Win32/Rootkit.Agent.ODG trojan [Closed]


#1 nicolecolgate (Member, 74 posts)
Hi,

ESET has detected Win32/Rootkit.Agent.ODG trojan and is unable to clean it. What should I do? Please help :/
Greatly appreciated.

In addition, Google search is messed up. When I do a search in Google and click on any of the links, it redirects me to a new page (advertisement thing). Also the font in Google is larger than normal. Advice?

Thank you very much
  • 0

#2 BHowett (OT Moderator, 4,649 posts)
Hello nicolecolgate, and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

Please start with the Malware and Spyware Cleaning Guide.
This will give you a few preparations to make, as well as instructions for posting your OTListIt log.

Thanks,
  • 0

#3 nicolecolgate (Topic Starter, Member, 74 posts)
Thanks a lot.
Will this process delete contents on my computer?
I cannot complete the System Restore Point. It says: Single Click System Restore Point has encountered a problem and needs to close. Sorry for the inconvenience.
?
  • 0

#4 nicolecolgate (Topic Starter, Member, 74 posts)
Hi,
Also Malwarebytes' Anti-Malware won't run. I think it has something to do with this:
Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.
I renamed it and it still will not launch.
What do I do?
Thanks

Edited by nicolecolgate, 31 May 2009 - 01:26 PM.

  • 0

#5 BHowett (OT Moderator, 4,649 posts)
Hi nicolecolgate,

I'm not sure why MBAM isn't running, and don't worry about the restore point; we will take care of that after we get you clean.

Let's try this...

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • 0

#6 nicolecolgate (Topic Starter, Member, 74 posts)
Someone suggested GMER (http://www.gmer.net/) in order to remove it. I would have to disable and delete all the RED lines (the trojan).
Is this safe?
Should I do this?
Thanks
  • 0

#7 BHowett (OT Moderator, 4,649 posts)

Someone suggested GMER (http://www.gmer.net/) in order to remove it. I would have to disable and delete all the RED lines (the trojan).
Is this safe?
Should I do this?
Thanks


Please do not run anything unless I give you instructions to, so please follow my above post :)
  • 0

#8 nicolecolgate (Topic Starter, Member, 74 posts)
Hi,
When I try to run combofix it says:
Windows cannot find the copy 'grpconv.' Make sure you typed the name correctly. etc...

What do I do?
Thanks
  • 0

#9 BHowett (OT Moderator, 4,649 posts)
Hi

When you followed the cleaning guide, were you able to get OTListIt to run?

delete your copy of combofix and do the following....

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

  • 0

#10 nicolecolgate (Topic Starter, Member, 74 posts)
Hi
I followed your directions exactly
It is giving me the same response
Windows cannot find the copy 'grpconv.' Make sure you typed the name correctly. To search... use the Start button.... etc
??
  • 0

#11 BHowett (OT Moderator, 4,649 posts)
When you followed the cleaning guide, were you able to get OTListIt to run?
  • 0

#12 nicolecolgate (Topic Starter, Member, 74 posts)
ComboFix 09-05-31.02 - Jonathan 05/31/2009 17:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.278 [GMT -4:00]
Running from: c:\documents and settings\Jonathan\Desktop\asdfasdf.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jonathan\Application Data\wiaserva.log
c:\windows\secure32.html
c:\windows\system32\drivers\UACmovmpptxjknskbg.sys
c:\windows\system32\Ijl11.dll
c:\windows\system32\mt_32.dll
c:\windows\system32\UACalvktlscigqhbvk.log
c:\windows\system32\UACdorqqbobydyenxf.dll
c:\windows\system32\UACebfivmmkyrubaqr.dll
c:\windows\system32\UACicjkcxetoiyfwnm.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClndylmlhyvuexix.log
c:\windows\system32\UACnuypawmrahrfmhr.dll
c:\windows\system32\UACqbuoxihhrvrvmlk.log
c:\windows\system32\UACubpqjwybelhtfxl.dll
c:\windows\system32\UACxdpqqtvoaitutwx.dat
c:\windows\system32\winload.dll
c:\windows\wiaserviv.log
c:\windows\wiaservv.log

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NEW_DRV
-------\Legacy_POWERMANAGER
-------\Service_PowerManager


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 21:33 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-05-31 21:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-05-31 21:32 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-05-31 21:32 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-05-31 21:28 . 2009-05-31 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-05-31 21:03 . 2009-05-31 21:03 -------- d-s---w- C:\Fix
2009-05-31 20:20 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-31 20:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-31 20:20 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-31 20:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-31 20:20 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-31 20:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-31 20:20 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-31 20:20 . 2009-05-31 20:20 -------- d-----w- C:\f208deba2dd5db1598f089
2009-05-31 19:58 . 2009-05-31 19:58 -------- d-----w- C:\0961f79dca5789add98e
2009-05-31 19:58 . 2009-05-31 20:11 -------- d-----w- C:\7eea246ccaf425cf58414f34c54159
2009-05-31 17:52 . 2009-05-31 17:52 -------- d-----w- c:\program files\ERUNT
2009-05-31 00:06 . 2009-05-31 00:06 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\ESET
2009-05-30 23:58 . 2009-05-30 23:58 -------- d-----w- c:\documents and settings\Jonathan\Application Data\ESET
2009-05-30 23:56 . 2009-05-30 23:56 -------- d-----w- c:\program files\ESET
2009-05-30 23:56 . 2009-05-30 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-05-30 23:27 . 2009-05-30 23:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-30 23:05 . 2009-05-31 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-30 23:05 . 2009-05-30 23:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-30 23:00 . 2009-05-30 23:02 -------- d-----w- c:\program files\Symantec Endpoint Protection
2009-05-27 17:38 . 2009-05-27 17:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 13:15 . 2009-05-27 13:15 -------- d-sh--w- c:\documents and settings\Jonathan\IECompatCache
2009-05-27 13:15 . 2009-05-27 13:15 -------- d-sh--w- c:\documents and settings\Jonathan\PrivacIE
2009-05-27 13:11 . 2009-05-27 13:11 -------- d-sh--w- c:\documents and settings\Jonathan\IETldCache
2009-05-27 13:00 . 2009-05-27 13:00 -------- d-----w- c:\windows\ie8updates
2009-05-27 12:54 . 2009-05-27 12:57 -------- dc-h--w- c:\windows\ie8
2009-05-27 12:51 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-27 04:15 . 2009-05-27 04:15 -------- d-----w- c:\windows\system32\scripting
2009-05-27 04:15 . 2009-05-27 04:15 -------- d-----w- c:\windows\l2schemas
2009-05-27 04:15 . 2009-05-27 04:15 -------- d-----w- c:\windows\system32\en
2009-05-21 20:32 . 2009-05-21 20:32 3584 ----a-w- c:\windows\system32\fdclient.dll
2009-05-21 20:32 . 2009-05-21 20:32 5632 ----a-w- c:\windows\system32\ptco.dll
2009-05-21 20:32 . 2009-05-21 20:32 7680 ----a-w- c:\windows\system32\protect.dll
2009-05-21 20:32 . 2009-05-21 20:31 3072 ----a-w- c:\windows\system32\pxcrt.dll
2009-05-21 20:31 . 2009-05-25 22:54 7686 ----a-w- c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\mt_32.dll
2009-05-21 20:31 . 2009-05-25 22:53 10752 ----a-w- c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\browserui.dll
2009-05-21 20:31 . 2009-05-21 20:30 13824 ----a-w- c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\winload.dll
2009-05-21 20:31 . 2009-05-25 22:54 19968 ----a-w- c:\windows\system32\mshtmllib.dll
2009-05-21 20:31 . 2009-05-25 22:54 7686 ----a-w- c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll
2009-05-21 20:31 . 2009-05-25 22:53 10752 ----a-w- c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\browserui.dll
2009-05-21 20:31 . 2009-05-21 20:30 13824 ----a-w- c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\winload.dll
2009-05-21 20:30 . 2009-05-21 20:30 4096 ----a-w- c:\windows\system32\clfsw.dll
2009-05-21 20:30 . 2009-05-21 20:30 6144 ----a-w- c:\windows\system32\mscert.dll
2009-05-21 20:30 . 2009-05-25 22:53 10752 ----a-w- c:\windows\system32\browserui.dll
2009-05-18 22:04 . 2009-05-18 22:04 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2009-05-18 22:04 . 2009-05-18 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-14 19:49 . 2009-05-14 19:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 19:49 . 2009-05-14 19:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 19:49 . 2009-05-14 19:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-09 13:43 . 2009-05-09 13:43 0 ----a-w- c:\windows\Hvevacikofegi.binHvevacikofegi.bin
2009-05-02 15:35 . 2009-05-02 15:35 152576 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-02 01:06 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-02 01:06 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-02 01:04 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-02 01:04 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-02 01:04 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-02 01:04 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-02 01:04 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-02 01:04 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-02 01:04 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-02 01:04 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-02 01:04 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-02 01:04 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-02 01:04 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-02 01:04 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 21:34 . 2005-01-11 01:24 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
2009-05-31 21:34 . 2005-01-11 01:24 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
2009-05-31 20:42 . 2006-03-16 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-05-31 02:05 . 2005-01-10 23:43 -------- d-----w- c:\program files\McAfee.com
2009-05-31 02:05 . 2005-03-25 03:11 -------- d-----w- c:\program files\McAfee
2009-05-31 00:06 . 2008-10-13 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\qncvsrsp
2009-05-30 23:53 . 2005-01-10 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-30 22:59 . 2005-03-08 20:58 -------- d-----w- c:\program files\Azureus
2009-05-27 04:32 . 2005-01-10 22:04 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-27 04:10 . 2005-01-10 22:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 04:40 . 2009-04-08 18:16 0 ----a-w- c:\windows\Hvevacikofegi.bin
2009-04-14 01:33 . 2009-04-08 18:16 408 ----a-w- c:\windows\Tqewoyiviyi.dat
2009-03-08 08:34 . 2004-08-24 00:32 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2002-09-03 16:39 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2002-09-03 16:29 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2002-09-03 17:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2002-09-03 16:26 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2002-09-03 16:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2002-09-03 16:35 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2002-09-03 16:44 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2002-09-03 16:44 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2002-09-03 16:45 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2002-09-03 16:51 284160 ----a-w- c:\windows\system32\pdh.dll
2004-03-01 18:25 . 2005-11-14 03:37 114688 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
2008-04-07 06:59 . 2008-06-06 23:15 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-06-06 23:15 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-06-06 23:15 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-06-06 23:15 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-06-06 23:15 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-01-26 02:51 . 2005-01-26 02:51 56 --sh--r- c:\windows\system32\8B53FBBF74.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-10-31 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-19 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

c:\documents and settings\Jonathan\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-7-17 118784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT
backup=c:\windows\pss\NTUSER.DATStartup

[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=c:\windows\pss\ntuser.dat.LOGStartup

[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=c:\windows\pss\ntuser.iniStartup

[HKLM\~\startupfolder\^resetlog.txt]
path=\resetlog.txt
backup=c:\windows\pss\resetlog.txtStartup

[HKLM\~\startupfolder\^test4]
path=\test4
backup=c:\windows\pss\test4Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45543:TCP"= 45543:TCP:PORT_45543
"62551:TCP"= 62551:TCP:PORT_62551
"54668:TCP"= 54668:TCP:PORT_54668
"12183:TCP"= 12183:TCP:PORT_12183
"17883:TCP"= 17883:TCP:PORT_17883
"21502:TCP"= 21502:TCP:PORT_21502
"13751:TCP"= 13751:TCP:PORT_13751
"57774:TCP"= 57774:TCP:PORT_57774
"35488:TCP"= 35488:TCP:PORT_35488
"21806:TCP"= 21806:TCP:PORT_21806
"62478:TCP"= 62478:TCP:PORT_62478
"25030:TCP"= 25030:TCP:PORT_25030
"53691:TCP"= 53691:TCP:PORT_53691
"53430:TCP"= 53430:TCP:PORT_53430
"36645:TCP"= 36645:TCP:PORT_36645
"60184:TCP"= 60184:TCP:PORT_60184
"31274:TCP"= 31274:TCP:PORT_31274
"47594:TCP"= 47594:TCP:PORT_47594
"58103:TCP"= 58103:TCP:PORT_58103
"35801:TCP"= 35801:TCP:PORT_35801
"60744:TCP"= 60744:TCP:PORT_60744
"31100:TCP"= 31100:TCP:PORT_31100
"9067:TCP"= 9067:TCP:PORT_9067
"11418:TCP"= 11418:TCP:PORT_11418
"31328:TCP"= 31328:TCP:PORT_31328
"29590:TCP"= 29590:TCP:PORT_29590
"57756:TCP"= 57756:TCP:PORT_57756
"53434:TCP"= 53434:TCP:PORT_53434
"23305:TCP"= 23305:TCP:PORT_23305
"40219:TCP"= 40219:TCP:PORT_40219
"15000:TCP"= 15000:TCP:PORT_15000
"17009:TCP"= 17009:TCP:PORT_17009
"38024:TCP"= 38024:TCP:PORT_38024
"23673:TCP"= 23673:TCP:PORT_23673
"10852:TCP"= 10852:TCP:PORT_10852
"22285:TCP"= 22285:TCP:PORT_22285
"54351:TCP"= 54351:TCP:PORT_54351

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 11:23 PM 64160]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:24 PM 24652]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
SharedTaskScheduler-{3229DFCD-3EAF-4712-ED45-4876FEDC170C} - c:\windows\system32\winload.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 168.12.41.1:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.149.71.48/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\i7mnzlag.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\FFLocal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2196)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\ESPNRunTime\DIGServices.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2009-05-31 17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-31 21:40

Pre-Run: 4,541,079,552 bytes free
Post-Run: 4,552,613,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

338 --- E O F --- 2009-05-31 20:33
  • 0
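The log above is what the helper reads by hand, and the entries that carry the diagnosis are scattered across sections: the "UAC" + random-letters files under system32, the DLLs dropped in the user's Application Data and Firefox profile, the Security Center and firewall values set to silence alerts, the long GloballyOpenPorts list, and the proxy set in the user's Internet Settings. As an added example (not code from the thread, from ComboFix, or from Geeks to Go), the Python below encodes those same checks as a small triage pass over a constructed sample in the log's own line format. The rule names, the 10-port threshold and the "uac followed by at least ten letters" pattern are the example's own assumptions, chosen from what this one log shows.

```python
"""Triage checks over a ComboFix-style log. Added example, not ComboFix's or the
thread's own code; SAMPLE_LOG is constructed from line formats in the thread's log.
The checks encode what a responder looks for when reading such a log by hand."""
import re

SECTION_HEADER = re.compile(r"^[-( ]+(.*?)[-) ]+$")  # "(((( Other Deletions ))))", "--- Supplementary Scan ---"
CREATED_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d \S+ \S+ (.+)$")  # created . modified size attrs path
RANDOM_NAME = re.compile(r"\\uac[a-z]{10,}\.(sys|dll|dat|log)$")  # fixed prefix + long run of random letters (assumed pattern)


def split_sections(log):
    """Group non-empty log lines under the banner line that precedes them."""
    sections, current = {"preamble": []}, "preamble"
    for line in log.splitlines():
        m = SECTION_HEADER.match(line)
        if m and m.group(1).strip():
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def dropped_binaries(sections):
    """Random-named system files and DLLs under Application Data, from the
    'Other Deletions' and 'Files Created' sections; installers do not put
    system libraries in a user profile, so the second pattern is worth a look."""
    names = ["Other Deletions"] + [s for s in sections if s.startswith("Files Created")]
    findings = []
    for name in names:
        for line in sections.get(name, []):
            m = CREATED_LINE.match(line)          # 'Files Created' rows carry a path column
            path = (m.group(1) if m else line).lower()
            if RANDOM_NAME.search(path):
                findings.append(("random-named-file", path))
            elif "\\application data\\" in path and path.endswith(".dll"):
                findings.append(("dll-in-user-profile", path))
    return findings


def protection_tampering(sections):
    """Registry values that silence Security Center alerts or disable the firewall."""
    findings, key = [], ""
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("["):                 # key header, e.g. [HKLM\...\security center]
            key = line.strip("[]").lower()
        elif "security center" in key and re.search(r'disable\w*"=dword:0*1$', line, re.I):
            findings.append(("security-center-alerting-disabled", f"{key} {line}"))
        elif key.endswith("firewallpolicy\\standardprofile") and re.match(r'"enablefirewall"=\s*0\b', line, re.I):
            findings.append(("firewall-disabled", line))
    return findings


def open_port_count(sections):
    """Number of GloballyOpenPorts entries; a few are normal, dozens are not."""
    return sum(1 for line in sections.get("Reg Loading Points", []) if re.match(r'"\d+:(TCP|UDP)"=', line))


def user_proxy(sections):
    """Proxy configured in the user's Internet Settings, or None."""
    hits = [re.match(r"uInternet Settings,ProxyServer = (\S+)", ln) for ln in sections.get("Supplementary Scan", [])]
    return next((m.group(1) for m in hits if m), None)


def triage(log, port_threshold=10):
    """Run every check and return (rule, detail) findings for a human to review."""
    sections = split_sections(log)
    findings = dropped_binaries(sections) + protection_tampering(sections)
    ports = open_port_count(sections)
    if ports > port_threshold:
        findings.append(("many-globally-open-ports", str(ports)))
    proxy = user_proxy(sections)
    if proxy:
        findings.append(("user-proxy-set", proxy))
    return findings


# Constructed sample in the thread's log format: a few representative entries, not the full log.
SAMPLE_LOG = r"""
(((((((((((((((( Other Deletions ))))))))))))))))
c:\windows\system32\drivers\UACmovmpptxjknskbg.sys
c:\windows\system32\UACdorqqbobydyenxf.dll
c:\windows\system32\uacinit.dll
((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))
2009-05-21 20:31 . 2009-05-25 22:54 7686 ----a-w- c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\mt_32.dll
2009-05-21 20:31 . 2009-05-21 20:30 13824 ----a-w- c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\winload.dll
2009-05-14 19:49 . 2009-05-14 19:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
(((((((((((((((( Reg Loading Points ))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45543:TCP"= 45543:TCP:PORT_45543
"62551:TCP"= 62551:TCP:PORT_62551
"54668:TCP"= 54668:TCP:PORT_54668
------- Supplementary Scan -------
uInternet Settings,ProxyServer = 168.12.41.1:80
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:36} {detail}")
```

Every finding is a prompt for a person, not a verdict: a proxy or a handful of open ports can be legitimate, which is why the port check is a threshold and the proxy check only reports the value. The DLL-in-profile rule is the one that pays off in this thread: the entries it flags are exactly the files the helper lists in the CFScript in the next reply.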

#13 BHowett (OT Moderator, 4,649 posts)
Hi nicolecolgate,

Please do the following:

Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\fdclient.dll
c:\windows\system32\ptco.dll
c:\windows\system32\protect.dll
c:\windows\system32\pxcrt.dll
c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\mt_32.dll
c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\browserui.dll
c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\winload.dll
c:\windows\system32\mshtmllib.dll
c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll
c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\browserui.dll
c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\winload.dll
c:\windows\system32\clfsw.dll
c:\windows\system32\mscert.dll
c:\windows\system32\browserui.dll
c:\windows\Hvevacikofegi.binHvevacikofegi.bin
c:\windows\Hvevacikofegi.bin
c:\windows\Tqewoyiviyi.dat


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================

After that please try to run MBAM again and post the logs when you're done. Also let me know how things are running now :)
  • 0

#14 nicolecolgate (Topic Starter, Member, 74 posts)
ComboFix 09-05-31.02 - Jonathan 05/31/2009 23:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.204 [GMT -4:00]
Running from: c:\documents and settings\Jonathan\Desktop\asdfasdf.exe
Command switches used :: c:\documents and settings\Jonathan\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\browserui.dll"
"c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\mt_32.dll"
"c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\winload.dll"
"c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\browserui.dll"
"c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll"
"c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\winload.dll"
"c:\windows\Hvevacikofegi.bin"
"c:\windows\Hvevacikofegi.binHvevacikofegi.bin"
"c:\windows\system32\browserui.dll"
"c:\windows\system32\clfsw.dll"
"c:\windows\system32\fdclient.dll"
"c:\windows\system32\mscert.dll"
"c:\windows\system32\mshtmllib.dll"
"c:\windows\system32\protect.dll"
"c:\windows\system32\ptco.dll"
"c:\windows\system32\pxcrt.dll"
"c:\windows\Tqewoyiviyi.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\browserui.dll
c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\mt_32.dll
c:\documents and settings\Jonathan\Application Data\Microsoft\SystemBackup\winload.dll
c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\browserui.dll
c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll
c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\main\winload.dll
c:\windows\Hvevacikofegi.bin
c:\windows\Hvevacikofegi.binHvevacikofegi.bin
c:\windows\system32\browserui.dll
c:\windows\system32\clfsw.dll
c:\windows\system32\fdclient.dll
c:\windows\system32\mscert.dll
c:\windows\system32\mshtmllib.dll
c:\windows\system32\protect.dll
c:\windows\system32\ptco.dll
c:\windows\system32\pxcrt.dll
c:\windows\Tqewoyiviyi.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-05-31 21:33 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-05-31 21:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-05-31 21:32 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-05-31 21:32 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-05-31 21:28 . 2009-05-31 21:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-05-31 21:03 . 2009-05-31 21:03 -------- d-s---w- C:\Fix
2009-05-31 20:20 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-31 20:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-31 20:20 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-31 20:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-31 20:20 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-31 20:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-31 20:20 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-31 20:20 . 2009-05-31 20:20 -------- d-----w- C:\f208deba2dd5db1598f089
2009-05-31 19:58 . 2009-05-31 19:58 -------- d-----w- C:\0961f79dca5789add98e
2009-05-31 19:58 . 2009-05-31 20:11 -------- d-----w- C:\7eea246ccaf425cf58414f34c54159
2009-05-31 17:52 . 2009-05-31 17:52 -------- d-----w- c:\program files\ERUNT
2009-05-31 00:06 . 2009-05-31 00:06 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\ESET
2009-05-30 23:58 . 2009-05-30 23:58 -------- d-----w- c:\documents and settings\Jonathan\Application Data\ESET
2009-05-30 23:56 . 2009-05-30 23:56 -------- d-----w- c:\program files\ESET
2009-05-30 23:56 . 2009-05-30 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-05-30 23:27 . 2009-05-30 23:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-30 23:05 . 2009-05-31 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-30 23:05 . 2009-05-30 23:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-30 23:00 . 2009-05-30 23:02 -------- d-----w- c:\program files\Symantec Endpoint Protection
2009-05-27 17:38 . 2009-05-27 17:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 13:15 . 2009-05-27 13:15 -------- d-sh--w- c:\documents and settings\Jonathan\IECompatCache
2009-05-27 13:15 . 2009-05-27 13:15 -------- d-sh--w- c:\documents and settings\Jonathan\PrivacIE
2009-05-27 13:11 . 2009-05-27 13:11 -------- d-sh--w- c:\documents and settings\Jonathan\IETldCache
2009-05-27 13:00 . 2009-05-27 13:00 -------- d-----w- c:\windows\ie8updates
2009-05-27 12:54 . 2009-05-27 12:57 -------- dc-h--w- c:\windows\ie8
2009-05-27 12:51 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-27 04:15 . 2009-05-27 04:15 -------- d-----w- c:\windows\system32\scripting
2009-05-27 04:15 . 2009-05-27 04:15 -------- d-----w- c:\windows\l2schemas
2009-05-27 04:15 . 2009-05-27 04:15 -------- d-----w- c:\windows\system32\en
2009-05-18 22:04 . 2009-05-18 22:04 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2009-05-18 22:04 . 2009-05-18 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-14 19:49 . 2009-05-14 19:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 19:49 . 2009-05-14 19:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 19:49 . 2009-05-14 19:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-02 15:35 . 2009-05-02 15:35 152576 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 03:08 . 2006-03-16 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-05-31 22:04 . 2005-01-11 01:24 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
2009-05-31 22:04 . 2005-01-11 01:24 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
2009-05-31 02:05 . 2005-01-10 23:43 -------- d-----w- c:\program files\McAfee.com
2009-05-31 02:05 . 2005-03-25 03:11 -------- d-----w- c:\program files\McAfee
2009-05-31 00:06 . 2008-10-13 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\qncvsrsp
2009-05-30 23:53 . 2005-01-10 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-30 22:59 . 2005-03-08 20:58 -------- d-----w- c:\program files\Azureus
2009-05-27 04:32 . 2005-01-10 22:04 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-27 04:10 . 2005-01-10 22:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-03-08 08:34 . 2004-08-24 00:32 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2002-09-03 16:39 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2002-09-03 16:29 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2002-09-03 17:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2002-09-03 16:26 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2002-09-03 16:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2002-09-03 16:35 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2002-09-03 16:44 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2002-09-03 16:44 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2002-09-03 16:45 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2002-09-03 16:51 284160 ----a-w- c:\windows\system32\pdh.dll
2004-03-01 18:25 . 2005-11-14 03:37 114688 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
2008-04-07 06:59 . 2008-06-06 23:15 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-06-06 23:15 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-06-06 23:15 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-06-06 23:15 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-06-06 23:15 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-01-26 02:51 . 2005-01-26 02:51 56 --sh--r- c:\windows\system32\8B53FBBF74.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-10-31 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-19 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

c:\documents and settings\Jonathan\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-7-17 118784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT
backup=c:\windows\pss\NTUSER.DATStartup

[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=c:\windows\pss\ntuser.dat.LOGStartup

[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=c:\windows\pss\ntuser.iniStartup

[HKLM\~\startupfolder\^resetlog.txt]
path=\resetlog.txt
backup=c:\windows\pss\resetlog.txtStartup

[HKLM\~\startupfolder\^test4]
path=\test4
backup=c:\windows\pss\test4Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45543:TCP"= 45543:TCP:PORT_45543
"62551:TCP"= 62551:TCP:PORT_62551
"54668:TCP"= 54668:TCP:PORT_54668
"12183:TCP"= 12183:TCP:PORT_12183
"17883:TCP"= 17883:TCP:PORT_17883
"21502:TCP"= 21502:TCP:PORT_21502
"13751:TCP"= 13751:TCP:PORT_13751
"57774:TCP"= 57774:TCP:PORT_57774
"35488:TCP"= 35488:TCP:PORT_35488
"21806:TCP"= 21806:TCP:PORT_21806
"62478:TCP"= 62478:TCP:PORT_62478
"25030:TCP"= 25030:TCP:PORT_25030
"53691:TCP"= 53691:TCP:PORT_53691
"53430:TCP"= 53430:TCP:PORT_53430
"36645:TCP"= 36645:TCP:PORT_36645
"60184:TCP"= 60184:TCP:PORT_60184
"31274:TCP"= 31274:TCP:PORT_31274
"47594:TCP"= 47594:TCP:PORT_47594
"58103:TCP"= 58103:TCP:PORT_58103
"35801:TCP"= 35801:TCP:PORT_35801
"60744:TCP"= 60744:TCP:PORT_60744
"31100:TCP"= 31100:TCP:PORT_31100
"9067:TCP"= 9067:TCP:PORT_9067
"11418:TCP"= 11418:TCP:PORT_11418
"31328:TCP"= 31328:TCP:PORT_31328
"29590:TCP"= 29590:TCP:PORT_29590
"57756:TCP"= 57756:TCP:PORT_57756
"53434:TCP"= 53434:TCP:PORT_53434
"23305:TCP"= 23305:TCP:PORT_23305
"40219:TCP"= 40219:TCP:PORT_40219
"15000:TCP"= 15000:TCP:PORT_15000
"17009:TCP"= 17009:TCP:PORT_17009
"38024:TCP"= 38024:TCP:PORT_38024
"23673:TCP"= 23673:TCP:PORT_23673
"10852:TCP"= 10852:TCP:PORT_10852
"22285:TCP"= 22285:TCP:PORT_22285
"54351:TCP"= 54351:TCP:PORT_54351

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 11:23 PM 64160]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:24 PM 24652]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 168.12.41.1:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.149.71.48/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\i7mnzlag.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\FFLocal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 23:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-06-01 23:38
ComboFix-quarantined-files.txt 2009-06-01 03:37
ComboFix2.txt 2009-05-31 21:41

Pre-Run: 4,504,539,136 bytes free
Post-Run: 4,462,866,432 bytes free

264 --- E O F --- 2009-05-31 22:04
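Before going further with the cleanup, it is worth pulling the security-relevant indicators out of the ComboFix log above rather than reading it line by line: Security Center anti-virus notifications are suppressed (AntiVirusDisableNotify=1), the Windows firewall is switched off (EnableFirewall=0), dozens of high-numbered TCP ports have been opened globally with auto-generated PORT_<n> names, a user-level proxy (uInternet Settings,ProxyServer) is set, and a Downloaded Program Files (DPF) entry fetches an ActiveX control from a bare IP address. As an added example for this thread, not part of ComboFix or of any tool the helpers use, the Python routine below parses lines in the shape ComboFix prints (including its hxxp:// defanging) and reports those indicators. The indicator names, the severities and the port-count threshold are this example's own assumptions; the sample input is a constructed excerpt that echoes lines from the log above.

```python
"""Triage a ComboFix-style log excerpt for the indicators visible in the
post above (Security Center notifications suppressed, Windows firewall
off, a long run of globally opened TCP ports, a user-level proxy, and an
ActiveX download from a bare IP address).

Added example for this thread; it is not part of ComboFix or of any
tool the helpers use.  The indicator names, the severities and the
port-count threshold are this example's own assumptions.
"""
import re

# Constructed sample input: a short excerpt echoing the shape of the
# "Reg Loading Points" and "Supplementary Scan" sections of the log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45543:TCP"= 45543:TCP:PORT_45543
"62551:TCP"= 62551:TCP:PORT_62551
"54668:TCP"= 54668:TCP:PORT_54668
"12183:TCP"= 12183:TCP:PORT_12183
"17883:TCP"= 17883:TCP:PORT_17883
"21502:TCP"= 21502:TCP:PORT_21502

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = 168.12.41.1:80
uInternet Settings,ProxyOverride = *.local
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.149.71.48/activex/AMC.cab
'''

# "<port>:<proto>"= <port>:<proto>:<name>   (the Windows XP firewall policy format)
PORT_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=\s*\1:\2:(\S+)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(\S+)$')
# DPF line whose download host is a bare IPv4 address (hxxp is ComboFix's defanging)
DPF_IP_RE = re.compile(r'^DPF:.*?-\s*hxxp://(\d{1,3}(?:\.\d{1,3}){3})/', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
AV_NOTIFY_OFF_RE = re.compile(r'^"AntiVirusDisableNotify"=dword:0*1$')


def triage(log_text, port_threshold=5):
    """Return a list of (severity, indicator, detail) tuples.

    Severities and the threshold are assumptions made for this example:
    at or above `port_threshold` globally opened ports is treated as a
    mass opening rather than a single application's rule.
    """
    findings = []
    open_ports = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if AV_NOTIFY_OFF_RE.match(line):
            findings.append(("high", "security-center-notify-disabled", line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(("high", "windows-firewall-disabled", line))
            continue
        m = PORT_RE.match(line)
        if m:
            open_ports.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(("medium", "user-proxy-configured", m.group(1)))
            continue
        m = DPF_IP_RE.match(line)
        if m:
            findings.append(("medium", "activex-from-bare-ip", m.group(1)))
    if open_ports:
        # Entries named PORT_<n> carry no application name: nothing a user
        # added by hand, and dozens of them look machine-generated.
        auto_named = [p for p in open_ports if p[2] == "PORT_%d" % p[0]]
        severity = "high" if len(open_ports) >= port_threshold else "low"
        findings.append((severity, "globally-open-ports",
                         "%d entries, %d with auto-generated PORT_<n> names"
                         % (len(open_ports), len(auto_named))))
    return findings


if __name__ == "__main__":
    for severity, indicator, detail in triage(SAMPLE_LOG):
        print("[%-6s] %-32s %s" % (severity, indicator, detail))
```

A hit is a reason to look, not a verdict: a proxy entry is normal on a managed corporate machine, and a few globally opened ports can belong to a legitimate game or P2P client. The routine only reports what it found so that the person reading the log can check each item against what the owner actually installed.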

#15
nicolecolgate

    Member

  • Topic Starter
  • Member
  • 74 posts
Thanks for your help.
When I open Internet Explorer, I still get the same pop-up.
This pop-up started when I first got the trojan.
The pop-up says something like: "Internet Explorer closed unexpectedly before... would you like to revert back to the original..." something like that?

MBAM:

Malwarebytes' Anti-Malware 1.37
Database version: 2204
Windows 5.1.2600 Service Pack 3

5/31/2009 11:53:14 PM
mbam-log-2009-05-31 (23-53-14).txt

Scan type: Quick Scan
Objects scanned: 89380
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)