WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Mrofinu, Pholmes, Vundo

Started by florentia , Apr 16 2008 09:49 PM

This topic is locked

10 replies to this topic

#1 florentia

New Member

New Member
6 posts

Posted 16 April 2008 - 09:49 PM

Hi, I've downloaded something i thought it's cracked proxyshell, scanned it with AVG before starting it (no reports) and when i tried to start it, i just got message "all done! enjoy! " . Well, i knew i got infected, and when i tried to close it, all icons disappeared and all i could do is check Windows Task Manager or reboot. There was "17pholmes1753.exe" app running and i ended it and rebooted. After that in WTM there was " Mrofinu1753.exe" app running and i ended it and turned it off in startup menu. Scanned my pc with Malware Bytes, found 22 results, tried to remove them and my pc crashed.

Logfile of HijackThis v1.99.1
Scan saved at 5:18:51, on 17.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204943577529
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

This is MalwareBytes log before i tried to remove malwares

Malwarebytes' Anti-Malware 1.11
Database version: 636

Scan type: Full Scan (C:\|)
Objects scanned: 53144
Time elapsed: 42 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxywULec.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ddcAqQIc.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80d70932-732f-4877-92d9-31a5d18c277f} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{80d70932-732f-4877-92d9-31a5d18c277f} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcaqqic (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywulec -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywulec -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xxywULec.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ceLUwyxx.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ceLUwyxx.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ddcAqQIc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\mrofinu1753.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\17PHolmes1753.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\hgGvuUOH.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\iifeeFYP.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yayvULcY.dll (Trojan.Vundo) -> No action taken.

Tnx in advance

Advertisements

Register to Remove

#2 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 17 April 2008 - 03:25 AM

Hi

Youre HijackThis is an old version. Please remove it and follow these instructions.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
If asked to install HijackThis click on Yes
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply

You too could train to help others- Join the Classroom

#3 florentia

New Member

New Member
6 posts

Posted 17 April 2008 - 07:45 AM

Tnx for answering,
I couldn't download HJT for some reason, so DSS finished scaning with clone HJT

Deckard's System Scanner v20071014.68
Run by al on 2008-04-17 15:26:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
28: 2008-04-17 13:26:45 UTC - RP123 - Deckard's System Scanner Restore Point
27: 2008-04-17 00:53:06 UTC - RP122 - Last known good configuration
26: 2008-04-17 00:52:34 UTC - RP121 - Installed Ad-Aware 2007
25: 2008-04-17 00:52:33 UTC - RP120 - System Checkpoint
24: 2008-04-17 00:52:32 UTC - RP119 - System Checkpoint

-- First Restore Point --
1: 2008-04-17 00:52:18 UTC - RP96 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 176 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-17 15:28:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\mixer.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\al\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NinjaSurfing\ProxyNew.dll
O2 - BHO: (no name) - {374B0795-2305-474B-A2CF-E353BE8EE29E} - C:\WINDOWS\system32\xxywULec.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\ddcAqQIc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204943577529
O20 - Winlogon Notify: ddcAqQIc - C:\WINDOWS\system32\ddcAqQIc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4051 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys <Not Verified; Conexant Systems Inc.; Conexant USB to Ethernet (LAN) Viking Modem>

S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_13F6&DEV_0211&SUBSYS_021113F6&REV_20\2&EBB567F&0&61
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_13F6&DEV_0211&SUBSYS_021113F6&REV_20\2&EBB567F&0&61
Service:

-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 04:20:57 0 d-------- C:\Documents and Settings\al\Application Data\Malwarebytes
2008-04-17 04:19:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 04:19:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 04:18:44 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-17 03:16:13 0 d-------- C:\WINDOWS\pss
2008-04-17 02:52:41 37888 --a------ C:\WINDOWS\system32\iifeeFYP.dll
2008-04-17 02:52:07 23971 --ahs---- C:\WINDOWS\system32\ceLUwyxx.ini2
2008-04-17 02:51:54 273408 --a------ C:\WINDOWS\system32\xxywULec.dll
2008-04-17 02:51:26 38400 --a------ C:\WINDOWS\17PHolmes1753.exe
2008-04-17 02:49:18 38400 --a------ C:\WINDOWS\mrofinu1753.exe
2008-04-17 02:49:01 37888 --a------ C:\WINDOWS\system32\yayvULcY.dll
2008-04-17 02:48:16 37888 --a------ C:\WINDOWS\system32\hgGvuUOH.dll
2008-04-17 02:46:41 37888 --a------ C:\WINDOWS\system32\ddcAqQIc.dll
2008-04-16 05:54:35 0 d-------- C:\Program Files\Lavasoft
2008-04-16 05:54:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 05:53:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 04:44:19 0 d-------- C:\Program Files\NinjaSurfing

