhkttyqe.dll


Scan taken on 04 Feb 2009 03:17:57 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Vundo.72704Y
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1265340
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.FTW
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

crunchie
Moderator
Featured Poster
Spyware Killer

Re: Multiple Computer problems

#17
Feb 3rd, 2009
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\xojlqy.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\agijdoim.dll
c:\windows\system32\jhkttyqe.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

milenia
Newbie Poster

Re: Multiple Computer problems

#18
Feb 4th, 2009
Combo fix:

ComboFix 09-02-01.01 - user 2009-02-03 21:48:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1415 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\agijdoim.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\jhkttyqe.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\xojlqy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\agijdoim.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\jhkttyqe.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\xojlqy.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCPxpsp2res.dll,-22015
"1701:UDP"= 1701:UDPxpsp2res.dll,-22016
"500:UDP"= 500:UDPxpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 21:52:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(568)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-03 21:54:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 05:54:41
ComboFix2.txt 2009-02-03 15:09:24
ComboFix3.txt 2009-02-01 21:50:24

Pre-Run: 67,132,297,216 bytes free
Post-Run: 67,224,801,280 bytes free

217 --- E O F --- 2009-02-02 11:10:02



HJT :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:34 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4970 bytes

crunchie
Moderator
Featured Poster
Spyware Killer

Re: Multiple Computer problems

#19
Feb 4th, 2009
Are you cutting off the bottom of the HijackThis log? There appears to be some missing.

==

I missed a file that needs to go. Also, can you rename this file; c:\windows\system32\lazogiya.exe and make it oldlazogiya please.

==

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
c:\windows\system32\TDSSlxwp.dll
Driver::
zqgyhlq6pgg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

milenia
Newbie Poster

Re: Multiple Computer problems

#20
Feb 4th, 2009
I am not cutting off any part of the logs; it only produces up to that amount for some reason. I tried to search for that file, but was unable to locate it. Here are the new logs:

Combofix:

ComboFix 09-02-01.01 - user 2009-02-03 23:15:18.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1407 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\TDSSlxwp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSlxwp.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-03 22:17 . 2009-02-03 22:17 <DIR> d-------- c:\program files\AT&T
2009-02-03 21:59 . 2009-02-03 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-02-03 22:17 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\ARPPRODUCTICON.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\ARPPRODUCTICON.exe
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut461_66D1EE13F16E49638A168A86E9EA186D.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut461_66D1EE13F16E49638A168A86E9EA186D.exe
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut49_66D1EE13F16E49638A168A86E9EA186D_1.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut49_66D1EE13F16E49638A168A86E9EA186D_1.exe
- 2009-01-18 14:11:19 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShortcut.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
+ 2009-02-04 06:17:25 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShortcut.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
- 2009-01-18 14:11:19 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShtcutSB.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
+ 2009-02-04 06:17:25 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShtcutSB.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2007-01-18 18:24:58 26,496 ----a-r c:\windows\system32\ReinstallBackups\0012\DriverFiles\RimSerial.sys
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 23:18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(560)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-03 23:21:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 07:21:20
ComboFix2.txt 2009-02-04 05:54:49
ComboFix3.txt 2009-02-03 15:09:24
ComboFix4.txt 2009-02-01 21:50:24

Pre-Run: 67,031,392,256 bytes free
Post-Run: 67,012,251,648 bytes free

211 --- E O F --- 2009-02-02 11:10:02


HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:37 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
D:\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/...jolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

--
End of file - 5371 bytes
©2003 - 2009 DaniWeb® LLC