
[Closed] wowfx.dll


34 replies to this topic

#16 howcho (Authentic Member, 22 posts)

Posted 08 April 2008 - 09:41 AM

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-08 07:41:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT d346bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9F8DD08]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xB9F8DCC0]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F81A20]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F824FC]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8DE00]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwOpenFile [0xB9F81A60]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xB9F8DC84]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F8251C]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xB9F8DD56]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8D230]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89A70E40
Device \FileSystem\Rdbss \Device\FsWrap 8929D0E8
Device \Driver\atapi \Device\Ide\IdePort0 89A26518
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89A26518
Device \Driver\atapi \Device\Ide\IdePort1 89A26518
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 89A26518
Device \FileSystem\Srv \Device\LanmanServer 88B22108
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89796258
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89796258
Device \FileSystem\Npfs \Device\NamedPipe 897932D8
Device \FileSystem\Msfs \Device\Mailslot 88B63A70
Device \Driver\d346prt \Device\Scsi\d346prt1 898A5950
Device \Driver\d346prt \Device\Scsi\d346prt1Port4Path0Target0Lun0 898A5950
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 88B7B258
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 88B7B258
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 88B7B258
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 88B7B258
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 88B7B258
Device \FileSystem\Cdfs \Cdfs 88B4D5C8

---- Modules - GMER 1.0.14 ----

Module _________ B9EC6000-B9EDE000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}@DisplayName DAEMON Tools
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@appinit_dlls
Reg HKLM\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341@ProductName DAEMON Tools

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001132.exe:ext.exe 28672 bytes executable

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14205 - http://www.gmer.net
Autostart scan 2008-04-08 08:36:36
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk /p \??\E: autocheck autochk * lsdelete /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxdev.dll
NavLogon@DLLName = C:\WINDOWS\system32\NavLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
DefWatch@ = C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
Nero BackItUp Scheduler 3@ = C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
NishService@ = C:\Program Files\LG Software\System Control Manager\edd.exe
Norton AntiVirus Server@ = C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O2Flash@ = C:\WINDOWS\system32\o2flash.exe
PLFlash DeviceIoControl Service@ = C:\WINDOWS\system32\IoctlSvc.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
WinVNC4@ = "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@vptrayC:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
@sunjavaupdatesched"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
@PersistenceC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@NeroFilterCheckC:\Program Files\Common Files\Nero\Lib\NeroCheck.exe = C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
@NBKeyScan"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" = "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
@mgsysctrlC:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe = C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
@lg intelligent update"C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc = "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
@ipo3"C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe" -aUtOsTaRtFrOmReG = "C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe" -aUtOsTaRtFrOmReG
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@hotkeyscmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@MSConfigC:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto = C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@indxstoresvr_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 = "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
@haoqsrkpC:\WINDOWS\system32\mxuzadin.exe /*file not found*/ = C:\WINDOWS\system32\mxuzadin.exe /*file not found*/
@ylsrrrxgC:\WINDOWS\system32\dcredmta.exe /*file not found*/ = C:\WINDOWS\system32\dcredmta.exe /*file not found*/

HKLM\Software\Classes\.scr@ = "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Program Files\Unlocker\UnlockerCOM.dll = C:\Program Files\Unlocker\UnlockerCOM.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
@{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} /*NeroCoverEd Live Icons*/C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll = C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{DB8DC413-C0AA-11D0-9545-080009B1C2F3} /*Hummingbird Neighborhood*/ = C:\Program Files\Hummingbird\Connectivity\10.00\Hummingbird Neighborhood\heshell.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
Cover Designer@{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} = C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll
CuteFTP 8 Professional@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{100BD527-7304-4b7f-BEE2-26D97B04EBA4} = C:\Program Files\Nero\Nero8\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
CuteFTP 8 Professional@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{100BD527-7304-4b7f-BEE2-26D97B04EBA4} = C:\Program Files\Nero\Nero8\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{0dc86bc9-3d48-6eb0-0399-0421245b8d84}C:\WINDOWS\system32\izrxvaxi.dll = C:\WINDOWS\system32\izrxvaxi.dll
@{141540B8-E5F7-2873-75B8-06955486C808}C:\WINDOWS\system32\fgutkkmc.dll = C:\WINDOWS\system32\fgutkkmc.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft...p...ER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttps://registration.deere.com/SignInServlet?EM_SELECTAPPNAME=Deere&EM_REG=N&EM_FORGOT=Y&EM_USER=N&TYPE=33554433&REALMOID=06-00092531-6ace-1035-a66e-832a9f4e0000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$vshzKeURLqBhtxQVJyjBB%2bIrHrJOuDXjQf7B5HeEfjKgjrGKcgasJg%3d%3d&TARGET=$SM$http%3a%2f%2fmypathways%2edeere%2ecom%2fportal%2fservlet%2fcom%2edeere%2erc%2epathways%2eportal%2eservlets%2euser%2ePortalEntryPoint%3flanguage%3den%26country%3dUS%26gmtOffset%3d-8 = https://registration.....6gmtOffset=-8
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = ad.friesenequipment.com

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

---- EOF - GMER 1.0.14 ----


#17 howcho (Authentic Member, 22 posts)

Posted 08 April 2008 - 11:47 AM


#18 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 08 April 2008 - 01:04 PM

There's nothing to stop you deleting the contents of Norton's Quarantine file - as long as it hasn't incorrectly identified anything as malicious that isn't, they are all junk anyway.
Death to the salad eaters!