-- Find3M Report ---------------------------------------------------------------

2008-03-08 23:27:12 2404 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-07 02:52:32 0 d-------- C:\Documents and Settings\al\Application Data\Apple Computer
2008-03-02 04:14:02 0 d-------- C:\Program Files\Soulseek

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{374B0795-2305-474B-A2CF-E353BE8EE29E}]
17.04.2008 02:52 273408 --a------ C:\WINDOWS\system32\xxywULec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]
17.04.2008 02:46 37888 --a------ C:\WINDOWS\system32\ddcAqQIc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [12.07.2002 17:33 C:\WINDOWS\mixer.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26.04.2007 09:45]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:56]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11.04.2008 14:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{63AB48C9-01A8-495C-8194-A715DB8A37A2}"= C:\WINDOWS\system32\ddcAqQIc.dll [17.04.2008 02:46 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcAqQIc]
ddcAqQIc.dll 17.04.2008 02:46 37888 C:\WINDOWS\system32\ddcAqQIc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxywULec

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ninja Surfing]
"C:\Program Files\NinjaSurfing\nsurfing.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1753.exe 61A847B5BBF72813359E3B466188719AB689201522886B092CBD44BD8689220221DD3257

-- End of Deckard's System Scanner: finished at 2008-04-17 15:31:57 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 175.49 MiB / 53.83 MiB
Pagefile Memory (total/avail): 691.54 MiB / 512.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.39 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 9.39 GiB total, 2.7 GiB free.
D: is Fixed (FAT32) - 18.54 GiB total, 11.5 GiB free.
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - QUANTUM FIREBALLlct20 30 - 27.95 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 9.4 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 18.55 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\MMC.EXE"="C:\\WINDOWS\\System32\\MMC.EXE:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\ApexDC++\\ApexDC.exe"="C:\\Program Files\\ApexDC++\\ApexDC.exe:*:Enabled:ApexDC++"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Ipref\\Ipref.exe"="C:\\Program Files\\Ipref\\Ipref.exe:*:Enabled:Ipref"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\al\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DUKE-9338258BBD
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA18
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\al
LOGONSERVER=\\DUKE-9338258BBD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0605
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\al\LOCALS~1\Temp
TMP=C:\DOCUME~1\al\LOCALS~1\Temp
USERDOMAIN=DUKE-9338258BBD
USERNAME=al
USERPROFILE=C:\Documents and Settings\al
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

al (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
ApexDC++ 0.4.0 --> C:\Program Files\ApexDC++\uninst.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1120 --> "C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\unins000.exe"
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
IE Privacy Keeper --> C:\Program Files\UnH Solutions\IE Privacy Keeper\unins000.exe
Ipref 2.71 --> "C:\Program Files\Ipref\unins000.exe"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Codec Pack 3.6.2 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MT882 --> C:\Program Files\MT882\Adsl\uninstall.exe
Ninja Surfing --> "C:\Program Files\NinjaSurfing\uninstall.exe"
NVIDIA Windows NT 4.0 Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
PCI Audio Driver --> cmuninst.exe
Sony Ericsson PC Suite --> MsiExec.exe /I{115DC143-58A1-4314-853D-FCA35D57EE8A}
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
WinASO Registry Optimizer 2.0.6 --> "C:\Program Files\WinASO\Registry Optimizer 2.0\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

-- Application Event Log -------------------------------------------------------

Event Record #/Type672 / Error
Event Submitted/Written: 04/16/2008 09:06:49 PM / 04/16/2008 09:06:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ad-aware2007.exe, version 7.0.2.7, faulting module ad-aware2007.exe, version 7.0.2.7, fault address 0x0009691a.
Processing media-specific event for [ad-aware2007.exe!ws!]

Event Record #/Type665 / Error
Event Submitted/Written: 04/16/2008 03:47:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application epsxe.exe, version 0.0.0.0, faulting module gpupetedx6d3d.dll, version 1.76.0.0, fault address 0x0000feb8.
Processing media-specific event for [epsxe.exe!ws!]

