Geeks to Go
Heavily infected computer [CLOSED]


  • This topic is locked

#1
Conte Rules
Member, 27 posts
Hi guys. My friend's computer was heavily infected, so I thought I'd help him clean it out. Before I did anything I ran ATF Cleaner. The malware was crashing programs like MBAM, so I ran SDFix and here is the log from that:


SDFix: Version 1.209
Run by Owner on Mon 07/28/2008 at 08:03 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
tcpsr

Path :
\??\C:\WINDOWS\System32\drivers\tcpsr.sys

tcpsr - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1.EXE - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp7.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp8.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp9.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpA.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpB.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpC.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpD.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpE.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpF.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp10.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp11.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp12.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp7.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp8.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmp9.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpA.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpB.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpC.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpD.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpE.tmp - Deleted
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\tmpF.tmp - Deleted
C:\WINDOWS\winlogon.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll - Deleted
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 20:13:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1155222575\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1155222575\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 23 Jun 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Thu 23 Jun 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT9.tmp"

Finished!


After that got done I was able to run MBAM and update it, etc. Here is the log from that. I fixed everything it found and ran a second scan, which came up clean.


Malwarebytes' Anti-Malware 1.23
Database version: 985
Windows 5.1.2600 Service Pack 2

7:58:00 PM 7/28/2008
mbam-log-7-28-2008 (19-57-56).txt

Scan type: Quick Scan
Objects scanned: 45768
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\AppCert\hb241g.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\prx992h.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\snf50.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\wnl32.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XP antivirus (Rogue.XPantivirus) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runwinlogon (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\AppCert\filter.drv (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\hb241g.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\options.dat (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\prx992h.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\snf50.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\wnl32.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\WinCtrl32.dl1 (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\fontviewl.exe (Trojan.Spammer) -> No action taken.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> No action taken.

The log appeared before I fixed everything so that is why it says no action taken.

Here is a Deckard's System Scanner log because I know you guys will ask for one. Also, LogMeIn is knowingly installed, so don't think that it is part of the malware.


Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-28 22:54:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-29 02:54:04 UTC - RP16 - Deckard's System Scanner Restore Point
1: 2008-07-29 02:49:56 UTC - RP15 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:44 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.HOME-LISA\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {6176620C-3A23-4545-9B16-257243DFF1B0} - c:\windows\system32\iuaittx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-334423841-2532436680-594992101-1008\..\Run: [Power2GoExpress] NA (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-334423841-2532436680-594992101-1008\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'LogMeInRemoteUser')
O4 - Global Startup: msupd15476.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1167279414158
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167279404547
O20 - Winlogon Notify: nquwryil - C:\WINDOWS\SYSTEM32\iuaittx.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6380 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080728-223241-111 O4 - Global Startup: msupd15476.exe
backup-20080728-223241-990 O2 - BHO: (no name) - {6176620C-3A23-4545-9B16-257243DFF1B0} - c:\windows\system32\iuaittx.dll
backup-20080728-223259-703 O4 - Global Startup: msupd15476.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 xzyypaod - c:\windows\system32\drivers\xzyypaod.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S0 Udk75 - c:\windows\system32\drivers\udk75.sys (file missing)
S0 Winai07 - c:\windows\system32\drivers\winai07.sys (file missing)
S0 Winai18 - c:\windows\system32\drivers\winai18.sys (file missing)
S0 Windl63 - c:\windows\system32\drivers\windl63.sys (file missing)
S0 Winjq17 - c:\windows\system32\drivers\winjq17.sys (file missing)
S0 Winpx42 - c:\windows\system32\drivers\winpx42.sys (file missing)
S3 catchme - c:\docume~1\owner~1.hom\locals~1\temp\catchme.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 Winyh86 - c:\windows\system32\drivers\winyh86.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-17 20:16:40 434 --a------ C:\WINDOWS\Tasks\At1.job