#19 howcho (Authentic Member, 22 posts)

Posted 08 April 2008 - 01:12 PM

OK, I can do that, although it seems I might have to do it in safe mode. They seem to be very reluctant to any modification. Having said that, they are all still there and renamed back to their original state. What is the next step please?

#20 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 08 April 2008 - 01:23 PM

What is the next step please?

You get to wait until I've researched every line in both logs to see if I can find out exactly what problems you have - it may take some time.
Death to the salad eaters!

#21 howcho (Authentic Member, 22 posts)

Posted 08 April 2008 - 01:31 PM

okey dokey

#22 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 08 April 2008 - 02:06 PM

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {0dc86bc9-3d48-6eb0-0399-0421245b8d84} - C:\WINDOWS\system32\izrxvaxi.dll
O2 - BHO: (no name) - {141540B8-E5F7-2873-75B8-06955486C808} - C:\WINDOWS\system32\fgutkkmc.dll

O4 - HKCU\..\Run: [haoqsrkp] C:\WINDOWS\system32\mxuzadin.exe
O4 - HKCU\..\Run: [ylsrrrxg] C:\WINDOWS\system32\dcredmta.exe


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Run the following online scan: Panda ActiveScan.
  • Please note that IE is required to run this scan.
  • You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
  • Decide whether you want to click the radio button underneath this part that says -
    "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable." - it's your choice!
  • When you are asked to "Select a device to scan...", click on "My Computer".
When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.
Death to the salad eaters!

#23 howcho

howcho

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 08 April 2008 - 04:26 PM

Going to run the Panda scan this evening as it seems that it takes a very long time to complete. Do I need to register it, as that is the only way I am prompted for any information, contrary to what you said? FYI... I did not use your link; perhaps I will, to see if it reacts differently.

Edited by howcho, 08 April 2008 - 04:26 PM.


#24 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 08 April 2008 - 04:36 PM

They've changed the site again! Try just clicking "Scan now" rather than "Register" when the two options appear and see if you can get a scan that way. I'll take a closer look at the site tomorrow when I get some more time.
Death to the salad eaters!

#25 howcho

howcho

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 09 April 2008 - 08:55 AM

;*******************************************************************************
ANALYSIS: 2008-04-09 07:20:42
PROTECTIONS: 2
MALWARE: 19
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Symantec Antivirus Corporate Edition 8.0 No Yes
Norton Antivirus Edition 7.5 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\administrator\Cookies\administrator@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jdvision\Cookies\jdvision@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\administrator\Cookies\administrator@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\administrator\Desktop\virus tools\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\administrator\Cookies\administrator@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\jdvision\Cookies\jdvision@fastclick[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\administrator\Cookies\administrator@ad.yieldmanager[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\jdvision\Cookies\jdvision@burstnet[2].txt
00252281 Adware/Trymedia Adware No 0 Yes No C:\Documents and Settings\administrator\Desktop\website\FE_Website\JDAmericanFarmer_Setup-dm.exe
00520005 Trj/Downloader.NUS Virus/Trojan No 0 Yes No C:\SDFix\backups\backups.zip[backups/d.exe]
00520005 Trj/Downloader.NUS Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001096.exe
00520005 Trj/Downloader.NUS Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001173.exe
00966454 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\LoderRunOnce.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01240456 Dialer.KLF Dialers No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynowti.exe.vir
02904369 W32/Spamta.AFT Virus/Worm No 1 Yes No C:\cwwkxwu.exe
02904369 W32/Spamta.AFT Virus/Worm No 1 Yes No C:\cguyj.exe
02909764 Adware/BHO Adware No 0 Yes No C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001139.exe
02909768 Trj/Clicker.AJU Virus/Trojan No 1 Yes No C:\WINDOWS\system32\ewml427.exe
02912550 Adware/Suurch Adware No 1 Yes No C:\System Volume Information\_restore{4F8E2999-F9EA-40B2-8B9D-F60320AB66E1}\RP2\A0001098.exe
02912550 Adware/Suurch Adware No 1 Yes No C:\SDFix\backups\backups.zip[backups/ie_updates3r.exe]
02912621 W32/Socks.B.worm Virus/Worm No 0 Yes No C:\WINDOWS\system32\ewml500.exe
02912621 W32/Socks.B.worm Virus/Worm No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spools.exe.vir
02912621 W32/Socks.B.worm Virus/Worm No 0 Yes No C:\WINDOWS\system32\ewml463.exe
02912628 Trj/Downloader.THF Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q5.exe.vir
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
96574 HIGH MS05-053
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;===============================================================================