Event Record #/Type664 / Error
Event Submitted/Written: 04/16/2008 03:44:18 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application epsxe.exe, version 0.0.0.0, faulting module gpupeted3d.dll, version 1.76.0.0, fault address 0x00010498.
Processing media-specific event for [epsxe.exe!ws!]

Event Record #/Type663 / Error
Event Submitted/Written: 04/15/2008 05:41:29 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application epsxe.exe, version 0.0.0.0, faulting module gpupeted3d.dll, version 1.76.0.0, fault address 0x00010498.
Processing media-specific event for [epsxe.exe!ws!]

Event Record #/Type662 / Error
Event Submitted/Written: 04/15/2008 05:38:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application epsxe.exe, version 0.0.0.0, faulting module gpupeted3d.dll, version 1.76.0.0, fault address 0x00010498.
Processing media-specific event for [epsxe.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type8890 / Warning
Event Submitted/Written: 04/17/2008 03:22:56 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{413CFEE7-BE2A-497A-B33B-4043498DF1C7}.

Event Record #/Type8889 / Warning
Event Submitted/Written: 04/17/2008 03:22:54 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0018027C3C08. The IP address being used is 169.254.90.63.

Event Record #/Type8888 / Warning
Event Submitted/Written: 04/17/2008 03:22:44 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0018027C3C08. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type8870 / Error
Event Submitted/Written: 04/17/2008 03:19:34 PM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The AVG Anti-Spyware Guard service hung on starting.

Event Record #/Type8850 / Error
Event Submitted/Written: 04/17/2008 05:18:07 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The AVG Anti-Spyware Guard service hung on starting.

-- End of Deckard's System Scanner: finished at 2008-04-17 15:31:57 ------------

#4 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 17 April 2008 - 08:43 AM

That's cool. Just post a DSS log instead. (Without the Extra.txt)

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix

Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

Save it to your Desktop.
Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  
  + Extended(If available otherwise Standard)
- Scan Options:
  
  + Scan Archives
  + Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet.Re-enable the anti-virus before reconnecting to the Internet.

In your next reply post:
ComboFix.txt
Kaspersky report
New DSS log taken after the above scan has run

Edited by Scotty, 17 April 2008 - 08:43 AM.

You too could train to help others- Join the Classroom

#5 florentia

New Member

New Member
6 posts

Posted 17 April 2008 - 03:02 PM

Here it is :

ComboFix 08-04-16.5 - al 2008-04-17 18:03:36.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.50 [GMT 2:00]
Running from: C:\Documents and Settings\al\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\al\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\17PHolmes1753.exe
C:\WINDOWS\mrofinu1753.exe
C:\WINDOWS\mrofinu1753.exe.tmp
C:\WINDOWS\system32\ceLUwyxx.ini
C:\WINDOWS\system32\ceLUwyxx.ini2
C:\WINDOWS\system32\ddcAqQIc.dll
C:\WINDOWS\system32\hgGvuUOH.dll
C:\WINDOWS\system32\iifeeFYP.dll
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\xxywULec.dll
C:\WINDOWS\system32\yayvULcY.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 15:26 . 2008-04-17 15:26 <DIR> d-------- C:\Deckard
2008-04-17 04:20 . 2008-04-17 04:20 <DIR> d-------- C:\Documents and Settings\al\Application Data\Malwarebytes
2008-04-17 04:19 . 2008-04-17 04:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 04:19 . 2008-04-17 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 04:18 . 2008-04-17 04:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-16 05:54 . 2008-04-16 05:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-16 05:54 . 2008-04-16 05:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 05:53 . 2008-04-16 05:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 04:44 . 2008-04-15 04:44 <DIR> d-------- C:\Program Files\NinjaSurfing
2008-04-15 04:44 . 2008-04-15 04:44 125 --a------ C:\ioSpecial.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 21:54 90,112 ----a-w C:\WINDOWS\DUMP4e96.tmp
2008-03-07 00:52 --------- d-----w C:\Documents and Settings\al\Application Data\Apple Computer
2008-03-06 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-02 02:14 --------- d-----w C:\Program Files\Soulseek
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 14:57 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-07-12 17:33 1581056 C:\WINDOWS\mixer.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-04-26 09:45 401408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcAqQIc]
ddcAqQIc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ninja Surfing]
--a------ 2007-06-19 16:02 958535 C:\Program Files\NinjaSurfing\nsurfing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1753.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\MMC.EXE"=
"C:\\Program Files\\ApexDC++\\ApexDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Ipref\\Ipref.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-03-20 08:32]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-02-17 21:34]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-02-17 21:34]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 21:34]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-02-17 21:34]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 18:17:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\File Manager\SendToDevice.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
.
**************************************************************************
.
Completion time: 2008-04-17 18:23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-17 16:22:50

