0

Hi Folks;

This is my first post. I attempted to search through some of the threads hoping to find the specific problems I see on my desktop (running on XP), to no avail. Hope you can help. Thanks

Symptoms: Virus or Malware downloaded?

1. Have to type "explorer.exe" in Task Manager/File/New Task every time I restart my computer, so my personal settings will load. If not, I will only get my toolbar and start button. I suspect some malware may have been downloaded, but I am not able to identify it (HijackThis log below)

2. Cannot open control panel icons so I can see or remove programs
3. My system restore's previous dates were wiped out as well, so cannot undo changes
4. Can't access Run/cmd.exe either
5. Internet Explorer is VERY slow to load, and when clicking on any link, I am frequently redirected elsewhere, not to the intended site.

None of these problems above existed as of yesterday (1/25/2011), so between then and today, all of these issues surfaced.


I tried:

- Running Ad-Aware (LavaSoft) - Says system is clean
- Running Spybot - Search and Destroy - system clean
- Ran McAfee VirusScan 8.8.0i - nothing detected
- Tried Housecall 7.2 antivirus and get an error message: 1082108645:2
- Ran HijackThis for logs below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:03:47 PM, on 1/26/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\Program Files\Sygate\SSA\snac.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\WMVXENCD32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\msftedit32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sygate\SSA\SmcGui.exe
C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Documents and Settings\Owner\My Documents\Res.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\dmdskmgrwow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Malware Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Documents and Settings\Owner\My Documents\Res.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MyWGU Messenger] C:\Program Files\MyWGU Messenger\MyWGU-Messenger.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "F:\Tom Tom\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v3) - http://webtohost.prod.fedex.com/bluezone/bzw2h/sglw2hcm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Sygate\SSA\snac.exe
O23 - Service: TomTomHOMEService - Unknown owner - F:\Tom Tom\TomTom HOME 2\TomTomHOMEService.exe (file missing)
O23 - Service: Wireless Zero Configuration (WZCSVC32) - CodeGear - C:\WINDOWS\system32\WMVXENCD32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12699 bytes


Hope someone may be able to point me in the right direction. Thanks for your time and assistance.

0

Hope someone may be able to point me in the right direction. Thanks for your time and assistance.

At quick glance, there are some iffy entries in your HJT log.
Please follow the steps in the linky below and post the requested scanlogs:

http://www.daniweb.com/forums/thread134865.html

We are a bit short on help, but I or another volunteer will check back as time permits.

Cheers :)
PP

0

None of these problems above existed as of yesterday (1/25/2011), so between then and today, all of these issues surfaced.

I tried:

- Running Ad-Aware (LavaSoft) - Says system is clean
- Running Spybot - Search and Destroy - system clean
- Ran McAfee VirusScan 8.8.0i - nothing detected
- Tried Housecall 7.2 antivirus and get an error message: 1082108645:2
- Ran HijackThis for logs below:

I should add that some of the malware showing is stuff I have not seen for a few years. Can't imagine how your scanners would miss it....

Anyhoo, the steps in the linky I provided should get most of it and we'll deal with the remnants accordingly.
Let us know if you have any trouble with the steps in the linky.

PP:)

0

PP; thanks for your prompt response. I followed the steps as outlined in the link you provided above; below are the results. Thanks again for your assistance.


P2P (FrostWire) uninstalled via Start/Programs/FrostWire Uninstall. Cannot open Add/Remove Programs, so uninstalled this way.


Downloaded:

1. ATF
2. DDS
3. GMER


Executed:
1. MS Malicious Software Removal Tool - Complete, no malicious files detected
2. ATF - Complete, 515,969 MBS freed
3. GMER Scanner - Won't run on my desktop
4. MBA-M (latest version 1.50.1.11) - Won't run either on my desktop
5. DDS - Command prompt displays: "Tool does not support your operating system... press any key to continue"

Therefore, I have no logs to provide you with. Please advise. Thanks again


Alex

0

Hi Alex, I agree with PhilliePhan, the infections showing in your log are certainly ones that should have been found by the scanners you used. Let's try this another way:
See if you can boot to Safe Mode and attempt to run MBA-M. To boot to Safe Mode do the following:
Using the F8 Method:

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.

Once in Safe Mode do a Full Scan with MBA-M. Have it remove everything found. Then reboot the computer; this is very important. See if you can then update MBA-M and run another full scan in normal mode. Again, have it remove everything found. Then reboot again.
Then try again to run the DDS Scanner. Post back here with whatever logs you are able to obtain.

0

Hi JHolland;

Thanks for your response and assistance. Will do what you suggested, and will post the results once completed. Thanks

0

Thanks for your response and assistance. Will do what you suggested, and will post the results once completed. Thanks

Great - One of us will be around.

-- You're running 32-bit Windows XP, right? All these tools should run.....
Did you update the tools you ran earlier to the latest definitions?

This stuff should have been easily removed - pretty sure they are all old baddies from a few years back:

O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll


-- Plus, Sygate firewall hasn't been around for a few years either - if my memory is correct.

If Judy is not around, I'll check back Thursday evening EST.

Cheers :)
PP

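The entries PP lists above are the classic hand-triage patterns for a HijackThis log: a core Windows process name (lsass.exe) launched from a user profile folder, an AppInit_DLLs entry, an Explorer policy Run key, orphaned BHO/toolbar registrations. The script below is an added example, not code from this thread, from DaniWeb or from Trend Micro's HijackThis; it parses HJT-style lines and flags those patterns, using a constructed sample built from the log lines quoted in the thread. Everything it flags still needs human confirmation; it is a reading aid, not a detector.

```python
"""Flag HijackThis-style log entries that deserve a closer look."""
import re

# Core Windows XP processes and the one directory each legitimately runs from.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directory fragments that legitimate autoruns almost never point into.
PROFILE_MARKERS = ("\\application data\\", "\\my documents\\", "\\local settings\\")

# First Windows path ending in a binary extension. Quotes and brackets stop the
# match, so the [key name] of an O4 entry is never mistaken for its path.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)


def triage_line(line):
    """Return the reasons one HJT entry deserves a look (empty list if none)."""
    reasons = []
    low = line.strip().lower()

    if low.startswith("o20 - appinit_dlls:"):
        reasons.append("AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll")
    if low.startswith(("o2 - bho:", "o3 - toolbar:")) and "(no file)" in low:
        reasons.append("BHO/toolbar registration with no backing file (orphan)")
    if low.startswith("o4 -") and "policies\\explorer\\run" in low:
        reasons.append("Explorer policy Run key; rarely used by legitimate software")
    if low.startswith("o6 -") and "restrictions present" in low:
        reasons.append("IE restrictions policy present; confirm it is yours (e.g. Spybot) and not malware")

    match = PATH_RE.search(line)
    if match:
        full = match.group(0).lower()
        directory, _, name = full.rpartition("\\")
        # A system-process name outside its home directory is the lsass.exe trick in this log.
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            reasons.append(f"{name} running from {directory}, expected {EXPECTED_DIR[name]}")
        if any(marker in directory + "\\" for marker in PROFILE_MARKERS):
            reasons.append(f"binary lives under a user profile directory: {full}")
    return reasons


def triage(log_text):
    """Run triage_line over every line; return [(line, reasons)] for flagged lines only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: a few lines copied from the HijackThis log posted in the
# thread, mixed with clean entries, so the script runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
C:\Documents and Settings\Owner\My Documents\Res.EXE

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Documents and Settings\Owner\My Documents\Res.EXE
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample it flags seven of the ten entries; the two lsass.exe lines under SysWin and the Res.EXE autorun are exactly the ones the helpers singled out.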
0

PP is correct about Sygate. Sygate was acquired in 2003 by Symantec and they discontinued it. So it should be removed as it is no longer updated.

0

Hi folks...

Tried a number of times to save and/or run GMER and DDS in both normal and safe mode, to no avail. Tried these programs on a laptop to confirm, and they worked fine on the laptop, using the same XP Home Edition OS as my desktop. Still continue to type "explorer.exe" from the task manager when restarting my desktop, since it freezes up frequently now. Your thoughts? Thanks again -Alex-

0

Continued...

Forgot to mention that the Malwarebytes app also fails to run on my desktop, while confirming that it runs correctly on a different laptop. Alx

0

Hello, aventura, the others are in bed, or should be....
Firstly, get Unlocker:
This is a general-purpose force-deleter, Unlocker: http://filehippo.com/download_unlocker/
Double-click the exe to install it, unchecking the updater and assistant boxes. It runs from the right-click context menu, which is cool.
To use, browse to the file to delete, right-click it, choose Unlocker, remove any hooks with Unlock... choose Delete, and delete it.
Use Unlocker on these files:

C:\WINDOWS\dmdskmgrwow.exe
C:\WINDOWS\system32\mp4sdecd32.dll
C:\WINDOWS\system32\WMVXENCD32.exe
C:\WINDOWS\system32\msftedit32.exe
C:\WINDOWS\system32\autodisc32.dll
C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe

Start hijackthis, scan only, place checkmarks against these entries and fix them:
O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
Restart your sys, try GMER and MBAM now.


When this is over, you might dump Sygate as recommended by PP and Judy, and perhaps get Comodo or similar. McAfee failed you; perhaps try Avast Free. It has the advantage of being active against some non-virus malware.

Edited by gerbil: n/a

0

I agree with Gerbil - let's pull those out manually and then try to run the tools.

A couple thoughts:

-- Uninstall Spybot SD right away as it will get in the way of some cleaning steps.

-- Look at Add/Remove Programs and see if C:\Program Files\winvi can be uninstalled. If not, then delete the folder manually.
The same for this folder---> C:\Documents and Settings\Owner\Application Data\SysWin

-- After uninstalling SpybotSD, fix these with HijackThis:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

-- I see you are running HJT from F:\Drive - is that a USB Drive? If so, try running DDS and MBAM from the USB Drive and let us know how that shakes out.

Cheers :)
PP

Edited by PhilliePhan: n/a

0

Hi, finally home from work... Will work on this tonight.. Thanks again. Alex

0

My toolbar and personal settings are now loading on their own. Control Panel icons now open correctly, a MalwareBytes scan is now possible, and DDS is able to execute. Thank you all for your time and kind assistance.

Some lingering issues still remain, such as GMER freezing up halfway through scanning, and MalwareBytes displaying an error message halfway through scanning. But most if not all of my functionality is back. Thanks so much to all of you. Below are the steps I followed and their corresponding logs as you requested. Thanks again. Alex

1) Unable to delete with Unlocker:

C:\WINDOWS\system32\mp4sdecd32.dll
C:\WINDOWS\system32\WMVXENCD32.exe
C:\WINDOWS\system32\msftedit32.exe
C:\WINDOWS\system32\autodisc32.dll
C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe

2) Removed with Unlocker:

C:\WINDOWS\dmdskmgrwow.exe

3) Removed with HiJackThis:

O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe

4) Unable to delete with HijackThis:

O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll

5) After restarting system, Ran Unlocker again and was able to delete:

C:\WINDOWS\system32\mp4sdecd32.dll

C:\WINDOWS\system32\autodisc32.dll

6) Launched MalwareBytes Quick Scan (working now!!!)

59 items removed (log below)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5624

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/27/2011 11:02:44 PM
mbam-log-2011-01-27 (23-02-44).txt

Scan type: Quick scan
Objects scanned: 172428
Time elapsed: 31 minute(s), 45 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 43

Memory Processes Infected:
c:\documents and settings\Owner\application data\SysWin\lsass.exe (Trojan.Tracur.S) -> 1260 -> Unloaded process successfully.
c:\WINDOWS\perfprocwow.exe (Trojan.Tracur.S) -> 644 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E596DF5F-4239-4D40-8367-EBADF0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\winvi (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WZCSVC32 (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Tracur.S) -> Value: RTHDBPL -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\perfprocwow.exe (Trojan.Tracur.S) -> Value: perfprocwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\WINDOWS\system32\SysWoW32 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Owner\application data\SysWin\lsass.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\perfprocwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-343818398-1844823847-839522115-1003\Dc1.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-343818398-1844823847-839522115-1003\Dc2.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mp4sdecd32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\70.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\71.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\82.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\83.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1122c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1122o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1122p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1122s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1132c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1132o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1132p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000009509662d1132s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000009509662d1132c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000009509662d1132o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000009509662d1132p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000009509662d1132s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sl557678142 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v4.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v0.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v5.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v6.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1255597734v7.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v1.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v2.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1255597734v3.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1255597734v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1255597734v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1255597734v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1255597734v3 (Trojan.Tracur) -> Quarantined and deleted successfully.

7) Restarted System
- Toolbar and personal settings now loading on their own :)
- Can now open "Add/Remove Programs" from Control Panel as well as other icons.

8) Launched MalwareBytes Full Scan

Halfway through scanning, a blue screen appeared with some disk error; I was not able to capture the error message.

Then after, message displayed:

"Reboot and Select proper Boot device or insert Boot Media in selected Boot device and press a key"

9) Restarted System
CHKDSK verifying files and indexes
- Recovering orphaned file ciflfffd.000 (26628) into directory file 12573
- Recovering orphaned file ciflfffd.001 (26628) into directory file 12573

10) Launched GMER

Froze again for the third time halfway through performing a full scan. Was only able to capture the GMER One.log below

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-28 00:24:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-17 Maxtor_6Y080M0 rev.YAR51HW0
Running: t4y907hb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwldqpow.sys


---- System - GMER 1.0.15 ----

Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateFile [0xA819029E]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateProcess [0xA81902CA]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwDeleteKey [0xA8190231]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwDeleteValueKey [0xA819025D]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwOpenKey [0xA8190207]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwRenameKey [0xA8190247]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwUnmapViewOfSection [0xA8190308]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwYieldExecution [0xA81902DE]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                        mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device          \Driver\Tcpip \Device\Ip                                                                      wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                      Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device          \Driver\Tcpip \Device\Tcp                                                                     wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                     Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device          \Driver\Tcpip \Device\Udp                                                                     wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                     Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device          \Driver\Tcpip \Device\RawIp                                                                   wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                   Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

10) Launched DDS (DDS.txt below, and DDS attach.zip is attached)

DDS (Ver_10-12-12.02) - NTFSx86  
Run by Owner at  0:16:05.71 on Fri 01/28/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3063.2413 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Symantec Protection Agent 5.1 *Enabled* 

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Sygate\SSA\smc.exe
svchost.exe
svchost.exe
C:\Program Files\Sygate\SSA\snac.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Sygate\SSA\SmcGui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Documents and Settings\Owner\My Documents\Res.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\CleanUp Tools\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MSKAgent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinUpdater] "c:\program files\winvi\update.exe" /background
uRun: [WebSUpdater] "c:\program files\winvi\wupda.exe" /background
uRun: [cdloader] "c:\documents and settings\owner\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [MyWGU Messenger] c:\program files\mywgu messenger\MyWGU-Messenger.exe
uRun: [TomTomHOME.exe] "f:\tom tom\tomtom home 2\TomTomHOMERunner.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [USB Storage Toolbox] c:\documents and settings\owner\my documents\Res.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1423.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://primis.ebrary.com/support/plugins/ebraryRdr.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://webtohost.prod.fedex.com/bluezone/bzw2h/sglw2hcm.ocx
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax65.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\mp4sdecd32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\i5t4bxi9.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\owner\application data\Move Networks
FF - Ext: XUL Cache: {59572186-7fb5-4356-a992-78a5afbf4b05} - %profile%\extensions\{59572186-7fb5-4356-a992-78a5afbf4b05}
FF - Ext: XUL Cache: {854a4e26-f10a-482a-8fb8-f4e2981a1577} - %profile%\extensions\{854a4e26-f10a-482a-8fb8-f4e2981a1577}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-26 64288]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1402272]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-12-21 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-6-10 49152]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-21 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-21 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-21 178024]
S2 TomTomHOMEService;TomTomHOMEService;f:\tom tom\tomtom home 2\tomtomhomeservice.exe --> f:\tom tom\tomtom home 2\TomTomHOMEService.exe [?]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\maga\maga.exe --> c:\program files\sygate\ssa\maga\maga.exe [?]
S3 MP4ConverterAudio;MP4ConverterAudio;c:\windows\system32\drivers\MP4ConverterAudio.sys [2009-10-7 23096]
S3 Soromck_ch;Soromck_ch;c:\windows\system32\drivers\udfs.sys [2004-8-4 66048]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-10-26 2799808]
S4 SysGuard;SysGuard;c:\windows\system32\drivers\Sysguard.sys [2008-12-7 42496]
S4 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2011-01-28 03:22:47 --------    d-----w-    c:\docume~1\owner\applic~1\Malwarebytes
2011-01-28 03:18:14 38224   ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-28 03:18:13 --------    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-28 03:18:09 20952   ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-01-28 03:18:08 --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-01-28 01:37:25 --------    d-----w-    c:\program files\MSN Toolbar
2011-01-28 01:37:03 --------    d-----w-    c:\program files\Unlocker
2011-01-28 01:36:38 --------    d-----w-    c:\program files\Bing Bar Installer
2011-01-26 22:04:19 64288   ----a-w-    c:\windows\system32\drivers\Lbd.sys
2011-01-26 22:03:37 98392   ----a-w-    c:\windows\system32\drivers\SBREDrv.sys
2011-01-26 22:00:53 --------    d-----w-    c:\docume~1\owner\locals~1\applic~1\Sunbelt Software
2011-01-26 21:59:46 --------    dc-h--w-    c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-26 21:59:22 --------    d-----w-    c:\program files\Lavasoft
2011-01-26 19:36:50 --------    d-----w-    c:\windows\system32\wbem\repository\FS
2011-01-26 19:36:50 --------    d-----w-    c:\windows\system32\wbem\repository\export
2011-01-26 19:36:50 --------    d-----w-    c:\windows\system32\wbem\Repository
2011-01-26 18:25:38 1033728 ----a-w-    c:\windows\aventura.exe
2011-01-26 13:01:25 203776  --sh--w-    c:\windows\system32\unrar.exe
2011-01-26 13:01:25 --------    d-----w-    c:\windows\system32\582933403
2011-01-26 12:32:58 85504   ----a-w-    c:\windows\system32\ff_vfw.dll
2011-01-26 12:32:55 --------    d-----w-    c:\program files\InstaCodecs
2011-01-26 02:01:44 61440   --sha-r-    c:\windows\system32\mll_mtf3.dll
2011-01-24 13:03:28 --------    d-sh--w-    c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE
2011-01-24 13:03:10 0   ---ha-w-    c:\documents and settings\owner\ezrjfdslvv.tmp

==================== Find3M  ====================

2010-11-29 22:38:30 94208   ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632   ----a-w-    c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920   ----a-w-    c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808  ----a-w-    c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728   ----a-w-    c:\windows\system32\javacpl.cpl
2010-11-09 14:52:35 249856  ----a-w-    c:\windows\system32\odbc32.dll
2010-11-06 00:34:12 832512  ----a-w-    c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336   ----a-w-    c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ----a-w-    c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408   ----a-w-    c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120  ----a-w-    c:\windows\system32\html.iec
2010-10-31 23:27:20 73728   -c--a-w-    c:\windows\ALCFDRTM.VER

============= FINISH:  0:20:48.65 ===============

Edited by mike_2000_17: Fixed formatting

0
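A way to triage a log like the DDS report above, as an added example that is not part of the original thread and not code from the DDS tool: a short Python script applies a few coarse heuristics (hidden+system attributes under system32, hexadecimal or numeric names, a low vowel ratio, a file dropped straight into a profile root, an autostart entry pointing into a user profile, and any AppInit_DLLs value at all) to a constructed subset of the "Created Last 30" and "Pseudo HJT Report" lines posted above. The regexes, reason labels and the 20% vowel threshold are this example's own choices, not anything DDS defines; a hit means "look at this by hand", not "malicious".

```python
import re

# Sample input: a subset of lines copied from the DDS log in the post above
# ("Created Last 30" and "Pseudo HJT Report"), embedded here so the script
# runs offline. Everything below the samples is this example's own code.
DDS_CREATED = r"""
2011-01-28 03:18:09 20952   ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-01-26 18:25:38 1033728 ----a-w-    c:\windows\aventura.exe
2011-01-26 13:01:25 203776  --sh--w-    c:\windows\system32\unrar.exe
2011-01-26 13:01:25 --------    d-----w-    c:\windows\system32\582933403
2011-01-26 02:01:44 61440   --sha-r-    c:\windows\system32\mll_mtf3.dll
2011-01-24 13:03:28 --------    d-sh--w-    c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE
2011-01-24 13:03:10 0   ---ha-w-    c:\documents and settings\owner\ezrjfdslvv.tmp
"""

DDS_LOADPOINTS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinUpdater] "c:\program files\winvi\update.exe" /background
mRun: [USB Storage Toolbox] c:\documents and settings\owner\my documents\Res.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
AppInit_DLLs: c:\windows\system32\mp4sdecd32.dll
"""

# date time size attrs path -- the attrs column uses d/c/s/h/a/r/w letters
# (directory, compressed, system, hidden, archive, read-only, writable).
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+([-a-z]{8})\s+(.+)$")
LOADPOINT_RE = re.compile(r"^(uRun|mRun|AppInit_DLLs):\s*(?:\[([^\]]*)\]\s*)?(.*)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)  # e.g. 582933403 or a 32-char hex folder


def looks_random(stem):
    """Cheap 'random string' test: 8+ chars with fewer than 20% vowels among letters."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def created_reasons(attrs, path):
    """Review reasons for one 'Created Last 30' entry (empty list = nothing odd)."""
    reasons = []
    lower = path.lower()
    parts = lower.split("\\")
    name = parts[-1]
    stem = name.rsplit(".", 1)[0]
    # Installers rarely drop hidden+system files or folders into system32.
    if "s" in attrs and "h" in attrs and "\\system32\\" in lower:
        reasons.append("hidden+system attributes under system32")
    if HEX_NAME.match(stem):
        reasons.append("hex/numeric name")
    if looks_random(stem):
        reasons.append("random-looking name")
    # A file sitting directly in a profile root (not in a subfolder) is unusual.
    if len(parts) == 4 and parts[1] == "documents and settings" and not name.startswith("ntuser"):
        reasons.append("file dropped directly in the profile root")
    return reasons


def extract_target(value):
    """Pull the executable path out of a Run-key value, with or without quotes/arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr|sys))(?:\s|$)", value, re.I)
    return m.group(1) if m else value


def loadpoint_reasons(kind, target):
    """Review reasons for one autostart entry from the Pseudo HJT section."""
    reasons = []
    if kind == "AppInit_DLLs":
        reasons.append("AppInit_DLLs loads this DLL into every process that maps user32.dll")
    if "\\documents and settings\\" in target.lower():
        reasons.append("autostart runs a binary from a user-writable profile path")
    return reasons


def triage(created_text=DDS_CREATED, loadpoint_text=DDS_LOADPOINTS):
    """Return {path: [reasons]} for every entry that deserves a second look."""
    findings = {}
    for line in created_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            _, _, attrs, path = m.groups()
            reasons = created_reasons(attrs, path.strip())
            if reasons:
                findings[path.strip()] = reasons
    for line in loadpoint_text.splitlines():
        m = LOADPOINT_RE.match(line.strip())
        if m:
            kind, _, value = m.groups()
            target = extract_target(value)
            reasons = loadpoint_reasons(kind, target)
            if reasons:
                findings.setdefault(target, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for path, reasons in triage().items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run on the sample it lists unrar.exe, the 582933403 and 5A52... folders, mll_mtf3.dll, ezrjfdslvv.tmp, Res.EXE and the AppInit DLL, and stays quiet on mbam.sys, aventura.exe and ctfmon.exe. It does not catch c:\program files\winvi\update.exe, because nothing about that path or name is odd on its own; that is exactly why this kind of output is a review list for a human who knows the vendors, not a verdict.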

Message from PP:

A couple thoughts:

-- Uninstall Spybot SD right away as it will get in the way of some cleaning steps.

-- Look at Add/Remove Programs and see if C:\Program Files\winvi can be uninstalled. If not, then delete the folder manually.
The same for this folder---> C:\Documents and Settings\Owner\Application Data\SysWin

-- After uninstalling SpybotSD, fix these with HijackThis:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Hi Phil

Answer:

Was not able to delete SpyBot, since I get an error message:

Messages file "C:\Program Files\Spybot...\unins000.msg" is missing. Please correct the problem or obtain a new copy of the program.

Other than this, everything you suggested I should remove above was completed, without having to remove Spybot. Just wanted to let you know. Thanks again. Alex

0

Yow. Those files that Unlocker could not remove sure had some protection cast upon them; I imagine that would have been from that rogue lsass.exe or C:\WINDOWS\dmdskmgrwow.exe.
Please delete these files:

c:\documents and settings\owner\ezrjfdslvv.tmp
c:\windows\system32\mll_mtf3.dll
and folders...
c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE
c:\windows\system32\582933403

To remove Spybot cleanly the easiest way is to reinstall it over the top of the old, then uninstall.
I would uninstall Adaware also... it once was good, seems not so now. Well, it did not save you from this attack.
Whenever GMER crashes it is usually because of malware killing it deliberately to protect itself. So your sys is sus. Still. Often the process of cleaning involves removing layers of protection files.
So now get a fresh copy of GMER and try it again. And if it will not run cleanly try again but in Safe Mode.
MBAM. I like clean runs.. repeat the quick scan.

Edited by gerbil: n/a

0

Hi Gerbil.. FYI... Deleted those files and folders you mentioned in post above. Will work on removing spybot and ad aware later today. Thanks, and have a great weekend. Alx

0

You are running two firewalls: McAfee Anti-Virus Mini Firewall, which is included in the McAfee program, and that discontinued Sygate that PP mentioned. You are also running two anti-virus programs, McAfee and Lavasoft Ad-Watch Live! Anti-Virus.
There also are still infected files showing in the DDS scan.
I would recommend that you uninstall the following:
McAfee VirusScan Enterprise (this obviously is NOT doing the job it is supposed to be doing and it does contain a firewall) It needs to be uninstalled fully.
Symantec Protection Agent 5.1 (this is the Sygate firewall) It needs to be uninstalled fully.
Lavasoft Ad-Watch Live! Anti-Virus - This is the Ad-Aware program showing in your Add/Remove and must be removed also.

I know you may feel that removing all of these will leave you without protection, but by having all of these installed you have actually lessened your protection, as your multiple infections show.
Uninstall ALL of these. Once the computer is deemed 100% clean then we can advise on new FREE protection that will work 100% better than what you have on there now.
Plus the removal of all of these will hopefully make removal of other infected files easier.
Judy

0

Once you have completed Gerbil's and Judy's suggestions, let's run another tool:

-- Please follow the instructions in the linky below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

I will check back as time permits and we'll go from there.

PP:)

0

===============================

Hi Judy/Gerbil/Phil;

I removed Ad-Aware and Spybot, as you suggested, but did not remove Sygate / Symantec Protection Agent and McAfee Antivirus, since I need them both for VPN / remote access. However, I did run ComboFix, and below are the details. Please let me know if you see any additional malicious items I may need to remove, keeping in mind that I need to keep the two aforementioned apps. Thanks again for your continued support. Alex


ComboFix 11-01-28.02 - Owner 01/28/2011 22:38:05.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3063.2550 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Symantec Protection Agent 5.1 *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\7z462.exe
c:\documents and settings\All Users\inf
c:\documents and settings\All Users\inf\98ME_20011_2kXP_20024\DRemover98_2K.exe
c:\documents and settings\All Users\inf\98ME_20011_2kXP_20024\SER2PL.SYS
c:\documents and settings\All Users\inf\98ME_20011_2kXP_20024\SER9PL.SYS
c:\documents and settings\All Users\inf\98ME_20011_2kXP_20024\SERSPL.INF
c:\documents and settings\All Users\inf\98ME_20011_2kXP_20024\SERSPL.VXD
c:\documents and settings\All Users\inf\98ME_20011_2kXP_20024\SERWPL.INF
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{59572186-7fb5-4356-a992-78a5afbf4b05}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{59572186-7fb5-4356-a992-78a5afbf4b05}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{59572186-7fb5-4356-a992-78a5afbf4b05}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{59572186-7fb5-4356-a992-78a5afbf4b05}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{59572186-7fb5-4356-a992-78a5afbf4b05}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{854a4e26-f10a-482a-8fb8-f4e2981a1577}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{854a4e26-f10a-482a-8fb8-f4e2981a1577}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{854a4e26-f10a-482a-8fb8-f4e2981a1577}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{854a4e26-f10a-482a-8fb8-f4e2981a1577}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\extensions\{854a4e26-f10a-482a-8fb8-f4e2981a1577}\install.rdf
c:\documents and settings\Owner\Recent\Eminem - We Made You.mp3
c:\windows\system32\582933403
c:\windows\system32\BSTIeprintctl1.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.

2011-01-28 03:39 . 2011-01-28 03:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-01-28 03:22 . 2011-01-28 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-01-28 03:18 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-28 03:18 . 2011-01-28 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-28 03:18 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-28 03:18 . 2011-01-28 04:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-28 01:37 . 2011-01-28 02:08 -------- d-----w- c:\program files\Unlocker
2011-01-26 22:03 . 2011-01-26 22:03 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-26 22:00 . 2011-01-26 22:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-01-26 19:36 . 2011-01-26 19:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 18:25 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\aventura.exe
2011-01-26 13:01 . 2011-01-26 13:01 203776 --sh--w- c:\windows\system32\unrar.exe
2011-01-26 12:32 . 2010-03-31 23:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-26 12:32 . 2011-01-26 12:32 -------- d-----w- c:\program files\InstaCodecs
2011-01-26 02:01 . 2011-01-26 02:01 61440 --sha-r- c:\windows\system32\mll_mtf3.dll
2011-01-24 13:03 . 2011-01-28 02:11 -------- d-sh--w- c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2006-06-29 18:26 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53 . 2010-10-10 17:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2007-05-10 10:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:34 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-31 23:27 . 2006-07-01 16:08 73728 -c--a-w- c:\windows\ALCFDRTM.VER
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-06-11 106496]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"USB Storage Toolbox"="c:\documents and settings\Owner\My Documents\Res.EXE" [2005-09-15 65536]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 2805248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

c:\documents and settings\Alan\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-12-7 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-03-17 20:10 61952 ------w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 21:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Pamela\\Desktop\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Alan\\Desktop\\FrostWire\\FrostWire.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 TomTomHOMEService;TomTomHOMEService;f:\tom tom\TomTom HOME 2\TomTomHOMEService.exe --> f:\tom tom\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 MP4ConverterAudio;MP4ConverterAudio;c:\windows\system32\drivers\MP4ConverterAudio.sys [10/7/2009 3:09 PM 23096]
S3 Soromck_ch;Soromck_ch;c:\windows\system32\drivers\udfs.sys [8/4/2004 7:00 AM 66048]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [10/26/2006 1:45 PM 2799808]
S4 SysGuard;SysGuard;c:\windows\system32\drivers\Sysguard.sys [12/7/2008 1:14 PM 42496]
.
Contents of the 'Scheduled Tasks' folder

2011-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{7B0AC932-676D-4887-B3A3-964E96452225}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://webtohost.prod.fedex.com/bluezone/bzw2h/sglw2hcm.ocx
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
HKCU-Run-MyWGU Messenger - c:\program files\MyWGU Messenger\MyWGU-Messenger.exe
HKCU-Run-TomTomHOME.exe - f:\tom tom\TomTom HOME 2\TomTomHOMERunner.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
AddRemove-ABC Amber The Bat! Converter - c:\progra~1\ABCAMB~1\UNWISE.EXE
AddRemove-TomTom HOME - f:\tom tom\TomTom HOME 2\Uninstall TomTom HOME.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SSSensor.dll
c:\program files\Sygate\SSA\SnacNp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SSA\smc.exe
c:\program files\Sygate\SSA\snac.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Sygate\SSA\SmcGui.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-28 23:47:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-29 04:47

Pre-Run: 28,522,196,992 bytes free
Post-Run: 29,692,559,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - CEA55C12EBC503867A8BACD8265AE4B2

0

:). Looks like Combofix took great issue with your USB mobile connection software [beats me why the software created an inf folder in All Users, instead of using the %windir%\inf folder]. And that old 7Zip file.
It doesn't think much of Eminem, either. I'm with Combofix, right there. Is/was it actually a playable mp3?
The deleted firefox extensions, all two sets of them, are baddies; I notice that Greatis [anti-rootkit folk] have identified some such files linked to your rogue lsass.exe infection.
This one should be genuine, though - c:\windows\system32\BSTIeprintctl1.dll? You would have to check its properties to see if it was a legal version.
What is in this folder: c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE ?
There are several registry keys to unlock, but I'll wait for PP's thoughts on what combofix has done. Any files wrongly deleted can be reinstated from its vault. Else you just reinstall...

Edited by gerbil: n/a

0

There are several registry keys to unlock, but I'll wait for PP's thoughts on what combofix has done. Any files wrongly deleted can be reinstated from its vault. Else you just reinstall...

I am going to be away from the computer for much of the weekend - back on Monday.

Most of the combofix deletions look legit - though some are "iffy" as Gerbil noted. One of the drawbacks to MBAM and Combofix is "collateral damage" to files in odd places... If things are not running properly, you can restore the deleted components.
I'd scan them at Jotti or Virustotal before reinstating them. There are a few other items in the CF log that bear further scrutiny - If Judy or Gerbil don't address them, hang in there and I'll post back as soon as I am able.

PP:)

Edited by PhilliePhan: n/a

0

Allrightythen.... I am back in business!

-- How are things running now, Alex?

Let's remove a few more things with combofix. I have left some questionable items alone (codec / some likely work-related stuff / etc...)

-- Please delete your current copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

Edited by PhilliePhan: n/a

Attachments
KillAll::

File::
C:\StubInstaller.exe
C:\windows\system32\mll_mtf3.dll

Folder::
C:\Documents and Settings\Pamela\Desktop\LimeWire
C:\Documents and Settings\Alan\Desktop\FrostWire
C:\program files\winvi

DDS::
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [WinUpdater] "c:\program files\winvi\update.exe" /background
uRun: [WebSUpdater] "c:\program files\winvi\wupda.exe" /background

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-
"c:\\Documents and Settings\\Pamela\\Desktop\\LimeWire\\LimeWire.exe"=-
"c:\\Documents and Settings\\Alan\\Desktop\\FrostWire\\FrostWire.exe"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
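An added triage helper (my own example, not code from the thread, from ComboFix or from its author) that parses the "Reg Loading Points" section of the log posted above and flags Run entries and firewall AuthorizedApplications exceptions whose executable lives in a user profile, a drive root or a temp folder; for the flagged firewall exceptions it emits a Registry:: block in the same "path"=- form as the CFScript attached above. The location rule is the example's own assumption and yields leads to verify, not verdicts; the Run entries it flags are reported only, since the thread left some such entries alone.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the thread or of ComboFix. The location
heuristic below is the example's own triage rule, not a verdict.
"""
import re

# Excerpted unchanged from the ComboFix log posted earlier in the thread,
# trimmed to a few lines. Firewall paths use the doubled backslashes of
# .reg syntax; Run entries use single backslashes.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"USB Storage Toolbox"="c:\documents and settings\Owner\My Documents\Res.EXE" [2005-09-15 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Documents and Settings\\Pamela\\Desktop\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
'''

FIREWALL_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List")

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[')   # "name"="path" [date size]
FW_RE = re.compile(r'^"(.+)"=$')                    # "escaped\\path"=


def parse_loading_points(text):
    """Return (key, name, path) tuples for Run entries and firewall exceptions."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not key:
            continue
        if key.lower().endswith(r"\currentversion\run"):
            m = RUN_RE.match(line)
            if m:
                entries.append((key, m.group(1), m.group(2)))
        elif key.lower() == FIREWALL_KEY.lower():
            m = FW_RE.match(line)
            if m:
                # the firewall list is in .reg syntax: undo the backslash doubling
                entries.append((key, None, m.group(1).replace("\\\\", "\\")))
    return entries


def suspicious_location(path):
    """Return a reason if the executable lives where dropped files commonly
    end up (drive root, user profile, temp folder), else None.  Heuristic only."""
    p = path.lower().replace("%windir%", "c:\\windows")
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "executable directly in drive root"
    if p.startswith("c:\\documents and settings\\"):
        return "runs from a user profile (Desktop / My Documents / Application Data)"
    if "\\temp\\" in p:
        return "runs from a temp folder"
    return None


def triage(text):
    """Flag entries worth a second look; each finding keeps key, name, path, reason."""
    findings = []
    for key, name, path in parse_loading_points(text):
        reason = suspicious_location(path)
        if reason:
            findings.append({"key": key, "name": name, "path": path, "reason": reason})
    return findings


def firewall_cfscript(findings):
    """Emit a Registry:: block in the form of the CFScript attached above
    ("path"=- deletes the value) for flagged firewall exceptions only.
    Flagged Run entries are left to a human decision."""
    paths = [f["path"] for f in findings if f["key"].lower() == FIREWALL_KEY.lower()]
    if not paths:
        return ""
    lines = ["Registry::", "[" + FIREWALL_KEY + "]"]
    lines += ['"%s"=-' % p.replace("\\", "\\\\") for p in paths]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-22s %s  <- %s" % (f["name"] or "(firewall)", f["path"], f["reason"]))
    print()
    print(firewall_cfscript(found))
```

Run against the sample it flags cdloader, Res.EXE, StubInstaller.exe and LimeWire.exe, and the Registry:: block it prints matches the two firewall lines in the attached CFScript.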
0

PP, I didn't touch this thread further because Combofix has gotten away from me... but this file is sus?
c:\windows\aventura.exe

0

PP, I didn't touch this thread further because Combofix has gotten away from me... but this file is sus?
c:\windows\aventura.exe

Due to my limited forum time these days, I tend to make more assumptions about questionable items that may be work-related and the like.
In this case, I assumed Alex renamed the executable and therefore knows what it is......

PP:)

0

Hi guys:

I just finished deleting c:\windows\"aventura.exe", as I had created it earlier in an attempt to fix the then corrupted explorer.exe. Thanks for pointing it out. Alex

0

Hi guys:
I just finished deleting c:\windows\"aventura.exe", as I had created it earlier in an attempt to fix the then corrupted explorer.exe. Thanks for pointing it out. Alex

Hey Alex,

Did you see my post above to rerun combofix?

I'll be back Tuesday to have a look at the new log.

PP:)

0

Hey Alex,

Did you see my post above to rerun combofix?

I'll be back Tuesday to have a look at the new log.

PP:)

Hi Phil;

Hope you had a great weekend. Yes, I did read your post, and just finished re-executing Combofix per your request (see logs below). Thanks again for your invaluable assistance. Alex


ComboFix 11-01-31.01 - Owner 01/31/2011 22:09:55.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3063.2461 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Symantec Protection Agent 5.1 *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"C:\StubInstaller.exe"
"c:\windows\system32\mll_mtf3.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alan\Desktop\FrostWire
c:\documents and settings\Alan\Desktop\FrostWire\aopalliance.jar
c:\documents and settings\Alan\Desktop\FrostWire\clink.jar
c:\documents and settings\Alan\Desktop\FrostWire\commons-codec-1.3.jar
c:\documents and settings\Alan\Desktop\FrostWire\commons-logging.jar
c:\documents and settings\Alan\Desktop\FrostWire\daap.jar
c:\documents and settings\Alan\Desktop\FrostWire\EULA.txt
c:\documents and settings\Alan\Desktop\FrostWire\forms.jar
c:\documents and settings\Alan\Desktop\FrostWire\foxtrot.jar
c:\documents and settings\Alan\Desktop\FrostWire\FrostWire.exe
c:\documents and settings\Alan\Desktop\FrostWire\FrostWire.ico
c:\documents and settings\Alan\Desktop\FrostWire\FrostWire.jar
c:\documents and settings\Alan\Desktop\FrostWire\gettext-commons.jar
c:\documents and settings\Alan\Desktop\FrostWire\GPL3.txt
c:\documents and settings\Alan\Desktop\FrostWire\gson-1.4.jar
c:\documents and settings\Alan\Desktop\FrostWire\guice-1.0.jar
c:\documents and settings\Alan\Desktop\FrostWire\hashes
c:\documents and settings\Alan\Desktop\FrostWire\httpclient-4.0.jar
c:\documents and settings\Alan\Desktop\FrostWire\httpcore-4.0.1.jar
c:\documents and settings\Alan\Desktop\FrostWire\httpcore-nio-4.0.1.jar
c:\documents and settings\Alan\Desktop\FrostWire\icu4j.jar
c:\documents and settings\Alan\Desktop\FrostWire\inspection.props
c:\documents and settings\Alan\Desktop\FrostWire\jaudiotagger.jar
c:\documents and settings\Alan\Desktop\FrostWire\jcip-annotations.jar
c:\documents and settings\Alan\Desktop\FrostWire\jcraft.jar
c:\documents and settings\Alan\Desktop\FrostWire\jdic.dll
c:\documents and settings\Alan\Desktop\FrostWire\jdic.jar
c:\documents and settings\Alan\Desktop\FrostWire\jdic_stub.jar
c:\documents and settings\Alan\Desktop\FrostWire\jflac.jar
c:\documents and settings\Alan\Desktop\FrostWire\jl.jar
c:\documents and settings\Alan\Desktop\FrostWire\jmdns.jar
c:\documents and settings\Alan\Desktop\FrostWire\jython.jar
c:\documents and settings\Alan\Desktop\FrostWire\launch.properties
c:\documents and settings\Alan\Desktop\FrostWire\log4j.jar
c:\documents and settings\Alan\Desktop\FrostWire\log4j.properties
c:\documents and settings\Alan\Desktop\FrostWire\looks.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-azureus.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-collection.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-common.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-http.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-io.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-mojito.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-net.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-nio.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-resources.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-rudp.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-security.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-setting.jar
c:\documents and settings\Alan\Desktop\FrostWire\lw-statistic.jar
c:\documents and settings\Alan\Desktop\FrostWire\messages.jar
c:\documents and settings\Alan\Desktop\FrostWire\mp3spi.jar
c:\documents and settings\Alan\Desktop\FrostWire\onion-common.jar
c:\documents and settings\Alan\Desktop\FrostWire\onion-fec.jar
c:\documents and settings\Alan\Desktop\FrostWire\pmf.ico
c:\documents and settings\Alan\Desktop\FrostWire\ProgressTabs.jar
c:\documents and settings\Alan\Desktop\FrostWire\splash.jar
c:\documents and settings\Alan\Desktop\FrostWire\SystemUtilities.dll
c:\documents and settings\Alan\Desktop\FrostWire\SystemUtilitiesA.dll
c:\documents and settings\Alan\Desktop\FrostWire\themes.jar
c:\documents and settings\Alan\Desktop\FrostWire\tray.dll
c:\documents and settings\Alan\Desktop\FrostWire\tritonus.jar
c:\documents and settings\Alan\Desktop\FrostWire\Uninstall.exe
c:\documents and settings\Alan\Desktop\FrostWire\vorbisspi.jar
c:\documents and settings\Pamela\Desktop\LimeWire
c:\documents and settings\Pamela\Desktop\LimeWire\lib\jdic.dll
c:\documents and settings\Pamela\Desktop\LimeWire\lib\SystemUtilities.dll
c:\documents and settings\Pamela\Desktop\LimeWire\lib\tray.dll
c:\documents and settings\Pamela\Desktop\LimeWire\LimeWire.exe
C:\StubInstaller.exe
c:\windows\system32\mll_mtf3.dll

Infected copy of c:\windows\system32\rexec.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rexec.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-01 to 2011-02-01 )))))))))))))))))))))))))))))))
.

2011-01-28 03:39 . 2011-01-28 03:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-01-28 03:22 . 2011-01-28 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-01-28 03:18 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-28 03:18 . 2011-01-28 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-28 03:18 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-28 03:18 . 2011-01-28 04:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-28 01:37 . 2011-01-28 02:08 -------- d-----w- c:\program files\Unlocker
2011-01-26 22:03 . 2011-01-26 22:03 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-26 22:00 . 2011-01-26 22:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-01-26 19:36 . 2011-01-26 19:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 13:01 . 2011-01-26 13:01 203776 --sh--w- c:\windows\system32\unrar.exe
2011-01-26 12:32 . 2010-03-31 23:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-26 12:32 . 2011-01-26 12:32 -------- d-----w- c:\program files\InstaCodecs
2011-01-24 13:03 . 2011-01-28 02:11 -------- d-sh--w- c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2006-06-29 18:26 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53 . 2010-10-10 17:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2007-05-10 10:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:34 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-06-11 106496]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"USB Storage Toolbox"="c:\documents and settings\Owner\My Documents\Res.EXE" [2005-09-15 65536]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 2805248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

c:\documents and settings\Alan\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-12-7 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-03-17 20:10 61952 ------w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 21:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 TomTomHOMEService;TomTomHOMEService;f:\tom tom\TomTom HOME 2\TomTomHOMEService.exe --> f:\tom tom\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 MP4ConverterAudio;MP4ConverterAudio;c:\windows\system32\drivers\MP4ConverterAudio.sys [10/7/2009 3:09 PM 23096]
S3 Soromck_ch;Soromck_ch;c:\windows\system32\drivers\udfs.sys [8/4/2004 7:00 AM 66048]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [10/26/2006 1:45 PM 2799808]
S4 SysGuard;SysGuard;c:\windows\system32\drivers\Sysguard.sys [12/7/2008 1:14 PM 42496]
.
Contents of the 'Scheduled Tasks' folder

2011-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2011-02-01 c:\windows\Tasks\User_Feed_Synchronization-{7B0AC932-676D-4887-B3A3-964E96452225}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://webtohost.prod.fedex.com/bluezone/bzw2h/sglw2hcm.ocx
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5t4bxi9.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner\Application Data\Move Networks
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-31 22:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SSSensor.dll
c:\program files\Sygate\SSA\SnacNp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SSA\smc.exe
c:\program files\Sygate\SSA\snac.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Sygate\SSA\SmcGui.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-31 22:30:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-01 03:30
ComboFix2.txt 2011-01-29 04:47

Pre-Run: 29,613,989,888 bytes free
Post-Run: 29,551,976,448 bytes free

- - End Of File - - C6F778A5ACE7FEC6E09E916E96719B6E

0

Hope you had a great weekend. Yes, I did read your post, and just finished re-executing Combofix per your request (see logs below). Thanks again for your invaluable assistance. Alex

Happy to help :)

Weekend was quite busy - I find myself working twice as hard for half the pay these days! LOL.

That log looks better - how are things running now?

I left these alone - they are probably OK.
The first two are likely related - we see an awful lot of infected codecs these days. Not sure if that is the case here:

c:\windows\system32\ff_vfw.dll
c:\program files\InstaCodecs
c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE


Anyhoo, let me know how things are working now and we'll go from there.

PP:)