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 22:16:59 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\SendTo
2008-07-28 22:16:59 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Recent
2008-07-28 22:16:59 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\PrintHood
2008-07-28 22:16:59 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\NetHood
2008-07-28 22:16:59 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\My Documents
2008-07-28 22:16:59 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Local Settings
2008-07-28 22:16:59 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Favorites
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Desktop
2008-07-28 22:16:59 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Cookies
2008-07-28 22:16:59 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Application Data
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\You've Got Pictures Screensaver
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\SampleView
2008-07-28 22:16:59 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Microsoft
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Identities
2008-07-28 22:16:58 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\WINDOWS
2008-07-28 22:16:58 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Templates
2008-07-28 22:16:58 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Start Menu
2008-07-28 22:16:58 1048576 --ah----- C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT
2008-07-28 21:50:13 0 d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-07-28 21:49:41 0 d-------- C:\Program Files\LogMeIn
2008-07-28 21:27:28 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\.housecall6.6
2008-07-28 21:27:16 0 d-------- C:\WINDOWS\Sun
2008-07-28 21:25:12 0 d-------- C:\Program Files\Java
2008-07-28 21:25:10 0 d-------- C:\Program Files\Common Files\Java
2008-07-28 20:53:39 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-28 19:59:27 0 d-------- C:\WINDOWS\ERUNT
2008-07-28 19:42:16 0 d-------- C:\Program Files\Trend Micro
2008-07-28 19:40:43 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Malwarebytes
2008-07-28 19:40:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 19:40:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 19:38:11 0 d--hs---- C:\WINDOWS\CSC
2008-07-28 19:33:54 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Mozilla
2008-07-28 19:33:53 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\ajssfbhj
2008-07-17 20:17:25 15872 --a------ C:\WINDOWS\system32\fontviewl.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-28 21:42:53 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-28 21:36:55 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Move Networks
2008-07-28 21:36:39 0 d-------- C:\Program Files\Verizon
2008-07-28 21:26:24 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Adobe
2008-07-28 21:25:10 0 d-------- C:\Program Files\Common Files
2008-07-28 21:16:30 0 d-------- C:\Program Files\QuickTime
2008-07-28 21:16:06 0 d-------- C:\Program Files\Common Files\Real
2008-07-28 21:15:41 0 d-------- C:\Program Files\Canon
2008-07-28 20:58:57 0 d-------- C:\Program Files\Yahoo!
2008-07-28 20:54:49 0 d-------- C:\Program Files\Google
2008-07-28 20:52:17 0 d-------- C:\Program Files\Common Files\Scanner
2008-07-28 20:50:12 0 d-------- C:\Program Files\WildTangent
2008-07-28 20:40:21 0 d-------- C:\Program Files\Pure Networks
2008-07-28 20:38:54 0 d-------- C:\Program Files\Napster
2008-07-28 20:38:53 0 d-------- C:\Program Files\Common Files\AOL
2008-07-28 20:38:31 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\AOL
2008-07-28 20:38:24 0 d-------- C:\Program Files\Gateway Games


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6176620C-3A23-4545-9B16-257243DFF1B0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 11:56 PM]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 07:19 PM C:\WINDOWS\arpwrmsg.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [12/09/2005 09:44 PM]
"CHotkey"="zHotkey.exe" [12/08/2004 08:57 PM C:\WINDOWS\zHotkey.exe]
"RTHDCPL"="RTHDCPL.EXE" [11/09/2005 08:14 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/02/2005 03:43 PM C:\WINDOWS\Alcmtr.exe]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/30/2005 10:02 AM]
"nwiz"="nwiz.exe" [11/30/2005 10:02 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/30/2005 10:02 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/2002 12:35 PM]
"NWEReboot"="" []
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [06/23/2006 12:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [02/28/2008 03:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
msupd15476.exe [7/9/2008 8:50:19 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 05/28/2008 12:32 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nquwryil]
iuaittx.dll 08/10/2004 03:00 PM 104960 C:\WINDOWS\system32\iuaittx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ehshell.exe]
Debugger="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Udk75.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai18.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjq17.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpx42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh86.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xriyqbaq


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-07-28 22:55:15 ------------

Please help ASAP, I'm sure this thing is still infected and I'm unsure of where to go from here.


#2
Conte Rules
Topic Starter, Member, 27 posts
I've been plugging away at this for a while so here is an updated DSS log.



Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-29 03:55:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:25 AM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\arservice.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner.HOME-LISA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {6176620C-3A23-4545-9B16-257243DFF1B0} - c:\windows\system32\iuaittx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\[email protected]\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-21-334423841-2532436680-594992101-1008\..\Run: [Power2GoExpress] NA (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-334423841-2532436680-594992101-1008\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'LogMeInRemoteUser')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1167279414158
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167279404547
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nquwryil - C:\WINDOWS\SYSTEM32\iuaittx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6282 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 02:39:41 0 d-------- C:\Program Files\[email protected]
2008-07-29 02:39:41 0 d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-07-29 02:00:44 0 d-------- C:\WINDOWS\pss
2008-07-29 01:52:49 0 d--h----- C:\$AVG8.VAULT$
2008-07-29 01:50:55 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-29 01:50:48 0 d-------- C:\Program Files\AVG
2008-07-29 01:50:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-29 01:21:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-29 00:24:18 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-29 00:24:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-29 00:24:09 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\SUPERAntiSpyware.com
2008-07-29 00:23:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-29 00:16:31 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-29 00:16:31 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-29 00:16:22 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-29 00:16:21 0 d-------- C:\Documents and Settings\NetworkService\Application Data\ajssfbhj
2008-07-28 22:16:59 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\SendTo
2008-07-28 22:16:59 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Recent
2008-07-28 22:16:59 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\PrintHood
2008-07-28 22:16:59 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\NetHood
2008-07-28 22:16:59 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\My Documents
2008-07-28 22:16:59 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Local Settings
2008-07-28 22:16:59 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Favorites
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Desktop
2008-07-28 22:16:59 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Cookies
2008-07-28 22:16:59 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Application Data
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\You've Got Pictures Screensaver
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\SampleView
2008-07-28 22:16:59 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Microsoft
2008-07-28 22:16:59 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Identities
2008-07-28 22:16:58 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\WINDOWS
2008-07-28 22:16:58 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Templates
2008-07-28 22:16:58 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Start Menu
2008-07-28 22:16:58 1048576 --ah----- C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT
2008-07-28 21:50:13 0 d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-07-28 21:49:41 0 d-------- C:\Program Files\LogMeIn
2008-07-28 21:27:28 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\.housecall6.6
2008-07-28 21:27:16 0 d-------- C:\WINDOWS\Sun
2008-07-28 21:25:12 0 d-------- C:\Program Files\Java
2008-07-28 21:25:10 0 d-------- C:\Program Files\Common Files\Java
2008-07-28 20:53:39 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-28 19:59:27 0 d-------- C:\WINDOWS\ERUNT
2008-07-28 19:42:16 0 d-------- C:\Program Files\Trend Micro
2008-07-28 19:40:43 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Malwarebytes
2008-07-28 19:40:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 19:40:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 19:38:11 0 d--hs---- C:\WINDOWS\CSC
2008-07-28 19:33:54 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Mozilla
2008-07-28 19:33:53 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\ajssfbhj


-- Find3M Report ---------------------------------------------------------------

2008-07-29 01:43:03 0 d-------- C:\Program Files\Symantec
2008-07-29 01:42:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-29 00:23:45 0 d-------- C:\Program Files\Common Files
2008-07-28 21:42:53 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-28 21:36:55 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Move Networks
2008-07-28 21:36:39 0 d-------- C:\Program Files\Verizon
2008-07-28 21:26:24 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\Adobe
2008-07-28 21:16:30 0 d-------- C:\Program Files\QuickTime
2008-07-28 21:16:06 0 d-------- C:\Program Files\Common Files\Real
2008-07-28 21:15:41 0 d-------- C:\Program Files\Canon
2008-07-28 20:58:57 0 d-------- C:\Program Files\Yahoo!
2008-07-28 20:54:49 0 d-------- C:\Program Files\Google
2008-07-28 20:52:17 0 d-------- C:\Program Files\Common Files\Scanner
2008-07-28 20:50:12 0 d-------- C:\Program Files\WildTangent
2008-07-28 20:40:21 0 d-------- C:\Program Files\Pure Networks
2008-07-28 20:38:54 0 d-------- C:\Program Files\Napster
2008-07-28 20:38:53 0 d-------- C:\Program Files\Common Files\AOL
2008-07-28 20:38:31 0 d-------- C:\Documents and Settings\Owner.HOME-LISA\Application Data\AOL
2008-07-28 20:38:24 0 d-------- C:\Program Files\Gateway Games


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6176620C-3A23-4545-9B16-257243DFF1B0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 11:56 PM]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 07:19 PM C:\WINDOWS\arpwrmsg.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [12/09/2005 09:44 PM]
"RTHDCPL"="RTHDCPL.EXE" [11/09/2005 08:14 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/02/2005 03:43 PM C:\WINDOWS\Alcmtr.exe]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/30/2005 10:02 AM]
"nwiz"="nwiz.exe" [11/30/2005 10:02 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/30/2005 10:02 AM]
"NWEReboot"="" []
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [06/23/2006 12:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [02/28/2008 03:31 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/29/2008 01:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM]
"mount.exe"="C:\Program Files\[email protected]\FileUtilities.3\mount.exe" [04/11/2008 04:17 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 05/28/2008 12:32 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nquwryil]
iuaittx.dll 08/10/2004 03:00 PM 104960 C:\WINDOWS\system32\iuaittx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ehshell.exe]
Debugger="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Udk75.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winai18.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjq17.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpx42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyh86.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xriyqbaq


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-07-29 03:55:48 ------------

#3
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "c:\windows\system32\drivers\xzyypaod.sys"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • c:\windows\system32\drivers\xzyypaod.sys
  • Click Open.
  • Click Post.
Thank you!

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.