Pre-Run: 2,815,139,840 bytes free
Post-Run: 2,736,308,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 17, 2008 10:43:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/04/2008
Kaspersky Anti-Virus database records: 712584
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 32181
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 03:32:51

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\al\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\al\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\al\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\al\Local Settings\History\History.IE5\MSHist012008041720080418\index.dat Object is locked skipped
C:\Documents and Settings\al\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\al\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\al\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\al\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\al\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\al\My Documents\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\al\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\al\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
C:\Documents and Settings\al\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\al\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
C:\Documents and Settings\al\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
C:\Documents and Settings\al\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP122\A0080225.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\A0080259.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\A0080260.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\A0080261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\A0080262.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcAqQIc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGvuUOH.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iifeeFYP.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayvULcY.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nnp skipped
D:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\change.log Object is locked skipped

Scan process completed.

Deckard's System Scanner v20071014.68
Run by al on 2008-04-17 22:48:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 176 MiB (512 MiB recommended).

-- HijackThis (run as al.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:07, on 17.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\al\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\al.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NinjaSurfing\ProxyNew.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204943577529
O20 - Winlogon Notify: ddcAqQIc - ddcAqQIc.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4180 bytes

-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 22:48:46 0 d-------- C:\Program Files\Trend Micro
2008-04-17 18:35:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-17 18:35:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-17 18:35:23 0 d-------- C:\WINDOWS\LastGood
2008-04-17 18:03:02 0 d-------- C:\cmdcons
2008-04-17 17:57:19 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-17 17:57:18 68096 --a------ C:\WINDOWS\zip.exe
2008-04-17 17:57:18 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-17 17:57:18 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-17 17:57:18 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-17 17:57:18 98816 --a------ C:\WINDOWS\sed.exe
2008-04-17 17:57:18 80412 --a------ C:\WINDOWS\grep.exe
2008-04-17 17:57:18 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-17 17:38:29 0 d-------- C:\WINDOWS\setup.pss
2008-04-17 04:20:57 0 d-------- C:\Documents and Settings\al\Application Data\Malwarebytes
2008-04-17 04:19:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 04:19:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 04:18:44 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-17 03:16:13 0 d-------- C:\WINDOWS\pss
2008-04-16 05:54:35 0 d-------- C:\Program Files\Lavasoft
2008-04-16 05:54:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 05:53:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 04:44:19 0 d-------- C:\Program Files\NinjaSurfing

-- Find3M Report ---------------------------------------------------------------

2008-03-08 23:27:12 2404 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-07 02:52:32 0 d-------- C:\Documents and Settings\al\Application Data\Apple Computer
2008-03-02 04:14:02 0 d-------- C:\Program Files\Soulseek

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [12.07.2002 17:33 C:\WINDOWS\mixer.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26.04.2007 09:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:56]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11.04.2008 14:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcAqQIc]
ddcAqQIc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ninja Surfing]
"C:\Program Files\NinjaSurfing\nsurfing.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1753.exe 61A847B5BBF72813359E3B466188719AB689201522886B092CBD44BD8689220221DD3257

-- End of Deckard's System Scanner: finished at 2008-04-17 22:50:31 ------------

#6 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 17 April 2008 - 03:20 PM

Hi

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\Program Files\Ipref\Ipref.exe
Click Submit.
Please post the results of this scan to this thread.

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\WINDOWS\DUMP4e96.tmp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcAqQIc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

Open MBAM, make sure it is up to date then perform a Full Scan and post the resultant log.

