[Closed] pop ups and trojans?


  • This topic is locked
11 replies to this topic

#1 MiNdHaBiTs

MiNdHaBiTs

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 20 November 2009 - 07:16 AM

Sorry if I'm doing this wrong. I think I've got a major problem and could use some help.

Thank you in advance!

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:57 AM, on 11/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ERUNT\ERUNT.EXE
C:\Documents and Settings\Brad\Desktop\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brad\Desktop\dds.scr
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\Brad\LOCALS~1\Temp\RarSFX1\WREGS.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zojikowuj] Rundll32.exe "c:\windows\system32\hunafomo.dll",a
O4 - HKCU\..\Run: [FtpDrive] C:\Program Files\KillSoft\FtpDrive\FtpDrive.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [A00F2CAF4C34.exe] C:\WINDOWS\TEMP\_A00F2CAF4C34.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00F2CAF4C34.exe] C:\WINDOWS\TEMP\_A00F2CAF4C34.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} (IntuitRecurPayCom2009.UserControl1) - https://merchantacco...rPayCom2009.cab
O16 - DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} (QBMASSyncCom1_2009.UserControl1) - https://merchantacco...ncCom1_2009.cab
O16 - DPF: {788539E8-002D-4E59-9089-40B694A99C9A} (QBMASSyncCom2_2008.UserControl1) - https://merchantacco...ncCom2_2008.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D49EF7E0-6565-4CD0-A1BB-F7DE17901A9E}: NameServer = 77.74.48.113
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: jonatipi.dll c:\windows\system32\hunafomo.dll
O20 - Winlogon Notify: __c008489C - C:\WINDOWS\system32\__c008489C.dat
O21 - SSODL: boseniwun - {a089a8e6-6732-4b58-8b79-0d92499dece1} - c:\windows\system32\hunafomo.dll
O22 - SharedTaskScheduler: jugezatag - {a089a8e6-6732-4b58-8b79-0d92499dece1} - c:\windows\system32\hunafomo.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Management AppMgmtAlerter (AppMgmtAlerter) - Unknown owner - C:\WINDOWS\system32\advpackz.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 14152 bytes

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/7/2006 8:38:42 PM
System Uptime: 11/11/2009 12:28:34 PM (209 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-E
Processor: AMD Athlon™ 64 Processor 3000+ | Socket 939 | 1813/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 14.281 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP443: 8/15/2009 5:22:23 PM - System Checkpoint
RP444: 8/16/2009 6:06:58 PM - System Checkpoint
RP445: 8/17/2009 7:06:58 PM - System Checkpoint
RP446: 8/19/2009 12:16:09 AM - System Checkpoint
RP447: 8/26/2009 3:00:20 AM - Software Distribution Service 3.0
RP448: 9/1/2009 12:51:12 PM - Installed HPSU306Stub
RP449: 9/2/2009 3:00:23 AM - Software Distribution Service 3.0
RP450: 9/9/2009 12:14:25 PM - Removed HPSU306Stub
RP451: 9/9/2009 12:14:46 PM - Removed HP Update
RP452: 9/9/2009 12:15:44 PM - Installed HP Update.
RP453: 9/9/2009 12:21:54 PM - Installed HP Product Assistant
RP454: 9/9/2009 12:24:23 PM - Installed 32 Bit HP CIO Components Installer
RP455: 9/9/2009 12:26:06 PM - Removed 32 Bit HP CIO Components Installer
RP456: 9/9/2009 11:45:07 PM - Installed BlackBerry Desktop Software 5.0.
RP457: 9/10/2009 3:00:17 AM - Software Distribution Service 3.0
RP458: 9/12/2009 11:33:20 AM - System Checkpoint
RP459: 9/13/2009 11:38:02 AM - System Checkpoint
RP460: 9/17/2009 3:00:24 AM - Software Distribution Service 3.0
RP461: 9/17/2009 12:53:16 PM - Installed Java™ 6 Update 15
RP462: 9/24/2009 3:48:23 AM - System Checkpoint
RP463: 9/25/2009 1:09:32 PM - Installed ScanSoft PaperPort 11
RP464: 9/25/2009 1:11:00 PM - Installed PaperPort Image Printer
RP465: 9/25/2009 1:11:16 PM - Printer Driver Nuance Image Printer Driver Installed
RP466: 9/25/2009 1:11:34 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP467: 9/25/2009 1:12:30 PM - Installed Brother MFL-Pro Suite
RP468: 9/25/2009 1:16:09 PM - Unsigned printer driver Brother PC-FAX v.2 installed.
RP469: 9/26/2009 2:42:19 PM - System Checkpoint
RP470: 9/28/2009 11:13:55 AM - System Checkpoint
RP471: 9/29/2009 1:13:22 PM - System Checkpoint
RP472: 9/30/2009 1:38:18 PM - System Checkpoint
RP473: 10/5/2009 8:38:57 PM - System Checkpoint
RP474: 10/6/2009 9:12:50 PM - System Checkpoint
RP475: 10/11/2009 3:01:10 AM - Software Distribution Service 3.0
RP476: 10/12/2009 3:00:22 AM - Software Distribution Service 3.0
RP477: 10/13/2009 3:16:16 AM - System Checkpoint
RP478: 10/14/2009 3:01:01 AM - Software Distribution Service 3.0
RP479: 10/21/2009 10:41:01 AM - Removed Microsoft Office Professional 2007 Trial
RP480: 10/22/2009 3:00:20 AM - Software Distribution Service 3.0
RP481: 10/24/2009 8:39:44 PM - System Checkpoint
RP482: 10/27/2009 12:52:59 PM - Installed Compatibility Pack for the 2007 Office system
RP483: 10/28/2009 3:00:19 AM - Software Distribution Service 3.0
RP484: 11/3/2009 4:00:25 AM - Software Distribution Service 3.0
RP485: 11/4/2009 4:00:32 AM - Software Distribution Service 3.0
RP486: 11/5/2009 4:00:17 AM - Software Distribution Service 3.0
RP487: 11/6/2009 4:42:47 AM - System Checkpoint
RP488: 11/7/2009 5:16:22 AM - System Checkpoint
RP489: 11/11/2009 3:01:30 AM - Software Distribution Service 3.0
RP490: 11/11/2009 11:53:06 AM - Installed iTunes
RP491: 11/12/2009 12:59:09 PM - FiOS Installation
RP492: 11/12/2009 2:13:24 PM - Installed Verizon FiOS Media Manager.

==== Installed Programs ======================


==== End Of File ===========================
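The HijackThis entries in the log above carry the indicators a helper reads off by eye: Run keys pointing into a Temp directory, a populated AppInit_DLLs value, a Winlogon Notify package with a .dat extension, SSODL and SharedTaskScheduler hooks into a system32 DLL with a generated-looking name, a per-interface NameServer override, and a service listed with "Unknown owner". As an added example, not code from the original post or from any of the forum's tools, the Python script below parses a constructed subset of those exact log lines and tags each with a reason code. The reason codes, the consonant-vowel name heuristic and the choice of sample lines are this example's own assumptions; a flag is a prompt to verify the file, not a verdict.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #1 above, with
# two benign avast! lines from the same log kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zojikowuj] Rundll32.exe "c:\windows\system32\hunafomo.dll",a
O4 - HKUS\S-1-5-18\..\Run: [A00F2CAF4C34.exe] C:\WINDOWS\TEMP\_A00F2CAF4C34.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{D49EF7E0-6565-4CD0-A1BB-F7DE17901A9E}: NameServer = 77.74.48.113
O20 - AppInit_DLLs: jonatipi.dll c:\windows\system32\hunafomo.dll
O20 - Winlogon Notify: __c008489C - C:\WINDOWS\system32\__c008489C.dat
O21 - SSODL: boseniwun - {a089a8e6-6732-4b58-8b79-0d92499dece1} - c:\windows\system32\hunafomo.dll
O22 - SharedTaskScheduler: jugezatag - {a089a8e6-6732-4b58-8b79-0d92499dece1} - c:\windows\system32\hunafomo.dll
O23 - Service: Application Management AppMgmtAlerter (AppMgmtAlerter) - Unknown owner - C:\WINDOWS\system32\advpackz.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <body>" / "R1 - <body>": the section code tells us which hook the entry is.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# File names, with or without a path, of the types HijackThis reports.
FILE_RE = re.compile(r'([^\\\s"/\[\],]+)\.(?:exe|dll|dat|sys|scr)\b', re.IGNORECASE)
# Value names in [brackets] and the label HijackThis prints before a CLSID.
LABEL_RE = re.compile(r"\[([^\]]+)\]|: (\S+) - \{")
# Heuristic (this example's assumption): strictly alternating consonant/vowel names of
# eight or more letters (hunafomo, jonatipi, zojikowuj) look generated, not chosen.
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,}[bcdfghjklmnpqrstvwxyz]?$")


def candidate_names(body):
    """Every file base name and label in one entry, lower-cased, extension stripped."""
    names = {m.group(1).lower() for m in FILE_RE.finditer(body)}
    for m in LABEL_RE.finditer(body):
        label = m.group(1) or m.group(2)
        names.add(label.lower().rsplit(".", 1)[0])
    return names


def classify(section, body):
    """Return the reason codes that apply to one HijackThis entry (empty if none)."""
    reasons = []
    lower = body.lower()
    if section == "O4" and "\\temp\\" in lower:
        reasons.append("temp_autorun")           # nothing legitimate persists from Temp
    if section == "O17" and "nameserver" in lower:
        reasons.append("nameserver_override")    # per-interface DNS: confirm it is the ISP's/router's
    if section == "O20" and lower.startswith("appinit_dlls:") and lower.split(":", 1)[1].strip():
        reasons.append("appinit_dlls")           # listed DLLs load into every process mapping user32.dll
    if section == "O20" and lower.startswith("winlogon notify:") and not lower.endswith(".dll"):
        reasons.append("winlogon_notify_nondll")  # a notification package is a DLL; .dat hides one
    if section == "O23" and "unknown owner" in lower:
        reasons.append("unknown_owner_service")  # no vendor string on a service binary in system32
    if any(CV_NAME_RE.match(n) for n in candidate_names(body)):
        reasons.append("cv_name")                # generated-looking file or value name
    return reasons


def triage(log_text):
    """Map each flagged HijackThis entry (stripped line) to its reason codes, in log order."""
    findings = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m.group("section"), m.group("body"))
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(", ".join(reasons).ljust(34), entry[:90])
```

Run it as a script to print the flagged entries, or import `triage()` and feed it a full log saved from HijackThis. The name heuristic deliberately demands eight or more strictly alternating letters, so a legitimate name such as notepad does not trip it; even so, every flag means "check this file" (publisher, signature, creation time) rather than "remove this file".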



#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 November 2009 - 07:29 AM

Hi,

You have posted the Attach.txt and not the actual DDS log, which I will need to see.

Can you please also run GMER

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 MiNdHaBiTs

MiNdHaBiTs

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 20 November 2009 - 11:56 AM



#4 MiNdHaBiTs

MiNdHaBiTs

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 20 November 2009 - 11:59 AM

It said the file was too big to upload. I saved it as a .txt file. ?????

#5 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 November 2009 - 03:57 PM

Hi, right-click it and zip it up, then attach it, thanks. The GMER log shouldn't be that big; make certain you have the correct boxes checked as per the image. Thanks.



#6 MiNdHaBiTs

MiNdHaBiTs

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 21 November 2009 - 10:10 PM

Hope the attachment works. My computer is getting worse.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:58 PM, on 11/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\70171723\70171723.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\Temp\_ex-08.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\KillSoft\FtpDrive\FtpDrive.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Angle Interactive\RD2010\RD2010.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70171723] C:\DOCUME~1\ALLUSE~1\APPLIC~1\70171723\70171723.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
O4 - HKLM\..\Run: [zojikowuj] Rundll32.exe "c:\windows\system32\hamohive.dll",a
O4 - HKCU\..\Run: [FtpDrive] C:\Program Files\KillSoft\FtpDrive\FtpDrive.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [A00F2CAF4C34.exe] C:\WINDOWS\TEMP\_A00F2CAF4C34.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00F2CAF4C34.exe] C:\WINDOWS\TEMP\_A00F2CAF4C34.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: RD2010.lnk = C:\Program Files\Angle Interactive\RD2010\RDAssistant.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} (IntuitRecurPayCom2009.UserControl1) - https://merchantacco...rPayCom2009.cab
O16 - DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} (QBMASSyncCom1_2009.UserControl1) - https://merchantacco...ncCom1_2009.cab
O16 - DPF: {788539E8-002D-4E59-9089-40B694A99C9A} (QBMASSyncCom2_2008.UserControl1) - https://merchantacco...ncCom2_2008.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D49EF7E0-6565-4CD0-A1BB-F7DE17901A9E}: NameServer = 77.74.48.113
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: yuzotate.dll c:\windows\system32\hamohive.dll
O20 - Winlogon Notify: __c008489C - C:\WINDOWS\system32\__c008489C.dat
O21 - SSODL: zutepijid - {0c462d09-a96c-41aa-8fb3-259419c7c734} - c:\windows\system32\hamohive.dll
O22 - SharedTaskScheduler: kupuhivus - {0c462d09-a96c-41aa-8fb3-259419c7c734} - c:\windows\system32\hamohive.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Management AppMgmtAlerter (AppMgmtAlerter) - Unknown owner - C:\WINDOWS\system32\advpackz.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 14028 bytes

Attached Files

  • Gmer.zip (55.77KB, 279 downloads)


#7 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 21 November 2009 - 11:16 PM

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it to combo.com before saving it.
Save it to your desktop. Change the save-as file type to "all files".

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#8 MiNdHaBiTs

MiNdHaBiTs

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 22 November 2009 - 01:25 AM

ComboFix 09-11-21.01 - Brad 11/21/2009 22:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1676 [GMT -8:00]
Running from: c:\documents and settings\Brad\Desktop\combo.com.exe
AV: avast! antivirus 4.8.1356 [VPS 091118-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\70171723
c:\documents and settings\All Users\Application Data\70171723\70171723.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Brad\Desktop\Security Tool.lnk
c:\documents and settings\Brad\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\LocalService\Start Menu\Programs\Security Tool.lnk
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\__c008489C.dat
c:\windows\system32\334881955.dat
c:\windows\system32\6to4v32.dll
c:\windows\system32\advpackz.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Desktop\Security Tool.lnk
c:\windows\system32\daqdrv.sys
c:\windows\system32\diposeli.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\fihiwiku.dll
c:\windows\system32\gososeyo.dll
c:\windows\system32\hamohive.dll
c:\windows\system32\hibunevo.dll
c:\windows\system32\jufonefi.dll
c:\windows\system32\litikusi.dll
c:\windows\system32\luhuwuji.dll
c:\windows\system32\nemofavo.dll
c:\windows\system32\nevihezu.dll
c:\windows\system32\nonozera.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pebumabi.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\raripizu.dll
c:\windows\system32\siteyuwu.dll
c:\windows\system32\solarizo.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wijahupu.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yuzotate.dll
c:\windows\Tasks\pqipxrid.job
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_APPMGMTALERTER
-------\Legacy_NPF
-------\Service_6to4
-------\Service_AppMgmtAlerter
-------\Service_NPF
-------\Legacy_daqdrv
-------\Service_daqdrv


((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 06:55 . 2005-08-18 09:52 93568 ----a-r- c:\windows\system32\drivers\nvata_2.sys
2009-11-22 04:05 . 2009-11-22 04:05 -------- d-----w- C:\ProgramData
2009-11-22 04:05 . 2009-11-22 04:05 -------- d-----w- c:\program files\Angle Interactive
2009-11-21 00:48 . 2009-11-21 00:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-11-20 13:04 . 2009-11-20 13:04 -------- d-----w- c:\program files\ERUNT
2009-11-20 12:43 . 2009-11-20 12:43 52736 ----a-w- C:\hruvl.exe
2009-11-20 12:42 . 2009-11-20 12:42 39936 ----a-w- C:\dxtsyxru.exe
2009-11-12 22:25 . 2009-11-12 22:25 -------- d-----w- c:\documents and settings\Brad\Application Data\Verizon
2009-11-11 20:45 . 2009-11-11 20:45 69276 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-11 19:53 . 2009-11-11 19:53 -------- d-----w- c:\program files\iPod
2009-11-11 19:53 . 2009-11-11 19:54 -------- d-----w- c:\program files\iTunes
2009-11-11 19:53 . 2009-11-11 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-11 19:50 . 2009-11-11 19:50 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Apple
2009-11-11 19:49 . 2009-11-11 19:53 -------- d-----w- c:\program files\Common Files\Apple
2009-11-11 19:49 . 2009-11-11 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-11 17:00 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-11 17:00 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-11 17:00 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-11 17:00 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-11 17:00 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-11 17:00 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-11 17:00 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-11 17:00 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-11 16:59 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-29 04:58 . 2009-10-29 04:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-27 19:52 . 2009-10-27 19:52 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 07:11 . 2009-09-10 06:47 256 ----a-w- c:\windows\system32\pool.bin
2009-11-22 07:11 . 2009-08-11 03:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-21 07:22 . 2009-08-05 10:06 2306 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-11-20 12:43 . 2009-08-11 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 08:13 . 2009-08-05 18:54 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-13 08:13 . 2009-08-05 18:54 1087240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-12 22:13 . 2009-07-31 21:25 -------- d-----w- c:\program files\Verizon
2009-11-11 20:34 . 2006-12-14 07:32 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2009-11-11 19:52 . 2008-12-04 12:00 -------- d-----w- c:\program files\Bonjour
2009-11-11 19:52 . 2006-12-27 07:07 -------- d-----w- c:\program files\QuickTime
2009-11-11 19:50 . 2006-11-22 07:39 -------- d-----w- c:\program files\Apple Software Update
2009-11-11 16:39 . 2006-11-12 11:23 87640 ----a-w- c:\documents and settings\Brad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 09:11 . 2006-12-05 21:09 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-06 08:47 . 2009-08-12 07:06 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-06 08:47 . 2009-08-12 07:06 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-06 08:47 . 2009-08-12 07:06 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-06 08:47 . 2009-08-12 07:06 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-06 08:47 . 2009-08-12 07:06 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-06 08:47 . 2009-08-12 07:06 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-06 08:47 . 2009-08-12 07:06 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-06 08:47 . 2009-08-12 07:06 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-06 08:47 . 2009-08-12 07:06 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-11-03 11:06 . 2006-11-26 09:11 -------- d-----w- c:\documents and settings\Brad\Application Data\Azureus
2009-10-27 21:54 . 2007-01-18 08:34 -------- d-----w- c:\documents and settings\Brad\Application Data\.gaim
2009-10-21 17:54 . 2009-08-01 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 17:13 . 2006-11-26 08:59 -------- d-----w- c:\program files\Azureus
2009-10-11 10:20 . 2009-10-11 10:20 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\program files\Microsoft
2009-10-09 23:34 . 2009-10-09 23:33 -------- d-----w- c:\program files\Windows Live
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-09 23:31 . 2009-10-09 23:31 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-25 22:25 . 2009-09-25 22:25 -------- d-----r- c:\documents and settings\Brad\Application Data\Brother
2009-09-25 20:13 . 2009-09-25 20:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-09-25 20:13 . 2009-09-25 20:12 -------- d-----w- c:\program files\Brother
2009-09-25 20:12 . 2006-11-08 05:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-25 20:11 . 2009-09-25 20:11 10134 ----a-r- c:\documents and settings\Brad\Application Data\Microsoft\Installer\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}\ARPPRODUCTICON.exe
2009-09-25 20:11 . 2009-09-25 20:11 -------- d-----w- c:\program files\Nuance
2009-09-25 20:10 . 2009-09-25 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-25 20:10 . 2009-09-25 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-25 20:09 . 2009-09-25 20:09 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-25 20:09 . 2006-11-08 04:53 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 20:09 . 2009-09-25 20:09 -------- d-----w- c:\program files\ScanSoft
2009-09-25 20:08 . 2009-09-25 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-09-17 19:52 . 2009-09-17 19:52 152576 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:50 . 2009-09-09 19:26 139306 ----a-w- c:\windows\hpqins00.dat
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:53 . 2009-09-01 19:43 151564 ----a-w- c:\windows\hpwins11.dat
2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 12:49 . 2009-08-21 12:49 45056 --sha-w- c:\windows\system32\hatugepe.dll
2009-08-21 00:48 . 2009-08-21 00:48 45056 --sha-w- c:\windows\system32\miyefira.dll
2009-08-21 00:50 . 2009-08-21 00:50 53760 --sha-w- c:\windows\system32\puvusino.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67f77c72-a4b1-4ea1-8556-7560a4a998b8}]
2009-08-21 00:50 53760 --sha-w- c:\windows\system32\puvusino.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FtpDrive"="c:\program files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 300653]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-07-11 1695744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-12 1519616]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-10-24 90112]

c:\documents and settings\Brad\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
RD2010.lnk - c:\program files\Angle Interactive\RD2010\RDAssistant.exe [2009-10-12 818112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-11 984352]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\gaim\\gaim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/11/2009 9:00 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/11/2009 9:00 AM 20560]
R2 MSSQL$NEBULA2K;MSSQL$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K [?]
S0 qppd06c;qppd06c;\SystemRoot\\SystemRoot\System32\drivers\qppd06c.sys --> \SystemRoot\\SystemRoot\System32\drivers\qppd06c.sys [?]
S1 08a827b9.sys;08a827b9.sys;\??\c:\windows\System32\drivers\08a827b9.sys --> c:\windows\System32\drivers\08a827b9.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/10/2009 8:13 PM 38160]
S3 SQLAgent$NEBULA2K;SQLAgent$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-11-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-11 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D49EF7E0-6565-4CD0-A1BB-F7DE17901A9E} = 77.74.48.113
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
FF - ProfilePath - c:\documents and settings\Brad\Application Data\Mozilla\Firefox\Profiles\fv9mlh44.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-70171723 - c:\docume~1\ALLUSE~1\APPLIC~1\70171723\70171723.exe
HKLM-Run-zojikowuj - c:\windows\system32\hamohive.dll
HKLM-Run-dohareyojo - jufonefi.dll
SharedTaskScheduler-{0c462d09-a96c-41aa-8fb3-259419c7c734} - c:\windows\system32\hamohive.dll
SSODL-zutepijid-{0c462d09-a96c-41aa-8fb3-259419c7c734} - c:\windows\system32\hamohive.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 23:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
@DACL=(02 0000)
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000
"InstallEvent"="1.8.0031.9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe
c:\program files\angle interactive\rd2010\rd2010.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-11-21 23:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 07:20

Pre-Run: 20,695,822,336 bytes free
Post-Run: 21,997,592,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8E6AFFC82A33C2387D020DBA77909CA7

#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 22 November 2009 - 06:53 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Collect::
C:\hruvl.exe
C:\dxtsyxru.exe
c:\windows\system32\hatugepe.dll
c:\windows\system32\miyefira.dll
c:\windows\system32\puvusino.dll
c:\windows\System32\drivers\qppd06c.sys
c:\windows\System32\drivers\08a827b9.sys
c:\windows\system32\drivers\xeixgoienbqhwbuy.sys
C:\WINDOWS\system32\jonatipi.dll
c:\windows\system32\hunafomo.dll
C:\WINDOWS\system32\bapajinu.dll

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67f77c72-a4b1-4ea1-8556-7560a4a998b8}]

Driver::
qppd06c
08a827b9.sys
xeixgoienbqhwbuy

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    c:\windows\system32\drivers\nvata_2.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Please do the same for the following two files:

C:\WINDOWS\system32\ntkrnlpa.exe
C:\WINDOWS\system32\nvapi.dll

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#10 MiNdHaBiTs

MiNdHaBiTs

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 22 November 2009 - 02:59 PM

ComboFix 09-11-21.03 - Brad 11/22/2009 11:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1338 [GMT -8:00]
Running from: c:\documents and settings\Brad\Desktop\combo.com.exe
Command switches used :: c:\documents and settings\Brad\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091118-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: C:\dxtsyxru.exe
file zipped: C:\hruvl.exe
file zipped: c:\windows\System32\drivers\qppd06c.sys
file zipped: c:\windows\system32\hatugepe.dll
file zipped: c:\windows\system32\miyefira.dll
file zipped: c:\windows\system32\puvusino.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dxtsyxru.exe
C:\hruvl.exe
c:\windows\System32\drivers\qppd06c.sys
c:\windows\system32\hatugepe.dll
c:\windows\system32\miyefira.dll
c:\windows\system32\puvusino.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_08a827b9.sys
-------\Service_qppd06c
-------\Service_xeixgoienbqhwbuy


((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 06:55 . 2005-08-18 09:52 93568 ----a-r- c:\windows\system32\drivers\nvata_2.sys
2009-11-22 04:05 . 2009-11-22 04:05 -------- d-----w- C:\ProgramData
2009-11-22 04:05 . 2009-11-22 04:05 -------- d-----w- c:\program files\Angle Interactive
2009-11-20 13:04 . 2009-11-20 13:04 -------- d-----w- c:\program files\ERUNT
2009-11-12 22:25 . 2009-11-12 22:25 -------- d-----w- c:\documents and settings\Brad\Application Data\Verizon
2009-11-11 20:45 . 2009-11-11 20:45 69276 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-11 19:53 . 2009-11-11 19:53 -------- d-----w- c:\program files\iPod
2009-11-11 19:53 . 2009-11-11 19:54 -------- d-----w- c:\program files\iTunes
2009-11-11 19:53 . 2009-11-11 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-11 19:50 . 2009-11-11 19:50 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Apple
2009-11-11 19:49 . 2009-11-11 19:53 -------- d-----w- c:\program files\Common Files\Apple
2009-11-11 19:49 . 2009-11-11 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-11 17:00 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-11 17:00 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-11 17:00 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-11 17:00 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-11 17:00 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-11 17:00 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-11 17:00 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-11 17:00 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-11 16:59 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-29 04:58 . 2009-10-29 04:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-27 19:52 . 2009-10-27 19:52 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 19:48 . 2009-09-10 06:47 256 ----a-w- c:\windows\system32\pool.bin
2009-11-22 19:48 . 2009-08-11 03:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-21 07:22 . 2009-08-05 10:06 2306 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-11-20 12:43 . 2009-08-11 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 08:13 . 2009-08-05 18:54 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-13 08:13 . 2009-08-05 18:54 1087240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-12 22:13 . 2009-07-31 21:25 -------- d-----w- c:\program files\Verizon
2009-11-11 20:34 . 2006-12-14 07:32 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2009-11-11 19:52 . 2008-12-04 12:00 -------- d-----w- c:\program files\Bonjour
2009-11-11 19:52 . 2006-12-27 07:07 -------- d-----w- c:\program files\QuickTime
2009-11-11 19:50 . 2006-11-22 07:39 -------- d-----w- c:\program files\Apple Software Update
2009-11-11 16:39 . 2006-11-12 11:23 87640 ----a-w- c:\documents and settings\Brad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 09:11 . 2006-12-05 21:09 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-06 08:47 . 2009-08-12 07:06 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-06 08:47 . 2009-08-12 07:06 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-06 08:47 . 2009-08-12 07:06 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-06 08:47 . 2009-08-12 07:06 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-06 08:47 . 2009-08-12 07:06 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-06 08:47 . 2009-08-12 07:06 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-06 08:47 . 2009-08-12 07:06 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-06 08:47 . 2009-08-12 07:06 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-06 08:47 . 2009-08-12 07:06 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-11-03 11:06 . 2006-11-26 09:11 -------- d-----w- c:\documents and settings\Brad\Application Data\Azureus
2009-10-27 21:54 . 2007-01-18 08:34 -------- d-----w- c:\documents and settings\Brad\Application Data\.gaim
2009-10-21 17:54 . 2009-08-01 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 17:13 . 2006-11-26 08:59 -------- d-----w- c:\program files\Azureus
2009-10-11 10:20 . 2009-10-11 10:20 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\program files\Microsoft
2009-10-09 23:34 . 2009-10-09 23:33 -------- d-----w- c:\program files\Windows Live
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-09 23:31 . 2009-10-09 23:31 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-25 22:25 . 2009-09-25 22:25 -------- d-----r- c:\documents and settings\Brad\Application Data\Brother
2009-09-25 20:13 . 2009-09-25 20:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-09-25 20:13 . 2009-09-25 20:12 -------- d-----w- c:\program files\Brother
2009-09-25 20:12 . 2006-11-08 05:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-25 20:11 . 2009-09-25 20:11 10134 ----a-r- c:\documents and settings\Brad\Application Data\Microsoft\Installer\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}\ARPPRODUCTICON.exe
2009-09-25 20:11 . 2009-09-25 20:11 -------- d-----w- c:\program files\Nuance
2009-09-25 20:10 . 2009-09-25 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-25 20:10 . 2009-09-25 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-25 20:09 . 2009-09-25 20:09 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-25 20:09 . 2006-11-08 04:53 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-25 20:09 . 2009-09-25 20:09 -------- d-----w- c:\program files\ScanSoft
2009-09-25 20:08 . 2009-09-25 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-09-17 19:52 . 2009-09-17 19:52 152576 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:50 . 2009-09-09 19:26 139306 ----a-w- c:\windows\hpqins00.dat
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:53 . 2009-09-01 19:43 151564 ----a-w- c:\windows\hpwins11.dat
2009-08-29 07:36 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-22_07.10.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-22 19:07 . 2009-11-22 19:07 16384 c:\windows\temp\Perflib_Perfdata_750.dat
+ 2009-11-22 19:07 . 2009-11-22 19:07 16384 c:\windows\temp\Perflib_Perfdata_118.dat
+ 2009-11-22 19:48 . 2009-11-22 19:48 610304 c:\windows\ERDNT\AutoBackup\11-22-2009\Users\00000002\UsrClass.dat
+ 2009-11-22 19:48 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\11-22-2009\ERDNT.EXE
+ 2009-11-22 19:48 . 2009-11-22 19:48 4861952 c:\windows\ERDNT\AutoBackup\11-22-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FtpDrive"="c:\program files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 300653]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-07-11 1695744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-12 1519616]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-10-24 90112]

c:\documents and settings\Brad\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
RD2010.lnk - c:\program files\Angle Interactive\RD2010\RDAssistant.exe [2009-10-12 818112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-11 984352]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2006-02-14 20:00 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\gaim\\gaim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/11/2009 9:00 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/11/2009 9:00 AM 20560]
R2 MSSQL$NEBULA2K;MSSQL$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe -sNEBULA2K [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/10/2009 8:13 PM 38160]
S3 SQLAgent$NEBULA2K;SQLAgent$NEBULA2K;c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K --> c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlagent.EXE -i NEBULA2K [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-11-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-11 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D49EF7E0-6565-4CD0-A1BB-F7DE17901A9E} = 77.74.48.113
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
FF - ProfilePath - c:\documents and settings\Brad\Application Data\Mozilla\Firefox\Profiles\fv9mlh44.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(484)
c:\windows\system32\WININET.dll
c:\program files\KillSoft\FtpDrive\FtpDrive.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL$NEBULA2K\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\angle interactive\rd2010\rd2010.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-22 11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 19:55
ComboFix2.txt 2009-11-22 07:20

Pre-Run: 21,977,546,752 bytes free
Post-Run: 21,879,468,032 bytes free

- - End Of File - - 68D3FD466636EE37E3885E8CAABCD2A2

#11 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 22 November 2009 - 03:31 PM

Hi,

Please do the following:


Reset the DNS Server

  • Go to Start > run > type in ncpa.cpl > OK to bring up the Network connections window.
  • Right click "Local Area Connection" if you are connecting to the internet by a cable or "Wireless Network Connection" if wireless. Click "Properties" to bring up the "Connection Properties" panel.
  • Highlight "Internet Protocol (TCP/IP)" and click the "Properties" button.
  • In the "Use the following DNS server addresses:" section "77.74.48.113" should be showing as the Preferred DNS server.
  • If this is the case, delete "77.74.48.113" and then select the radio button next to the "Obtain DNS server address automatically"
  • Click OK.

NEXT

The files I wanted submitted didn't submit automatically, so we need to do it manually:

Please open this link HERE in a new window.

In the box marked Link to topic where this file was requested: please paste in the following text
http://forums.whatthetech.com/pop_ups_trojans_t108391.html

Click the Browse button and navigate to C:\Qoobox\Quarantine

There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the ***'s denote the date and time stamp - yours will be close to 11/22/2009 11:01 )
Select this file and click Open
In the Largest box please put
File Requested By CatByte
Failed Submit::

Finally click SendFile

Please return here and let me know when that file has been uploaded.

Any luck with the VirSCAN scans?

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
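The DNS reset above follows from the `TCP: {D49EF7E0-...} = 77.74.48.113` line in the ComboFix log, which lists the DNS server configured on that network interface. The following is an added example, not part of this thread or of ComboFix, that pulls those per-interface entries out of a ComboFix log and flags any resolver that is neither private/loopback nor on an allowlist; the sample log lines other than the one from this thread, and the allowlist itself, are constructed.

```python
import ipaddress
import re

# Constructed sample: the real 'TCP:' line from the ComboFix log in this
# thread, plus two made-up interfaces (GUIDs invented) for contrast.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
TCP: {D49EF7E0-6565-4CD0-A1BB-F7DE17901A9E} = 77.74.48.113
TCP: {11111111-2222-3333-4444-555555555555} = 192.168.1.1
TCP: {66666666-7777-8888-9999-AAAAAAAAAAAA} = 8.8.8.8,8.8.4.4
FF - prefs.js: network.proxy.type - 4
"""

# Assumed allowlist of resolvers the user is expected to use (constructed).
TRUSTED_RESOLVERS = ["8.8.8.8", "8.8.4.4"]

# 'TCP: {interface-guid} = ip[,ip...]' as ComboFix prints it in the
# Supplementary Scan section.
TCP_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*([0-9.,\s]+)$")


def parse_dns_entries(log_text):
    """Return {interface_guid: [server, ...]} for every 'TCP:' line."""
    entries = {}
    for line in log_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        guid, servers = m.groups()
        entries[guid] = [s.strip() for s in servers.split(",") if s.strip()]
    return entries


def flag_dns_servers(entries, trusted):
    """Return {interface_guid: [suspicious servers]}.

    A server is suspicious when it is not a private or loopback address
    (a home router or local resolver) and not inside any trusted network.
    Unparsable values are flagged too, so nothing slips through silently.
    """
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    flagged = {}
    for guid, servers in entries.items():
        bad = []
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                bad.append(server)
                continue
            if ip.is_private or ip.is_loopback:
                continue
            if any(ip in net for net in trusted_nets):
                continue
            bad.append(server)
        if bad:
            flagged[guid] = bad
    return flagged


if __name__ == "__main__":
    found = parse_dns_entries(SAMPLE_LOG)
    for guid, servers in flag_dns_servers(found, TRUSTED_RESOLVERS).items():
        print("interface %s uses unexpected DNS server(s): %s"
              % (guid, ", ".join(servers)))
```

On the sample above only the interface carrying 77.74.48.113 is reported, which is the entry the instructions tell the user to remove before switching back to automatic DNS.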


#12 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 30 November 2009 - 06:21 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
