Forums » Up and Running » Security » Security Cleanup » HJT Log: New Install Already Dirty!


Roundel
join:2002-03-24
Westport, CT

HJT Log: New Install Already Dirty!

About a month ago I had gotten something through the school network. Whatever it was opened the door for everything and anything to be installed, and whatever I did and no matter how many programs I used, it was unstoppable.
I reformatted and re-installed, and 2 days later (after being at school again with the computer) I had gotten a couple of viruses. I had a couple of programs clear it out, but I still have some slowness, popups and redirections from search engines. I hope that whatever is left isn't serious.
Here is my HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:48 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\IFXSPMGT.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Highjack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [RSwvx004hd] C:\WINDOWS\TEMP\win12.exe
O4 - HKLM\..\Policies\Explorer\Run: [0868YbKuQ0] C:\WINDOWS\TEMP\win29.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···12050468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···12039156
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\System32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\System32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5446 bytes


CalamityJane
join:2002-08-27
Eustis, FL

First go here
»Malware archive
and upload (attach) the following files for analysis:

C:\WINDOWS\TEMP\win12.exe
C:\WINDOWS\TEMP\win29.exe
C:\WINDOWS\system32\wowfx.dll

Make sure you have configured your PC to show all hidden files:
Windows XP
Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

....................

You missed step 3 which is very important (the online AV scan)
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

However, use this one instead and do it in SAFE MODE (with networking). Here is the link and instructions and I need for you to save and post the log it makes at the end:

* Go here: »www.eset.eu/online-scanner to run an online scanner from ESET.
* Note: You will need to use Internet Explorer for this scan
* Tick the box next to YES, I accept the Terms of Use.
* Click Start
* When asked, allow the ActiveX control to install
* Click Start
* Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
* Click Scan
* Wait for the scan to finish
* Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
* Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)

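A small triage script for the kinds of HijackThis entries picked out in this thread (the Policies\Explorer\Run autostarts pointing into TEMP, the AppInit_DLLs entry, and the unnamed or file-missing BHO and Winlogon Notify entries that show up in the later logs). This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted here, and the heuristics are assumptions about what a helper looks for, not rules the tool itself applies.

```python
"""Triage a HijackThis (HJT) log for the entry types the helper in this thread
singles out: autostarts under Policies\\Explorer\\Run, programs launched from a
temp directory, AppInit_DLLs, unnamed BHOs, and orphaned loading points whose
target file is missing. Added example; not part of the thread or of HijackThis."""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the three HJT logs in this thread plus
# two benign entries, so the triage runs offline and has negatives to ignore.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [RSwvx004hd] C:\WINDOWS\TEMP\win12.exe
O4 - HKLM\..\Policies\Explorer\Run: [0868YbKuQ0] C:\WINDOWS\TEMP\win29.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {0B1226B4-0B81-5117-37BD-06CE9BA42546} - C:\WINDOWS\system32\dtdhyaav.dll
O2 - BHO: e404 helper - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1206802128.dll (file missing)
O20 - Winlogon Notify: ddcArpQk - ddcArpQk.dll (file missing)
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path ending in a loadable file; non-greedy so trailing text
# such as "/STARTUP" or "(file missing)" is left out of the path.
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)
# Fallback for entries that carry only a bare file name (e.g. Winlogon Notify).
BARE_FILE_RE = re.compile(r"[\w.~-]+\.(?:exe|dll)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    path: str
    reasons: list = field(default_factory=list)


def extract_path(body: str) -> str:
    """Return the file the entry loads, or '' if none can be identified."""
    m = DRIVE_PATH_RE.search(body)
    if m:
        return m.group(0)
    bare = BARE_FILE_RE.findall(body)
    return bare[-1] if bare else ""


def reasons_for(section: str, body: str, path: str) -> list:
    """Apply the heuristics (assumptions, not HJT's own rules) to one entry."""
    reasons = []
    low_body, low_path = body.lower(), path.lower()
    if section == "O4" and "policies\\explorer\\run" in low_body:
        reasons.append("autostart under Policies\\Explorer\\Run, a key legitimate software rarely uses")
    if re.search(r"\\temp\\|\\temporary internet files\\", low_path):
        reasons.append("program loaded from a temporary directory")
    if section == "O20" and low_body.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs loads this DLL into every process that uses user32.dll")
    if section == "O2" and "(no name)" in low_body:
        reasons.append("browser helper object registered without a name")
    if "(file missing)" in low_body:
        reasons.append("orphaned loading point: the target file no longer exists")
    return reasons


def triage(log_text: str) -> list:
    """Parse an HJT log and return only the entries that trip a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the process list are not loading points
        section, body = m.group("section"), m.group("body")
        path = extract_path(body)
        reasons = reasons_for(section, body, path)
        if reasons:
            findings.append(Finding(section, line, path, reasons))
    return findings


def files_for_analysis(findings: list) -> list:
    """Files worth uploading to a malware archive, as the helper asked for:
    flagged targets that still exist on disk, in log order, de-duplicated."""
    files = []
    for f in findings:
        if f.path and "(file missing)" not in f.line.lower() and f.path not in files:
            files.append(f.path)
    return files


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.path or '(no path)'}")
        for r in f.reasons:
            print(f"    - {r}")
    print("Upload for analysis:", *files_for_analysis(found), sep="\n  ")
```

Run against the sample, it flags six entries and lists the three files the helper asked for plus the unnamed BHO's DLL from the final log, while leaving the AVG, Google Toolbar and Broadcom entries alone.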

Roundel
join:2002-03-24
Westport, CT
I ran AVG again and it actually deleted those three files. They looked suspect to me. I am sorry I didn't come here before doing so; it could have been some help to someone. I will do that online scan as the computer still seems to be sluggish and the occasional pop-up and search redirect occurs. A new problem has come up: explorer.exe has a buffer overrun and needs to be shut down. After that explorer either restarts, or I have to manually restart it through Task Manager.
Thanks for the help, will update soon.


Roundel
join:2002-03-24
Westport, CT
Here are the updated logs

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2988 (20080331)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a2425dddcbb7c34782178a77e4f968d8
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-04-01 02:19:20
# local_time=2008-03-31 10:19:20 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=157947
# found=1
# scan_time=1655
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\ST6ZW16J\scan[1].htm probably a variant of JS/TrojanDownloader.Agent.NBQ trojan (unable to clean - deleted) 00000000000000000000000000000000

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:56 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\IFXSPMGT.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Highjack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···12050468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···12039156
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\System32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\System32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5417 bytes
The computer still seems very slow to me. Sometimes a sidebar won't scroll immediately or a button won't press. It seems like I am running a remote desktop on a slow connection; that's how I can sum it up. It's strange, because this thing looks like it's clean as a whistle now after that last scan.


Roundel
join:2002-03-24
Westport, CT
Still getting the odd pop-up as well. When I restart the computer a rundll runs for a couple of seconds, making me think there is something running VERY hidden. Just can't figure out what.


CalamityJane
join:2002-08-27
Eustis, FL

Thank you for finishing up with that scan and the report. The one item it found was simply nothing - you can just clear your cache to get rid of any items found there. That was not an active infection, but rather a stored webpage you viewed that had an exploit in it (and you may not even have been vulnerable to that exploit; your AV just "saw" it embedded in the webpage viewed).

Do this to clear out any cached items and temporary files

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin


If you are still seeing popups, then it is likely you have some hidden adware of some sort still active and it doesn't show on the last HijackThis log.

We'll have to dig a little deeper.
Let's use this free tool called ComboFix.

Please visit this webpage for download links, and instructions for running the tool: »www.bleepingcomputer.com/combofi···combofix

If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it.

When the tool is finished, it will produce a report for you.
Please post that report located at: C:\ComboFix.txt along with a new HijackThis log.


Roundel
join:2002-03-24
Westport, CT
ComboFix 08-04-02.1 - Sam 2008-04-02 16:55:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT -4:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bLRXaccf.ini
C:\WINDOWS\system32\bLRXaccf.ini2
C:\WINDOWS\system32\fccaXRLb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\uuklaaqf.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-01 00:27 . 2008-04-01 00:30 d-------- C:\Documents and Settings\Sam\.housecall6.6
2008-03-31 22:50 . 2008-03-31 22:50 d-------- C:\VundoFix Backups
2008-03-31 21:49 . 2008-03-31 22:19 d-------- C:\Program Files\EsetOnlineScanner
2008-03-31 12:26 . 2008-03-31 22:45 d-------- C:\Program Files\Highjack This
2008-03-31 12:25 . 2008-03-31 12:26 d-------- C:\Program Files\Windows Defender
2008-03-30 19:02 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-30 19:02 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-30 19:02 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-30 19:02 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-30 19:02 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-30 19:02 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-30 19:02 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-30 19:02 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-30 19:02 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-30 19:02 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-30 14:05 . 2008-03-30 14:05 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-30 13:59 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-30 13:59 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-30 13:59 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-29 13:07 . 2008-03-31 01:18 d-------- C:\Documents and Settings\Sam\Application Data\AVG7
2008-03-29 13:07 . 2008-03-29 13:07 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-29 13:06 . 2008-03-29 13:06 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 13:06 . 2008-03-29 13:08 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 12:03 . 2008-03-29 12:03 86,016 --a------ C:\WINDOWS\system32\kgrnilct.exe
2008-03-29 11:55 . 2008-03-29 11:55 d-------- C:\Program Files\Lavasoft
2008-03-29 11:55 . 2008-03-29 11:55 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 11:55 . 2008-03-29 11:56 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-29 11:00 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-29 10:43 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-29 10:43 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-29 00:58 . 2008-03-29 10:43 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-29 00:56 . 2008-03-29 00:56 d-------- C:\WINDOWS\provisioning
2008-03-29 00:53 . 2008-03-29 00:53 d-------- C:\WINDOWS\ServicePackFiles
2008-03-29 00:48 . 2004-07-17 12:40 19,528 --a------ C:\WINDOWS\002390_.tmp
2008-03-29 00:45 . 2008-03-29 00:45 d-------- C:\WINDOWS\EHome
2008-03-26 22:38 . 2008-03-26 22:38 106,496 --a------ C:\WINDOWS\system32\dtdhyaav.dll
2008-03-26 22:38 . 2008-03-26 22:38 106,496 --a------ C:\Documents and Settings\All Users\Application Data\xmvwtobm.dll
2008-03-26 22:38 . 2008-03-26 22:38 98,304 --a------ C:\WINDOWS\system32\mboqeskb.exe
2008-03-26 12:06 . 2008-03-26 12:06 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 22:31 . 2008-03-31 12:34 d--h----- C:\WINDOWS\$hf_mig$
2008-03-24 22:31 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-24 22:30 . 2008-03-24 22:30 d-------- C:\WINDOWS\system32\bits
2008-03-24 22:30 . 2004-08-04 01:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-03-24 22:30 . 2004-08-04 01:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-24 22:30 . 2004-08-04 01:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-24 22:30 . 2004-08-04 01:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-03-24 22:30 . 2004-08-04 01:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-03-24 22:27 . 2008-03-24 22:27 d---s---- C:\Documents and Settings\Sam\UserData
2008-03-24 22:27 . 2007-07-30 20:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-24 22:27 . 2007-07-30 20:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-24 22:27 . 2007-07-30 20:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-24 22:27 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-24 22:27 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-24 22:27 . 2007-07-30 20:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-24 22:27 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-24 22:27 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-24 22:27 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-24 22:13 . 2008-03-24 22:13 d-------- C:\Documents and Settings\Sam\Application Data\Infineon
2008-03-24 20:25 . 2008-03-24 20:26 d-------- C:\Program Files\Google
2008-03-24 20:13 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-24 20:13 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-24 20:13 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-24 20:13 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-24 15:38 . 2008-03-24 14:39 d-------- C:\Program Files\Broadcom
2008-03-24 15:27 . 2008-03-24 15:27 d-------- C:\Program Files\SigmaTel
2008-03-24 15:26 . 2008-03-24 15:26 d-------- C:\Documents and Settings\Sam\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 19:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-24 18:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-24 18:43 --------- d-----w C:\Program Files\Dell
2008-03-24 18:41 --------- d-----w C:\Program Files\Intel
2008-03-24 18:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 18:40 --------- d-----w C:\Program Files\Modem Helper
2008-03-24 18:40 --------- d-----w C:\Program Files\CONEXANT
2008-03-24 18:40 --------- d-----w C:\Program Files\Apoint
2008-03-24 18:38 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B1226B4-0B81-5117-37BD-06CE9BA42546}]
2008-03-26 22:38 106496 --a------ C:\WINDOWS\system32\dtdhyaav.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D04CDB9-767F-15DD-5E30-081FD0F44FE3}]
C:\WINDOWS\system32\xfjqloww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F10DE2B-E923-4548-B524-4D9C5FA80777}]
C:\Program Files\Helper\1206802128.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-24 20:26 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IfxSecurePlatformIndication"="C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe" [2005-03-11 12:14 114688]
"PSDruntime"="C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE" [2005-03-11 11:41 81920]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [2007-03-16 19:10 1392640]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-29 13:06 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-29 13:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcArpQk]
ddcArpQk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll 2005-03-11 12:05 360448 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSDNtfy]
C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll 2005-03-11 11:43 45056 C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
winpdc32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2005-03-11 11:43]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 20:45:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-02 17:00:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\IFXSPMGT.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
.
**************************************************************************
.
Completion time: 2008-04-02 17:03:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-02 21:02:46
Pre-Run: 32,703,766,528 bytes free
Post-Run: 32,767,344,640 bytes free
.
2008-03-31 14:25:23 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:28 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\IFXSPMGT.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Highjack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1226B4-0B81-5117-37BD-06CE9BA42546} - C:\WINDOWS\system32\dtdhyaav.dll
O2 - BHO: (no name) - {1D04CDB9-767F-15DD-5E30-081FD0F44FE3} - C:\WINDOWS\system32\xfjqloww.dll (file missing)
O2 - BHO: e404 helper - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1206802128.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···12050468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···12039156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - »www.ca.com/us/securityadvisor/vi···scan.cab
O20 - Winlogon Notify: ddcArpQk - ddcArpQk.dll (file missing)
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\System32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\System32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6535 bytes

I couldn't get the recovery console installed for some reason. But I didn't really care, as there was nothing on the computer worth saving; I was about to reformat before I found this forum.

It seems to be A-OK now. Thanks again for all the help!
Will update if there are any problems!


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


1 edit
reply to Roundel
Nope, there is still some infection to deal with. This is Vundo, by the way.

Make a copy of this instruction to have handy as these next steps need to be done with all browsers and any open windows closed, and will force a reboot at the end.

1. Please open Notepad - don't use any other text editor than Notepad or the script will fail.

2. Now copy/paste the entire content of the text in the code box below into the Notepad window.
3. Save the Notepad file above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

* Combofix.txt
* A new HijackThis log.

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Roundel
Blau Und Weiss
Premium
join:2002-03-24
Westport, CT
clubs:
reply to Roundel
Tried several times and the script, it seems, isn't working. The computer freezes at "Deleting Files/Folders".

Is it safe to go in and delete those files manually?


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

CFScript.zip 452 bytes
The problem with trying to delete manually is they often just recreate themselves.

I think I see the problem. The code tags are adding symbols to my script. I've created the txt file for you and attaching it here in a zip file. Save to your desktop and extract and save the text file on the desktop as well, then drag it into Combofix as shown above.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Roundel
Blau Und Weiss
Premium
join:2002-03-24
Westport, CT
clubs:
reply to Roundel
It was going so smoothly until now!
It's still hanging up. I left it even overnight, and it was still hung up at that same spot.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Overnight? Did you try downloading the one I made for you and attached in my reply this morning (just above your last post)?

If that doesn't work let me know
(what browser are you using in here?)

Don't dismay, I have another tool we can try if this isn't working.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Roundel
Blau Und Weiss
Premium
join:2002-03-24
Westport, CT
clubs:
·Optimum Online

reply to Roundel
That was a blond moment. I had meant to say that before (must have forgotten), and it came out as I wrote that post.

Yes, I used the zip, but it still hangs up. Tried it 4 times; the second time, explorer.exe started up right in the middle of the scan and ComboFix froze.
This morning AVG caught a couple of files (I think including mboqeskb.exe).
Here's the current situation. At a glance, I still see some of the files mentioned in the script.

Scan saved at 11:43, on 2008-04-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\IFXSPMGT.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Highjack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1226B4-0B81-5117-37BD-06CE9BA42546} - C:\WINDOWS\system32\dtdhyaav.dll
O2 - BHO: (no name) - {1D04CDB9-767F-15DD-5E30-081FD0F44FE3} - C:\WINDOWS\system32\xfjqloww.dll (file missing)
O2 - BHO: e404 helper - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1206802128.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···12050468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···12039156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - »www.ca.com/us/securityadvisor/vi···scan.cab
O20 - Winlogon Notify: ddcArpQk - ddcArpQk.dll (file missing)
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\System32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\System32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6522 bytes

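CalamityJane reads this log as Vundo and singles out the unnamed BHOs, the BHO and Winlogon Notify entries marked "(file missing)", and the random-looking DLLs in system32. The Python script below is an added example, not part of the thread and not code from HijackThis or its author: it parses the O-lines of an HJT log and reports those same indicator patterns over a constructed sample of lines copied from the log above. The "eight lowercase letters in system32" and "all-digit file name" heuristics are assumptions tuned to the names in this thread, useful for triage, not proof of infection on their own.

```python
"""Triage HijackThis (HJT) O-lines for the indicator patterns discussed in the thread."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O2/O20/O23 lines in the shape HJT v2 writes them (copied from the thread's log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1226B4-0B81-5117-37BD-06CE9BA42546} - C:\WINDOWS\system32\dtdhyaav.dll
O2 - BHO: (no name) - {1D04CDB9-767F-15DD-5E30-081FD0F44FE3} - C:\WINDOWS\system32\xfjqloww.dll (file missing)
O2 - BHO: e404 helper - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1206802128.dll (file missing)
O20 - Winlogon Notify: ddcArpQk - ddcArpQk.dll (file missing)
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# "Oxx - Kind: rest"; R-lines and anything else are skipped by the parser.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
MISSING = " (file missing)"
RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # heuristic (assumption): e.g. dtdhyaav, xfjqloww
NUMERIC_STEM = re.compile(r"^\d{6,}$")    # heuristic (assumption): e.g. 1206802128


@dataclass
class Entry:
    line_no: int
    section: str
    kind: str
    name: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line_no: int, line: str) -> Optional[Entry]:
    """Return an Entry for an 'Oxx - Kind: ...' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    file_missing = rest.endswith(MISSING)
    if file_missing:
        rest = rest[: -len(MISSING)]
    # Fields are separated by " - "; the first is the display name, the last is the path.
    parts = rest.split(" - ")
    return Entry(line_no, m.group("section"), m.group("kind"), parts[0], parts[-1], file_missing)


def assess(entry: Entry) -> List[str]:
    """Apply the triage rules; an empty list means nothing noteworthy."""
    reasons = []
    if entry.kind == "BHO" and entry.name == "(no name)":
        reasons.append("BHO registered without a name")
    if entry.file_missing:
        reasons.append("registration points at a file that no longer exists")
    if entry.kind == "Winlogon Notify" and "\\" not in entry.path:
        reasons.append("Winlogon Notify DLL given without a directory")
    stem, _ = ntpath.splitext(ntpath.basename(entry.path))
    if RANDOM_STEM.match(stem) and "\\system32\\" in entry.path.lower():
        reasons.append("eight-letter random-looking DLL name in system32")
    if NUMERIC_STEM.match(stem):
        reasons.append("purely numeric file name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every line of an HJT log and return the entries that tripped a rule."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        entry = parse_line(line_no, line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.entry.line_no} [{f.entry.section}] {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, it reports the two unnamed BHOs, the numeric-named e404 helper DLL and the two dangling Winlogon Notify entries, and stays silent on the Adobe, Broadcom and Google entries; the same lines are the ones the helper later lists for "Fix Checked". Point `triage()` at a full log file's contents to use it on a real log.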

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to Roundel
Ok, except AVG did not get all of it, and new malware files may now have been spawned. Could you please just scan with ComboFix and post a fresh log from it (don't use the script)? With that info I can then try this other tool, but I need to be sure no other file infectors were respawned by AVG's action.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


1 edit
reply to Roundel
ComboFix running a scan should only take 10-20 minutes max. If it is still getting stuck, please download this free tool and post the logs it makes instead.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.


* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepad files: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Roundel
Blau Und Weiss
Premium
join:2002-03-24
Westport, CT
clubs:
·Optimum Online

reply to Roundel
extra.txt 13,631 bytes
main.txt 28,653 bytes
Sorry for the long wait in reply. My main computer somehow has become infected with something. And I have been trying to clean it out with online scans, but am having real trouble. (I'll post a new thread)
Here are the two text files from the scan


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


1 edit
Sorry to hear that, Roundel.

I'm going to try a different fix now, because I'm not sure the board software is converting my text script properly for ComboFix, so I'm going to use a different tool.

Please download VundoFix.exe and save it to your desktop.
»www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.

* Click the Scan for Vundo button.

* Once it's done scanning, click the Remove Vundo button.

* In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.

* Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.

* In the Window: copy and paste next in the first field: C:\WINDOWS\system32\dtdhyaav.dll

* Copy and paste next in the second field: C:\WINDOWS\system32\xfjqloww.dll

* Click the “Add Files” button.

* Click the "Close Window" button.

* Click the Remove Vundo button.

* You will receive a prompt asking if you want to remove the files, click YES

* Once you click yes, your desktop will go blank as it starts removing Vundo.

* When completed, it will prompt that it will shutdown your computer, click OK.

* Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {0B1226B4-0B81-5117-37BD-06CE9BA42546} - C:\WINDOWS\system32\dtdhyaav.dll

O2 - BHO: (no name) - {1D04CDB9-767F-15DD-5E30-081FD0F44FE3} - C:\WINDOWS\system32\xfjqloww.dll (file missing)

O2 - BHO: e404 helper - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1206802128.dll (file missing)

O20 - Winlogon Notify: ddcArpQk - ddcArpQk.dll (file missing)

O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new Hijackthis log and the contents of C:\vundofix.txt in your next reply.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Roundel
Blau Und Weiss
Premium
join:2002-03-24
Westport, CT
clubs:
·Optimum Online

reply to Roundel
Next Set

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:55 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\IFXSPMGT.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Highjack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···12050468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···12039156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - »www.ca.com/us/securityadvisor/vi···scan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload2.macromedia.com/get/s···lash.cab
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\System32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\System32\IFXTCS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Broadcom - C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6148 bytes

VundoFix V7.0.3

Scan started at 10:50:30 PM 3/31/2008

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dtdhyaav.dll
C:\WINDOWS\system32\dtdhyaav.dll Has been deleted!

Performing Repairs to the registry.
Done!


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to Roundel
Well, that was successful anyway. How is your computer acting at this point?

Could I see one more scan with ComboFix, just to make sure it didn't morph into another random-named file? Just the plain scan and log (you don't need to use the CFScript anymore - you can delete CFScript.txt).
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Roundel
Blau Und Weiss
Premium
join:2002-03-24
Westport, CT
clubs:
·Optimum Online

reply to Roundel
Computer's running like new!!!!
Sorry for the delay in this response, it's been a busy week. I will get to the other thread soon.
Here's the CF log
ComboFix 08-04-02.1 - Sam 2008-04-09 21:55:04.10 - NTFSx86
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 16:49 . 2008-04-09 16:49 d-------- C:\WINDOWS\LastGood
2008-04-06 00:40 . 2008-04-06 00:42 d-------- C:\5b7bde4486948ed8818bb5fe
2008-04-06 00:30 . 2008-04-06 00:30 d-------- C:\Deckard
2008-04-01 00:27 . 2008-04-01 00:30 d-------- C:\Documents and Settings\Sam\.housecall6.6
2008-03-31 22:50 . 2008-03-31 22:50 d-------- C:\VundoFix Backups
2008-03-31 21:49 . 2008-03-31 22:19 d-------- C:\Program Files\EsetOnlineScanner
2008-03-31 12:26 . 2008-04-06 10:52 d-------- C:\Program Files\Highjack This
2008-03-31 12:25 . 2008-03-31 12:26 d-------- C:\Program Files\Windows Defender
2008-03-30 19:02 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-30 19:02 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-30 19:02 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-30 19:02 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-30 19:02 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-30 19:02 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-30 19:02 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-30 19:02 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-30 19:02 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-30 19:02 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-30 14:05 . 2008-03-30 14:05 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-30 13:59 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-30 13:59 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-30 13:59 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-29 13:07 . 2008-04-03 09:34 d-------- C:\Documents and Settings\Sam\Application Data\AVG7
2008-03-29 13:07 . 2008-03-29 13:07 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-29 13:06 . 2008-03-29 13:06 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 13:06 . 2008-03-29 13:08 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 11:55 . 2008-03-29 11:55 d-------- C:\Program Files\Lavasoft
2008-03-29 11:55 . 2008-03-29 11:55 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 11:55 . 2008-03-29 11:56 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-29 11:00 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-29 10:43 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-29 10:43 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-29 00:58 . 2008-03-29 10:43 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-29 00:56 . 2008-03-29 00:56 d-------- C:\WINDOWS\provisioning
2008-03-29 00:53 . 2008-03-29 00:53 d-------- C:\WINDOWS\ServicePackFiles
2008-03-29 00:48 . 2004-07-17 12:40 19,528 --a------ C:\WINDOWS\002390_.tmp
2008-03-29 00:45 . 2008-03-29 00:45 d-------- C:\WINDOWS\EHome
2008-03-26 22:38 . 2008-03-26 22:38 106,496 --a------ C:\Documents and Settings\All Users\Application Data\xmvwtobm.dll
2008-03-26 12:06 . 2008-03-26 12:06 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 22:31 . 2008-04-09 16:49 d--h----- C:\WINDOWS\$hf_mig$
2008-03-24 22:31 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-24 22:30 . 2008-03-24 22:30 d-------- C:\WINDOWS\system32\bits
2008-03-24 22:30 . 2004-08-04 01:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-03-24 22:30 . 2004-08-04 01:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-24 22:30 . 2004-08-04 01:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-24 22:30 . 2004-08-04 01:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-03-24 22:30 . 2004-08-04 01:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-03-24 22:27 . 2008-03-24 22:27 d--hs---- C:\Documents and Settings\Sam\UserData
2008-03-24 22:27 . 2007-07-30 20:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-24 22:27 . 2007-07-30 20:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-24 22:27 . 2007-07-30 20:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-24 22:27 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-24 22:27 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-24 22:27 . 2007-07-30 20:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-24 22:27 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-24 22:27 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-24 22:27 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-24 22:13 . 2008-03-24 22:13 d-------- C:\Documents and Settings\Sam\Application Data\Infineon
2008-03-24 20:25 . 2008-03-24 20:26 d-------- C:\Program Files\Google
2008-03-24 20:13 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-24 20:13 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-24 20:13 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-24 20:13 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-24 15:38 . 2008-03-24 14:39 d-------- C:\Program Files\Broadcom
2008-03-24 15:27 . 2008-03-24 15:27 d-------- C:\Program Files\SigmaTel
2008-03-24 15:26 . 2008-03-24 15:26 d-------- C:\Documents and Settings\Sam\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 13:50 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-24 19:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-24 18:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-24 18:43 --------- d-----w C:\Program Files\Dell
2008-03-24 18:41 --------- d-----w C:\Program Files\Intel
2008-03-24 18:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 18:40 --------- d-----w C:\Program Files\Modem Helper
2008-03-24 18:40 --------- d-----w C:\Program Files\CONEXANT
2008-03-24 18:40 --------- d-----w C:\Program Files\Apoint
2008-03-24 18:38 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-22 20:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-02_17.02.29.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-20 21:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2007-11-20 20:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-03-24 18:48:09 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-06 05:03:59 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-04-02 20:51:49 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-04 06:57:47 41,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-02 20:51:49 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-04 06:57:47 315,076 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-24 20:26 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IfxSecurePlatformIndication"="C:\Program Files\Broadcom\Security Platform Software\SpTNA.exe" [2005-03-11 12:14 114688]
"PSDruntime"="C:\Program Files\Broadcom\Security Platform Software\PSDrt.EXE" [2005-03-11 11:41 81920]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\WLTRAY.exe" [2007-03-16 19:10 1392640]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-29 13:06 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-29 13:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll 2005-03-11 12:05 360448 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSDNtfy]
C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll 2005-03-11 11:43 45056 C:\Program Files\Broadcom\Security Platform Software\PSDNtfy.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2005-03-11 11:43]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 16:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 14:50:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2008-04-09 21:57:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 21:57:38
ComboFix-quarantined-files.txt 2008-04-10 01:57:23
ComboFix2.txt 2008-04-03 15:54:29
ComboFix3.txt 2008-04-03 04:30:55
ComboFix4.txt 2008-04-02 21:03:34
Pre-Run: 32,400,564,224 bytes free
Post-Run: 32,390,623,232 bytes free
.
2008-04-06 14:23:36 --- E O F ---
Sunday, 06-Dec 05:27:07 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.