In your next reply post:
Jotti results
ComboFix.txt
MBAM log
New HijackThis log taken after the above scans have run

You too could train to help others- Join the Classroom

#7 florentia

New Member

New Member
6 posts

Posted 17 April 2008 - 04:38 PM

Jotti log :

Scan taken on 17 Apr 2008 21:37:08 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

ComboFix 08-04-16.5 - al 2008-04-17 23:46:56.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT 2:00]
Running from: C:\Documents and Settings\al\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\al\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\DUMP4e96.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\DUMP4e96.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 22:48 . 2008-04-17 22:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 18:35 . 2008-04-17 18:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-17 18:35 . 2008-04-17 18:35 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-17 18:35 . 2008-04-17 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-17 15:26 . 2008-04-17 15:26 <DIR> d-------- C:\Deckard
2008-04-17 04:20 . 2008-04-17 04:20 <DIR> d-------- C:\Documents and Settings\al\Application Data\Malwarebytes
2008-04-17 04:19 . 2008-04-17 04:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-17 04:19 . 2008-04-17 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 04:18 . 2008-04-17 04:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-16 05:54 . 2008-04-16 05:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-16 05:54 . 2008-04-16 05:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 05:53 . 2008-04-16 05:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 04:44 . 2008-04-15 04:44 <DIR> d-------- C:\Program Files\NinjaSurfing
2008-04-15 04:44 . 2008-04-15 04:44 125 --a------ C:\ioSpecial.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 00:52 --------- d-----w C:\Documents and Settings\al\Application Data\Apple Computer
2008-03-06 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-02 02:14 --------- d-----w C:\Program Files\Soulseek
.

((((((((((((((((((((((((((((( snapshot@2008-04-17_18.20.47.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 16:16:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 21:52:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 14:57 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-07-12 17:33 1581056 C:\WINDOWS\mixer.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-04-26 09:45 401408]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ninja Surfing]
--a------ 2007-06-19 16:02 958535 C:\Program Files\NinjaSurfing\nsurfing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\MMC.EXE"=
"C:\\Program Files\\ApexDC++\\ApexDC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Ipref\\Ipref.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-03-20 08:32]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-02-17 21:34]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-02-17 21:34]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 21:34]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-02-17 21:34]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 23:53:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\File Manager\SendToDevice.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
.
**************************************************************************
.
Completion time: 2008-04-17 23:59:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-17 21:59:10
ComboFix2.txt 2008-04-17 16:23:14

Pre-Run: 2,690,088,960 bytes free
Post-Run: 2,679,078,912 bytes free

Malwarebytes' Anti-Malware 1.11
Database version: 642

Scan type: Quick Scan
Objects scanned: 30410
Time elapsed: 19 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:30:01, on 18.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NinjaSurfing\ProxyNew.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204943577529
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4121 bytes

#8 florentia

New Member

New Member
6 posts

Posted 17 April 2008 - 07:31 PM

I'm terrible sorry, i just realized that i did quick instead of full scan with MBAM Here's the log after full scan Malwarebytes' Anti-Malware 1.11 Database version: 642 Scan type: Full Scan (C:\|D:\|) Objects scanned: 54547 Time elapsed: 52 minute(s), 26 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP121\A0078163.exe (Trojan.Downloader) -> No action taken. C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\A0080257.exe (Trojan.Downloader) -> No action taken. C:\System Volume Information\_restore{1AF4712D-2BDA-496E-9064-CBC0F4A2B89A}\RP124\A0080258.exe (Trojan.Downloader) -> No action taken. C:\QooBox\Quarantine\C\WINDOWS\mrofinu1753.exe.tmp.vir (Trojan.Downloader) -> No action taken. C:\QooBox\Quarantine\C\WINDOWS\mrofinu1753.exe.vir (Trojan.Downloader) -> No action taken. C:\QooBox\Quarantine\C\WINDOWS\17PHolmes1753.exe.vir (Trojan.Downloader) -> No action taken.

#9 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 18 April 2008 - 04:33 AM

Congratulations, you appear to be malware free. :woot:

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.

Close any programmes you may have running, ESPECIALLY your web browser
Click Start > Control Panel.
Click Add/Remove Programs.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.

Then download the latest version of Java Runtime Environment (JRE) (5th one down the list), which is JRE6u6, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.
There is no need to download the Sun Dowload manager but it is optional.

Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid for version offers real-time protection

Here is another free program I recommend.

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malware...wtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

You too could train to help others- Join the Classroom

#10 florentia

New Member

New Member
6 posts

Posted 18 April 2008 - 08:36 AM

Thank you very much :notworthy:

You can close this thread now, problem resolved :thumbup:

Tnx again and bye.

#11 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 18 April 2008 - 08:37 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

You too could train to help others- Join the Classroom

Body Background

skin color theme