#26 howcho

howcho

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 09 April 2008 - 09:12 AM

Logfile of HijackThis v1.99.1
Scan saved at 08:01, on 2008-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\LG Software\System Control Manager\edd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DWHWIZRD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\lg_swupdate\Gilautouc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://registration...mp;gmtOffset=-8 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [mgsysctrl] C:\Program Files\LG Software\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [lg intelligent update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [ipo3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [indxstoresvr_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://www.mikescomputershop.com
O16 - DPF: {123BBFF5-F9E4-4B0A-A75B-B545AC5AAB91} (DiagClientA Class) - https://mcpe.portal..../DiagClient.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3C9ECC99-D050-4AA2-9D9A-C0EA26252005} (DealerIdentity Class) - https://mcpe.portal....lerIdentity.CAB
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - https://ea-land.ea.c...stall/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201810158652
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.friesenequipment.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.friesenequipment.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Evil Driver Daemon (NishService) - Unknown owner - C:\Program Files\LG Software\System Control Manager\edd.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



The computer is still having some virus issues. I will get pop-ups from my Norton telling me it has found an infection via its notification tool. This usually happens during odd times such as while I might be exploring the hard drive or looking at something's properties. As far as the browser goes I do note some oddities. For one, if I do a Google search on a topic, I cannot select the URL of one of the results; the browser goes nowhere if I do so. If I copy and paste the link into my address bar it works fine; favorites also work fine. Opening the browser seems to take longer, as does the first page to load; after that most seems good. On the computer in general, I believe I note another oddity. It would seem to me that any "left clicking" with the mouse is much less responsive than any right clicking (strange one I know, might just be the mouse). As an example, if I were to click my "start" button, I might realize a 2 second delay; if I were to right click to create a new folder, it would be instantaneous.

Edited by howcho, 09 April 2008 - 09:13 AM.


#27 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 09 April 2008 - 01:42 PM

I will get pop-ups from my Norton telling me it has found an infection via its notification tool.

It would help if you posted what it was telling you and where it was finding it.

Remove any/all of the following files/folders that you can find:

Files

C:\cwwkxwu.exe
C:\cguyj.exe
C:\WINDOWS\system32\ewml427.exe
C:\WINDOWS\system32\ewml500.exe
C:\WINDOWS\system32\ewml463.exe


As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


This one could be a false positive, or not. You'll have a better idea than I as to what it is:

C:\Documents and Settings\administrator\Desktop\website\FE_Website\JDAmericanFarmer_Setup-dm.exe
Death to the salad eaters!

#28 howcho

howcho

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 09 April 2008 - 02:41 PM

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.


Pardon me?

I posted the results of the Panda scan as requested. I also posted a fresh HJT log as requested. I went on further to describe how my computer seemed to be running.

If you would rather not work with me say so, I will try another forum. I believe I did exactly as you requested.

I did not note the virus pop ups. I will take notes from here on.

#29 howcho

howcho

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 09 April 2008 - 02:46 PM

Deleted the files/folder you specified. FYI, also residing in c:/windows/system32/ are the following similar files which were left alone... ewml472.exe; ewml498.exe and ewml502.exe. The American Farmer thing would have been from the John Deere website. It should be just fine, although I have no problem if we should get rid of it.

Edited by howcho, 09 April 2008 - 02:48 PM.


#30 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 09 April 2008 - 03:32 PM

FYI, also residing in c:/windows/system32/ are the following similar files which were left alone... ewml472.exe; ewml498.exe and ewml502.exe

They can go too.

The American Farmer thing would have been from the John Deere website. It should be just fine, although I have no problem if we should get rid of it.

That can stay then.

Pardon me?

I posted the results of the Panda scan as requested. I also posted a fresh HJT log as requested. I went on further to describe how my computer seemed to be running.

If you would rather not work with me say so, I will try another forum. I believe I did exactly as you requested.

You did indeed post what I originally asked for, but telling me that Norton is finding something but not what it is finding doesn't help.
The Panda log, HJT log and description of the PC's behaviour help me to understand exactly what is happening, but telling me that Norton is detecting something, but nothing more specific, doesn't - it may be the root cause of your problems, or it may be a false positive that has no bearing on things. You need to remember that I can only see what you post and not what you see - that is down to you to detail.
Death to the salad eaters!
